
WILEY PART 2 DOMAIN 1

1.Risk-based internal auditing approach does not apply to which of the following?

A.Assurance audit engagements
B.Consulting audit engagements
C.Compliance audit of laws, rules, and regulations
D.Compliance audit of a company's policies and procedures

The Answer C is Correct


The risk-based internal auditing approach does not apply to compliance with governmental laws, rules,
and regulations (LRRs) because they are mandatory in nature and because companies have no choice in
implementing them. Hence, LRRs must be audited regardless of their risk levels. In other words, LRRs
cannot be labeled as high, medium, or low risk, and they cannot be prioritized by risk with only
high-risk LRRs reviewed and low-risk LRRs ignored.

A.Incorrect. Review of assurance audit engagements can be risk based because senior management and
internal audit management can decide what to audit and when to audit based on a risk assessment.
B.Incorrect. Review of consulting audit engagements can be risk based because senior management
and internal audit management can decide what to audit and when to audit based on a risk assessment.
D.Incorrect. Review of compliance with a company's policies and procedures can be risk based because
some policies could be high risk, some could be medium risk, and others could be low risk.

2.Which of the following is a useful tool when internal auditors are coordinating their audit work
with internal and external service providers in governance, risk, and control areas?

A.Assurance map
B.Control map
C.Risk map
D.Governance map

The Answer A is Correct


Assurance maps are organization-wide and coordinated exercises involving mapping assurance
coverage provided by multiple parties (both inside and outside) against key or significant risks facing
the organization so that duplicate efforts, missed risks, and assurance gaps can be identified and
monitored.
The chief audit executive, senior management, and the board need assurance maps to ensure proper
coordination among diverse risk activities.

B.Incorrect. Control maps show an organization's understanding of its critical control points and major
controls at those control points.
C.Incorrect. Risk maps show an organization's understanding of its risk profiles and risk appetite.
D.Incorrect. Governance maps show an organization's understanding of its board of directors’ oversight,
stewardship, and fiduciary roles and responsibilities.

3.When selecting people to work in the internal audit department, the vetting process does not
apply to which of the following?

A.External assessors
B.Audit contractors
C.Guest auditors
D.External service providers

The Answer C is Correct


Guest auditors are insiders, borrowed from nonaudit departments for temporary work in the audit
department. They go back to their departments after completing their work in the audit department.
Hence, guest auditors do not need a vetting process because they have already gone through an internal
hiring and screening process.
A.Incorrect. External assessors are outsiders who are carefully screened, selected, and hired (vetted) for
a specific audit work to ensure that they are qualified to do the work.
B.Incorrect. Audit contractors are outsiders who are carefully screened, selected, and hired (vetted) for
a specific audit work to ensure that they are qualified to do the work.
D.Incorrect. External service providers are outsiders who are carefully screened, selected, and hired
(vetted) for a specific audit work to ensure that they are qualified to do the work.

4.A 360-degree review of an internal auditor's performance assessment includes which of the
following?
I. Peer auditors
II. Audit clients
III. Audit supervisors
IV. Audit managers

A.III
B.IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


A 360-degree review is a comprehensive review of an auditor's performance as seen by many others,
such as peer auditors (colleagues), audit clients, audit supervisors, and audit managers. It includes
everyone the auditor has worked with, directly or indirectly, who can speak to the auditor's job
performance.

A.Incorrect. This is a partial answer. More reviewers are needed.
B.Incorrect. This is a partial answer. More reviewers are needed.
C.Incorrect. This is a partial answer. More reviewers are needed.

5.The best way to protect data on personal computers against ransomware attacks is to:

A.Store a company backup data on a cloud storage system.
B.Store central backup data on local flash drives.
C.Store central backup data on central servers.
D.Store local backup data on local servers.

The Answer A is Correct


A ransomware attack encrypts the files on an infected personal computer (PC) and demands payment for
the decryption key. The only way to recover without paying is to restore from a backup that was taken
before the attack and that the malware could not reach. A copy of the PC data kept in cloud storage
satisfies this when it is kept separate from the PC: it survives in an uninfected condition and is
available as a ready backup to recover from the damage. In other words, the cloud storage acts as data
insurance. One caveat a practitioner should check: a cloud folder that continuously syncs with the PC
is not such a copy, because the encrypted files are synced up and overwrite the good versions. The
backup must be versioned or kept offline, and it must be tested by actually restoring from it.

B.Incorrect. Local flash drives could be infected if they are constantly connected to personal
computers.
C.Incorrect. Central servers could be infected if they are constantly connected to personal computers.
D.Incorrect. Local servers could be infected if they are constantly connected to personal computers.

6.Which of the following is not a common form of ransomware attack methods?

A.Malicious email attachments
B.Exploit kits
C.Brute force attacks
D.Malicious email links

The Answer C is Correct


Brute force attacks are password-guessing attacks. The question bank treats them as a credential-
cracking technique rather than a ransomware delivery method, whereas malicious attachments, malicious
links, and exploit kits are the delivery channels through which the ransomware payload reaches the
victim's machine. A practitioner should note the caveat: in practice, guessed or brute-forced remote
access credentials (for example, exposed remote desktop logins) are a frequent initial foothold for
ransomware operators, so strong authentication on remote access is still part of ransomware defense.
Ransomware attacks are very damaging to individuals and organizations and are often not detected until
files have already been encrypted.

A.Incorrect. Malicious email attachments are a common ransomware delivery method.
B.Incorrect. Exploit kits are a common ransomware delivery method.
D.Incorrect. Malicious email links are a common ransomware delivery method.

7.Which of the following mobile device policy is not risky to user organizations?

A.Bring your own device (BYOD)
B.Bring your own applications (BYOA)
C.Choose your own device (CYOD)
D.Wear your own device (WYOD)

The Answer C is Correct


CYOD differs from BYOD by allowing end users to select from a predetermined and approved list of
device types for work rather than using any device. This is the least risky of the four policies
because the devices are company-approved and can be configured and managed by the company.

A.Incorrect. BYOD is a policy that permits employees to bring personally owned devices to their
workplace and use them to access restricted company data, information, and applications. This is a
risky policy because the devices are not company-approved devices.
B.Incorrect. BYOA is a policy similar to BYOD that involves employees using third-party applications
in the workplace or on a work device. This is a risky policy because the applications are not
company-approved and may handle company data in ways the company cannot see or control.
D.Incorrect. WYOD is a program similar to BYOD that allows end users to use personal wearable
devices (watches and virtual reality goggles) to perform a company's tasks and functions. This is a
risky policy because the devices are not company-approved devices.

8.Regarding web-based advertising, click fraud is related to which of the following metrics?

A.Pay per bounce
B.Pay per click
C.Pay per lead
D.Pay per load

The Answer B is Correct


Under the pay-per-click model, the advertiser pays the publisher or advertising network each time a
visitor clicks the advertisement. Generally, the greater the number of clicks, the greater the presumed
customer interest and the greater the payment. Because payment is tied directly to the click count,
anyone who can generate clicks, whether a dishonest publisher inflating its revenue or a competitor
draining an advertiser's budget, can commit click fraud; the click count alone cannot distinguish
fraudulent clicks from genuine interest.

A.Incorrect. Pay per bounce is not a relevant metric here because the term “bounce” is used in the
context of bounced emails and being bounced out of websites.
C.Incorrect. The pay-per-lead metric refers to paying some money for each sales lead.
D.Incorrect. The pay-per-load metric deals with page loading time on a website.

9.When an organization is hit by a ransomware attack, which of the following can be higher than
the ransomware money demanded by hackers?

A.Prevention costs
B.Detection costs
C.Administrative costs
D.Recovery costs
The Answer D is Correct
Many organizations are learning that total recovery costs are much higher than ransomware payments
made to hackers due to extensive damage caused, working with backup data, working with technical
consultants and law enforcement authorities, and restoring the system and data files to the stage before
the attack. In addition, the costs of lost sales, profits, employee morale, customer goodwill, and
employee productivity must be considered as part of the recovery costs. An organization's response
program and incident readiness make a big difference between its success or failure in handling
ransomware attacks.

A.Incorrect. Prevention costs are incurred before an attack and are ordinarily far lower than the
recovery costs after one; prevention also cannot be relied on to stop every attack.
B.Incorrect. Detection costs are ordinarily far lower than recovery costs; many attacks are also not
detected until files have already been encrypted.
C.Incorrect. Administrative costs, such as negotiating with hackers regarding payment amounts and
doing other nontechnical activities, are part of recovery costs.

10.Between authentication and encryption activities, which one of the following items is more
secure than the other three items?

A.Authenticate and encrypt
B.Authenticate then encrypt
C.Encrypt and authenticate
D.Encrypt then authenticate

The Answer D is Correct


The important issue here is the order of the two operations and what the authentication tag covers.
Encrypting the plaintext first and then computing the authentication tag (a message authentication
code, or MAC) over the resulting ciphertext is the generically secure composition: the receiver
verifies the tag before decrypting anything, so forged or modified ciphertext is rejected without ever
being fed to the decryption routine, and the tag reveals nothing about the plaintext. This composition
is often called encrypt-then-MAC, and the two operations should use independent keys. Modern
authenticated-encryption modes (e.g., AES-GCM) package both steps together so they cannot be composed
in the wrong order.

A.Incorrect. Authenticating and encrypting in parallel (the same plaintext is both MACed and
encrypted, and both outputs are sent) exposes a tag computed over the plaintext, which can leak
information about it, and the receiver must decrypt before it can check integrity.
B.Incorrect. Authenticating first and then encrypting the plaintext together with its tag means the
receiver must decrypt before it can verify; the decryption step then becomes the target for tampering
and for error-based (padding) oracle attacks.
C.Incorrect. Encrypting and authenticating the plaintext in parallel is the same composition as
choice A with the operations named in the other order, and it has the same weaknesses.
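The encrypt-then-MAC composition described above, as an added example that is not part of the question bank. It uses only the Python standard library, so the cipher is a keystream generated by HMAC-SHA256 in counter mode (an assumed stand-in for a real cipher such as AES-CTR; the ordering and what the tag covers are the point, not the cipher), with a separate HMAC-SHA256 key for the tag. The function and key names are the example's own.

```python
# Added example (not from the Wiley question bank): encrypt-then-MAC.
# The cipher is a keystream from HMAC-SHA256 in counter mode, chosen so the
# example runs with only the standard library (an assumed stand-in for a real
# cipher such as AES-CTR); the ordering and what the tag covers are the point.
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes as HMAC(key, nonce || block counter)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes,
                     nonce: Optional[bytes] = None) -> bytes:
    """Encrypt first; then MAC the nonce and the *ciphertext*, never the plaintext.

    Wire format: nonce || ciphertext || tag.  Two independent keys are used so
    the cipher and the MAC never share key material.
    """
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, message: bytes) -> Optional[bytes]:
    """Verify the tag over the ciphertext *before* the cipher runs at all.

    Returns None on any mismatch, so modified or forged data is never decrypted
    and the receiver exposes no padding/format oracle to an attacker.
    """
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def tamper_is_rejected(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bool:
    """Flip one bit of the ciphertext and confirm the receiver refuses it."""
    sealed = bytearray(encrypt_then_mac(enc_key, mac_key, plaintext))
    sealed[NONCE_LEN] ^= 0x01  # first ciphertext byte
    return verify_then_decrypt(enc_key, mac_key, bytes(sealed)) is None


if __name__ == "__main__":
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    sealed = encrypt_then_mac(k_enc, k_mac, b"audit finding 7: access review overdue")
    print(verify_then_decrypt(k_enc, k_mac, sealed))
    print("tampered message rejected:", tamper_is_rejected(k_enc, k_mac, b"x" * 40))
```

The receiver's order of operations is the whole lesson: `verify_then_decrypt` never calls the cipher unless the tag over the ciphertext checks out, so an attacker who flips bits learns only "rejected" and nothing about the plaintext. Swapping the order (decrypt, then check something about the plaintext) is what turns padding and format errors into an oracle.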

11.Which of the following is an example of a single point of failure?

A.Cloud storage
B.Working storage
C.Secondary storage
D.Closed storage

The Answer A is Correct


Because all of a company's data is held in one place and reached through one set of accounts and
credentials, cloud storage can act as a single point of failure, which is a risky situation: a
compromised account, a misconfigured access policy, or a provider outage affects all of the data at
once, and an attacker who breaks in can steal or destroy all customer data. Hence, cloud storage
requires strong, layered, defense-in-depth security controls (separate administrative credentials,
multifactor authentication, versioning or immutable retention, and an independent copy kept elsewhere).
On a positive note, a cloud backup kept this way can act as a faster recovery mechanism in case of a
ransomware attack.

B.Incorrect. Working storage is that portion of storage, usually main memory (RAM), reserved for the
temporary results of computer operations.
C.Incorrect. Secondary storage consists of nonvolatile auxiliary memory, such as disks or tapes, used
for the long-term storage of computer programs and data.
D.Incorrect. Closed storage refers to the storage of classified information within an accredited
government facility where the documents containing classified information are stored in approved
secure containers. This storage is closed to the outside world.

12.Which of the following is likely to utilize the assurance maps the most?

A.External assurance function
B.Internal risk management function
C.Internal audit function
D.Internal compliance review function

The Answer C is Correct


Internal auditors are the most likely to utilize assurance maps to their fullest extent. This is because the
internal audit function has several responsibilities, such as providing comprehensive reviews and
evaluations; coordinating between internal and external service providers; and assuring the board and
senior management about governance, risk management, and control processes.

A. Incorrect. The external assurance function may use assurance maps, but not the most of the choices
provided.
B.Incorrect. The internal risk management function may use assurance maps, but not the most of the
choices provided.
D.Incorrect. The internal compliance review function may use assurance maps, but not the most of the
choices provided.

13.Regarding construction audits, contract leakages are handled better in which of the following
construction audit phases?

A.Preconstruction audit
B.Interim construction audit
C.Postconstruction audit
D.Comprehensive construction audit

The Answer A is Correct


Contract leakages occur due to overpayments, billing errors, and erroneous payments made to
contractors and subcontractors. These overpayments are due to misunderstandings, misinterpretations,
or misapplications of contractual terms and conditions. The sooner one can detect these contract
leakages, the better off it is for all parties. The preconstruction phase is the right place and the right
time to address these issues in order to avoid contract leakages.

B. Incorrect. The interim construction audit phase is too late to avoid contract leakages.
C.Incorrect. The postconstruction audit phase is too late to avoid contract leakages.
D.Incorrect. The comprehensive construction audit phase is too late to avoid contract leakages.

14.Which of the following is the major decision point to make regarding outsourcing an internal
audit function?

A.What to outsource
B.When to outsource
C.Where to outsource
D.Whom to outsource

The Answer A is Correct


What to outsource is the major decision point because management needs to decide which part of the
internal audit function to outsource. That is: Is it the information technology audits? The consulting
audit engagements? or: The compliance audit engagements? Another relevant question is: Is it a partial
or a full outsource?

B.Incorrect. When to outsource is not the major decision point; it is a minor point that follows the
major point.
C.Incorrect. Where to outsource is not the major decision point; it is a minor point that follows the
major point.
D.Incorrect: Whom to outsource is not the major decision point; it is a minor point that follows the
major point.

15.Due diligence reviews do not mean:

A.Exercising extraordinary care.
B.Exercising reasonable care.
C.Exercising due care.
D.Exercising standard care.

The Answer A is Correct


The people who are conducting diligence reviews need not exercise extraordinary care; ordinary care is
good enough.

B.Incorrect. The people who are conducting diligence reviews need to exercise reasonable care only.
This can lead to a good due diligence defense to a defendant.
C.Incorrect. The people who are conducting diligence reviews need to exercise due care only. This can
lead to a good due diligence defense to a defendant.
D. Incorrect. The people who are conducting diligence reviews need to exercise standard care, meaning
meeting minimum standards of work, not maximum standards. This can lead to a good due diligence
defense to a defendant.

16. Which of the following is not applicable to a due diligence review?

A.Due process
B.Due care
C.Due regard
D.Standard care

The Answer A is Correct


Due process is the legal principle that governmental agencies must respect all of the legal rights that are
owed to all citizens per the law. Hence, due process does not apply to due diligence reviews done by
individual organizations or individuals.

B.Incorrect. Due care applies to due diligence reviews, and they go together.
C.Incorrect. Due regard applies to due diligence reviews. Due regard requires giving equal respect to
and showing equal interest in all people.
D.Incorrect. Standard care applies to due diligence reviews. Standard care is minimum care.

17.Which of the following is the common element between outsourcing vendors and third-party
service providers?

A.Contractors
B.Due diligence reviews
C.Contract
D.Service

The Answer B is Correct


Due diligence reviews are the common element required, whether the review is done for an outsourced
vendor or a third-party service provider. Conducting a due diligence review is good business practice
as it provides a safety valve for the hiring organization (i.e., less risk).

A.Incorrect. The nature and the type of contractors could be different between outsourced vendor work
and third-party service work.
C.Incorrect. The nature and the type of contract (i.e., the legal document with terms and conditions)
could be different between outsourced vendor work and third-party service work.
D.Incorrect. The nature and the type of service (i.e., technology, supply, or distribution service) could
be different between outsourced vendor work and third-party service work.

18.Due diligence reviews are not performed with:

A.Due care.
B.Absolute care.
C.Reasonable care.
D.Possible care.

The Answer B is Correct


Due diligence reviews are not performed with absolute care, which is too much to expect.

A.Incorrect. Due diligence reviews are performed with due care that any prudent person would do.
C.Incorrect. Due diligence reviews are performed with reasonable care that any prudent person would
do.
D.Incorrect. Due diligence reviews are performed with possible care that any prudent person would do.

19.The scope of value-for-money (VFM) audits includes which of the following elements?
I. Expertise
II. Economy
III. Efficiency
IV. Effectiveness

A.I only
B.I and II
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


The scope of VFM audits includes all four elements of expertise, economy, efficiency, and
effectiveness. Here, “expertise” refers to the combined knowledge, skills, and abilities that auditors
possess in conducting VFM audits. “Economy” refers to the use of resources in a cost-effective manner.
“Efficiency” refers to the use of resources in a productive manner. “Effectiveness” refers to the use of
resources to achieve the intended objectives.

A.Incorrect. Expertise is only one element of the scope of VFM audits. Here, “expertise” refers to the
combined knowledge, skills, and abilities that auditors possess in conducting VFM audits.
B.Incorrect. Economy is the only one element of the scope of VFM audits. Here, “economy” refers to
the use of resources in a cost-effective manner.
C.Incorrect. Efficiency and effectiveness are only two elements of the scope of VFM audits. Here,
“efficiency” refers to the use of resources in a productive manner. “Effectiveness” refers to the use of
resources to achieve the intended objectives.

20.Which one of the following items considers all the other three items in concert?

A.Vulnerabilities
B.Threats
C.Risks
D.Controls

The Answer D is Correct


Controls are the item that considers the other three in concert. A control is selected and sized
according to the risk that results when a threat exploits a vulnerability, so the chain runs
Vulnerabilities → Threats → Risks → Controls.

A.Incorrect. Vulnerabilities are weaknesses that can be exploited; they are the first link in the
chain and do not take the other three into account.
B.Incorrect. Threats are the sources or events that could exploit a vulnerability; they are
considered together with vulnerabilities to determine risk, but they do not consider controls.
C.Incorrect. Risks are the product of threats acting on vulnerabilities; controls are what is chosen
in response to risks, not the other way around.

21.When conducting identity theft activities, fraudsters use which of the following to perpetrate
identity fraud?

A.Mobile texting
B.SMS texting
C.Pretexting
D.MMS texting
The Answer C is Correct
Pretexting is a social engineering technique in which the fraudster invents a plausible scenario (the
pretext) and a false identity, built from personal details that have already been stolen, to persuade
a person or an institution to disclose further information. It is a specifically targeted scheme. For
example, the fraudster calls a bank posing as the customer and uses the stolen details to obtain
additional information about that customer's account.

A.Incorrect. Mobile texting is a generic and broad meaning of texting and is not specifically targeted.
B.Incorrect. SMS texting is short message service (SMS) texting and is not specifically targeted.
D.Incorrect. MMS texting is multimedia messaging service (MMS) texting and is not specifically
targeted.

22.Which of the following can help victims recover from ransomware attacks?

A.Encryption key
B.File and system backups
C.Decryption key
D.Patched and updated software

The Answer B is Correct


File and system backups, especially ones maintained in a cloud storage system, are like insurance
policies. When computer files are encrypted by ransomware, restoring a backup version of the files is
the best way to recover the critical data, provided the backup was kept out of the malware's reach
(offline or versioned) and has been tested by restoring from it.

A.Incorrect. Hackers encrypt the victims’ files with an encryption key so that victims cannot use the
files until they pay a ransom amount. An encryption key does not help victims recover from
ransomware attacks.
C.Incorrect. Hackers hold the decryption key and release it only after victims pay the ransom amount.
Possession of that key would recover the files, but victims do not have it, and obtaining it depends on
paying and on the hackers honoring the deal. It is not a recovery control the victim can rely on.
D.Incorrect. Using patched and updated software is a good practice, but it alone cannot help victims
recover from ransomware attacks.

23.Which of the following could be treated as a legal contract?

A.A letter of intent
B.A memorandum of understanding
C.A memorandum of meeting
D.A letter of introduction

The Answer A is Correct


A letter of intent may or may not be treated as a legal contract. It depends on whether the letter of
intent is specific (narrow) or general (broad) in nature. When a specific letter of intent contains
very detailed information about the scope and nature of work, work completion dates, who is doing
what work, money payments, and milestone dates, then it is considered a legal contract because these
details meet all the elements of a contract. If a letter of intent is general and vague, then it is not
a legal contract because it does not have all the elements of a contract. Simply stated, a general
letter of intent is not binding, and a specific letter of intent is binding.

B.Incorrect. A memorandum of understanding is not considered a legal contract because it does not
have all the elements of a contract.
C.Incorrect. A memorandum of meeting is not considered a legal contract because it does not have all
the elements of a contract.
D.Incorrect. A letter of introduction is not considered a legal contract because it does not have all the
elements of a contract.

24.Cyberthreats and cyberattacks on all types of organizations have occurred during which of
the following web generations?

A.Web 1.0
B.Web 2.0
C.Web 3.0
D.Web 4.0
The Answer B is Correct
Web 2.0 presents read-write features, blogs, wikis, tweets, and others. Cyberthreats and cyberattacks
have become common with malware and spyware software.

A.Incorrect. Web 1.0 provided basic features, such as browsing, static web format, and mostly
read-only features.
C.Incorrect. Web 3.0 has become the personal, portable, and executable web.
D.Incorrect. Web 4.0 focuses on mobile web connections.

25.Social media platforms or networks were born during which web generation?

A.Web 1.0
B.Web 2.0
C.Web 3.0
D.Web 4.0

The Answer B is Correct


Web 2.0 presents read-write features, blogs, wikis, tweets, and others. Cyberthreats and cyberattacks
have become common with malware and spyware software.

A.Incorrect. Web 1.0 provided basic features, such as browsing, static web format, and mostly
read-only features.
C.Incorrect. Web 3.0 has become the personal, portable, and executable web.
D.Incorrect. Web 4.0 focuses on mobile web connections.

26.Which of the following can perform click fraud in online marketing advertisements?

A.Web beacons
B.Bots
C.Cookies
D.Web bugs

The Answer B is Correct


Bots are programs installed on compromised computers that give their operator remote command and
control access via a variety of protocols, including Internet Relay Chat (IRC), HTTP, instant
messaging, and peer-to-peer protocols. A network of such bots (a botnet) can be rented for illicit
services such as pay-per-click fraud: the bots load the advertiser's page and click the advertisement
from thousands of different addresses, inflating the click count, and because payment is based on each
click the advertiser pays for every one of those fake clicks.

A.Incorrect. Web beacons cannot perform click fraud as they are the same as the web bugs. Web
beacons are placed on web pages and websites to track the use of web servers and collect web
addresses.
C.Incorrect. Cookies cannot perform click fraud. Cookies are used to uniquely identify website visitors.
D.Incorrect. Web bugs cannot perform click fraud as they are the same as web beacons. They are
placed on web pages and websites to track the use of web servers and collect web addresses.
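An added example (not from the question bank) of the detection logic an auditor or analyst might run over a pay-per-click log to separate bot traffic from genuine clicks, which ties together the pay-per-click metric of question 8 and the bot-driven click fraud of question 26. The log format, the sample lines, the thresholds, and the user-agent markers are all constructed assumptions for the example.

```python
# Added example (not from the question bank): flag bot-like click traffic in a
# pay-per-click log.  Log format, sample lines, thresholds and user-agent
# markers are constructed assumptions for the example.
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample log (not real traffic).  Fields: UTC time, client IP,
# user-agent token, campaign id, referrer ("-" when none was sent).
SAMPLE_CLICK_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 Mozilla/5.0 camp-42 https://news.example/
2024-05-01T10:00:02Z 203.0.113.7 Mozilla/5.0 camp-42 https://news.example/
2024-05-01T10:00:03Z 203.0.113.7 Mozilla/5.0 camp-42 https://news.example/
2024-05-01T10:00:04Z 203.0.113.7 Mozilla/5.0 camp-42 https://news.example/
2024-05-01T10:00:05Z 203.0.113.7 Mozilla/5.0 camp-42 https://news.example/
2024-05-01T10:00:06Z 203.0.113.7 Mozilla/5.0 camp-42 https://news.example/
2024-05-01T10:00:09Z 198.51.100.23 Mozilla/5.0 camp-42 https://blog.example/post
2024-05-01T10:02:40Z 198.51.100.23 Mozilla/5.0 camp-42 https://blog.example/post
2024-05-01T10:03:15Z 192.0.2.250 python-requests/2.31 camp-42 -
2024-05-01T10:03:16Z 192.0.2.250 python-requests/2.31 camp-42 -
2024-05-01T10:05:00Z 198.51.100.77 Mozilla/5.0 camp-42 -
"""

# User-agent substrings that identify automation rather than a person's browser.
AUTOMATION_UA_MARKERS = ("python-requests", "curl/", "wget/", "headlesschrome")


def parse_click_log(text: str) -> List[dict]:
    """Turn the space-separated log into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, campaign, referrer = line.split(maxsplit=4)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "ip": ip, "ua": ua,
                       "campaign": campaign, "referrer": referrer})
    return events


def flag_click_fraud(events: List[dict], max_clicks_per_window: int = 3,
                     window_seconds: int = 60) -> Dict[str, Set[str]]:
    """Return {ip: reasons} for click sources that look automated.

    Two signals: a burst (more than `max_clicks_per_window` clicks from one IP
    inside a sliding window) and an automation user agent.  A human reader
    following an ad rarely clicks it four times in a minute.
    """
    reasons: Dict[str, Set[str]] = defaultdict(set)
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)
    for ip, clicks in by_ip.items():
        start = 0
        for end in range(len(clicks)):
            while (clicks[end]["time"] - clicks[start]["time"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_clicks_per_window:
                reasons[ip].add("burst")
        if any(m in c["ua"].lower() for c in clicks for m in AUTOMATION_UA_MARKERS):
            reasons[ip].add("automation-ua")
    return dict(reasons)


def billable_clicks(events: List[dict], flagged: Dict[str, Set[str]]) -> int:
    """Clicks the advertiser should actually pay for: everything not flagged."""
    return sum(1 for ev in events if ev["ip"] not in flagged)


if __name__ == "__main__":
    evs = parse_click_log(SAMPLE_CLICK_LOG)
    flagged = flag_click_fraud(evs)
    for ip, why in flagged.items():
        print(f"{ip}: {', '.join(sorted(why))}")
    print(f"{billable_clicks(evs, flagged)} of {len(evs)} clicks are billable")
```

On the constructed log, six clicks in six seconds from one address and two clicks from a scripted HTTP client are flagged, leaving 3 of 11 clicks billable. Real ad networks use many more signals (address reputation, device fingerprints, conversion follow-through), but the audit question is the same one this code answers: how much of the paid-for click count can be attributed to traffic no human produced.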

27.An internal auditor has misplaced or lost her digital tablet during audit-related travel. Which
of the following actions can keep her tablet safe and secure?
I. Activate global positioning system (GPS) feature.
II. Disable Bluetooth services.
III. Enable a remote-wiping feature.
IV. Disable Wi-Fi services.

A.I only
B.I and II
C.I and III
D.II and IV

The Answer C is Correct


Activating the GPS feature allows the lost tablet to be located, but location alone does not protect
the data on it. Enabling a remote-wiping feature allows the data on the tablet to be erased so that
valuable information cannot get into the wrong hands. Both features must be set up before travel;
once the device is lost, the remote-wipe command is issued from the management console.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
D.Incorrect. Disabling Bluetooth services and Wi-Fi services are good security protections when not
using mobile devices.

28.Regarding mobile devices, the features of which one of the following items is different from
the features of the other three items?

A.Jailbreaking
B.Tampering
C.Jamming
D.Rooting

The Answer C is Correct


Jamming is an attack in which a device is used to emit electromagnetic energy on a wireless network's
frequency to make the network unusable; it is a radio-level denial-of-service attack. Jamming is
directed at the wireless channel from outside and does not alter the mobile device itself, whereas
jailbreaking, rooting, and tampering all modify the device's software or hardware, usually by the user
or by an attacker with access to it.

A.Incorrect. Jailbreaking is removing the limitations imposed on a device by the manufacturer, often
through the installation of custom operating system components or other third-party software.
Jailbreaking makes a device more vulnerable to attacks because it removes important safeguards
against malware attacks. Some users prefer to bypass the operating system's lockout features in order to
install apps that could be malicious in nature. Doing jailbreaking is risky.
B.Incorrect. Tampering is modifying data, software, firmware, or hardware without authorization.
Modifying data in transit, inserting tampered hardware or software into a supply chain, repackaging a
legitimate app with malware, modifying network or device configuration (e.g., jailbreaking or rooting a
phone) are examples of tampering. Doing tampering is risky.
D.Incorrect. Rooting, similar to jailbreaking, is removing the limitations imposed on a device by the
manufacturer, often through the installation of custom operating system components or other
third-party software. Rooting makes a device more vulnerable to attacks because it removes important
safeguards against malware attacks. Some users prefer to bypass the operating system's lockout
features in order to install apps that could be malicious in nature. Doing rooting is risky.

29.Which of the following can help hackers evade detection?

A.Scripting tools
B.Antivirus software
C.Intrusion detection system
D.Intrusion prevention system

The Answer A is Correct


Scripting languages and tools (e.g., JavaScript, VBScript, and shell or PowerShell scripts) are tools
of the trade for bad actors, hackers, attackers, or intruders in cyberspace; cross-site scripting and
cross-zone scripting are attacks that abuse such scripts. Scripts help attackers evade detection
because they run inside legitimate interpreters (a browser, a shell), are easily obfuscated, and leave
no malicious executable on disk for signature-based tools to match.

B.Incorrect. Antivirus software can help detect bad actions and protect users.
C.Incorrect. Intrusion detection systems can help detect bad incidents and protect users.
D.Incorrect. Intrusion prevention systems can help prevent bad incidents and protect users.

30.Regarding cybersecurity, defenders are attack-victim organizations and offenders are the
hackers attacking individuals and organizations. Which of the next represents a strategic aspect
that is completely opposite for defenders and offenders?

A.Expertise
B.Resources
C.Attack surface
D.Tool kits

The Answer C is Correct


An attack surface is the set of points (exposed services and interfaces, applications, accounts, and
people) through which an attacker can try to enter a system or extract data from it. Defenders' objective
is to make the attack surface as small as possible; attackers' objective is to find and expand it to
be as large as possible. So, defenders' and attackers' objectives are direct opposites. The attack
surface is the strategic workspace from which hackers launch attacks.

A.Incorrect. Both defenders and offenders want higher levels of expertise (i.e., technical knowledge
and skills). However, expertise represents an operational aspect for offenders, not a strategic aspect.
B.Incorrect. Both defenders and offenders want greater amounts of resources (i.e., money, time, and
staff). However, resources represent an operational aspect for offenders, not a strategic aspect.
D.Incorrect. Both defenders and offenders want several types of tool kits (i.e., hardware and software)
available to them. However, tool kits represent an operational aspect for offenders, not a strategic
aspect.

31.Management of a cyberattack victim organization needs to pay great attention to which of the
following before developing cybersecurity technical strategies to defend against attackers?

A.Attack-in-depth strategies
B.Attackers’ detection-evasion tactics
C.Attackers’ technical savvy
D.Attackers’ destructive behavior

The Answer D is Correct


Management of an organization that has suffered a cyberattack must understand a great deal about the
attackers, whether they are insiders (e.g., employees and contractors) or outsiders (e.g., hackers and
intruders). Management needs to understand the attackers' ambition, destructive behavior, opportunities,
and resources. In other words, the organization needs to ask which of its assets attackers want, and
how to protect those assets from attack.

A.Incorrect. An attack-in-depth strategy is what attackers formulate and implement to achieve their
goals.
B.Incorrect. Detection-evasion tactics are those tools and practices that attackers use to hide or evade
detection by the victim organization so attackers have more time to continue or expand their attack
surface.
C.Incorrect. Attackers with a higher level of technical savvy can do a lot more damage than attackers
with a low level of technical savvy.

32.What is the real reason why hackers succeed in their various types of cyberattacks?

A.They use sophisticated attack-in-depth strategies.
B.They use stronger detection-evasion tools.
C.They outsmart an organization's information technology (IT) staff.
D.They nullify the organization's anti-malware tools.

The Answer C is Correct


The real reason hackers succeed in their cyberattacks is that they outsmart an organization's IT staff
in terms of technical knowledge, skills, and abilities.

A.Incorrect. It is true that some hackers do use sophisticated attack-in-depth strategies that are updated
frequently. This is not the real reason for their success, however.
B.Incorrect. It is true that some hackers do use stronger detection-evasion tools such as scripts. This is
not the real reason for their success, however.
D.Incorrect. Hackers can disable or degrade anti-malware tools so that they do not work as expected.
This is not the real reason for their success, however.

33.Which of the following can provide the strongest security control mechanism?

A.Passwords
B.One-time passwords
C.Passcode
D.Passphrases

The Answer B is Correct


One-time passwords provide the strongest security control mechanism because they are not reusable.

A.Incorrect. Regular passwords are basic, weak, and reusable, not the strongest security control
mechanism.
C.Incorrect. Regular passcodes are basic, weak, and reusable, not the strongest security control
mechanism.
D.Incorrect. Regular passphrases are basic, weak, and reusable, not the strongest security control
mechanism.
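As an added example, not from the original text, the following Python code shows why a one-time password is not reusable. It implements the HMAC-based one-time password algorithm (HOTP, RFC 4226) and its time-based variant (TOTP, RFC 6238) with the standard library, plus a server-side verifier that remembers the last accepted counter so that a code which has been captured and replayed is rejected. The shared secret is the RFC 4226 test-vector key and is used here only for illustration; the verifier class and its look-ahead window are this example's own design, not a standard API.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


class HotpVerifier:
    """Server-side state for one user (example design). The last accepted
    counter is recorded, so every accepted code is consumed: presenting the
    same code again can never succeed. Real deployments also rate-limit
    attempts and provide a resynchronization procedure."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate a few codes generated but never submitted
        self.last_counter = -1         # nothing accepted yet

    def verify(self, code: str) -> bool:
        # Only counters strictly greater than the last accepted one are candidates,
        # so an intercepted code is useless once its legitimate owner has used it.
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            # compare_digest keeps the comparison constant-time
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


# Constructed demo secret: the RFC 4226 test-vector key (never hard-code a real secret)
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("first code accepted :", v.verify(first))   # True
    print("same code replayed  :", v.verify(first))   # False: already consumed
    print("current TOTP        :", totp(DEMO_SECRET))
```

The verifier is what makes the "not reusable" property real: the algorithm alone only produces codes, and a server that forgets which codes it has already accepted would still be open to replay.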

34.Which of the following can act as the strongest security control mechanism in a multifactor
authentication process?

A.Passwords
B.Biometrics
C.Passcodes
D.Personal identification numbers

The Answer B is Correct


Biometrics, when combined with another factor such as a password, passcode, or passphrase, provide
the strongest security control mechanism in a multifactor authentication process because a biometric is
bound to the person: it cannot be shared, forgotten, or reused the way a secret can. Biometrics are still
only one factor, and they are not infallible (sensors can be spoofed, and a stolen biometric template,
unlike a password, cannot be changed), which is why they are strongest as the "something you are"
factor used alongside a "something you know" factor rather than on their own. For example, a
multifactor authentication process combines something you know (user ID and PIN, password,
passcode, or passphrase) with something you are (a biometric sample).

A.Incorrect. Regular passwords are basic, weak, and reusable, not the strongest security control
mechanism even in a multifactor authentication process because they can be broken. Regular
passwords represent a one-factor authentication.
C.Incorrect. Regular passcodes are basic, weak, and reusable, not the strongest security control
mechanism even in a multifactor authentication process because they can be broken. Regular passcodes
represent a one-factor authentication.
D.Incorrect. Regular personal identification numbers (PINs) are basic, weak, and reusable, not the
strongest security control mechanism even in a multifactor authentication process because they can be
broken. Regular PINs represent a one-factor authentication.

35.Which of the following is not a variant of phishing attacks?

A.Spear phishing
B.Vishing
C.Smishing
D.SIM card swapping

The Answer D is Correct


Subscriber identity module (SIM) card swapping involves an identity thief approaching a wireless
carrier with fake proof of identity and obtaining a duplicate SIM card for a victim's mobile/cell phone
in order to perpetrate fraud. The wireless carrier deactivates the original SIM card and issues a
replacement. The fraudster then uses the new SIM card to receive the victim's calls and text messages
(including any one-time passcodes sent by SMS) and carries out unauthorized and illegal account
transactions without the victim's knowledge. SIM swapping is a social-engineering attack on the carrier,
not a deceptive message sent to the victim, which is why it is not a phishing variant.
A.Incorrect. Spear phishing is a variant of phishing targeted at specific individuals; whaling is spear
phishing aimed at executives. Both are very serious, targeted attacks.
B.Incorrect. Vishing (voice phishing) is a variant of phishing attacks. It uses phone calls or voicemail
to attack.
C.Incorrect. Smishing (SMS phishing) is a variant of phishing attacks. It uses text messages to attack.

36.Risk-based internal audit plans are directly related to which of the following?

A.Risk profiles
B.Risk registers
C.Risk appetite
D.Risk maturity

The Answer C is Correct


Risk appetite is the amount and level of risk that an organization is prepared to accept in pursuit of its
objectives, and before action is deemed necessary to reduce the risk. Organizations manage those risks
in relation to their risk appetites. Hence, an organization should develop risk-based internal audit plans
to accommodate its risk appetite.

A.Incorrect. Risk profiles show all the significant (material) risks and key risks that an organization is
exposed to. Risk ownership is derived from risk profiles. Risk profiles are not related to risk-based
audit plans.
B.Incorrect. Risk registers are risk logs that document all risks below an organization's strategic level
(i.e., operational and functional level risks). Risk registers show a complete inventory of all types of
risks and are not related to risk-based audit plans.
D.Incorrect. Risk maturity deals with whether an organization's risk management framework is complete
or incomplete, effective or ineffective, and old or new. It also asks whether the current maturity fits
the current business. Risk maturity is not related to risk-based audit plans.

37.Risk-based internal audit plans should focus on which of the following?

A.Business size risk


B.Business complexity risk
C.Business risk appetite
D.Business managers’ tolerance for risk

The Answer C is Correct


Business risk appetite reflects the total risks facing an organization and is equal to the risk universe,
which, in turn, is equal to the audit universe. Audit plans are developed from the audit universe.

A.Incorrect. Business size risk is a part of a business risk appetite.


B.Incorrect. Business complexity risk is a part of a business risk appetite.
D.Incorrect. Business managers’ tolerance for risk is a part of a business risk appetite.

38.Which of the following is the least important deciding factor when outside auditors plan to
rely on the work of internal auditors?

A.Budget for the internal audit department


B.Independence of the internal audit department
C.Objectivity of internal auditors
D.Competency of internal auditors

The Answer A is Correct


Generally speaking, budget is the most important financial factor in operating a business function,
operation, or department. But budget is the least important deciding factor here because it has nothing
to do with how external auditors evaluate the fitness of internal auditors' work.

B.Incorrect. Independence of the internal audit department is one of the most important deciding
factors.
C.Incorrect. Objectivity of internal auditors is one of the most important deciding factors.
D.Incorrect. Competency of internal auditors is one of the most important deciding factors.
39.Regarding consulting audit engagements, which of the following objectively results in “lessons
learned” insights?

A.Retrospective reviews
B.Prospective reviews
C.Hindsight reviews
D.Contemporary reviews

The Answer A is Correct


Lessons, whether good or bad, are learned by objectively reviewing past work products (reports),
approaches, and outcomes, such as fraud, bribes, cyberattacks, and data breaches. Retrospective
reviews, which are comprehensive, move from the present to the past.

B.Incorrect. Prospective reviews are look-forward and before-the-fact reviews focusing on the future.
These limited reviews move from the present to the future.
C.Incorrect. Hindsight reviews are look-afterward, what-went-wrong reviews of the past that are
subjective because they rely, in part, on individuals' memory, gut feeling, and second-guessing. These
narrow reviews move from the present to the past.
D.Incorrect. Contemporary reviews are look-now and what-can-go-wrong reviews focusing on the
present. These customized reviews move from the past to the present.

40.Regarding related-party transactions, which of the following is a major concern for internal
auditors and external auditors?

A.Lack of arm's-length transactions


B.Insufficient disclosures of transactions
C.Unclear executive compensation arrangements
D.Unaccounted transactions with shareholders

The Answer B is Correct


Insufficient disclosures of transactions are a major concern of related-party transactions due to their
conflicting motives and opposing objectives.

A.Incorrect. This is not a major concern.


C.Incorrect. This is not a major concern.
D.Incorrect. This is not a major concern.

41.Which of the following is the first step to take after the board and senior management of a
publicly held corporation decide to outsource its internal audit function?

A.Review the charter and bylaws of the outsourced provider.


B.Perform a due diligence review on the outsourced provider.
C.Review professionalism of the outsourced provider's staff members.
D.Conduct a thorough background check of the outsourced provider.

The Answer B is Correct


Performing a due diligence review on the outsourced provider should be the first step to take because
this review indicates whether the outsourced provider has what it takes to operate the internal audit
function. This review is a professional fitness test.

A.Incorrect. Reviewing the charter and bylaws of the outsourced provider could be done after a due
diligence review.
C.Incorrect. Reviewing professionalism of the outsourced provider's staff members could be part of the
due diligence review.
D.Incorrect. Conducting a thorough background check of the outsourced provider could be the last step
to take before hiring or engaging the outsourced provider.

42.Which of the following is the major common concern to internal auditors and external
auditors?
A.Governance
B.Risk management
C.Internal controls
D.Compliance with regulations

The Answer C is Correct


Internal auditors and external auditors have a major common concern in the area of internal controls.
Internal auditors review internal controls as part of their operational audits; external auditors review
internal controls as part of their financial audit, which is a part of the attestation audit.

A.Incorrect. Internal auditors review the governance area as part of their internal audit plan, but
external auditors review the governance area only as requested by their clients. In other words,
reviewing governance is not a part of the routine attestation audit of external auditors.
B.Incorrect. Internal auditors review the risk management area as part of their internal audit plan, but
external auditors review the risk management area only as requested by their clients. In other words,
reviewing risk management is not a part of the routine attestation audit of external auditors.
D.Incorrect. Internal auditors and regulatory auditors examine compliance with regulations. Review of
compliance with regulations is not a part of external auditors’ routine attestation audit, but they could
review the area based on client requests.

43.Which one of the following items drives the other three items when conducting
value-for-money (VFM) audits?

A.Expertise
B.Economy
C.Efficiency
D.Effectiveness

The Answer A is Correct


Expertise drives the other three items of economy, efficiency, and effectiveness, which are the four
pillars of a VFM audit. Here, expertise refers to the combined knowledge, skills, and abilities that
auditors possess in conducting the VFM audits.

B.Incorrect. Economy refers to the use of resources in a cost-effective manner. Economy is driven by
expertise.
C.Incorrect. Efficiency refers to the use of resources in a productive manner. Efficiency is driven by
expertise.
D.Incorrect. Effectiveness refers to the use of resources to achieve the intended objectives.
Effectiveness is driven by expertise.

44.Regarding mobile security, encryption can be used to protect which of the following to prevent
data loss?
I. Data at rest
II. Data in motion
III. Data in processing
IV. Data in use

A.I and II
B.II and III
C.I and IV
D.III and IV

The Answer A is Correct


Encryption provides confidentiality for sensitive information (and integrity as well when an
authenticated encryption mode or a separate message authentication code is used) and can be used to
protect data at rest and data in motion (i.e., data in transit). "Data at rest" means data are temporarily or
permanently stored on internal storage devices and external storage devices (e.g., cloud storage) and/or
in volatile or nonvolatile memory. Data must be decrypted before a program or a person can act on it,
which is why conventional encryption does not protect data in processing or data in use; those states
rely on other controls, such as access control and memory protection.
B.Incorrect. Encryption can be applied to data in motion, not to data in processing. “Data in
processing” means that data are being acted on by an automated process, such as a program or
command.
C.Incorrect. Encryption can be applied to data at rest, not to data in use. “Data in use” means data are
actively being updated, modified, or used by end users.
D.Incorrect. Encryption cannot be applied to data in processing or data in use. “Data in processing”
means that data are being acted on by an automated process, such as a program or command. “Data in
use” means data are actively being updated, modified, or used by end users.

45.Which of the following statements is true about audit assurance?

A.It is the same as quality assurance.


B.It is the inverse of audit risk.
C.It is the same as statistical assurance.
D.It is the complement of control risk.

The Answer B is Correct


The audit assurance level is the inverse of audit risk, where the latter is based on an auditor's judgment.
For example, if allowable audit risk is 5%, then the audit assurance level is 95% (i.e., 100% – 5%).
Note that the assurance level is not the same as a confidence level, which relates to an individual sample.

A.Incorrect. Quality assurance in manufacturing deals with establishing quality plans, objectives, and
outcomes.
C.Incorrect. Statistical assurance deals with mathematics, probabilities, mean (average), mode, median,
and variances.
D.Incorrect. This choice is not relevant to audit assurance.

46.The IIA Standard 2050, Coordination, refers to which of the following to provide assurance as
a first line of defense over risks and controls?

A.Internal auditors
B.Senior managers
C.Risk managers
D.Operations managers

The Answer D is Correct


Operations managers and their employees provide a first line of defense because they are close to the
action at frontline operations, a form of line function.

A.Incorrect. Internal auditors provide the third line of defense and perform a review and evaluation
function.
B.Incorrect. Senior managers provide the second line of defense and perform an oversight function.
C.Incorrect. Risk managers provide the second line of defense and perform a staff function.

47.Which of the following provides a safety valve to management when planning to acquire,
merge, and consolidate with other businesses?

A.Due diligence reviews


B.Security audits
C.Contract audits
D.Quality audits

The Answer A is Correct


The purpose of due diligence reviews is to provide a safety valve to management that is planning to
acquire, merge, or consolidate its business with other businesses. These reviews provide comfort levels
or assurance levels indicating that everything is done properly.

B.Incorrect. Security audits do not provide a safety valve.


C.Incorrect. Contract audits do not provide a safety valve.
D.Incorrect. Quality audits do not provide a safety valve.
48.Engagement results from which of the following engagements are fed into the other three
types of engagements?

A.Operational engagement
B.Compliance engagement
C.Consulting engagement
D.Financial engagement

The Answer C is Correct


Consulting engagements are advisory in nature and provide great insights to clients. Because of the
broad scope of work, consulting auditors can bring their work observations and results to share with
other auditors, such as assurance, compliance, financial, performance, and IT auditors, and others.

A.Incorrect. The scope of operational engagement is narrow and specific, and its results could not be
fed into other types of audit engagements.
B.Incorrect. The scope of compliance engagement is narrow and specific, and its results could not be
fed into other types of audit engagements.
D.Incorrect. The scope of financial engagement is narrow and specific, and its results could not be fed
into other types of audit engagements.

49.Which of the following statements is not true about bitcoins?

A.Bitcoins use a distributed ledger.


B.Bitcoins use a centralized ledger.
C.Bitcoins use a decentralized ledger.
D.Bitcoins use a community ledger.

The Answer B is Correct


A ledger is a chronological listing of all business transactions in one place to provide a clear and
complete picture of all transactions. Bitcoins do not use a centralized ledger.

A.Incorrect. Bitcoins do use a distributed ledger.


C.Incorrect. Bitcoins do use a decentralized ledger.
D.Incorrect. Bitcoins do use a community ledger.

50.During consulting engagements, internal auditors should focus on which of the following?

A.Evidence chain
B.Value chain
C.Critical chain
D.Incident chain

The Answer B is Correct


A value chain can either create or destroy value. It is a series of business processes or steps that follow
each other in succession to form a solid chain that is unbroken and long lasting.

A.Incorrect. An evidence chain is used in legal cases and forensic analysis.


C.Incorrect. A critical chain is used in project management and in manufacturing.
D.Incorrect. An incident chain is used to link or track an attacker's bad behavior.

51.Economy, as it relates to organizations, is closely related to which of the following?

A.Performance
B.Efficiency
C.Effectiveness
D.Economics

The Answer B is Correct


Economy deals with the use of resources in a cost-effective manner, using a cost-benefit analysis.
Efficiency deals with producing more goods (outputs) with less resources in a productive manner. Both
economy and efficiency deal with increased quantity of goods produced using fewer resources. The
same concept applies to services.

A.Incorrect. Performance is achieving the expected or targeted goals and objectives effectively and
efficiently.
C.Incorrect. Effectiveness refers to the use of resources to achieve the intended objectives.
D.Incorrect. Economics deals with the allocation and utilization of scarce resources (e.g., men, money,
materials, and machinery; 4Ms) to produce goods and provide services.

52.Which of the following statements are true about bitcoin transactions?


I. Transactions cannot be changed.
II. Transactions cannot be deleted.
III. Transactions cannot be updated.
IV. Transactions cannot be trusted.

A.II only
B.I, II, and IV
C.IV only
D.I, II, III, and IV

The Answer B is Correct


Bitcoin transactions cannot be changed, deleted, or updated once they have been confirmed in the
blockchain; they can only be created and read. Moreover, bitcoin transactions cannot be taken on trust
from whoever submits them, because the system is permission-less (anyone can submit a transaction);
a transaction is accepted only after the network has validated and confirmed it.

A.Incorrect. It is partially true.


C.Incorrect. It is partially true.
D.Incorrect. It is partially true.

53.Which of the following items should be analyzed and focused on first?

A.Vulnerabilities
B.Threats
C.Risks
D.Controls

The Answer A is Correct


Vulnerabilities are analyzed first because the analysis runs Vulnerabilities → Threats → Risks →
Controls: a threat matters only where a vulnerability exists for it to exploit, a risk is the likelihood and
impact of a threat exploiting a vulnerability, and controls are selected last to treat the risk.

B.Incorrect. Threats are analyzed after vulnerabilities (Vulnerabilities → Threats → Risks → Controls).
C.Incorrect. Risks are analyzed after vulnerabilities and threats (Vulnerabilities → Threats → Risks →
Controls).
D.Incorrect. Controls are selected last (Vulnerabilities → Threats → Risks → Controls).

54.Which of the following are the common variants of ransomware attacks?


I. Bots and botnets
II. Spam emails
III. Drive-by downloads
IV. Malvertizing

A.I only
B.I and II
C.I, II, and IV
D.I, II, III, and IV

The Answer D is Correct


Bots and botnets, spam emails, drive-by downloads, and malvertising are the common ways ransomware
is delivered. Bots and botnets can spread ransomware through computer networks at a faster rate than
the other methods. Ransomware can infect a computer when a user clicks a link or opens an attachment
in a spam email. A drive-by download is the transfer of malicious software to a victim's computer
without any action by the victim beyond visiting a compromised or malicious web page. Malvertising is
the use of malicious advertisements placed on legitimate websites to deliver malware without any
further action from the user.
A.Incorrect. This is a partial answer. Bots and botnets are only one of the four common delivery
methods.
B.Incorrect. This is a partial answer. Drive-by downloads and malvertising are also common delivery
methods.
C.Incorrect. This is a partial answer. Drive-by downloads are also a common delivery method.

55. The U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-Oxley Act
(SOX) did not recommend which of the following to become the financial expert representing the
audit committee of a publicly held corporation?

A.Internal auditor
B.External auditor
C.Principal financial officer
D.Principal accounting officer

The Answer A is Correct


Both the SEC and SOX do not recommend that the internal auditor be the financial expert sitting on the
audit committee.

B.Incorrect. Both the SEC and SOX do recommend that the external auditor be the financial expert
sitting on the audit committee.
C.Incorrect. Both the SEC and SOX do recommend that the principal financial officer be the financial
expert sitting on the audit committee.
D.Incorrect. Both the SEC and SOX do recommend that the principal accounting officer be the
financial expert sitting on the audit committee.

56.According to the U.S. Securities and Exchange Commission (SEC) and the U.S.
Sarbanes-Oxley Act (SOX), what is the proper term for when a chief executive officer (CEO) and
chief financial officer (CFO) need to give up their bonuses and incentives based on financial
results that later had to be restated or proved to be fraudulent?

A.Pushback provision
B.Clawback provision
C.Pullback provision
D.Rollback provision

The Answer B is Correct


The clawback provision requires that the CEO and CFO of a corporation give up bonuses and
incentives received based on financial results of their company that later had to be restated or were
found to be fraudulent. There is a bad intent on the part of the company management.

A.Incorrect. There is no bad intent with the pushback provision. For example, some governmental
policies and laws can be pushed back if citizens protest them.
C.Incorrect. There is no bad intent with the pullback provision. For example, retailers can pull back
some merchandise from their store shelves if they are deemed to be unsafe.
D.Incorrect. There is no bad intent with the rollback provision. For example, retailers can roll back
prices on their merchandise, or some laws can be rolled back if citizens protest them.

57.According to the U.S. Securities and Exchange Commission (SEC) and the U.S.
Sarbanes-Oxley Act (SOX), what is the term used when a company misrepresents the dates on
which stock options were granted to executives and employees?

A.End-of-year dating
B.Backdating
C.End-of-month dating
D.End-of-quarter dating
The Answer B is Correct
Backdating is a management fraud, resulting in an artificially low exercise price for stock options
granted to executives and employees that could lead to financial restatements. Backdating represents a
bad intent of unnecessarily favoring executives and employees in reducing their tax burden by
manipulating the stock options issue date. Both the SEC and SOX enforcers have ended the backdating
of stock options.

A.Incorrect. There is no bad intent with end-of-year dating.


C.Incorrect. There is no bad intent with end-of-month dating.
D.Incorrect. There is no bad intent with end-of-quarter dating.

58.Bitcoins deploy which of the following technologies?


I. Investment chain
II. Blockchain
III. Incident chain
IV. Hash chain

A.I and II
B.II only
C.II and IV
D.I and III

The Answer C is Correct


Both blockchain and hash chain technologies support the bitcoin currency: each block carries the hash
of the block before it, so the blocks form a hash chain.

A.Incorrect. This is partially true about the blockchain technology supporting the bitcoin currency. The
investment chain is not relevant.
B.Incorrect. This is partially true about the blockchain technology supporting the bitcoin currency. The
investment chain is not relevant.
D.Incorrect. Both the investment chain and incident chain are unrelated to the blockchain technology
supporting the bitcoin currency.

59.Hackers accept which of the following payment methods from victims for their ransomware
attacks?
I. Bitcoins
II. Credit cards
III. Green dot cards
IV. Debit cards

A.I only
B.I or III
C.I, II, or IV
D.I, II, III, and IV

The Answer B is Correct


Hackers accept either bitcoins or Green Dot cards as payment for ransomware attacks because both are
hard to trace. Green Dot cards are prepaid cash cards.

A.Incorrect. This is a partial answer.


C.Incorrect. This is a partial answer. Both credit cards and debit cards show a clear trace of the payee,
payor, and bank involved in the payment, which is not good for hackers.
D.Incorrect. This is a partial answer. Both credit cards and debit cards show a clear trace of the payee,
the payor, and the bank involved in the payment, which is not good for hackers.

60.Some basic privacy rules require that web service providers and social media platform
providers give which of the following choices to users?

A.Sign-in and sign-out


B.Check-in and check-out
C.Opt-in and opt-out
D.Log-in and log-out

The Answer C is Correct


Opt-in and opt-out choices help protect users’ privacy rights.

A.Incorrect. Sign-in and sign-out choices are not relevant to privacy rules.
B.Incorrect. Check-in and check-out choices are not relevant to privacy rules.
D.Incorrect. Log-in and log-out choices are not relevant to privacy rules.

61.The cybersecurity framework should act as a:

A.First line of defense.


B.Second line of defense.
C.Third line of defense.
D.Last line of defense.

The Answer A is Correct


The cybersecurity framework should act as the first line of defense for all organizations, whether in the
public sector or the private sector, to protect against cyberthreats and cyberattacks.

B.Incorrect. Acting as the second line of defense is too late.
C.Incorrect. Acting as the third line of defense is too late.
D.Incorrect. Acting as the last line of defense is too late.

62.System resilience plans are developed and implemented in which of the following
cybersecurity framework functions?

A.Protect
B.Detect
C.Recover
D.Respond

The Answer C is Correct


During the recover function, system resilience plans are developed and implemented, and any
capabilities or services that were impaired due to a cybersecurity event are restored.

A.Incorrect. “Protect” means developing and implementing the appropriate safeguards (controls) to
ensure delivery of critical infrastructure services.
B.Incorrect. “Detect” means developing and implementing the appropriate activities to identify the
occurrence of a cybersecurity event.
D.Incorrect. “Respond” means developing and implementing the appropriate activities to take action
regarding a detected cybersecurity event.

63.During an audit, an internal auditor observed that an employee in the audit client department
is watching online sports on his desktop computer during working hours. Which of the following
policies should the auditor refer to determine whether the employee's actions are acceptable?

A.Acceptable use policies


B.Business-only internet use policies
C.Software restriction policies
D.Mobile device use policies

The Answer B is Correct


Business-only internet use policies deal with whether employees can access outside, nonbusiness
websites during their work hours. Examples of this type of access include: checking baseball scores at
lunchtime, accessing a dating website, making online gambling bets, playing online games, and
checking stock market prices. Here, the employee is accessing the internet to watch online sports using
his desktop computer.
A.Incorrect. Acceptable use policies require that a system user, an end user, or an administrator (e.g., a
system, security, or network administrator) agree to comply with them prior to accessing computer
systems, internal networks, and external networks (the internet). These policies also discuss how guest
accounts, temporary accounts, terminated accounts, and privileged accounts are treated and maintained.
Acceptable use is based on authorized access; it is the business-only internet use policy that specifically
addresses nonbusiness browsing.
C.Incorrect. Software restriction policies should state which employees are allowed to bring their own
software from home for use at work and under what circumstances. The types of restricted software can
include games, entertainment (movies), sports, investment, open-source, and other non-business-related
software. Software policies should also state whether the company's official computer programs can be
run from temporary folders used by popular internet browsers, compression and decompression
programs, or app folders. It is very risky to run computer programs from temporary folders because of
poor code quality and the possibility of malware.
D.Incorrect. Mobile device use policies include turning off Bluetooth and Wi-Fi connections when they
are not needed, reducing the threat surface to which a mobile device is exposed. These policies should
also state that nonessential functions are deactivated until requested by users, to reduce the security
exposure. Here, the employee is using his desktop computer, not a mobile device.

64.Which of the following is the key characteristic of bitcoins?

A.Data immutability
B.Data mining
C.Data wrangling
D.Data masking

The Answer A is Correct


Data immutability means data cannot be changed or modified once written. In bitcoin and blockchain
technology, data can only be appended (written once) and read; this is the key characteristic of bitcoins.

B.Incorrect. Data mining is data analysis to bring out hidden data patterns and data relationships for
application to business functions. For example, data mining can be used to study what products and
services are sold to customers in what demographic areas, including customer buying habits and
preferences.
C.Incorrect. Data wrangling software is used to convert unstructured data (i.e., irregular or diverse data
with no apparent value) into structured data that has some real value.
D.Incorrect. Data masking is making sure that sensitive data is not available to unauthorized
individuals to read and use. Data could be encrypted first to make it unreadable for some and later
could be made decrypted for others to read.
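As an added example that is not part of the original text, the Python code below builds a small hash chain of blocks with the standard library, verifies it, and then shows how editing one confirmed block's transactions is detected: the stored hash no longer matches the recomputed one, and every later block's previous-hash link breaks with it. It illustrates both the hash-chain question (58) and the data-immutability question (64). It is a deliberate simplification: real Bitcoin block headers also commit to a Merkle root of the transactions, a timestamp, a difficulty target and a nonce, and the sample transactions are constructed for this example.

```python
import hashlib
import json
from typing import List, Optional, Tuple


def block_hash(index: int, prev_hash: str, transactions: list) -> str:
    """SHA-256 over a canonical JSON encoding of the block's contents.
    Committing to prev_hash is what links independent blocks into a hash chain."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "tx": transactions},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def make_chain(tx_batches: List[list]) -> List[dict]:
    """Append-only construction: each new block commits to the hash of its predecessor."""
    chain: List[dict] = []
    prev = "0" * 64                      # the genesis block points at an all-zero hash
    for index, txs in enumerate(tx_batches):
        h = block_hash(index, prev, txs)
        chain.append({"index": index, "prev_hash": prev, "tx": txs, "hash": h})
        prev = h
    return chain


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every block's hash matches its contents and its
    prev_hash matches the block before it; otherwise (False, index of first bad block)."""
    expected_prev = "0" * 64
    for block in chain:
        recomputed = block_hash(block["index"], block["prev_hash"], block["tx"])
        if block["prev_hash"] != expected_prev or block["hash"] != recomputed:
            return False, block["index"]
        expected_prev = block["hash"]
    return True, None


def tamper(chain: List[dict], index: int, new_txs: list) -> List[dict]:
    """Model an attacker who edits a confirmed block's transactions in place
    without rebuilding every later block (the original chain is left untouched)."""
    edited = [dict(b) for b in chain]
    edited[index] = dict(edited[index], tx=new_txs)
    return edited


# Constructed sample ledger (illustrative transactions, not real Bitcoin data)
SAMPLE_BATCHES = [
    [{"from": "coinbase", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 20}],
    [{"from": "bob", "to": "carol", "amount": 5}],
]

if __name__ == "__main__":
    ledger = make_chain(SAMPLE_BATCHES)
    print("original ledger valid :", verify_chain(ledger))   # (True, None)
    forged = tamper(ledger, 1, [{"from": "alice", "to": "mallory", "amount": 20}])
    print("after editing block 1 :", verify_chain(forged))   # (False, 1)
```

Recomputing the edited block's own hash does not help the attacker: the next block still carries the old hash in its prev_hash field, so verification simply fails one block later. Rewriting history means rebuilding every subsequent block, which in Bitcoin also means redoing their proof of work.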

65.When protecting customer information from identity theft, which of the following is highly
secure when customers are using their charge cards?

A.Card and signature


B.Card and PIN
C.Card with chip and PIN
D.Card with chip and no PIN

The Answer C is Correct


This is highly secure due to using the chip and PIN, representing a two-factor authentication process.
Here, the card with a chip is one factor and the PIN is the second factor.

A.Incorrect. This is the least secure option because it uses neither a chip nor a PIN; a signature is easily
forged and rarely checked.

B.Incorrect. This is less secure because there is no chip; a magnetic stripe can be skimmed and cloned.
D.Incorrect. This is not highly secure because no PIN is used; possession of the card alone is enough.

66.Which of the following can result from Bluetooth wireless technology?

A.Session hijack attack


B.Man-in-the-middle attack
C.Signal interception attack
D.Signal injection attack
The Answer A is Correct
A session hijack attack can result from using Bluetooth wireless technology because of a vulnerability
in its key negotiation during session (link) setup: an attacker within radio range can interfere with the
negotiation of the link encryption key and then intercept or take over the session.

B.Incorrect. A man-in-the-middle attack is the attack commonly associated with Wi-Fi wireless
network communication. It is an attack on the authentication protocol run in which the attacker
positions him- or herself between the claimant and verifier to intercept and alter data traveling between
them.
C.Incorrect. A signal interception attack can result from using a contactless credit card or debit card,
where an attacker with a signal analyzer captures the card's radio transmission.
D.Incorrect. A signal injection attack can result from using a contactless credit card or debit card,
where an attacker with a signal analyzer injects signals into the card's transmission.

67.Which of the following are the most popular methods of identity theft using charge cards?
I. Card skimming
II. Card tampering
III. Card jamming
IV. Card cloning

A.I and II
B.II and III
C.I and IV
D.II and IV

The Answer C is Correct


Card skimming and card cloning are the two most popular methods of identity theft. Card skimming
involves placing skimming devices to steal credit card numbers and personal identification information
(e.g., placing skimming devices on gas pumps at gas stations). Card cloning involves the purchase of
stolen credit card numbers belonging to victims, which are then used to fabricate cloned credit cards.

A.Incorrect. Card skimming is a popular method of identity theft, but card tampering is not.
B.Incorrect. Neither card tampering nor card jamming is a popular method of identity theft because both
are difficult to accomplish.
D.Incorrect. Card tampering is not a popular method of identity theft, but card cloning is.

68.Which of the following are risky situations facing organizations?


I. False antispyware tools
II. Autonomous spyware
III. Advanced persistent threats
IV. Bots and botnets

A.I and II
B.III only
C.IV only
D.I, II, III, and IV

The Answer D is Correct


All four items are risky situations for organizations. Some internet websites advertise themselves as
spyware detection or removal tools when in fact they themselves are spyware tools. These false tools
are deliberately sold as antispyware tools.
Autonomous spyware injects itself into other processes running on a computer system when a user logs
in. Examples of autonomous spyware include keyloggers, bots, email and web monitoring tools, and
packet sniffers.
In advanced persistent threats (APTs), a hacker employs stealth and multiple attack methods over an
extended period of time to conduct sabotage and/or espionage activities against a target computer
system or organization (e.g., a government agency, military facility, high-tech manufacturing company,
or utility company). APTs last longer than other threats, with repeated and layered attempts; they dig
deeper and operate in aggressive and escalating modes, all resulting in bigger damages to victim
organizations.
Computers infected with bots (zombies) and organized into botnets can be used to distribute spam
(which often carries malware) in a way that makes it harder to track and prosecute spammers. Bots can
also conduct distributed denial of service (DDoS) attacks that exhaust computing resources.

A.Incorrect. This is a partial answer.


B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

69.Which of the following is used to identify healthcare providers who bill for more services in a
single day than the number of services that most similar providers bill in a single day?

A.Rules-based techniques
B.Anomaly-based techniques
C.Network-based techniques
D.Predictive-based techniques

The Answer B is Correct


Anomaly-based techniques are ways of comparing definitions of what activity is considered normal
against observed activity to identify significant deviations. Simply stated, anomaly-based techniques
compare normal activity against abnormal activity and against peers.

A.Incorrect. Rules-based techniques filter claims data that an individual submitted for an unreasonable
number of services.
C.Incorrect. Network-based techniques discover knowledge with associated link analysis. For example,
these techniques can link bad actors involved in fraud to their addresses and phone numbers.
D.Incorrect. Predictive-based techniques use historical data to identify patterns associated with fraud.
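The peer comparison that the explanation describes can be made concrete. The following is an added example and is not part of the Wiley text: it builds a constructed set of claim rows (the provider IDs, dates, and counts are invented), then runs a rules-based filter with a fixed daily cap beside an anomaly-based test that scores each provider-day against what peers bill on a typical day using a robust (median/MAD) z-score. The hard cap of 30 services and the 3.5 threshold are assumptions made for the illustration.

```python
"""Rules-based vs. anomaly-based screening of provider billing volumes.

Added example, not from the Wiley text. Providers, dates, counts, the hard
cap and the anomaly threshold below are all constructed for illustration.
"""
from collections import Counter
from statistics import median

# Constructed fixture: services billed per provider on each of three days.
_DAYS = ("2024-03-04", "2024-03-05", "2024-03-06")
_PER_PROVIDER = {
    "P1": (9, 10, 11), "P2": (8, 9, 10), "P3": (10, 12, 11), "P4": (9, 9, 10),
    "P5": (12, 11, 10), "P6": (10, 10, 9),
    "P7": (11, 26, 10),   # one heavy day, still under the hard cap
    "P9": (10, 11, 40),   # one implausible day
}
# One row per billed service: the shape in which claims data arrives.
CLAIMS = [(prov, day)
          for prov, counts in _PER_PROVIDER.items()
          for day, n in zip(_DAYS, counts)
          for _ in range(n)]

HARD_CAP = 30          # assumed rule: more than 30 services/day is implausible
Z_THRESHOLD = 3.5      # Iglewicz-Hoaglin cut-off for modified z-scores


def services_per_day(claims):
    """Aggregate claim rows into {(provider, date): number of services}."""
    return Counter(claims)


def rules_based(claims, cap=HARD_CAP):
    """Rules-based technique: flag provider-days above a fixed cap."""
    return sorted(key for key, n in services_per_day(claims).items() if n > cap)


def modified_z_scores(counts):
    """Robust z-score per provider-day: 0.6745 * (x - median) / MAD.

    The median and the median absolute deviation are used instead of the
    mean and standard deviation so that the outliers being hunted do not
    inflate the baseline they are measured against.
    """
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # More than half the peers are identical; fall back to the mean
        # absolute deviation with its consistency constant.
        mean_ad = sum(abs(v - med) for v in values) / len(values)
        if mean_ad == 0:
            return {key: 0.0 for key in counts}
        return {key: (v - med) / (1.253314 * mean_ad) for key, v in counts.items()}
    return {key: 0.6745 * (v - med) / mad for key, v in counts.items()}


def anomaly_based(claims, threshold=Z_THRESHOLD):
    """Anomaly-based technique: flag provider-days far above peers' normal day."""
    scores = modified_z_scores(services_per_day(claims))
    return sorted(key for key, z in scores.items() if z > threshold)


if __name__ == "__main__":
    print("rule hits   :", rules_based(CLAIMS))
    print("anomaly hits:", anomaly_based(CLAIMS))
```

Running the block shows the difference between the two techniques: the fixed rule catches only the 40-service day, while the peer-relative test also surfaces the 26-service day that sits under the cap but far outside what similar providers bill. The median/MAD scale is used rather than mean/standard deviation because the outliers being hunted would otherwise inflate the baseline and hide themselves.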

70.Which of the following shows future events and outcomes?

A.Traditional data analytics


B.Streaming data analytics
C.Embedded data analytics
D.Social media data analytics

The Answer C is Correct


Embedded data analytics show future events and outcomes.

A.Incorrect. Traditional data analytics show past events and outcomes.


B.Incorrect. Streaming data analytics show current events and outcomes.
D.Incorrect. Social media data analytics show past events and outcomes.

71.Which of the following uses web-call-center notes and web-chat notes to detect fraud?

A.Text-based data analytics


B.Open source data analytics
C.Visual data analytics
D.Streaming data analytics

The Answer A is Correct


Since web-call-center notes and web-chat notes are written in words, text-based data analytics are
useful to identify fraud. This analytic is based on matching keywords.

B.Incorrect. Open source data analytics could use a combination of graphs, tables, figures, and words.
C.Incorrect. Visual data analytics mainly uses graphs, tables, and figures, not so much words.
D.Incorrect. Streaming data analytics are performed in real time and in memory where they collect data
from electronic sensors to produce time-series data.

72.When data dashboards are built into business-oriented application systems, this situation is
called:
A.Fraud data analytics.
B.Streaming data analytics.
C.Web-based data analytics.
D.Embedded data analytics.

The Answer D is Correct


This is the definition of embedded data analytics.

A.Incorrect. This is not the definition of fraud data analytics.


B.Incorrect. This is not the definition of streaming data analytics.
C.Incorrect. This is not the definition of web-based data analytics.

73.The metric click-to-conversion time can be measured with which of the following?

A.Behavioral analytics
B.Location analytics
C.Advanced analytics
D.Content analytics

The Answer A is Correct


Behavioral analytics show how people behave in doing certain things. For example, these analytics can
show how many different clicks and navigation paths have taken place before a customer purchases a
product or service from a retailer's website. This can be measured as click-to-conversion time.

B.Incorrect. Location analytics show tracking of people, machines, places, and inventory.
C.Incorrect. Advanced analytics cannot measure click-to-conversion time because they indicate what
could happen as in statistical modeling or data mining.
D.Incorrect. Content analytics are used in content analysis of text in words. Content analysis is a set of
procedures for transforming unstructured written material into a format for analysis and is also used for
making numerical comparisons among and within documents. It is a means of extracting insights from
already existing data sources. Its potential applications include identifying goals, describing activities,
and determining results.

74.Regarding big data, data ownership and data usage policies are addressed in which of the
following?

A.Data reliability standards


B.Data governance standards
C.Data quality standards
D.Information quality standards

The Answer B is Correct


Data governance standards deal with oversight-related data issues, such as data ownership, data
stewardship, data custodian, data usage policies, and data access rules.

A.Incorrect. Data reliability standards ensure that data is reasonably complete, accurate, consistent, and
valid.
C.Incorrect. Data quality standards ensure that data is relevant, accurate, credible, and timely.
D.Incorrect. Information quality standards ensure that data is objective and has utility and integrity
attributes.

75.Airline companies use which of the following most to determine airline ticket prices for
passengers?

A.Customer analytics
B.Prescriptive analytics
C.Behavioral analytics
D.Statistical analytics
The Answer B is Correct
Airline companies use prescriptive analytics most to determine airline ticket prices because these
analytics indicate or help decide what should happen in the future. Airline companies may use a
combination of prescriptive analytics, customer analytics, behavioral analytics, statistical analytics, and
other analytics.

A.Incorrect. Customer analytics show customer online shopping behavior.


C.Incorrect. Behavioral analytics show the behavior of people when they use electronic commerce sites,
social media platforms, and online games.
D.Incorrect. Statistical analytics is used in time-series and regression models to forecast sales and
inventory.

76.When big data is turned into new insights, it refers to which of the following characteristic of
big data?

A.Volume
B.Variety
C.Value
D.Velocity

The Answer C is Correct


Value means organizations can benefit from the use of big data where the benefits are derived from the
insights provided by that data.

A.Incorrect. Volume is the amount of data being created that is big compared to traditional data sources.
Volume has nothing to do with value.
B.Incorrect. Variety of data comes from all types of data formats, both internally and externally.
Variety has nothing to do with value.
D.Incorrect. Velocity means data is being generated extremely quickly and continuously with greater
speed. Velocity has nothing to do with value.

77.Which of the following characteristics of big data is the main technical driver of investment in
big data?

A.Volume
B.Velocity
C.Veracity
D.Variety

The Answer D is Correct


Variety is the main technical driver of investment in big data because more variety means more
insights, more decisions, and more opportunities. Variety of data comes from all types of data formats,
both internally and externally.

A.Incorrect. Volume is the amount of data being created that is big compared to traditional data sources.
Volume has nothing to do with the investment.
B.Incorrect. Velocity means data is being generated extremely quickly and continuously with greater
speed. Velocity has nothing to do with the investment.
C.Incorrect. Veracity means data must be able to be verified based on both accuracy and context.
Veracity has nothing to do with the investment.

78.Which of the following characteristics of big data are the main business drivers of investment
in big data?

A.Volume and variety
B.Value and velocity
C.Velocity and veracity
D.Variety and variability

The Answer B is Correct


Value and velocity are the main business drivers of investment in big data because they provide better
insights at greater speeds.

A.Incorrect. Volume and variety are not the main business drivers of investment in big data because
they do not provide insights and speed.
C.Incorrect. Velocity and veracity are not the main business drivers of investment in big data because
they do not provide insights and speed.
D.Incorrect. Variety and variability are not the main business drivers of investment in big data because
they do not provide insights and speed.

79.Which of the following is an example of unstructured data?

A.Data in disconnected computer systems


B.Data in data warehouses
C.Data in databases
D.Web pages on the internet

The Answer A is Correct


Data in disconnected computer systems is unstructured due to multiple and dissimilar systems
collecting data with different formats and with different structures.

B.Incorrect. Data in data warehouses is structured.


C.Incorrect. Data in databases is structured.
D.Incorrect. Web pages on the internet are semistructured.

80.Which of the following thrives on big data?

A.Prescriptive analytics
B.Descriptive analytics
C.Predictive analytics
D.Advanced predictive analytics

The Answer A is Correct


Prescriptive analytics thrive on big data because they indicate or help decide what should happen in the
future.

B.Incorrect. Descriptive analytics do not thrive on big data because they indicate what happened in the
past.
C.Incorrect. Predictive analytics do not thrive on big data because they indicate what could happen in
the future.
D.Incorrect. Advanced predictive analytics do not thrive on big data because they indicate what could
happen, as in statistical modeling or data mining.

81.Credit bureaus use which of the following to develop credit scores for individuals?

A.Behavioral analytics
B.Customer analytics
C.Big data analytics
D.Predictive analytics

The Answer D is Correct


Credit bureaus use predictive analytics to develop credit scores for individuals. Predictive analytics
collect several data items, such as income, credit history, outstanding loan balances, payment history,
and account activity, to predict whether someone has the financial ability to pay current and future
debts.

A.Incorrect. Behavioral analytics focus on customers’ online purchase behavior. They are not relevant
in developing credit scores.
B.Incorrect. Customer analytics focus on online shopping and online search behavior. They are not
relevant in developing credit scores.
C.Incorrect. Big data analytics is too general and of no value in developing credit scores.

82.The ultimate goal of big data is which of the following?

A.Data collection and validation


B.Data insights
C.Data-driven decision making
D.Data-driven models

The Answer C is Correct


Data-driven decision making is the ultimate goal of big data. The aim of all efforts put into developing
data models and collecting and validating data is to obtain new insights, which, in turn, are turned into
decisions and actions.

A.Incorrect. Data collection and validation is not the ultimate goal; it is an intermediary goal of big
data.
B.Incorrect. Data insights is not the ultimate goal, it is an intermediary goal of big data.
D.Incorrect. Data-driven models are not the ultimate goal; they are an intermediary goal of big data.

83.Which of the following would not establish acceptable data use policies and access rules?

A.Data owners
B.Data users
C.Data stewards
D.Data custodians

The Answer B is Correct


Data users would not and should not establish acceptable data use policies and access rules because
those policies and rules are written to control users’ work behavior.

A.Incorrect. Data owners are responsible for safeguarding or securing data with security controls,
classifying data (i.e., sensitive or not sensitive), and defining and establishing data usage and access
rules (i.e., grant or deny).
C.Incorrect. Data stewards are responsible for managing a specific set of data resources. They define,
specify, establish, and standardize data assets of an organization within and across all functional areas
of business.
D.Incorrect. Data custodians are responsible for the technical environment in which data is stored,
transported, and processed (e.g., databases, backups, and access provisioning) and for implementing the
usage and access rules that owners and stewards define; they do not set those rules themselves.

84.Which of the following poses a major risk to organizations?

A.Challenge-response passwords
B.One-time passwords
C.Hard-coded passwords
D.Long and complex passwords

The Answer C is Correct


Hard-coded passwords are a major risk because they are embedded in program source code in plaintext,
where anyone who can read the code (or the binaries, container images, and version control history built
from it) can see them easily, and because they cannot be rotated without changing and redeploying the
code.

A.Incorrect. Challenge-response is an authentication procedure that requires calculating a correct
response to an unpredictable challenge exchanged between the verifier (the system or administrator) and
the claimant (the user), using a shared secret. When the shared secret is a password, an eavesdropper
does not directly intercept the password itself but may be able to recover it with an offline
password-guessing attack against a captured challenge and response. Challenge-response passwords pose
a minor risk.
B.Incorrect. With one-time passwords, the password is changed after each use. This method is useful
when the password is not adequately protected from compromise during login (e.g., the communication
line is suspected of being tapped). This poses a minor risk.
D.Incorrect. Long and complex passwords are usually, by definition, stronger and more secure than
short and simple passwords. Here “long” means lengthy in size, and “complex” means a combination
of uppercase and lowercase letters, numbers, and special characters. This poses a minor risk.
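The challenge-response mechanism and the offline guessing weakness described for choice A, as an added example that is not from the Wiley text. The key derivation, the password, and the word list are constructed; the exchange itself (a random challenge from the verifier, an HMAC response from the claimant) is the standard shape of a shared-secret challenge-response protocol.

```python
"""Shared-secret challenge-response and the offline guessing it permits.

Added example, not from the Wiley text. The key derivation, password and
word list are constructed; the message flow is the standard one.
"""
import hashlib
import hmac
import secrets


def shared_key(password):
    """Both sides derive the shared secret from the password.
    Constructed toy derivation; a real system would use a salted, slow KDF."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_challenge():
    """Verifier -> claimant: an unpredictable nonce."""
    return secrets.token_bytes(16)


def respond(password, challenge):
    """Claimant -> verifier: HMAC of the challenge under the shared key.
    The password itself is never sent."""
    return hmac.new(shared_key(password), challenge, hashlib.sha256).hexdigest()


def verify(password_on_file, challenge, response):
    """Verifier recomputes the expected response and compares in constant time."""
    expected = respond(password_on_file, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(password, challenge=None):
    """One protocol run. Returns exactly what an eavesdropper on the wire sees."""
    challenge = new_challenge() if challenge is None else challenge
    return challenge, respond(password, challenge)


def offline_guess(challenge, observed_response, wordlist):
    """Eavesdropper: replay the captured challenge against each candidate
    password locally; no further contact with the verifier is needed."""
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, challenge), observed_response):
            return guess
    return None


if __name__ == "__main__":
    ch, resp = run_exchange("hunter2")                        # legitimate login
    print("verifier accepts:", verify("hunter2", ch, resp))
    print("replay to new challenge:", verify("hunter2", new_challenge(), resp))
    print("offline guess:", offline_guess(ch, resp, ["letmein", "password", "hunter2"]))
```

The password never crosses the wire, and a captured response is useless against a fresh challenge, but anyone who recorded one challenge and its response can test guesses offline at full speed, which is why the explanation rates this a minor risk rather than no risk. Deriving the key with a slow, salted KDF raises the cost of each guess but does not remove the exposure.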

85.Use of cookies on websites raises which of the following issues?

A.Integrity issue
B.Privacy issue
C.Connectivity issue
D.Accountability issue

The Answer B is Correct


Cookies were invented to allow websites to remember their users from visit to visit. Since cookies can
collect personal information about web users, they raise privacy issues, such as what information is
collected and how it is used.

A.Incorrect. Cookies do not raise integrity issues. Here, “integrity” means that websites are carefully
and properly designed, tested, and implemented.
C.Incorrect. Cookies do not raise connectivity issues. Here, “connectivity” means websites connecting
to other websites through networks and devices.
D.Incorrect. Cookies do not raise accountability issues. Here, “accountability” means website owners
are responsible for posting their own content.

86.Most spyware detection and removal utility software specifically look for which of the
following?

A.Encrypted cookies
B.Session cookies
C.Persistent cookies
D.Tracking cookies

The Answer D is Correct


Information collected by tracking cookies is often sold to other parties and used to target
advertisements and other content at the user. Most spyware detection and removal utility software
specifically looks for tracking cookies on systems. A tracking cookie is placed on a user's computer by
a hacker or others to track the user's activity on different websites, creating a detailed profile of the
user's behavior.

A.Incorrect. Encrypted cookies protect the data from unauthorized access. Some websites create
encrypted cookies to protect data from unauthorized access.
B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session. A
session cookie is erased when the user closes the web browser and is stored in temporary memory.
C.Incorrect. Persistent cookies are stored on a computer's hard drive indefinitely so that a website can
identify the user during subsequent visits. These cookies are set with expiration dates and are valid
until the user deletes them.

87.If website owners want to protect data from unauthorized access, what should they do?

A.Create encrypted cookies.


B.Create session cookies.
C.Create persistent cookies.
D.Create tracking cookies.

The Answer A is Correct


A cookie is a small data file that holds information regarding the use of a particular website. Cookies
often store data in plaintext, which could allow an unauthorized party that accesses a cookie to use or
alter the data stored in it. Some websites create encrypted cookies, which protect the data from
unauthorized access during a user's web browsing session.
B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session.
They are stored in temporary memory and erased when the user closes the web browser.
C.Incorrect. Persistent cookies are stored on a computer's hard drive indefinitely so that a website can
identify the user during subsequent visits. These cookies can help websites serve their users more
effectively. These cookies are set with expiration dates and are valid until the user deletes them.
Unfortunately, persistent cookies also can be misused as spyware to track a user's web browsing
activities without the user's knowledge or consent.
D.Incorrect. Tracking cookies are placed on a user's computer by a hacker or others to track the user's
activity on different websites, creating a detailed profile of the user's behavior.

88.Which of the following can pose a high risk?

A.Encrypted cookies
B.Session cookies
C.Persistent cookies
D.Tracking cookies

The Answer C is Correct


Persistent cookies are cookies stored on a computer's hard drive indefinitely so that a website can
identify the user during subsequent visits. These cookies are set with expiration dates and are valid
until the user deletes them. Hence, persistent cookies pose a higher risk than session cookies because
they remain on the computer longer. They pose a high risk.

A.Incorrect. Encrypted cookies are created by some websites to protect data from unauthorized access.
They pose little or no risk to the data's confidentiality, although encryption protects a cookie's
contents, not its possession: a stolen encrypted cookie can still be replayed to the site that issued it
unless it is also protected in transit (e.g., with the Secure flag) and tied to a short-lived session.
B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session.
They are stored in temporary memory and cleared or erased when the browser is closed. They pose
little or no risk.
D.Incorrect. Tracking cookies are cookies placed on a user's computer to track the user's activity on
different websites, creating a detailed profile of the user's behavior. Under this question's framing
they pose little or no risk to the computer itself; their exposure is to the user's privacy, which is
why spyware detection utilities look for them (see questions 86 and 89).

89.Which of the following types of cookies have similar functionality?


i. Session cookies
ii. Persistent cookies
iii. Tracking cookies
iv. Encrypted cookies

A.I and II
B.I and III
C.II and III
D.II and IV

The Answer C is Correct


Persistent cookies and tracking cookies have similar functionality in terms of misuse of a user's
information at a website. Persistent cookies can be misused as spyware to track a user's web browsing
activities for questionable reasons (i.e., for use in advertisements) without the user's knowledge or
consent. For example, a marketing firm could place ads on many websites and use a single cookie on a
user's computer to track the user's activity on all of those websites, creating a detailed profile of the
user's behavior. Cookies used in this way are known as tracking cookies. Most spyware detection and
removal utility programs specifically look for tracking cookies on computer systems.

A.Incorrect. Session cookies and persistent cookies do not have similar functionality. Session cookies
are temporary cookies that are valid only for a single website session. Persistent cookies are cookies
stored on a computer's hard drive indefinitely so that a website can identify the user during subsequent
visits.
B.Incorrect. Session cookies and tracking cookies do not have similar functionality. Session cookies
are temporary cookies that are valid only for a single website session. Tracking cookies are cookies
placed on a user's computer to track the user's activity on different websites, creating a detailed profile
of the user's behavior.
D.Incorrect. Persistent cookies and encrypted cookies do not have similar functionality. Persistent
cookies are cookies stored on a computer's hard drive indefinitely so that a website can identify the user
during subsequent visits. Some websites create encrypted cookies to protect the data from unauthorized
access.
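The cookie types in questions 86 through 89 can be told apart from the Set-Cookie headers a site sends, except encrypted cookies, whose contents are opaque to an observer. The following added example (not from the Wiley text) parses constructed Set-Cookie headers, classifies each as a session or persistent cookie by the presence of Max-Age or Expires (per RFC 6265, Max-Age takes precedence), flags a persistent third-party cookie as a tracking candidate by comparing its Domain attribute with the site host, and lists missing protective attributes. The site host, the fixed clock, and the three headers are constructed for the illustration.

```python
"""Classifying cookies from Set-Cookie headers.

Added example, not from the Wiley text. The site host, clock and headers
are constructed; the attribute semantics follow RFC 6265.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed fixture: headers as a page on shop.example might receive them.
SITE_HOST = "shop.example"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Max-Age=31536000; Path=/",
    "_adtrk=u-7781; Domain=.ads-network.example; "
    "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; SameSite=None",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def lifetime_days(attrs, now):
    """Days until expiry, or None for a session cookie (no Max-Age/Expires).
    Max-Age takes precedence over Expires, as RFC 6265 requires."""
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
        except (TypeError, ValueError):
            seconds = 0                    # malformed Max-Age expires at once
        return max(seconds, 0) // 86400
    if "expires" in attrs:
        return max((parsedate_to_datetime(attrs["expires"]) - now).days, 0)
    return None


def is_third_party(attrs, site_host):
    """True when the Domain attribute names a domain the site is not part of."""
    domain = attrs.get("domain")
    if not isinstance(domain, str) or not domain:
        return False                       # host-only cookie: first party
    domain = domain.lstrip(".").lower()
    site_host = site_host.lower()
    return not (site_host == domain or site_host.endswith("." + domain))


def classify_cookie(header, site_host, now):
    name, _, attrs = parse_set_cookie(header)
    days = lifetime_days(attrs, now)
    third_party = is_third_party(attrs, site_host)
    wanted = (("Secure", "secure"), ("HttpOnly", "httponly"), ("SameSite", "samesite"))
    return {
        "name": name,
        "kind": "session" if days is None else "persistent",
        "lifetime_days": days,
        "third_party": third_party,
        # A persistent cookie set for a domain other than the site's own is
        # the pattern an ad network uses to follow one user across sites.
        "tracking_candidate": third_party and days is not None,
        "findings": [f"missing {label}" for label, key in wanted if key not in attrs],
    }


def audit(headers, site_host=SITE_HOST, now=NOW):
    """Classify every header the page received."""
    return [classify_cookie(h, site_host, now) for h in headers]


if __name__ == "__main__":
    for cookie in audit(SAMPLE_HEADERS):
        print(cookie)
```

The session cookie in the fixture carries no expiry and the full set of protective flags; the preferences cookie is persistent for a year but is missing all three; the ad-network cookie is both persistent and scoped to a domain the site is not part of, which is the shape a tracking cookie takes. Whether a cookie's value is encrypted cannot be determined from the header, which is why that type is left out of the classification.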

90.Mobile devices are subjected to which of the following threats?


I. Jamming
II. Flooding
III. Geotracking
IV. Geotagging

A.I and III


B.I and IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Jamming is a threat that interferes with the reception or transmission of wireless communications. Any
wireless protocol used on a mobile device is vulnerable to jamming, including global positioning
system (GPS), cellular, Wi-Fi, and Bluetooth. A flooding attack inundates a computer system with
more information than it can process; the protocols exposed to it are the same as those exposed to
jamming.
Geotracking can be performed via a mobile device's geolocation services, which is useful for both
legitimate purposes (e.g., locating a lost device) and illegitimate ones (e.g., gathering intelligence). For
example, data mining can be performed by looking for geotagged records, data, and pictures to identify
usage patterns for intelligence-gathering purposes.
Geotagging is the process of adding geographical identification information to various media, such as
photographs or videos. Data mining of geotagged data from a mobile device is a method that allows
tracking for legitimate and illegitimate reasons.

A.Incorrect. This is a partial answer as all four items are threats.


B.Incorrect. This is a partial answer as all four items are threats.
C.Incorrect. This is a partial answer as all four items are threats.

91.Which of the following potentially risky activities are actively taking place when cloud services
and mobile devices directly interact?
i. Data in exchange
ii. Data in transit
iii. Data in hiding
iv. Data in dispute

A.I and II
B.I and III
C.III and IV
D.I, II, III, and IV

The Answer A is Correct


Hackers can target data in exchange (i.e., data in transfer) and data in transit (i.e., data in motion)
during interactions between cloud services and mobile devices. A man-in-the-middle attack is possible
here, for example over the Wi-Fi wireless network that the mobile device uses to reach the cloud service.

B.Incorrect. This is a partial answer.


C.Incorrect. This choice is not applicable because “data in hiding” and “data in dispute” are not
recognized data states (the states that need protection are data at rest, data in transit, and data in
use), so they are not risky activities requiring protection.
D.Incorrect. This choice is a mix of correct and incorrect answers.

92.An essential security control requirement to protect data in transit against attacks is a:

A.Virtual local area network.


B.Virtual private dial network.
C.Virtual private network.
D.Virtual password.

The Answer C is Correct


Data in transit (i.e., data on the wire) deals with protecting the integrity and confidentiality of
transmitted information across internal and external networks. A virtual private network (VPN) is used
to protect highly confidential information during data transmission. VPNs provide an end-to-end secure
communication channel by enforcing strong authentication and encryption requirements and providing
confidentiality and integrity protection for data in transit. Specifically, line encryption protects the data
in transit and data in transfer.

A.Incorrect. A virtual local area network (VLAN) is a network configuration in which network frames
are broadcast within the VLAN and routed between VLANs. VLANs separate the logical topology of
LANs from their physical topology.
B.Incorrect. A virtual private dial network (VPDN) is a virtual private network (VPN) tailored
specifically for dial-up access.
D.Incorrect. A virtual password is a password computed from a passphrase that meets the requirements
of password storage.

93.John (the seller) and Tom (the buyer) entered into a contract for the sale and purchase of item
K for $15,000 (contract price). Later, John finds out that Tom wants to resell the item to Gary, a
reseller, for a 10% profit after the purchase. John breaches the contract and sells the item
directly to Gary instead of to Tom. The market price of item K at the time of breach is $20,000.
Tom sues John for breach of contract. How much Tom can expect in compensatory damages and
consequential damages respectively?

A.$5,000, $0
B.$0, $1,500
C.$5,000, $1,500
D.$1500, $0

The Answer C is Correct


Compensatory damage = Market price – contract price = $20,000 – $15,000 = $5,000
Consequential damage = Profit percentage of contract price = 10% of $15,000 = $1,500

A.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.
B.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.
D.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.

94.Which one of the following items leads to the other three items?

A.Best practices
B.Leading practices
C.Legacy practices
D.Promising practices

The Answer C is Correct


Legacy practices are the old and inefficient, ineffective procedures and processes found across most or
all departments or functions of an organization. A report should be developed to capture legacy
practices in order to communicate and share their unsuccessful stories (mission failures) and unpleasant
experiences (lessons learned) with other departments and functions for possible avoidance of the same
problems and moving to promising practices, leading practices, or even best practices.
Legacy Practices → Promising Practices → Leading Practices → Best Practices

A.Incorrect. Best practices are the processes, procedures, and systems identified in public and private
organizations that are performed exceptionally well and are widely recognized as improving an
organization's performance and efficiency in specific areas. Successfully identifying and applying best
practices can reduce business expenses and improve organizational efficiency.
Legacy Practices → Promising Practices → Leading Practices → Best Practices

B.Incorrect. Leading practices are successful strategies, actions, and policies that are tried, tested,
and proven over a period of time and that result in increased revenues and profits, reduced costs, and a
competitive advantage in the marketplace. Leading practices can become best practices when more and
more organizations implement them and benefit from them.
Legacy Practices → Promising Practices → Leading Practices → Best Practices

D.Incorrect. When properly managed, promising practices can turn into either leading practices or best
practices because they have been shown to be successful and effective. To achieve that goal, the
promising practices must be defined in terms of the context that led to their success, the challenges
faced must be described, the problems and the solutions applied must be indicated, and the results
obtained must be documented.
Legacy Practices → Promising Practices → Leading Practices → Best Practices

95.Which of the following items should be eliminated first?

A.Vulnerabilities
B.Threats
C.Risks
D.Controls

The Answer A is Correct


Vulnerabilities → Threats → Risks → Controls
Vulnerabilities come first in the chain: a threat needs a vulnerability to exploit, an exploitable
vulnerability is what creates the risk, and a control exists only to treat that risk. Eliminating a
vulnerability therefore removes the threat's opportunity, the resulting risk, and the need for a
compensating control, whereas threats are outside the organization's control and controls only reduce
risk without removing its cause.

B.Incorrect. Vulnerabilities → Threats → Risks → Controls


C.Incorrect. Vulnerabilities → Threats → Risks → Controls
D.Incorrect. Vulnerabilities → Threats → Risks → Controls

96.An organization was severely hit with a ransomware attack. Which of the following is critical
to manage?

A.Time to prevent
B.Time to recover
C.Time to detect
D.Time to pay

The Answer B is Correct


Ransomware is malicious software (malware) that denies access to computer files until the victim pays
a ransom amount. Ransomware is a type of cyberattack that prevents users from using their computer
until they pay a certain amount of money. It is essentially extortion with all the data on users’
computers at risk unless users pay.
All organizations and all individuals using computer systems and networks should develop a recovery
plan with details about backup source methods, storage policy, schedules, and duration and rotation and
retention of backup files. The integrity of the backup files and programs should be verified by testing
the restoration process to ensure it is working. Because of these extensive and time-consuming
recovery activities, the time to recover is more important to manage than the time-to-prevent,
time-to-detect, and time-to-pay activities.

A.Incorrect. It is difficult to prevent ransomware attacks because hackers can conceal their acts (e.g.,
inside phishing attachments or behind stolen credentials).
C.Incorrect. It is difficult to detect ransomware attacks because hackers can conceal their acts; the
encryption is often noticed only after it has completed.
D.Incorrect. Organizations without tested backups may feel they have no choice but to pay the ransom
because they need the data to work. However, hackers can take the money and ask for more before
releasing the data, or release nothing at all. This is a risky and dirty game played by some hackers, and it
leaves organizations at the mercy of hackers, which is why a tested recovery plan matters more than
managing the payment.
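Verifying the backup by testing the restoration process, which the explanation calls out, can be automated. The following added example, not from the Wiley text, backs up a constructed directory tree into a tar.gz archive together with a SHA-256 manifest, restores it into a fresh directory, and compares the restored files to the manifest; it then alters one restored file to show that the check reports the exact path. The file names and contents are constructed for the illustration.

```python
"""Backup, restore, and verify the restore against a hash manifest.

Added example, not from the Wiley text. The directory tree, file names and
contents are constructed for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_of(root):
    """{relative posix path: sha256} for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source, archive):
    """Write a tar.gz of source and return the manifest taken at backup time.
    The manifest is what every later restore test is checked against, so it
    should be stored separately from the archive it describes."""
    manifest = manifest_of(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore(archive, target):
    """Extract the archive into target, refusing path traversal where supported."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")   # Python 3.12+ (and backports)
        except TypeError:                            # older Python: no filter kwarg
            tar.extractall(target)


def verify_restore(restored, manifest):
    """Compare the restored tree with the backup-time manifest.
    Returns (ok, mismatches); mismatches lists altered, missing and extra files."""
    actual = manifest_of(restored)
    mismatches = sorted(rel for rel in set(manifest) | set(actual)
                        if manifest.get(rel) != actual.get(rel))
    return not mismatches, mismatches


def run_restore_test():
    """End-to-end restore test on a constructed tree, then a corrupted restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-q1.csv").write_text("id,amount\n1,10\n2,25\n")
        (src / "notes.txt").write_text("restore test fixture\n")
        archive = tmp / "backup.tar.gz"
        manifest = make_backup(src, archive)

        restored = tmp / "restore"
        restore(archive, restored)
        clean_ok, clean_mismatches = verify_restore(restored, manifest)

        # Simulate a bad restore: bit rot, a partial copy, or an attacker's edit.
        (restored / "notes.txt").write_text("altered after restore\n")
        bad_ok, bad_mismatches = verify_restore(restored, manifest)
        return {"clean": clean_ok, "clean_mismatches": clean_mismatches,
                "tampered": bad_ok, "tampered_mismatches": bad_mismatches}


if __name__ == "__main__":
    print(run_restore_test())
```

The point of the test is the second half: a backup job that completes without error says nothing about whether the files come back intact, so the restore is exercised and every file is compared to the hashes recorded when the backup was taken. In a real schedule the manifest would be kept off the backup host (and ideally signed), since ransomware that reaches the backups can rewrite both.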

97.Which of the following uses a distributed ledger system to raise new capital in the securities
marketplace?

A.Initial public offering


B.Initial coin offering
C.Initial private offering
D.Initial equity offering

The Answer B is Correct


Businesses and individuals are promoting initial coin offerings (token sales) to raise new capital in the
form of bitcoin or other digital currency. A blockchain, which is the technology behind bitcoin, is an
electronic distributed ledger system or list of entries. The distributed ledger is like a stock ledger that
is maintained by the various participants in a network of blockchain computers. Blockchains use
cryptographic techniques (hashing and digital signatures) to process and verify transactions in the
ledger, providing assurance to bitcoin users that the ledger entries are secure. Distributed ledgers are
riskier than centralized ledgers because no single party controls them; there is no central operator to
reverse an erroneous or fraudulent entry.

A.Incorrect. This does not use a distributed ledger system.


C.Incorrect. This does not use a distributed ledger system.
D.Incorrect. This does not use a distributed ledger system.
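How a distributed ledger lets participants verify entries cryptographically, as an added example that is not from the Wiley text. Each block carries the SHA-256 hash of its contents and the previous block's hash; the participants, token amounts, and three-replica setup are constructed. The example shows that editing a recorded entry breaks the chain for anyone who re-verifies it, and that an attacker who rewrites every later block on one replica still cannot make that replica's head match the honest copies held by other participants.

```python
"""A minimal hash-chained ledger with replica verification.

Added example, not from the Wiley text. Participants, amounts and the
replica setup are constructed for illustration.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, entries):
    """Hash of the block's canonical JSON, binding index, predecessor and entries."""
    payload = json.dumps({"index": index, "prev": prev_hash, "entries": entries},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_block(chain, entries):
    """Append a block whose prev pointer is the current head's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev": prev, "entries": entries}
    block["hash"] = block_hash(block["index"], prev, entries)
    chain.append(block)
    return block


def verify_chain(chain):
    """Return (ok, first_bad_index): recompute every hash and check each
    block's prev pointer against its predecessor."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["prev"] != expected_prev:
            return False, i
        if block["hash"] != block_hash(block["index"], block["prev"], block["entries"]):
            return False, i
    return True, None


def rehash_from(chain, start):
    """What a rewriting attacker must do: recompute every block after the edit."""
    for i in range(start, len(chain)):
        chain[i]["prev"] = chain[i - 1]["hash"] if i else GENESIS_PREV
        chain[i]["hash"] = block_hash(i, chain[i]["prev"], chain[i]["entries"])


def build_demo_chain():
    """Constructed token transfers, as one participant's replica."""
    chain = []
    append_block(chain, [{"from": "issuer", "to": "alice", "tokens": 100}])
    append_block(chain, [{"from": "alice", "to": "bob", "tokens": 40}])
    append_block(chain, [{"from": "bob", "to": "carol", "tokens": 10}])
    return chain


def simulate_tamper():
    """Compare an honest replica with two tampered ones."""
    honest = build_demo_chain()

    # Naive edit: change block 1 and re-hash only that block.
    naive = build_demo_chain()
    naive[1]["entries"][0]["tokens"] = 400
    naive[1]["hash"] = block_hash(1, naive[1]["prev"], naive[1]["entries"])

    # Full rewrite: change block 1 and recompute every later block too.
    rewritten = build_demo_chain()
    rewritten[1]["entries"][0]["tokens"] = 400
    rehash_from(rewritten, 1)

    return {
        "honest": verify_chain(honest),
        "naive_edit": verify_chain(naive),
        "full_rewrite": verify_chain(rewritten),
        "rewrite_matches_peers": rewritten[-1]["hash"] == honest[-1]["hash"],
    }


if __name__ == "__main__":
    print(simulate_tamper())
```

The naive edit is caught by anyone who re-verifies the replica, because block 2 still points at the old hash of block 1. The full rewrite passes local verification, which is exactly why the ledger is distributed: the rewritten replica's head hash no longer agrees with the heads held by the other participants, so the tampering is exposed by comparison rather than by a central operator. Real blockchains add proof-of-work or other consensus rules that make such a rewrite expensive, and digital signatures on each entry so that only alice can spend alice's tokens; both are left out here for brevity.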

98.From an access control security viewpoint, which one of the following parties is different from
the other three parties?

A.Ordinary user
B.Privileged user
C.Trusted user
D.Authorized user

The Answer A is Correct

An ordinary user is different from the privileged user, trusted user, and authorized user in terms of what
the ordinary user can perform. The ordinary user is restricted in performing some security functions.

B.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. A privileged user is both a trusted user and an authorized
user.
C.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. A trusted user is both a privileged user and an authorized
user.
D.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. An authorized user is both a privileged user and a trusted
user.

99.When conducting information systems security audits, internal auditors must be most
concerned with which of the following?

A.Blacklist
B.Whitelist
C.Blacklisting
D.Blocked listing

The Answer A is Correct

Internal auditors must be most concerned with the blacklist because it is a list of email senders who
have previously sent spam to a user. It is also a list of host networks or application systems that have
been previously determined to be associated with malicious activity using malware and other
dangerous programs. A blacklist indicates unsafe and unsecure entities.

B.Incorrect. This choice is a partial answer. A whitelist is a list of host networks or application systems
that are known to be benign or mild and are approved for use within an organization and/or information
system. A whitelist indicates safe and secure entities.
C.Incorrect. This choice is a partial answer. Blacklisting is the process of a system invalidating a user
ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the
system even with the correct authenticator. A blacklisting indicates safe and secure actions.
D.Incorrect. A blocked listing is a part of blacklisting. The term “blocked listing” applies to blocks
placed against Internet Protocol addresses to prevent inappropriate or unauthorized use of the Internet
resources. A blocked listing indicates safe and secure actions.

100.Which of the following cannot reduce the total costs of data breaches?

A.Security metrics
B.Incident response team
C.Encryption
D.Mobile platforms

The Answer D is Correct

Extensive and uncontrolled use of mobile platforms (e.g., operating systems and devices) can increase
risks and costs due to their unchecked usage and growth, resulting in increased data breaches.

A.Incorrect. Security metrics can reduce the total costs of data breaches due to the insights they provide
regarding threats, attacks, and hackers. Use of metrics is proactive thinking.
B.Incorrect. The existence of an incident response team can reduce the total costs of data breaches due
to the team's expertise and readiness to prevent, detect, and recover from threats and attacks. Use of an
incident response team is proactive thinking.
C.Incorrect. Use of encryption in computer programs and data files can reduce the total costs of data
breaches because encryption protects against hacker attacks. Use of encryption is proactive thinking.

101.Which of the following are the opportunity costs resulting from a data breach?
I. Lost sales
II. Lost profits
III. Customer defection costs
IV. Customer acquisition costs

A.I
B.I and II
C.III
D.III and IV

The Answer D is Correct

Customer defection costs and customer acquisition costs are examples of opportunity costs that would
have not been incurred in the absence of a data breach.

A.Incorrect. Lost sales are an indirect cost.
B.Incorrect. Lost sales and lost profits are indirect costs.
C.Incorrect. This is a partial answer. Customer defection costs are opportunity costs.

102.Total costs of data breaches are directly related to which of the following?

A.Time to identify a data breach
B.Time to plan a remedy to handle a data breach
C.Time to implement a remedy to handle a data breach
D.Time to contain a data breach

The Answer D is Correct

Failure to quickly contain a data breach will lead to higher costs. Hence, there is a direct relationship
between time and cost.

A.Incorrect. This choice is a part of time to contain.
B.Incorrect. This choice is a part of time to contain.
C.Incorrect. This choice is a part of time to contain.

103.Which of the following is not a direct cost resulting from a data breach?

A.Digital forensic cost
B.Technical consulting cost
C.Internal investigative cost
D.Legal consulting cost

The Answer C is Correct

Internal investigative cost is an indirect cost.

A.Incorrect. Digital forensic cost is a direct cost.
B.Incorrect. Technical consulting cost is a direct cost.
D.Incorrect. Legal consulting cost is a direct cost.

104.An internal audit function is effective when:

A.An audit plan is prepared.
B.An audit budget is approved.
C.The audit's mission is accomplished.
D.All auditors are trained.

The Answer C is Correct

This is the major goal.

A.Incorrect. This is one of the minor goals.
B.Incorrect. This is one of the minor goals.
D.Incorrect. This is one of the minor goals.

105.Which of the following can aid in measuring the effectiveness of an internal audit function?

A.Pareto principle
B.Stevens’ power law
C.Gresham's law
D.Kano principle

The Answer D is Correct

The Kano principle can be applied to a feedback process from audit clients using three rating scales,
such as satisfied, neutral, and dissatisfied, for measuring the effectiveness of the internal audit function.

A.Incorrect. The Pareto principle states that there are a vital few (20%) and a trivial many (80%) things
in the world.
B.Incorrect. Stevens' power law states that there are four types of scales that can be used to define
how things or data can be measured, arranged, or counted. These scales are nominal, ordinal, interval,
and ratio scales, and they are used as data counting methods in big-data analytics.
C.Incorrect. Gresham's law of planning states that managers pay more attention and put more time and
effort into planning programmed activities (i.e., routine and simple tasks) than nonprogrammed
activities (i.e., rare and complex tasks).

106.An internal audit function is effective when:

A.The audit function provides value.
B.An audit manual is developed.
C.All auditors are efficient.
D.All auditors are certified.

The Answer A is Correct

This is the major goal.

B.Incorrect. This is one of the minor goals.
C.Incorrect. This is one of the minor goals.
D.Incorrect. This is one of the minor goals.

107.Agile audits are best described as:

A.Historical audits.
B.Scheduled audits.
C.Anticipatory audits.
D.Cycle audits.

The Answer C is Correct

Anticipatory audits are sudden and unexpected audits based on current events that just happened or are
about to happen in the immediate future.

A.Incorrect. Agile audits are not historical audits because they have no resemblance to past events.
B.Incorrect. Scheduled audits are cycle audits with a known frequency.
D.Incorrect. Cycle audits are repeatable audits with a known frequency.

108.An internal audit function is effective in the minds of the board and senior management
when it is performing:

A.Error-seeking audits.
B.Value-adding audits.
C.Nitpicking audits.
D.Fault-blaming audits.

The Answer B is Correct

The term “value-adding audits” means something good is added to a function or operation that was not
there before. Consulting auditors can provide this value.

A.Incorrect. Error-seeking audits are low-level audits that the board and senior management may not
prefer because errors are possible events with human beings, meaning errors are normal and common.
No value is provided to audit clients.
C.Incorrect. Nitpicking audits are surface audits based on using a superficial audit scope and objectives.
No value is provided to audit clients.
D.Incorrect. Fault-blaming audits are finger-pointing audits blaming policies, procedures, and practices
based on past events and data. No value is provided to audit clients.

109.Which of the following provides a logical barrier that constrains the operation of program
code, data, and/or users within a defined area of a mobile device?

A.Inbox
B.Substitution box
C.Sandbox
D.Permutation box

The Answer C is Correct

A sandbox is a system that allows an untrusted application program to run in a highly controlled
environment (e.g., Java applet). Anything assigned to a sandbox has access to resources within the
sandbox but has controlled or no access to resources outside the sandbox.

A.Incorrect. An inbox is used for storing and displaying email messages. It has nothing to do with
mobile device security.
B.Incorrect. A substitution box consists of electrical circuits deployed in cryptographic algorithms for
signal propagation. It has nothing to do with mobile device security.
D.Incorrect. A permutation box consists of electrical circuits deployed in cryptographic algorithms for
signal propagation. It has nothing to do with mobile device security.

110.Regarding mobile security, which of the following uses attack signatures?
I. Firewalls
II. Access control lists
III. Anti-malware systems
IV. Intrusion detection and prevention systems (IDS/IPS)

A.I and II
B.II and IV
C.III and IV
D.I, II, III, and IV

The Answer C is Correct

Both anti-malware systems and IDS/IPS inspect data for malicious activity based on attack signatures.
These signatures may look for malicious code in a data stream (anti-malware) or may look for
malicious traffic patterns (IDS/IPS). New signatures are constantly being added to detect new attack
vectors.

A.Incorrect. Both firewalls and access control lists (ACLs) use rule-based criteria to permit or deny
communication based on rulesets defined by protocol standards and/or by information technology staff.
Firewalls and ACLs do not use attack signatures, and anti-malware systems and IDS/IPS systems do
not use rulesets.
B.Incorrect. This is a partial answer.
D.Incorrect. This choice contains both correct and incorrect answers.

111.Which of the following provides encryption as a basic service and becomes a form of double
encryption when it is sent through an encrypted tunnel?

A.Value-added network
B.Virtual private network
C.Body area network
D.Personal area network

The Answer B is Correct

A virtual private network (VPN) is the application of encryption, data integrity, and authentication
protocols to provide a secure connection between a user organization and a remote device or user.
When the data stream itself is also encrypted, the use of VPN to send already-encrypted
communication through an encrypted tunnel is a type of double encryption.

A.Incorrect. A value-added network is used in electronic data interchange transactions in procurement
or purchasing to place purchase orders.
C.Incorrect. A body area network is used in the medical field when performing an operation on a human
body.
D.Incorrect. A personal area network is used by an individual using personal computers at home, in a
home office, or in a small business.

112.Which of the following are examples of major uses of system-based audit trails?
I. Acts as an insurance policy
II. Provides support for operations
III. Identifies performance problems
IV. Detects security violations

A.II only
B.III only
C.IV only
D.I, II, III, and IV

The Answer D is Correct

System-based audit trails have multiple uses, such as acting as an insurance policy, providing
support for operations, identifying performance problems, detecting security violations, and detecting
flaws in application systems.
As an insurance policy, audit trails are passive electronic records but are not used unless needed, such
as after a system outage or other abnormality (e.g., data breach). As a support for operations, audit
trails are used to help system administrators ensure that systems or resources have not been harmed by
hackers, contractors, or insiders (employees) or due to technical problems (e.g., program glitches).

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

113.Mobile devices operating in a high-risk computing environment should not be configured
with which of the following?

A.Login attempts
B.Application accesses
C.Remote logging
D.Login data

The Answer C is Correct

Remote logging over unsecured networks (i.e., high-risk computing environments) should not be
configured due to potential security issues it can bring to a company.

A.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.
B.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.
D.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.

114.What is it called when a cloud service provider of a mobile device makes a dual connection to
multiple networks?

A.Split tunneling
B.Split controls
C.Split knowledge
D.Split domains

The Answer A is Correct

When a cloud service provider of a mobile device makes a connection to multiple networks, it is called
split tunneling, and it should be prohibited. Cloud connections should be restricted to a mutually
authenticated and approved cloud service provider, and the security policy for the mobile device should
also prohibit split tunneling, which is risky. Here, “split tunneling” means some traffic is secured while
other traffic is unsecured.

B.Incorrect. With split controls, safeguards are divided into two or more parts, thus reducing the
strength of the controls.
C.Incorrect. Split knowledge represents a condition under which two or more parties separately have
part of the data, but no party has all the data.
D.Incorrect. Split domains represent split domain name systems (split DNS), where one physical file is
required for external clients and one physical file is required for internal clients.

115.Controls over a mobile device upon employee termination or reassignment include which of
the following?
I. Sanitize the stored information.
II. Keep the user's personal information.
III. Clear the device's memory contents.
IV. Dispose of the device.

A.I and III
B.I and IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct

Controls over a mobile device upon employee termination or reassignment include repossessing the
device, fully sanitizing the stored information prior to disposal, clearing the device's memory contents
in case of classified or sensitive information spillage, and keeping the user's personal information on
the device for tracing purposes.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

116.Best practices in the use of mobile devices include which of the following?
I. Install application filters.
II. Enable firewalls.
III. Disable all unnecessary features.
IV. Update virus signatures.

A.II and III
B.II, III, and IV
C.III and IV
D.I, II, III, and IV

The Answer D is Correct

Best practices in the use of mobile devices include allowing mobile communications through authorized
methods only, installing filters to limit which applications have access to a specific device, enabling
firewalls, disabling all unnecessary features, and updating virus signatures on antivirus software
frequently.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

117.Regarding mobile device configuration, organizations should exercise controls over which of
the following procurement considerations?
I. Selection of service provider
II. Selection of hardware
III. Selection of operating system
IV. Selection of application systems

A.I and II
B.I and III
C.III and IV
D.I, II, III, and IV

The Answer D is Correct

Mobile device procurement considerations include the selection of the mobile device's service provider,
hardware, operating system, and application systems, including version control.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

118.Regarding mobile device configuration, organizations should exercise controls over which of
the following provisioning considerations?
I. Enabling necessary features
II. Planning for storage controls
III. Preparing for device disposal
IV. Implementing authentication techniques

A.I only
B.II only
C.III only
D.I, II, III, and IV

The Answer D is Correct

Organizations should carefully plan what features will be provisioned and deprovisioned according to
risk levels. Management should decide what features will be enabled (e.g., GPS, Bluetooth, and
camera), what storage controls are needed (cloud or traditional), what methods to use in disposing of a
device, and what authentication techniques to be used (single factor or multiple factors).

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

119.Regarding mobile devices operating in a high-risk environment, which of the following
mobile-infrastructure diagnostic audit records must be securely stored in a central location?
I. Configuration files
II. Security files
III. Application system files
IV. Operating system files

A.I only
B.II only
C.III and IV
D.I, II, III, and IV

The Answer D is Correct

Mobile-infrastructure diagnostic audit records, such as configuration files, security files, application
files, operating system files, and system call log files, must be transferred from the mobile device to a
centralized storage location for later retrieval and analysis.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

120.Which of the following is at the core of the definition of total quality management (TQM)?

A.Customer surveys
B.Continuous improvement
C.Employee satisfaction
D.Supplier inspections

The Answer B is Correct

Continuous improvement is at the core of the definition of TQM and its principles.

A.Incorrect. Customer surveys are not at the core of TQM.
C.Incorrect. Employee satisfaction is not at the core of TQM.
D.Incorrect. Supplier inspections are not at the core of TQM.

121.The total quality management (TQM) program needs to be anchored to an organization's:

A.Policy.
B.Procedure.
C.Culture.
D.Standards.

The Answer C is Correct

TQM involves creating an organizational culture committed to continuous improvement of products or
services. Culture is the major anchor point.

A.Incorrect. Policy is a minor anchor point.
B.Incorrect. Procedure is a minor anchor point.
D.Incorrect. Standards are a minor anchor point.

122.Which of the following is not one of the principles of total quality management (TQM)?

A.Do it right the first time.
B.Strive for zero defects.
C.Be customer-centered.
D.Build teamwork and empowerment.

The Answer B is Correct

“Strive for zero defects” is the goal of manufacturing management achieved through statistical
process control and Six Sigma methodologies, which are subsets of TQM. Striving for zero defects is
not one of the principles of TQM.

A.Incorrect. “Do it right the first time” is one of the principles of TQM.
C.Incorrect. “Be customer-centered” is one of the principles of TQM.
D.Incorrect. “Build teamwork and empowerment” is one of the principles of TQM.

123.In the context of total quality management (TQM), a cause-and-effect analysis can be carried
out with:

A.Kaizen.
B.A scatter diagram.
C.A fishbone diagram.
D.A Pareto diagram.

The Answer C is Correct

Fishbone diagrams help TQM teams visualize important cause-and-effect relationships.

A.Incorrect. Kaizen practitioners view quality as an endless journey, not a final destination and not a
specific program or procedure.
B.Incorrect. Scatter diagrams are used to plot the correlation between two variables.
D.Incorrect. The Pareto diagram helps TQM teams to analyze vital few and trivial many (20/80 pattern
or rule). It is most efficient to focus on the few things that make the biggest difference.

124.Total quality management (TQM) should be viewed as:

A.Customer centered and employee driven.
B.Management centered and technology driven.
C.Policy centered and procedure driven.
D.Goal centered and standard driven.

The Answer A is Correct

Customers can be internal and external to an organization. Organizations exist to serve and help
external customers with goods and services. Building teamwork and empowering employees can
inspire and encourage internal customers. TQM empowers employees at all levels in order to tap their
full potential of creativity, motivation, and commitment.

B.Incorrect. Being management centered and technology driven does not serve and help external
customers with goods and services.
C.Incorrect. Being policy centered and procedure driven does not serve and help external customers
with goods and services.
D.Incorrect. Being goal centered and standard driven does not serve and help external customers with
goods and services.

125.When a product conforms to its design specifications, it is called:

A.Product-based quality.
B.Value-based quality.
C.Judgment-based quality.
D.Manufacturing-based quality.

The Answer D is Correct

Manufacturing-based quality deals with conformance to requirements, such as design specifications,
customer requirements, or blueprints.

A.Incorrect. Product-based quality assumes that higher levels or amounts of product characteristics are
equivalent to higher quality and that quality has a direct relationship with price.
B.Incorrect. Value-based quality focuses on the relationship between the usefulness of or satisfaction
with a product or service and its price.
C.Incorrect. Judgment-based quality is synonymous with superiority or excellence, which is abstract,
subjective, and difficult to quantify.

126.Which of the following total quality management (TQM) process improvement tools
monitors actual versus desired quality measurements during repetitive operations?

A.A run chart
B.A histogram
C.A flowchart
D.A control chart

The Answer D is Correct

A control chart helps operations maintain key quality measurements within an acceptable range of an
upper and a lower control limit. It monitors actual versus desired quality measurements during
repetitive operations.

A.Incorrect. A run chart (also called a time-series or trend chart) tracks the frequency or amount of a
given variable over time. Significant deviations from the standard signal the need for corrective action.
B.Incorrect. A histogram is a bar chart showing whether repeated measurements in an operation
conform to a standard bell-shaped curve (normal curve).
C.Incorrect. A flowchart is a graphic representation of a sequence of activities and decisions.
Flowcharts identify unnecessary work steps so that they can be either combined or eliminated.

127.The costs of providing training and technical support to the supplier in order to increase the
quality of purchased materials are examples of:

A.Prevention costs.
B.Appraisal costs.
C.Internal failure costs.
D.External failure costs.

The Answer A is Correct

Prevention costs are costs incurred to prevent defects from occurring during the design and delivery of
products or services. Prevention costs can keep both appraisal and failure costs to a minimum.

B.Incorrect. Appraisal costs are costs to detect, measure, evaluate, and audit products and processes to
ensure that they conform to customer requirements and performance standards. They include the costs
of inspecting raw materials, testing goods throughout the manufacturing process, and testing the final
product.
C.Incorrect. Internal failure costs are the costs associated with defects that are discovered before the
product is shipped or before the service is delivered to the customer. They include the costs of the
material, labor, and other manufacturing costs incurred in reworking defective products and the costs of
scrap and spoilage.
D.Incorrect. External failure costs are associated with defects found during or after delivery of the
product or service to the customer. They include the costs of repairs made under warranty or product
recalls.

128.In the Six Sigma methodology, the mistake-proofing tool is used in which of the following
stages?

A.Define.
B.Control.
C.Measure.
D.Improve.

The Answer B is Correct

A mistake-proofing tool removes the opportunity for error before it happens. It is a way to detect and
correct an error where it occurs and avoid passing the error to the next worker or operation. This tool is
used in the “control” stage to prevent an error from becoming a defect in the process. Mistake-proofing
techniques are used to improve organizational processes. Typical mistakes in production are omitted
processing, processing errors, setup errors, missing parts, wrong parts, and machine adjustment errors.
Poka-yoke is an approach for mistake-proofing processes using automatic devices or methods to avoid
simple human or machine errors.

A.Incorrect. The “define” stage is too early to use the mistake-proofing tool.
C.Incorrect. The “measure” stage is too late to use the mistake-proofing tool.
D.Incorrect. The “improve” stage is too late to use the mistake-proofing tool.

129.A process mapping tool is not used in which of the following Six Sigma methodology stages?

A.Define.
B.Control.
C.Measure.
D.Analyze.

The Answer B is Correct

Process mapping is a very useful tool in the “define, measure, analyze, and improve” stages but not in
the “control” stage because the process is already in control. In the “control” stage, systems and
structures are in place to institutionalize the improvements. Process mapping is a high-level visual
representation of the current process step, looking beyond the functional activities and rediscovering
core processes. The objective of process mapping is to understand the process before it is improved.

A.Incorrect. A process mapping tool is used in the “define” stage to improve organizational processes.
C.Incorrect. A process mapping tool is used in the “measure” stage to improve organizational
processes.
D.Incorrect. A process mapping tool is used in the “analyze” stage to improve organizational processes.

130.The cause-and-effect diagram is used in which of the following Six Sigma methodology
stages?

A.Define.
B.Analyze.
C.Improve.
D.Control.

The Answer A is Correct

The cause-and-effect diagram is a tool for analyzing process variables. The diagram shows the main
cause and subcauses leading to an effect (symptom). This tool is used in both the “define and measure”
stages.

B.Incorrect. The “analyze” stage comes after the “define” stage.
C.Incorrect. The “improve” stage comes before the “control” stage.
D.Incorrect. The “control” stage monitors the ongoing performance of a process and improvement of a
product. This stage is a transition from improvement to controlling the process. It ensures that new
improvements are implemented and institutionalized.

131.Both common causes and special causes are identified in which of the following stages of the
Six Sigma methodology?

A.Define.
B.Measure.
C.Control.
D.Improve.

The Answer B is Correct

Common causes affect everyone working in a process and affect all of the outcomes of a process.
These causes are always present and thus are generally predictable. Special causes are not always
present in a process, do not affect everyone working in it, and do not affect all its outcomes. Special
causes are not predictable. The “measure” stage identifies common and special causes and collects data
about current performance that pinpoints opportunities and provides a structure for making
improvements.

A.Incorrect. In the “define” stage, brainstorming techniques are used to define the problem and to make
improvements. This stage is a better way to identify bottlenecks, process/machine breakdowns, and
non-value-added work steps.
C.Incorrect. The “control” stage monitors the ongoing performance of a process and improvement of a
product. This stage is a transition from improvement to controlling the process. It ensures that new
improvements are implemented and institutionalized.
D.Incorrect. The “improve” stage is the final objective to accomplish. Both common and special causes
are identified before this stage.

132.In the Six Sigma training environment, which of the following roles is primarily dependent
on others to acquire data?

A.Green belts
B.Black belts
C.Master black belts
D.Sponsors

The Answer A is Correct

Six Sigma green belts work directly with black belts and cross-functional project leaders to carry out
identified improvement projects. Green belts implement Six Sigma improvement tools by being
competent at detailed and routine tasks and by collecting the required data.

B.Incorrect. The role of Six Sigma black belts is based on the principle of contributing independently
and applying the appropriate tools and techniques in the process of resolving quality problems and
issues in the organization. Black belts assume responsibility for definable projects and possess
technical competence and ability.
C.Incorrect. Master black belts ensure that they contribute through others based on their leadership
skills. They are involved as managers, mentors, or idea leaders in developing others. They have
technical breadth and skills, can build a strong network of people, and can resolve conflicts.
D.Incorrect. Sponsors are the champions of quality. They have project management skills, understand
the risk management techniques, and have leadership skills. They have the vision and knowledge of
their organization's culture.

133.All of the following are effective ways to prevent service mistakes from occurring except:

A.Source inspections.
B.Self-inspections.
C.Sequence checks.
D.Mass inspections.

The Answer D is Correct

Mistake-proofing a service requires identifying when and where failures occur. Once a failure is
identified, the source must be found. The final step is to prevent the mistake from occurring through source
inspections, self-inspections, or sequence checks. Mass or final inspections are expensive,
time-consuming, and ineffective, as they take place too late in the game.

A.Incorrect. Source inspections are effective ways to prevent service mistakes from occurring.
B.Incorrect. Self-inspections are effective ways to prevent service mistakes from occurring.
C.Incorrect. Sequence checks are effective ways to prevent service mistakes from occurring.

134.In an organization with empowered work teams, organizational policies:

A.Should define the limits or constraints within which the work teams must act if they are to remain
self-directing.
B.Become more important than ever. Without clear rules to follow, empowered work teams are almost
certain to make mistakes.
C.Should be few or none. Work teams should have the freedom to make their own decisions.
D.Should be set by the teams themselves in periodic joint meetings.

The Answer A is Correct

Work teams are not “empowered” to do anything they please. The organization has certain expectations
for what is to be accomplished and how teams are to go about accomplishing these things. Once the
organization defines the objectives (what is to be accomplished) and sets appropriate policies (how it is
to be done), work teams are free to make and implement decisions within those boundaries. Policies in
this work team area are usually quite broad (e.g., relating to ethical business conduct) but nevertheless
important.

B.Incorrect. Empowered teams are important but not more important than ever. Policies in this context
should not be “rules,” and the distrust implicit in the phrase “is almost certain to make mistakes” is
inconsistent with empowerment.
C.Incorrect. Work teams are not “empowered” to do anything they please.
D.Incorrect. Work teams are not “empowered” to do anything they please.

135.One of the main reasons that implementation of a total quality management (TQM) program
works better through the use of teams is because:

A.Teams are more efficient and help an organization reduce its staffing.
B.Employee motivation is always higher for team members than for individual contributors.
C.Teams are a natural vehicle for sharing ideas, which leads to process improvement.
D.The use of teams eliminates the need for supervision, thereby allowing a company to reduce staffing.

The Answer C is Correct


Teams are excellent vehicles for encouraging the sharing of ideas and removing process improvement
obstacles.

A.Incorrect. Teams are often inefficient and costly.
B.Incorrect. Although employee motivation may be high for some team members, such potential high
motivation does not directly affect process improvement, which is key to quality improvement.
D.Incorrect. The use of teams in TQM is not aimed at less supervision and reduced staffing, although
that may be a by-product.

136.One of the main reasons total quality management (TQM) can be used as a strategic weapon
is that:

A.The cumulative improvement from a company's TQM efforts cannot readily be copied by
competitors.
B.Introducing new products can lure customers away from competitors.
C.Reduced costs associated with better quality can support higher stockholder dividends.
D.TQM provides a comprehensive strategic management for a business.

The Answer A is Correct


The cumulative effect of TQM's continuous improvement process can attract and hold customers and
cannot be duplicated by competitors.

B.Incorrect. New products can be quickly copied by competitors; therefore, they do not provide a
sustained competitive advantage.
C.Incorrect. TQM does not focus on cost reduction.
D.Incorrect. TQM is only one strategic management tool; other tools have to be used for proper
strategic management.

137.Focusing on customers, promoting innovation, learning new philosophies, driving out fear,
and providing extensive training are all elements of a major change in organizations. These
elements are aimed primarily at:

A.Copying leading organizations to better compete with them.
B.Focusing on the total quality of products and services.
C.Being efficient and effective at the same time, in order to indirectly affect profits.
D.Better management of costs of products and services, in order to become the low-cost provider.

The Answer B is Correct


All the elements presented in the question are part of the total quality movement in the manufacturing
and service sectors.

A.Incorrect. Competition with leading organizations is not the only goal of the total quality movement.
C.Incorrect. The goal is quality first and foremost. A total quality movement may reduce some costs in
the long run.
D.Incorrect. The focus of the elements presented is not cost management.

138.Total quality management in a manufacturing environment is best exemplified by:

A.Identifying and reworking production defects before sale.
B.Designing the product to minimize defects.
C.Performing inspections to isolate defects as early as possible.
D.Making machine adjustments periodically to reduce defects.

The Answer B is Correct


This response describes the design-it-in approach, which promotes keeping quality in mind right from
the start.

A.Incorrect. This choice describes the fix-it-in approach, which is the first step to do. Inspectors
identify defects and report on defects that have them reworked or fixed.
C.Incorrect. This choice describes the inspect-it-in approach, which applies the fix-it-in approach to
in-process work.
D.Incorrect. This choice describes the adjust-it-in approach, which is the same as the inspect-it-in
approach.

139.Which of the following is a characteristic of total quality management (TQM)?

A.Management by objectives
B.On-the-job training by other workers
C.Quality by final inspection
D.Education and self-improvement

The Answer D is Correct


Education and self-improvement should be the number-one career objective for everyone in the
organization.

A.Incorrect. Management by objectives causes aggressive pursuit of numerical quotas.
B.Incorrect. On-the-job training serves to entrench bad work habits.
C.Incorrect. Quality by final inspection is unnecessary if quality is built in from the start.

140.In which of the following organizational structures does total quality management (TQM)
work best?

A.Hierarchical organizational structure
B.Teams of people from the same specialty
C.Small teams of people from different specialties
D.Specialists working individually

The Answer C is Correct


Small teams of people from different specialties empowered to make decisions are highly effective.

A.Incorrect. A hierarchical organizational structure actually stifles TQM.
B.Incorrect. TQM works best with teams of people from different specialties.
D.Incorrect. Teamwork is essential for TQM.

141.A company is experiencing a high level of customer returns for a particular product because
it does not meet the rigid dimensions required. Each return is reworked on a milling machine
and sent back through all of the subsequent finishing steps. This is a costly process. Identify the
best method for reducing the quality failure costs.

A.Customer surveys
B.Increased finished goods inspections
C.Defect prevention
D.Increased work-in-process inspections

The Answer C is Correct


Prevention of a defect is felt in reduced costs throughout the entire manufacturing and quality
inspection cycle. This is a preventive control and a feedforward (proactive) control.

A.Incorrect. Customer surveys are examples of feedback (reactive) controls and are not as effective as
a feedforward (proactive) control.
B.Incorrect. Increased finished goods inspections are examples of feedback (reactive) controls and are
not as effective as a feedforward (proactive) control.
D.Incorrect. Increased work-in-process inspections are examples of feedback (reactive) controls and
are not as effective as a feedforward (proactive) control.

142.Which statement best describes total quality management (TQM)?

A.TQM emphasizes reducing the cost of inspection.
B.TQM emphasizes better statistical quality control techniques.
C.TQM emphasizes doing each job right the first time.
D.TQM emphasizes encouraging cross-functional teamwork.

The Answer C is Correct


Superior product quality is not attained just through more inspection, better statistical quality control,
and cross-functional teamwork. Manufacturers must make fundamental changes in the way they
produce products and do each job right the first time.

A.Incorrect. This choice is only a part of the TQM emphasis.
B.Incorrect. This choice is only a part of the TQM emphasis.
D.Incorrect. This choice is only a part of the TQM emphasis.

143.Management of a company is attempting to build a reputation as a world-class manufacturer
of quality products. On which of the next four costs should it spend the majority of its funds?
I. Prevention costs. This involves eliminating the production of products that do not conform to
quality requirements. Costs include product and process design and testing, supplier evaluation
and training, employee training, and preventive maintenance.
II. Appraisal costs. This involves detecting products that do not conform to quality requirements.
Costs include inspection, testing, and statistical quality control.
III. Internal failure costs. This involves correcting or scrapping nonconforming products before they
are shipped. Costs include rework, scrap, retesting, and changes in the design of the product or
process.
IV. External failure costs. This involves customers detecting nonconforming products after shipment.
Costs include allowances, customer complaints, service, warranty, product liability, lost customer
goodwill, and returned products.

A.I only
B.II only
C.III only
D.IV only

The Answer A is Correct


The firm would do well to spend the bulk of its funds on prevention through better product and process
design and testing, supplier evaluation and training, employee training, and preventive maintenance.
The aim is to prevent quality breakdowns before the product is produced.

B.Incorrect. Spending funds in the appraisal area will improve quality, but funds are better spent on
prevention than on the appraisal area.
C.Incorrect. Spending funds in the internal failure area will improve quality, but funds are better spent
on prevention than on the internal failure area.
D.Incorrect. Spending funds in the external failure area will improve quality, but funds are better spent
on prevention than on the external failure area.

144.Management of a company is attempting to build a reputation as a world-class manufacturer
of quality products. Which of the next four costs would be the most damaging to its ability to
build a reputation as a world-class manufacturer?
I. Prevention costs. This involves eliminating the production of products that do not conform to
quality requirements. Costs include product and process design and testing, supplier evaluation
and training, employee training, and preventive maintenance.
II. Appraisal costs. This involves detecting products that do not conform to quality requirements.
Costs include inspection, testing, and statistical quality control.
III. Internal failure costs. This involves correcting or scrapping nonconforming products before they
are shipped. Costs include rework, scrap, retesting, and changes in the design of the product or
process.
IV. External failure costs. This involves customers detecting nonconforming products after shipment.
Costs include allowances, customer complaints, service, warranty, product liability, lost customer
goodwill, and returned products.

A.I only
B.II only
C.III only
D.IV only

The Answer D is Correct


The firm must avoid external failures. If low-quality products are discovered by a firm's customers, the
firm will not be able to build a reputation as a world-class manufacturer. The firm should spend its
funds on prevention, appraisal, and internal failure, in that order. That is, it should prevent quality
breakdowns before the product is produced and shipped so that customers never receive poor-quality
products.

A.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.
B.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.
C.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.

145.Management of a company is attempting to build a reputation as a world-class manufacturer
of quality products. Which of the following measures would not be used by the firm to measure
quality?

A.The percentage of shipments returned by customers because of poor quality.
B.The number of parts shipped per day.
C.The number of defective parts per million.
D.The percentage of products passing quality tests the first time.

The Answer B is Correct


The number of parts shipped per day is not a good measure of quality of the product. It relates to the
quantity of products shipped.

A.Incorrect. This choice is a good measure of product quality.
C.Incorrect. This choice is a good measure of product quality.
D.Incorrect. This choice is a good measure of product quality.

146.Prior to finalizing an outsourcing arrangement for a business process or function,
management should perform which of the following first?

A.Risk and result analysis
B.In-source versus outsource analysis
C.Competence and cost analysis
D.Contract-or-service analysis

The Answer B is Correct


From an economics point of view, management should first perform an in-source versus outsource
analysis to determine whether the planned outsourcing arrangement for a business process or function
can be performed internally more efficiently, effectively, and economically than the outsourced
vendors. The scope of in-source versus outsource analysis includes functional need requirements, skills
requirements and their availability, opportunity costs of outsourcing, incremental costs and revenues
for internal work and external work, potential risks and opportunities of outsourcing, and
legal/regulatory requirements and methods needed to comply with legal/regulatory requirements
internally or externally.

A.Incorrect. Risk and result analysis can be part of or separate from the in-source versus outsource
analysis.
C.Incorrect. Competence and cost analysis can be part of or separate from the in-source versus
outsource analysis.
D.Incorrect. Contract-or-service analysis can be part of or separate from the in-source versus outsource
analysis.

147.Which of the following statements is not true about the benefits of outsourcing a business
process or function?

A.It improves performance of systems and employees.
B.It reduces operating costs and capital investments.
C.It reduces control over outside vendors.
D.It prevents a firm from hiring additional employees to meet temporary needs.

The Answer C is Correct


This choice is not a true statement about the benefits of outsourcing. Many organizations turn to
outsourcing to improve performance (system and people) and to reduce operating costs. On a positive
note, outsourcing offers solutions when there is a shortage of in-house skills, when a high-risk and
high-overhead project needs to be managed, and when there is an unacceptable lead time to complete a
project using company personnel.
The benefits from outsourcing usually focus on performance improvements and/or cost reduction.
Another benefit is that it allows internal management to focus time and resources more to the core
business and the company's future. Outsourcing enables a firm to avoid hiring additional employees to
meet temporary needs. However, outsourcing does not mean surrendering control and internal
management responsibility of subcontracted functions and projects to outside vendors.

A.Incorrect. This choice is a true statement about the benefits of outsourcing.
B.Incorrect. This choice is a true statement about the benefits of outsourcing.
D.Incorrect. This choice is a true statement about the benefits of outsourcing.

148.Which of the following service-level metrics are more reasonable and practical for an
outsourced vendor than for a non-outsourced vendor?

A.Absolute numbers
B.Rolling numbers
C.Range of numbers
D.Average numbers

The Answer C is Correct


Service-level metrics (e.g., number of system user complaints received for each application system)
cannot be absolute numbers, rolling numbers, or average numbers because actual performance
measurements can vary based on the peak and nonpeak times. So a range of numbers (i.e., minimum to
maximum numbers) is more meaningful than a single number because it captures both the low (nonpeak)
and high (peak) numbers.

A.Incorrect. Absolute numbers do not show low (nonpeak) and high (peak) performance.
B.Incorrect. Rolling numbers do not show low (nonpeak) and high (peak) performance.
D.Incorrect. Average numbers do not show low (nonpeak) and high (peak) performance.

149.In a global outsourcing environment, which of the following selection factors for an
outsourced vendor does not matter that much?

A.Attitudes of a vendor's personnel
B.Reputation of a vendor
C.Knowledge, skills, and abilities of a vendor
D.Proximity of a vendor

The Answer D is Correct


In a global outsourcing environment, potential vendors can come from anywhere in the world.
Proximity of a vendor (local or global) to a user organization does not matter that much. It is the least
important selection factor.

A.Incorrect. This choice does matter in selecting an outsourced vendor.
B.Incorrect. This choice does matter in selecting an outsourced vendor.
C.Incorrect. This choice does matter in selecting an outsourced vendor.

150.In a global outsourcing environment, which of the following should be in place by an
outsourced vendor in order to succeed?

A.Project governance
B.Vendor governance
C.Customer governance
D.Service governance

The Answer B is Correct


Vendor governance requires a vendor to establish written policies, procedures, standards, and
guidelines regarding how to deal with its customers or clients in a professional and businesslike manner.
It also requires establishing an oversight mechanism and implementing best practices in the industry.

A.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective, project
governance is a part of vendor governance.
C.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective,
customer governance is a part of vendor governance.
D.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective, service
governance is a part of vendor governance.

151.Which of the following scope items for an outsourced vendor takes on a significant dimension
in a supply-chain environment?

A.Liabilities and guarantees
B.Well-defined service levels
C.Licensing of services and products
D.Changes to terms and conditions of services

The Answer A is Correct


In a supply-chain environment, there could be several suppliers and integrators in developing or
delivering a specific product or service to a user customer or client. So, liabilities and guarantees take
on a significant dimension in order to pin down each party's roles, responsibilities, liabilities,
guarantees, and remedies to problems encountered.

B.Incorrect. This choice is important, not significant.
C.Incorrect. This choice is important, not significant.
D.Incorrect. This choice is important, not significant.

152.Which of the following is required to periodically monitor an outsourced vendor's
contractual agreements?

A.Due diligence review
B.Independent audit
C.Statement of work
D.Rules of engagement

The Answer B is Correct


An independent audit by a third party, who is fully independent of the outsourced vendor and the user
organization, is required to periodically monitor the outsourced vendor's contractual agreement and
performance. The audit should focus on operational systems and functions of the external service
provider.

A.Incorrect. Due diligence review comes before the independent audit.
C.Incorrect. The statement of work comes before the independent audit.
D.Incorrect. The rules of engagement come before the independent audit.

153.Which of the following involves identifying, studying, and building on the best practices of
other organizations?

A.Kaizen
B.Benchmarking
C.Plan, do, check, and act cycle
D.Total quality management

The Answer B is Correct


Benchmarking is identifying, studying, and building on the best practices of other organizations.
Benchmarking establishes standards that provide feed-forward control by warning people when they
deviate from standards.

A.Incorrect. Kaizen is continuous improvement.
C.Incorrect. The plan, do, check, and act (PDCA) cycle, called the Shewhart cycle in quality, was later
modified by Deming to be the plan, do, study, and act (PDSA) cycle.
D.Incorrect. Total quality management (TQM) is a management philosophy about the quality of
products and services.

154.Which of the following is true of benchmarking?

A.It is typically accomplished by comparing an organization's performance with the performance of its
closest competitors.
B.It can be performed using either qualitative or quantitative comparisons.
C.It is normally limited to manufacturing operations and production processes.
D.It is accomplished by comparing an organization's performance to that of best-performing
organizations.

The Answer D is Correct

Benchmarking is accomplished by comparing an organization's performance to that of best-performing
organizations.

A.Incorrect. Benchmarking involves a comparison against industry leaders or world-class operations.
Benchmarking either uses industry-wide figures (to protect the confidentiality of information provided
by participating organizations) or figures from cooperating organizations.
B.Incorrect. Benchmarking requires measurements, which involve quantitative comparisons.
C.Incorrect. Benchmarking can be applied to all functional areas in a company whether it is
manufacturing or service. Production processes in manufacturing are industry-specific activities. On
the other hand, processing a customer order and paying an invoice to a vendor are common activities
among industries. Regardless of common or specific activities, benchmarking provides a greater
opportunity to improve by learning from global companies.

155.Which of the following is an example of an internal nonfinancial benchmark?

A.The labor rate of comparably skilled employees at a major competitor's plant.
B.The average actual cost per pound of a specific product at the company's most efficient plant
becomes the benchmark for the company's other plants.
C.The company setting a benchmark of $50,000 for employee training programs at each of the
company's plants.
D.The percentage of customer orders delivered on time at the company's most efficient plant becomes
the benchmark for the company's other plants.

The Answer D is Correct


This is an example of an internal nonfinancial benchmark.

A.Incorrect. This choice is an example of an external financial benchmark.
B.Incorrect. This choice is an example of an internal financial benchmark.
C.Incorrect. This choice is an example of an internal operational benchmark.

156.A company that has many branch stores has decided to benchmark one store for the purpose
of analyzing the accuracy and reliability of branch store financial reporting. Which one of the
following is the most likely measure to be included in a financial benchmark?

A.High turnover of employees
B.High level of employee participation in setting budgets
C.High amount of bad debt write-offs
D.High number of suppliers

The Answer C is Correct


A high amount of bad debt write-offs could indicate fraud and the compromising of financial report
accuracy and reliability.

A.Incorrect. A high turnover of employees may indicate a morale problem but not necessarily a
problem with the accuracy and reliability of financial reports.
B.Incorrect. A high level of employee participation in budget setting is an example of decentralization
and would not necessarily impact the accuracy and reliability of financial reports.
D.Incorrect. A high number of suppliers would not necessarily indicate a problem with the accuracy
and reliability of financial reports.

157.Which of the following can reflect the effectiveness of a firm's human resource department?

A.The ratio of total hiring costs to the total number of hires.
B.The elapsed time between the number of employees hired and the number of employees retired is
within the established time ranges.
C.A comparison of the average number of days from the date the approved vacant position requisition
is received until the date the new hire starts work.
D.The ratio of the number of job offers accepted to the number of job offers extended.

The Answer B is Correct

Effectiveness measures the degree to which a predetermined objective is met (i.e., established time
ranges).

A.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).
C.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).
D.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).

158.A new, midsize manufacturing company in a small town was fined heavily for unknowingly
polluting the nearby drinking water system with harmful chemicals that leaked from its
manufacturing plant. What, if anything, could this company have done to prevent such heavy
fines, which it cannot afford to pay?

A.Conduct business impact analysis.
B.Conduct environmental impact analysis.
C.Conduct sustainability impact analysis.
D.Conduct survivability impact analysis.

The Answer B is Correct


Conducting environmental impact analysis requires performing a risk assessment exercise. It includes
three steps: (1) Identify all environmental concerns faced by the company; (2) Categorize these
concerns into high risk (high impact), moderate risk (medium impact), or low risk (low impact); and (3)
Direct financial resources to those concerns that pose the greatest potential threat to the company's
long-term existence.

A.Incorrect. Conducting business impact analysis is not directly applicable here because its scope is too
broad and includes studying products, services, sales, costs, and profits.
C.Incorrect. Conducting sustainability impact analysis is not directly applicable here because it focuses
on whether a company can survive or die over a long period.
D.Incorrect. Conducting survivability impact analysis is not directly applicable here because it is a part
of sustainability impact analysis.

159.The balanced scorecard system is a(n):

A.Internal control system.
B.Accounting control system.
C.Management control system.
D.Operational control system.

The Answer C is Correct


The balanced scorecard system is a comprehensive management control system (an umbrella system)
that balances traditional financial measures (e.g., internal and accounting control) with nonfinancial
measures (e.g., operational control) relating to a company's critical success factors.

A.Incorrect. An internal control system is a part of a management control system.
B.Incorrect. An accounting control system is a part of a management control system.
D.Incorrect. An operational control system is a part of a management control system.

160.Which of the following is the heart of a balanced scorecard system?

A.Strategic management system
B.Tactical management system
C.Functional management system
D.Operational management system

The Answer A is Correct


The balanced scorecard system started as a management control system but is now becoming a
strategic management system because of its importance to a company's overall progress in terms of
long-term value, vision, and strategy.

B.Incorrect. A tactical management system supports the strategic management system.
C.Incorrect. A functional management system supports the strategic management system.
D.Incorrect. An operational management system supports the strategic management system.

161.The balanced scorecard system reflects which of the following?

I. Lag indicators
II. Lead indicators
III. Financial indicators
IV. Nonfinancial indicators

A.I and II
B.II and III
C.III and IV
D.I, II, III, and IV

The Answer D is Correct


Financial measures are lag indicators focusing on past actions and promoting short-term behavior.
Companies also need lead indicators focusing on value creators or drivers, promoting long-term
behavior, and equally emphasizing nonfinancial measures such as quality and service. Examples of
financial indicators include return on assets, net income after taxes, and return on equity.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

162.Which of the following is not a perspective of the balanced scorecard approach?

A.Timeliness
B.Productivity
C.Efficiency
D.Quantity

The Answer D is Correct


The four perspectives of the balanced scorecard approach include measures of quality, productivity,
efficiency and timeliness, and marketing success. Quantity is not one of the perspectives.

A.Incorrect. This choice is a valid perspective of the balanced scorecard approach.
B.Incorrect. This choice is a valid perspective of the balanced scorecard approach.
C.Incorrect. This choice is a valid perspective of the balanced scorecard approach.

163.The balanced scorecard approach does not require looking at performance from which of the
following perspectives?

A.Financial
B.Competitor
C.Customer
D.Internal business processes

The Answer B is Correct


The balanced scorecard approach requires looking at performance from four different but related
perspectives: financial, customer, internal business processes, and learning and growth. The scorecard
does not require a competitor's perspective.

A.Incorrect. This choice is a required perspective.
C.Incorrect. This choice is a required perspective.
D.Incorrect. This choice is a required perspective.

164.All of the following are critical success factors under the customer perspective of the
balanced scorecard approach except:

A.Increasing customer service.
B.Reducing prices.
C.Increasing quality.
D.Reducing delivery time.

The Answer B is Correct


This choice is not a critical success factor. Reducing prices has a temporary effect while the other three
choices have a permanent effect on customers. The number of product or service warranty claims filed,
number of returned products, customer response time, and percentage of on-time deliveries are also
critical success factors.

A.Incorrect. This choice is a critical success factor.
C.Incorrect. This choice is a critical success factor.
D.Incorrect. This choice is a critical success factor.

165.Which of the following perspectives of the balanced scorecard deal with objectives across a
company's entire value chain?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer C is Correct


The value chain of a company includes all activities from research and development to post-sale
customer service and everything in between. The scope of internal business processes also includes
improving quality throughout the production process, increasing productivity, increasing efficiency of
resources, and timeliness of information.

A.Incorrect. The financial perspective focuses on only one activity – finance, which does not address
the entire value chain consisting of several activities.
B.Incorrect. The customer perspective focuses on only one activity – customer, which does not address
the entire value chain consisting of several activities.
D.Incorrect. The learning and growth perspective focuses on only one activity – learning and growth,
which does not address the entire value chain consisting of several activities.

166.Which of the following perspectives of the balanced scorecard deal with objectives of
increasing market share and penetrating into new markets?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer B is Correct


The customer perspective deals with taking care of customer interests as well as acquiring and retaining
more customers. This includes increasing market share and entering into new markets.

A.Incorrect. The financial perspective does not directly deal with increasing market share and
penetrating into new markets.
C.Incorrect. The internal business processes perspective does not directly deal with increasing market
share and penetrating into new markets.
D.Incorrect. The learning and growth perspective does not directly deal with increasing market share
and penetrating into new markets.

167.Which of the following perspectives of the balanced scorecard deal with the objectives of
product improvement?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer D is Correct


The learning and growth perspective deals with product improvement and innovation, information systems
capabilities, efficient and effective use of employees, and overall company growth.

A.Incorrect. The financial perspective does not directly deal with the objectives of product
improvement.
B.Incorrect. The customer perspective does not directly deal with the objectives of product
improvement.
C.Incorrect. The internal business processes perspective does not directly deal with the objectives of
product improvement.

168.Which of the following items represent nonfinancial measures under the balanced scorecard
approach?
I. Costs
II. Sales margins
III. Quality
IV. Customer service

A.III only
B.IV only
C.I and II
D.III and IV

The Answer D is Correct


The balanced scorecard approach integrates financial and nonfinancial performance measures of a
company. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.

A.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.
B.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.
C.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.

169.Which of the following statements is not true about nonfinancial measures of performance
under the balanced scorecard approach?

A.At times quality may be more important than cost.
B.At times timeliness may be more important than meeting budget.
C.At times customer service may be more important than financial returns.
D.At times traditional measures may be more important than nontraditional measures.

The Answer D is Correct


This choice is not a true statement. Traditional measures are basically financial and are not adequate to
fully assess the total performance of companies. Traditional measures mainly deal with historical
accounting and financial data (e.g., return on investment) and cannot answer nontraditional measures
(e.g., customer satisfaction, quality improvement, productivity, efficient utilization of resources,
employee morale, and employee satisfaction). Both traditional and nontraditional measures are
important.

A.Incorrect. This choice is a true statement about nonfinancial measures.
B.Incorrect. This choice is a true statement about nonfinancial measures.
C.Incorrect. This choice is a true statement about nonfinancial measures.

170.Which of the following perspectives of the balanced scorecard deal with the objective of
shortening the time to market a new product?

A.Financial
B.Customer
C.Internal business processes
D.Learning and growth

The Answer D is Correct


Time to market a new product is a marketing metric and is a part of the learning and growth
perspective of the balanced scorecard. This metric should be shorter to gain entry into a market faster.

A.Incorrect. The financial perspective does not directly deal with the objective of shortening the
time-to-market metric.
B.Incorrect. The customer perspective does not directly deal with the objective of shortening the
time-to-market metric.
C.Incorrect. The internal business processes perspective does not directly deal with the objective of
shortening the time-to-market metric.

171.All of the following are examples of customer-performance scorecard measures except:

A.Lost customers.
B.Dissatisfied customers.
C.Product or service quality.
D.Machine downtime.

The Answer D is Correct


Machine downtime, rework time, and plant waste are examples of production-performance scorecard
measures.

A.Incorrect. Examples of customer-performance scorecard measures include customers (new,
dissatisfied, satisfied, or lost); target market awareness or preference; relative product or service quality;
and on-time delivery.
B.Incorrect. Examples of customer-performance scorecard measures include customers (new,
dissatisfied, satisfied, or lost); target market awareness or preference; relative product or service quality;
and on-time delivery.
C.Incorrect. Examples of customer-performance scorecard measures include customers (new,
dissatisfied, satisfied, or lost); target market awareness or preference; relative product or service quality;
and on-time delivery.

172.Which of the following balanced scorecard measures is difficult to identify and implement?

A.Market-based performance scorecard.
B.Production-based performance scorecard.
C.Stakeholder-based performance scorecard.
D.Human resource–based performance scorecard.

The Answer C is Correct


The stakeholder-based performance scorecard measures are difficult to identify and implement because
stakeholders are external to a corporation. The difficulties include: (1) dealing with so many diverse
constituents (shareholders, employees, unions, governments, investors, creditors, bankers, distributors,
wholesalers, retailers, suppliers and vendors); (2) reaching them on a day-to-day basis; (3)
communicating with them periodically; (4) coordinating with them; and (5) reaching conclusions on
issues due to their diverging viewpoints and conflicting objectives.

A.Incorrect. The market-based performance scorecard measure is relatively easy to identify and
implement because the marketing function is internal to a corporation.
B.Incorrect. The production-based performance scorecard measure is relatively easy to identify and
implement because the production function is internal to a corporation.
D.Incorrect. The human resource–based performance scorecard measure is relatively easy to identify
and implement because the human resource function is internal to a corporation.

173.A good balanced scorecard system contains which of the following?

I. Lag measures
II. Lead measures
III. Interlinking measures
IV. Interrelationship digraph

A.I and II
B.III and IV
C.I, II, and III
D.I, II, III, and IV

The Answer C is Correct


A good balanced scorecard system contains lag measures, lead measures, and interlinking measures.
Financial measures are lag indicators focusing on past actions and promoting short-term behavior.
Companies also need lead indicators focusing on value creators or drivers, promoting long-term
behavior, and emphasizing nonfinancial measures such as quality and service. A good balanced
scorecard contains both leading and lagging measures and links them through logical cause-and-effect
relationships. Interlinking measure is the quantitative modeling of cause-and-effect relationships
between internal and external performance measures.

A.Incorrect. This is a partial answer (i.e., lag measures and lead measures only).
B.Incorrect. This choice contains both valid answers (i.e., interlinking measures) and invalid answers
(i.e., interrelationship digraph).
An interrelationship digraph identifies and explores causal relationships among related concepts or
ideas. It shows that every idea can be logically linked with more than one other idea at a time and
allows for lateral thinking rather than linear thinking. The graph is used after the affinity diagram has
clarified issues and problems.
D.Incorrect. This choice contains both valid answers (i.e., lead measures, lag measures, and
interlinking measures) and invalid answers (i.e., interrelationship digraph).
An interrelationship digraph identifies and explores causal relationships among related concepts or
ideas. It shows that every idea can be logically linked with more than one other idea at a time and
allows for lateral thinking rather than linear thinking. The graph is used after the affinity diagram has
clarified issues and problems.

174.When a customer presents her credit card with a smart chip and a personal identification
number (PIN) to pay for merchandise purchases at a retail store, she is using a:

A.Zero-factor authentication.
B.Single-factor authentication.
C.Two-factor authentication.
D.Three-factor authentication.

The Answer C is Correct


The credit card with a smart chip is one factor and the PIN is the second factor. Hence, it is a
two-factor authentication.

A.Incorrect. There is evidence that authentication factors are used: the card with chip and the PIN.
B.Incorrect. There is evidence of more than one authentication factor: the card with chip and the
PIN.
D.Incorrect. Only two authentication factors are used; the card with chip is one factor and the PIN
is the second factor.

175.In electronic authentication, using one token to gain access to a second token is called a:

A.Single-token, multifactor scheme.
B.Single-token, single-factor scheme.
C.Multitoken, multifactor scheme.
D.Multistage authentication scheme.

The Answer B is Correct


Using one token to gain access to a second token is considered a single-token and a single-factor
scheme because all that is needed to gain access is the initial token. Therefore, when this scheme is
used, the compound solution is only as strong as the token with the lowest assurance level.

A.Incorrect. This choice is not applicable because multifactor scheme is not used.
C.Incorrect. This choice is not applicable because a multitoken and multifactor scheme is not used.
D.Incorrect. This choice is not applicable because a multistage authentication scheme is not used.

176.Token duplication is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the token duplication threat?

A.Use tokens that generate high-entropy authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer B is Correct


In token duplication, the subscriber's token is copied with or without the subscriber's knowledge. A
countermeasure is to use hardware cryptographic tokens that are difficult to duplicate. Physical security
mechanisms can also be used to protect a stolen token from duplication because they provide tamper
evidence, detection, and response capabilities.

A.Incorrect. This choice cannot handle a duplicate token problem.
C.Incorrect. This choice cannot handle a duplicate token problem.
D.Incorrect. This choice cannot handle a duplicate token problem.

177.Eavesdropping is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the eavesdropping threat?

A.Use tokens that generate high-entropy authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer C is Correct


A countermeasure to mitigate the eavesdropping threat is to use tokens with dynamic authenticators
where knowledge of one authenticator does not help in deriving a subsequent authenticator.

A.Incorrect. This choice cannot provide dynamic authentication. Entropy is a measure of the amount of
uncertainty that an attacker faces to determine the value of a secret.
B.Incorrect. This choice cannot provide dynamic authentication.
D.Incorrect. This choice cannot provide dynamic authentication.

178.Identifier management is applicable to which of the following accounts?

A.Group accounts
B.Local user accounts
C.Guest accounts
D.Anonymous accounts

The Answer B is Correct


All users accessing an organization's information systems must be uniquely identified and
authenticated. Identifier management is applicable to local user accounts where the account is valid
only on a local computer and its identity can be traced to an individual.
A.Incorrect. Identifier management is not applicable to shared information system accounts, such as
group, guest, default, blank, anonymous, and nonspecific user accounts.
C.Incorrect. Identifier management is not applicable to shared information system accounts, such as
group, guest, default, blank, anonymous, and nonspecific user accounts.
D.Incorrect. Identifier management is not applicable to shared information system accounts, such as
group, guest, default, blank, anonymous, and nonspecific user accounts.

179.Phishing or pharming is a threat to the tokens used for electronic authentication. Which of
the following is a countermeasure to mitigate the phishing or pharming threat?

A.Use tokens that generate highly robust authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer C is Correct


A countermeasure to mitigate the phishing or pharming threat is to use tokens with dynamic
authenticators where knowledge of one authenticator does not assist in deriving a subsequent
authenticator.
Phishing is tricking individuals into disclosing sensitive personal information through deceptive
computer-based means. Phishing attacks use social engineering and technical subterfuge to steal
consumers’ personal identity data and financial account credentials. It involves internet fraudsters who
send spam or pop-up messages to gain personal information (e.g., credit card numbers, bank account
information, social security numbers, passwords, or other sensitive information) from unsuspecting
victims.
Pharming is misdirecting users to fraudulent websites or proxy servers, typically through DNS (domain
name system) hijacking or cache poisoning, so that even a correctly typed address resolves to the
attacker's site.

A.Incorrect. This choice cannot provide dynamic authentication.
B.Incorrect. This choice cannot provide dynamic authentication.
D.Incorrect. This choice cannot provide dynamic authentication.

180.Theft is a threat to the tokens used for electronic authentication. Which of the following is a
countermeasure to mitigate the theft threat?

A.Use tokens that generate highly robust authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer D is Correct


A countermeasure to mitigate the threat of token theft is to use multifactor tokens that need to be
activated through a personal identification number or biometric.

A.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.
B.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.
C.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.

181.Social engineering is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the social engineering threat?

A.Use tokens that generate highly robust authenticators.
B.Use hardware cryptographic tokens.
C.Use tokens with dynamic authenticators.
D.Use multifactor tokens.

The Answer C is Correct


A countermeasure to mitigate the social engineering threat is to use tokens with dynamic authenticators
where knowledge of one authenticator does not assist in deriving a subsequent authenticator.
A.Incorrect. This choice cannot provide dynamic authentication.
B.Incorrect. This choice cannot provide dynamic authentication.
D.Incorrect. This choice cannot provide dynamic authentication.

182.Authorization controls are a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Authorization controls, such as access control matrices and capability tests, are a part of preventive
controls because they block unauthorized access. Preventive controls deter security incidents from
happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

183.Serious vulnerabilities exist when:

A.An untrusted individual has been granted unauthorized access to a system.
B.A trusted individual has been granted authorized access to a system.
C.An untrusted individual has been granted authorized access to a system.
D.A trusted individual has been granted unauthorized access to a system

The Answer A is Correct


Serious vulnerabilities typically result when an untrusted individual is granted unauthorized access
to a system, because both safeguards have failed at once: the person has not been vetted, and the
access was never approved, so it is neither scoped nor reviewed. Of the two attributes, an
unauthorized grant is riskier than an authorized one, and an untrusted individual is riskier than a
trusted one. Both trust and authorization are important to minimize vulnerabilities.

B.Incorrect. A trusted individual with authorized access is the intended, least risky case.
C.Incorrect. The access was authorized, so it was approved and can be scoped and monitored, even
though the individual is untrusted.
D.Incorrect. The individual is trusted, which lowers the risk even though the unauthorized grant
still needs to be corrected.

184.From an access control point of view, separation of duty is not related to which of the
following?

A.Safety
B.Reliability
C.Fraud
D.Security

The Answer B is Correct


Computer systems must be designed and developed with security, fraud, and safety in mind because
unsecure and unsafe systems can cause injury to people and damage to assets (e.g., military and airline
systems). With separation of duty (SOD), fraud can be minimized when sensitive tasks are separated
from each other (e.g., signing a check from requesting a check). Reliability is more of an engineering
term in that a computer system is expected to perform with the required precision on a consistent basis.
SOD deals with people and their work-related actions, which are not precise and consistent.

A.Incorrect. Computer systems must be designed and developed with safety in mind because unsecure
and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems).
C.Incorrect. Computer systems must be designed and developed with fraud in mind because unsecure
and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems).
D.Incorrect. Computer systems must be designed and developed with security in mind because
unsecure and unsafe systems can cause injury to people and damage to assets (e.g., military and airline
systems).

185.Which of the following access authorization policies applies when an organization has a list
of software not authorized to execute on an information system?

A.Deny all, permit by exception
B.Allow all, deny by exception
C.Allow all, deny by default
D.Deny all, accept by permission

The Answer B is Correct


A list of software that is not authorized to execute is a denylist (blacklist), and a denylist is
enforced with an allow-all, deny-by-exception policy: every program may run except those on the
list. The reverse pairing is an allowlist (whitelist) of software that is authorized to execute,
enforced with a deny-all, permit-by-exception policy: nothing runs unless it is on the list, so
unknown software fails closed. This is the distinction NIST SP 800-53 draws between its two CM-7
control enhancements for unauthorized and authorized software. The allowlist pairing is the stronger
control, but it is not the one that matches a list of unauthorized software.

A.Incorrect. Deny all, permit by exception is the policy that enforces a list of authorized software
(an allowlist), not a list of unauthorized software. Applied to a list of unauthorized software, it
would permit exactly the programs that should be blocked.
C.Incorrect. "Allow all, deny by default" is self-contradictory and is not a recognized access
authorization policy.
D.Incorrect. "Deny all, accept by permission" is not a recognized access authorization policy.
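
As an added example, not taken from the question bank or from NIST, the following Python puts the two pairings side by side and shows why the pairing matters: the same list evaluated under the wrong policy inverts the intent, and an allowlist fails closed for software nobody has seen before while a denylist fails open. The program names and both lists are constructed for illustration.

```python
from enum import Enum


class Policy(Enum):
    # Nothing may run unless it is on the list: the list names AUTHORIZED software (allowlist).
    DENY_ALL_PERMIT_BY_EXCEPTION = "allowlist"
    # Everything may run unless it is on the list: the list names UNAUTHORIZED software (denylist).
    ALLOW_ALL_DENY_BY_EXCEPTION = "denylist"


def may_execute(program: str, listed: frozenset[str], policy: Policy) -> bool:
    """Decide whether `program` may run, given a list and the policy that list is meant for."""
    if policy is Policy.DENY_ALL_PERMIT_BY_EXCEPTION:
        return program in listed       # the exception is what gets permitted
    return program not in listed       # the exception is what gets denied


# Constructed lists for the example.
AUTHORIZED = frozenset({"wordproc.exe", "spreadsheet.exe", "mailclient.exe"})
UNAUTHORIZED = frozenset({"keylogger.exe", "cracktool.exe"})


def decisions(program: str) -> dict[str, bool]:
    """The same program under the two correct pairings and under a mismatched one."""
    return {
        # List of authorized software enforced with deny-all, permit-by-exception.
        "allowlist_correct": may_execute(
            program, AUTHORIZED, Policy.DENY_ALL_PERMIT_BY_EXCEPTION),
        # List of unauthorized software enforced with allow-all, deny-by-exception.
        "denylist_correct": may_execute(
            program, UNAUTHORIZED, Policy.ALLOW_ALL_DENY_BY_EXCEPTION),
        # Applying deny-all, permit-by-exception to the list of UNAUTHORIZED software
        # inverts the intent: the banned programs become the only ones permitted.
        "denylist_mismatched": may_execute(
            program, UNAUTHORIZED, Policy.DENY_ALL_PERMIT_BY_EXCEPTION),
    }
```

The "newtool.exe" case in the test is the practical argument for allowlisting: a denylist can only block what someone has already identified as bad, so anything new (including a renamed copy of a banned tool) runs by default.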

186.Encryption is a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Encryption prevents unauthorized access and protects data and programs when they are in storage (at
rest) or in transit. Preventive controls deter security incidents from happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

187.Which of the following are needed when it is difficult to enforce normal security policies,
procedures, and rules?
i. Compensating controls
ii. Close supervision
iii. Team review of work
iv. Peer review of work

A.I only
B.II only
C.I and II
D.I, II, III, and IV

The Answer D is Correct


When the enforcement of normal security policies, procedures, and rules is difficult, enforcement takes
on a different dimension from that of requiring contracts, separation of duties, and system access
controls. Under these situations, compensating controls in the form of close supervision, followed by
peer and team review of quality of work, are needed.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
C.Incorrect. This is a partial answer.

188.Host and application system hardening procedures are a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Host and application system hardening procedures are a part of preventive controls, as they include
antivirus software, firewalls, and user account management. Preventive controls deter security
incidents from happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

189.Which of the following authentication techniques is appropriate for accessing nonsensitive
information technology (IT) assets with multiple uses of the same authentication factor?

A.Single-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Multifactor authentication

The Answer A is Correct


Multiple uses of the same authentication factor (e.g., using the same password more than once) is
appropriate for accessing nonsensitive IT assets and is known as single-factor authentication.

B.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.
C.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.
D.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.

190.From an access control effectiveness viewpoint, which of the following represents biometric
verification when a user submits a combination of a personal identification number (PIN) first
and biometric sample next for authentication?

A.One-to-one matching
B.One-to-many matching
C.Many-to-one matching
D.Many-to-many matching

The Answer A is Correct


This combination of authentication represents something that you know (PIN) and something that you
are (biometric). At the authentication system prompt, the user enters the PIN and then submits a
biometric live-captured sample. The system compares the biometric sample to the biometric reference
data associated with the PIN entered, which is a one-to-one matching of biometric verification.

B.Incorrect. This choice does not properly define the statement in the question.
C.Incorrect. This choice does not properly define the statement in the question.
D.Incorrect. This choice does not properly define the statement in the question.
191.From an access control effectiveness viewpoint, which of the following represents biometric
identification when a user submits a combination of a biometric sample first and a personal
identification number (PIN) next for authentication?

A.One-to-one matching
B.One-to-many matching
C.Many-to-one matching
D.Many-to-many matching

The Answer B is Correct


This combination of authentication represents something that you are (biometric) and something that
you know (PIN). The user presents a biometric sample first to the sensor, and the system conducts a
one-to-many matching of biometric identification, comparing the sample against every enrolled
reference template to find the matching identity. The user is then prompted to supply a PIN, which is
checked against the identity the biometric search returned. Biometric identification with one-to-many
matching can result in slow system response times and higher cost because the whole biometric
database, which can be large, must be searched before the PIN is checked.
Biometric verification with one-to-one matching can result in faster response times and can be less
expensive because the PIN, entered first, selects the single reference template to compare against, and
that one comparison is quick.

A.Incorrect. This choice does not properly define the statement in the question.
C.Incorrect. This choice does not properly define the statement in the question.
D.Incorrect. This choice does not properly define the statement in the question.
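
The following Python is an added example that is not part of the original text. It contrasts the two flows from questions 190 and 191 over a toy enrollment store: 16-bit bit-string templates matched by Hamming distance stand in for real biometric feature comparison, and the PINs, templates and match threshold are constructed for illustration. It makes the cost point concrete: verification performs one comparison selected by the PIN, while identification must compare the live sample against every enrolled template before the PIN can be checked, and may return no match at all.

```python
from typing import Optional

# Constructed enrollment database: PIN -> 16-bit biometric reference template.
TEMPLATES: dict[str, int] = {
    "1234": 0b1010110011010011,
    "5678": 0b0110101100110101,
    "9012": 0b1111000011110000,
}
MATCH_THRESHOLD = 3   # assumed: maximum differing bits for a live sample to match


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def verify(pin: str, sample: int) -> tuple[bool, int]:
    """1:1 verification (PIN first, question 190): the PIN selects one reference template.
    Returns (matched, number_of_template_comparisons)."""
    ref = TEMPLATES.get(pin)
    if ref is None:
        return False, 0
    return hamming(ref, sample) <= MATCH_THRESHOLD, 1


def identify(sample: int) -> tuple[Optional[str], int]:
    """1:N identification (biometric first, question 191): scan every enrolled template
    and return the closest one within threshold. Returns (pin_or_None, comparisons)."""
    best_pin, best_dist, comparisons = None, None, 0
    for pin, ref in TEMPLATES.items():
        comparisons += 1                       # cost grows with the enrolled population
        d = hamming(ref, sample)
        if d <= MATCH_THRESHOLD and (best_dist is None or d < best_dist):
            best_pin, best_dist = pin, d
    return best_pin, comparisons


def biometric_then_pin(sample: int, pin: str) -> tuple[bool, int]:
    """Identification flow: the biometric picks a candidate identity, then the PIN
    entered afterwards must agree with that candidate."""
    found, comparisons = identify(sample)
    return found is not None and found == pin, comparisons
```

Note that the 1:N search also has to decide what to do when several templates fall inside the threshold; the closest-match rule above is one simple policy, and the PIN check afterwards is what turns an ambiguous search into a definite decision.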

192.From an access control effectiveness viewpoint, which of the following is represented when a
user submits a combination of a hardware token and a personal identification number (PIN) for
authentication?
I. A weak form of two-factor authentication
II. A strong form of two-factor authentication
III. Supports physical access
IV. Supports logical access

A.I only
B.II only
C.I and III
D.II and IV

The Answer C is Correct


This combination represents something that you have (i.e., hardware token) and something that you
know (i.e., PIN). The hardware token can be lost or stolen. Therefore, this is a weak form of two-factor
authentication that can be used to support unattended access controls for physical access only.

A.Incorrect. This is a partial answer.
B.Incorrect. This is not true.
D.Incorrect. Logical access controls are software based and as such do not support a hardware token.

193.A combination of something you have (one time), something you have (second time), and
something you know is used to represent which of the following personal authentication proofing
schemes?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer B is Correct


Use of the same factor multiple times (i.e., something you have is used two times) results in one-factor
authentication. When this is combined with something you know, it results in a two-factor
authentication scheme.
A.Incorrect. This choice is not applicable because two factors are used.
C.Incorrect. This choice is not applicable because two factors are used.
D.Incorrect. This choice is not applicable because two factors are used.

194.Remote access controls are a part of which of the following?

A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls

The Answer B is Correct


Remote access controls are a part of preventive controls, as they include Internet Protocol (IP) packet
filtering by border routers and firewalls using access control lists. Preventive controls deter security
incidents from happening in the first place.

A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.

195.What is using two different passwords for accessing two different systems in the same session
called?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer A is Correct


Two different passwords are two proofs of the same type, something you know. The factor count is
the number of distinct types of proof presented, not the number of proofs, so this is one-factor
(single-factor) authentication; the same rule makes a password plus a PIN one factor in question 197
and two "something you have" items one factor in question 193. Requiring a second, different
password for the second system is still better than reusing one password for both, because
compromising one password no longer opens both systems, but it adds a second barrier of the same
kind rather than a second factor. A second factor would be a different type of proof, such as a
hardware token (something you have) or a biometric (something you are).

B.Incorrect. Two passwords are two instances of one factor (something you know), not two factors.
C.Incorrect. Only one type of proof is presented.
D.Incorrect. Only one type of proof is presented.

196.What is using a personal identity card with attended access (e.g., a security guard) and a
personal identification number (PIN) called?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer B is Correct


On the surface, this situation may seem to be three-factor authentication, but in reality it is two-factor
authentication, because only a card (proof of one factor, something you have) and a PIN (proof of a
second factor, something you know) are used. The attended access is not a third factor: the security
guard checks the validity of the card and so is part of the card check rather than a separate proof. Note
that it is not the strongest form of two-factor authentication because it relies on attended access. Other
examples of attended access include peers, colleagues, and supervisors who will vouch for the identity
of a visitor who is accessing physical facilities.
A.Incorrect. This choice is not applicable because two factors are used.
C.Incorrect. This choice is not applicable because two factors are used.
D.Incorrect. This choice is not applicable because two factors are used.

197.A truck driver, who is an employee of a defense contractor, transports highly sensitive parts
and components from a defense contractor's manufacturing plant to a military installation at a
highly secure location. The military's receiving department tracks the driver's physical location
to ensure that there are no security problems on the way to the installation. Upon arrival at the
installation, the truck driver shows an employee badge with photo ID issued by the defense
contractor, enters a password and personal identification number (PIN), and presents a
fingerprint for biometric sampling prior to entering the installation and unloading the truck's
contents. What type of authentication is represented in this scenario?

A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication

The Answer D is Correct


Tracking the driver's physical location (perhaps with GPS or a wireless sensor network) is an example
of somewhere you are (proof of first factor). Showing the employee badge with photo ID is
an example of something you have (proof of second factor). Entering a password and PIN is an
example of something you know (proof of third factor). Taking a biometric sample of fingerprint is an
example of something you are (proof of fourth factor). Therefore, this scenario represents four-factor
authentication. The key point is that it does not matter whether the proof presented is one item or more
items in the same category (e.g., somewhere you are, something you have, something you know, and
something you are).

A.Incorrect. This choice is not applicable because four factors are used.
B.Incorrect. This choice is not applicable because four factors are used.
C.Incorrect. This choice is not applicable because four factors are used.
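
As an added example, not from the question bank, the following Python encodes the counting rule applied in questions 174, 189, 193, 196 and 197: the factor count of an authentication is the number of distinct proof categories presented (something you know, something you have, something you are, somewhere you are), no matter how many individual proofs fall into one category. The authenticator names in the lookup table are constructed for illustration; an authenticator the table does not know is rejected rather than silently counted as a new factor.

```python
from collections import Counter

# Constructed lookup: authenticator name -> factor category.
FACTOR_OF = {
    "password": "know", "pin": "know", "passphrase": "know",
    "smart_card": "have", "hardware_token": "have", "photo_badge": "have",
    "fingerprint": "are", "iris": "are", "face": "are",
    "gps_location": "where",
}

LABEL = {1: "one-factor", 2: "two-factor", 3: "three-factor", 4: "four-factor"}


def factor_categories(proofs: list[str]) -> Counter:
    """Count the proofs presented per factor category."""
    unknown = [p for p in proofs if p not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unknown authenticator(s): {unknown}")
    return Counter(FACTOR_OF[p] for p in proofs)


def classify(proofs: list[str]) -> str:
    """Factor count = number of DISTINCT categories, not number of proofs.
    Two passwords, or a password plus a PIN, are still one factor."""
    n = len(factor_categories(proofs))
    if n == 0:
        return "no authentication"
    return LABEL[n]


def is_multistep_single_factor(proofs: list[str]) -> bool:
    """True when several proofs are presented but all fall in one category, the
    situation question 189 calls multiple uses of the same authentication factor."""
    return len(proofs) > 1 and len(factor_categories(proofs)) == 1


def strongest_missing_category(proofs: list[str]) -> list[str]:
    """Categories not yet represented: what a genuine additional factor would have to be."""
    present = set(factor_categories(proofs))
    return sorted({"know", "have", "are", "where"} - present)
```

Run against the scenarios in the questions: the chip card and PIN of question 174 give two factors, the two "something you have" items plus a PIN of question 193 still give two, and the location, badge, password, PIN and fingerprint of question 197 give four, while two passwords give one.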

198.All the following storage encryption authentication products may use the operating system's
authentication for single sign-on except:

A.Full-disk encryption.
B.Volume encryption.
C.Virtual disk encryption.
D.File encryption.

The Answer A is Correct


Products such as volume encryption, virtual disk encryption, or file/folder encryption may use the
operating system's authentication for single sign-on. After a user authenticates to the operating system
at login time, the user can access the encrypted file without further authentication, which is risky. The
same single-factor authenticator should not be used for multiple purposes. Full-disk encryption
provides better security than the other three choices because the entire disk is encrypted, not just part
of it.

B.Incorrect. Volume encryption is the process of encrypting an entire volume, which is a logical unit of
storage comprising a file system, and permitting access to the data on the volume only after proper
authentication is provided.
C.Incorrect. Virtual disk encryption is the process of encrypting a container, which can hold many files
and folders, and permitting access to the data within the container only after proper authentication is
provided. A container is a file encompassing and protecting other files.
D.Incorrect. File encryption is the process of encrypting individual files on a storage medium and
permitting access to the encrypted data only after proper authentication is provided.

199.Which of the following security mechanisms for high-risk storage encryption authentication
products provides protection against authentication-guessing attempts and favors security over
functionality?

A.Alert consecutive failed login attempts.
B.Lock the computer for a specified period of time.
C.Increase the delay between attempts.
D.Delete the protected data from the device.

The Answer D is Correct


For high-security situations, storage encryption authentication products can be configured so that too
many failed attempts cause the product to delete all the protected data from the device. This approach
strongly favors security over functionality.

A.Incorrect. This choice can be used for low-security situations.
B.Incorrect. This choice can be used for low-security situations.
C.Incorrect. This choice can be used for low-security situations.

200.Recovery mechanisms for storage encryption authentication solutions require which of the
following?

A.A trade-off between confidentiality and security
B.A trade-off between integrity and security
C.A trade-off between availability and security
D.A trade-off between accountability and security

The Answer C is Correct


Recovery mechanisms increase the availability of storage encryption authentication solutions for
individual users, but they can also increase the likelihood that an attacker can gain unauthorized access
to encrypted storage by abusing the recovery mechanism. Therefore, information security management
should consider the trade-off between availability and security when selecting and planning recovery
mechanisms.

A.Incorrect. This choice does not provide recovery mechanisms.
B.Incorrect. This choice does not provide recovery mechanisms.
D.Incorrect. This choice does not provide recovery mechanisms.

201.Regarding password management, which of the following enforces password strength
requirements effectively?

A.Educate users on password strength.
B.Run a password cracker program to identify weak passwords.
C.Perform a cracking operation offline.
D.Use a password filter utility program.

The Answer D is Correct


One way to ensure password strength is to add a password filter utility program (also known as a
password complexity enforcement program), which is specifically designed to verify that a password
created by a user complies with the password policy. Adding a password filter is a more rigorous and
proactive solution than without the filter.

A.Incorrect. This choice is a less rigorous and reactive solution.
B.Incorrect. This choice is a less rigorous and reactive solution.
C.Incorrect. This choice is a less rigorous and reactive solution.

202.Which of the following controls over telecommuting use tokens and/or one-time passwords?

A.Firewalls
B.Robust authentication
C.Port protection devices
D.Encryption

The Answer B is Correct


Robust authentication increases security in two significant ways. It can require the user to possess a
token in addition to a password or personal identification number (PIN). Tokens, when used with PINs,
provide significantly more security than passwords. With this type of authentication, a hacker or other
would-be impersonator must have both a valid token and the corresponding PIN. This is much more
difficult than obtaining a valid password and user ID combination. Robust authentication can also
create one-time passwords. Electronic monitoring (eavesdropping or sniffing) or observing a user type
in a password is not a threat with one-time passwords because each time a user is authenticated to the
computer, a different “password” is used. A hacker could learn the one-time password through
electronic monitoring, but it would be of no value.

A.Incorrect. A firewall uses a secure gateway or series of gateways to block or filter access between
two networks, often between a private network and a larger, more public network, such as the internet
or a public-switched network (e.g., the telephone system). A firewall does not use tokens and
passwords as much as robust authentication does.
C.Incorrect. A port protection device (PPD) is connected to a communications port of a host computer
and authorizes access to the port itself, prior to and independent of the computer's own access control
functions. A PPD can be a separate device in the communications stream or may be incorporated into a
communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a
password, to access the communications port. One of the most common PPDs is the dial-back modem.
PPD does not use tokens and passwords as much as robust authentication does.
D.Incorrect. Encryption is more expensive than robust authentication. It is most useful if highly
confidential data needs to be transmitted or if moderately confidential data is transmitted in a
high-threat area. Encryption is most widely used to protect the confidentiality of data and its integrity
(it detects changes to files). Encryption does not use tokens and passwords as much as robust
authentication does.

203.Which of the following statements about an access control system is not true?

A.It is typically enforced by a specific application.
B.It indicates what a specific user could have done.
C.It records failed attempts to perform sensitive actions.
D.It records failed attempts to access restricted data.

The Answer A is Correct


Some applications use access control (typically enforced by the operating system) to restrict access to
certain types of information or application functions. This can be helpful to determine what a particular
application user could have done. Some applications record information related to access control, such
as failed attempts to perform sensitive actions or access restricted data. It is not true that an access
control system is typically enforced by a specific application.

B.Incorrect. This choice is a true statement.
C.Incorrect. This choice is a true statement.
D.Incorrect. This choice is a true statement.

204.Which of the following is not a preventive measure against network intrusion attacks?

A.Firewalls
B.Auditing
C.System configuration
D.Intrusion detection system

The Answer B is Correct


Auditing is a detection activity, not a preventive measure.

A.Incorrect. Firewalls are preventive measures against network intrusion attacks.
C.Incorrect. System configuration is a preventive measure against network intrusion attacks.
D.Incorrect. An intrusion detection system is a preventive measure against network intrusion attacks.

205.Smart card authentication is an example of which of the following?

A.Proof by knowledge
B.Proof by property
C.Proof by possession
D.Proof of concept

The Answer C is Correct


Smart cards are credit card size plastic cards that hold embedded computer chips containing an
operating system, programs, and data. Smart card authentication is perhaps the best-known example of
proof by possession (e.g., key, card, or token).

A.Incorrect. Passwords are examples of proof by knowledge.
B.Incorrect. Fingerprints are examples of proof by property.
D.Incorrect. Proof of concept deals with testing a product prior to developing an actual product.

206.Which of the following is a component that provides a security service for a smart card
application used in a mobile device authentication?

A.Challenge-response protocol
B.Service provider
C.Resource manager
D.Driver for the smart card reader

The Answer A is Correct


The underlying mechanism used to authenticate users via smart cards relies on a challenge-response
protocol between the mobile device and the smart card. For example, a personal digital assistant (PDA)
challenges the smart card for an appropriate and correct response that can be used to verify that the
card is the one originally enrolled by the PDA device owner. The challenge-response protocol provides
a security service.

B.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
C.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
D.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.

207.Which of the following is not a sophisticated technical attack against smart cards?

A.Reverse engineering
B.Fault injection
C.Signal leakage
D.Impersonating

The Answer D is Correct


For user authentication, the fundamental threat is when an attacker impersonates a user and gains
control of the device and its contents. Impersonating is an unsophisticated technical attack.

A.Incorrect. Reverse engineering is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.
B.Incorrect. Fault injection is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.
C.Incorrect. Signal leakage is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.

208.Which of the following is an example of nonpolled authentication?

A.Smart card
B.Password
C.Memory token
D.Communications signal

The Answer B is Correct


Nonpolled authentication is discrete and insecure. After the verdict is determined, it is inviolate until
the next authentication attempt. Examples of nonpolled authentication include password, fingerprint,
and voice verification.

A.Incorrect. A smart card is an example of polled authentication. Polled authentication is continuous
and secure where (1) the presence of some card, token, or signal determines the authentication status
and (2) the absence of some card, token, or signal triggers a nonauthenticated condition.
C.Incorrect. A memory token is an example of polled authentication. Polled authentication is
continuous and secure where (1) the presence of some card, token, or signal determines the
authentication status and (2) the absence of some card, token, or signal triggers a nonauthenticated
condition.
D.Incorrect. A communications signal is an example of polled authentication. Polled authentication is
continuous and secure where (1) the presence of some card, token, or signal determines the
authentication status and (2) the absence of some card, token, or signal triggers a nonauthenticated
condition.

209.Sniffing precedes which of the following?

A.Phishing and pharming
B.Spoofing and hijacking
C.Snooping and scanning
D.Cracking and scamming

The Answer B is Correct


Sniffing is observing and monitoring packets passing by on the network traffic using packet sniffers.
Sniffing precedes either spoofing or hijacking. Spoofing, in part, is using various techniques to subvert
Internet Protocol (IP)–based access control by masquerading as another system by using its IP address.
Spoofing is an attempt to gain access to a system by posing as an authorized user. Other examples of
spoofing include spoofing packets to hide the origin of attack in a denial-of-service situation, spoofing
email headers to hide spam, and spoofing phone numbers to fool caller-ID. Spoofing is synonymous
with impersonating, masquerading, or mimicking and is not synonymous with sniffing. Hijacking is an
attack that occurs during an authenticated session with a database or system.

A.Incorrect. Phishing is tricking individuals into disclosing sensitive personal information through
deceptive computer-based means. Phishing attacks use social engineering and technical subterfuge to
steal consumers’ personal identity data and financial account credentials. It involves internet fraudsters
who send spam or pop-up messages to obtain personal information (e.g., credit card numbers, bank
account information, Social Security number, passwords, or other sensitive information) from
unsuspecting victims. Pharming is misdirecting users to fraudulent websites or proxy servers, typically
through domain name system hijacking or poisoning.
C.Incorrect. Snooping, scanning, and sniffing are all actions that search for required and valuable
information. They involve looking around for vulnerabilities and planning to attack. These are
preparatory actions prior to launching serious penetration attacks.
D.Incorrect. Cracking is breaking in to obtain passwords and bypassing software controls in an
electronic authentication system, such as user registration. Scamming is impersonating a legitimate
business on the internet. Buyers should check out sellers before buying goods or services. Sellers
should give out a physical address with a working telephone number.

210.Passwords and personal identification numbers (PINs) are examples of which of the
following?

A.Procedural access controls
B.Physical access controls
C.Logical access controls
D.Administrative access controls

The Answer C is Correct


Passwords, PINs, and encryption are examples of logical access controls.

A.Incorrect. This choice represents a type of access control.
B.Incorrect. This choice represents a type of access control.
D.Incorrect. This choice represents a type of access control.

211.Each user is granted the lowest clearance needed to perform authorized tasks. Which of the
following principles is this?

A.The principle of least privilege
B.The principle of separation of duties
C.The principle of system clearance
D.The principle of system accreditation

The Answer A is Correct


The principle of least privilege requires that each subject (user) in a system be granted the most
restrictive set of privileges (or lowest clearances) needed to perform authorized tasks. The application
of this principle limits the damage that can result from accident, error, and/or unauthorized use.

B.Incorrect. The principle of separation of duties states that no single person can have complete control
over a business transaction or task.
C.Incorrect. The principle of system clearance states that users’ access rights should be based on their
job clearance status (i.e., sensitive or nonsensitive).
D.Incorrect. The principle of system accreditation states that all systems should be approved by
management prior to making them operational.

212.Which of the following statements is true about intrusion detection systems (IDS) and
firewalls?

A.Firewalls are a substitution for an IDS.
B.Firewalls are an alternative to an IDS.
C.Firewalls are a complement to an IDS.
D.Firewalls are a replacement for an IDS.

The Answer C is Correct


An IDS should be used as a complement to a firewall, not as a substitute, alternative, or replacement
for it. Together, they provide a synergistic effect.

A.Incorrect. This choice is not true.
B.Incorrect. This choice is not true.
D.Incorrect. This choice is not true.

213.Which of the following cannot prevent shoulder surfing?

A.Promoting education and awareness
B.Protecting keys while entering the password
C.Installing encryption techniques
D.Asking people not to watch while a password is typed

The Answer C is Correct


The key point in preventing shoulder surfing is to make sure that no one watches users while they type
their passwords. Encryption does not help here because it is applied after a password is entered, not
before. Proper education and awareness and using difficult-to-guess passwords can eliminate this
problem.

A.Incorrect. This choice can help prevent shoulder surfing.
B.Incorrect. This choice can help prevent shoulder surfing.
D.Incorrect. This choice can help prevent shoulder surfing.

214.Which one of the following is not an authentication mechanism?

A.What the user knows
B.What the user has
C.What the user can do
D.What the user is

The Answer C is Correct


“What the user can do” is defined in access rules or user profiles, which comes after a successful
authentication process. Hence, this choice is not an authentication mechanism.

A.Incorrect. This choice is a part of an authentication process. The authenticator factor “knows” means
using a password or personal identification number.
B.Incorrect. This choice is a part of an authentication process. The authenticator factor “has” means
using a key or card.
D.Incorrect. This choice is a part of an authentication process. The authenticator factor “is” means
using a biometric identity (e.g., fingerprint or thumb print).

215.How is authorization different from authentication?

A.Authorization comes after authentication.
B.Authorization and authentication are the same.
C.Authorization is verifying the identity of a user.
D.Authorization comes before authentication.

The Answer A is Correct


Authorization comes after authentication because users are granted access to a program (authorization)
after they are fully authenticated. Authorization is permission to do something with information in a
computer.

B.Incorrect. Authorization and authentication are not the same. Authorization refers to verifying the
user's permission; authentication refers to verifying the identity of a user.
C.Incorrect. Authorization is permission to do something with information in a computer.
D.Incorrect. Authorization comes after authentication.

216.Which of the following statements is not true about discretionary access control?

A.Access is based on the authorization granted to the user.
B.It uses access control lists.
C.It uses grant access or revoke access to objects.
D.Users and owners are different.

The Answer D is Correct


In discretionary access control, the granting and revoking of access control privileges is left to the
discretion of individual users. A discretionary access control mechanism enables users to grant or
revoke access to any of the objects under their control. As such, users are said to be the owners of the
objects under their control. This mechanism uses access control lists. This choice is not a true statement
about discretionary access control.

A.Incorrect. This choice is a true statement about discretionary access control.
B.Incorrect. This choice is a true statement about discretionary access control.
C.Incorrect. This choice is a true statement about discretionary access control.

217.Which of the following does not provide robust authentication?

A.Kerberos
B.Secure remote procedure calls
C.Reusable passwords
D.Digital certificates

The Answer C is Correct


Reusable passwords provide weak authentication. Robust authentication means strong authentication
that should be required for accessing internal computer systems. Robust authentication is provided by
Kerberos, one-time passwords, challenge-response exchanges, digital certificates, and secure remote
procedure calls.

A.Incorrect. This choice provides robust authentication. Kerberos is an authentication tool used in
local logins, remote authentication, and client-server requests. It is a means of verifying the identities
of principals on an open network.
B.Incorrect. This choice provides robust authentication.
D.Incorrect. This choice provides robust authentication.

218.Which of the following is not an example of nondiscretionary access control?

A.Identity-based access control
B.Mandatory access control
C.Role-based access control
D.Temporal constraints

The Answer A is Correct


In nondiscretionary access control policies, rules are not established at the discretion of the user. These
controls can be changed only through administrative action and not by users. An identity-based access
control (IBAC) decision grants or denies a request based on the presence of an entity on an access
control list. IBAC and discretionary access control are considered equivalent and are not examples of
nondiscretionary access controls.

B.Incorrect. This choice is an example of a nondiscretionary access control. Mandatory access control
deals with rules.
C.Incorrect. This choice is an example of a nondiscretionary access control. Role-based access control
deals with job titles and functions.
D.Incorrect. This choice is an example of a nondiscretionary access control. Temporal constraints deal
with time-based restrictions and control time-sensitive activities.

219.How does a rule-based access control mechanism work?

A.It is based on filtering rules.
B.It is based on identity rules.
C.It is based on access rules.
D.It is based on business rules.

The Answer C is Correct


A rule-based access control mechanism is based on specific rules relating to the nature of the subject
and object. These specific rules are embedded in access rules.

A.Incorrect. Filtering rules are specified in firewalls.
B.Incorrect. Identity rules are applied to individuals.
D.Incorrect. Business rules are too broad to apply here.

220.Individual accountability does not include which of the following?

A.Unique user identifiers
B.Access authorization rules
C.Audit trails
D.Policies and procedures

The Answer D is Correct


A basic tenet of information technology security is that individuals must be accountable for their
actions. If this idea is not followed and enforced, it is not possible to successfully prosecute those who
intentionally damage or disrupt systems or to train those whose actions have unintended adverse effects.
Policies and procedures indicate what to accomplish and how to accomplish objectives. By themselves,
they do not exact individual accountability.

A.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.
B.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.
C.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.

221.From an access control viewpoint, which of the following is computed from a passphrase?

A.Access password
B.Personal password
C.Valid password
D.Virtual password

The Answer D is Correct


A virtual password is a password computed from a passphrase that meets the requirements of password
storage in terms of its length and size (e.g., 56 bits for the Data Encryption Standard (DES)). A
passphrase is a sequence of characters, longer than the acceptable length of a regular password, which
is transformed by a password system into a virtual password of acceptable length.

A.Incorrect. An access password is not computed from a passphrase. This password is used to authorize
access to data and is distributed to all those who are authorized to have similar access to that data.
B.Incorrect. A personal password is not computed from a passphrase. It is known by only one person
and is used to authenticate that person's identity.
C.Incorrect. A valid password is not computed from a passphrase. It is a personal password that
authenticates the identity of an individual when presented to a password system. It is also an access
password that enables the requested access when presented to a password system.

222.Which of the following user identification and authentication techniques depend on reference
profiles or templates?

A.Memory tokens
B.Smart cards
C.Cryptography
D.Biometric systems

The Answer D is Correct


Biometric systems require the creation and storage of profiles or templates of individuals wanting
system access. This includes physiological attributes, such as fingerprints, hand geometry, or retina
patterns, or behavioral attributes, such as voice patterns and handwritten signatures.

A.Incorrect. Memory tokens do not depend on reference profiles or templates. Memory tokens involve
the creation and distribution of a token device with a personal identification number (PIN) and data that
tell the computer how to recognize valid tokens or PINs.
B.Incorrect. Smart cards do not depend on reference profiles or templates. Smart cards involve the
creation and distribution of a token device with a personal identification number (PIN) and data that
tell the computer how to recognize valid tokens or PINs.
C.Incorrect. Cryptography does not depend on reference profiles or templates. Cryptography requires
the generation, distribution, storage, entry, use, and archiving of cryptographic keys as in encryption.

223.What is the objective of separation of duties?

A.No one person has complete control over a transaction or an activity.
B.Employees from different departments do not work together well.
C.Controls are available to protect all supplies.
D.Controls are in place to operate all equipment.

The Answer A is Correct


The objective is to limit what people can do, especially in conflict situations or incompatible functions,
in such a way that no one person has complete control over a transaction or an activity from start to
finish. The goal is to limit the possibility of hiding irregularities or fraud.

B.Incorrect. This choice is not related to separation of duties.
C.Incorrect. This choice is not related to separation of duties.
D.Incorrect. This choice is not related to separation of duties.

224.What names are used in an access control matrix?

A.Users in each row and names of objects in each column
B.Programs in each row and names of users in each column
C.Users in each column and names of devices in each row
D.Subjects in each column and names of processes in each row

The Answer A is Correct


A discretionary access control is a process to identify users and objects. An access control matrix can
be used to implement a discretionary access control mechanism, where names of users (subject) are
placed in each row and names of objects are placed in each column of a matrix. A subject is an active
entity, generally in the form of a person, process, or device that causes information to flow among
objects or changes the system's state. An object is a passive entity that contains or receives information.
Access to an object potentially implies access to the information it contains. Examples of objects
include records, programs, pages, files, and directories. Hence, an access control matrix describes an
association of objects and subjects for authentication of access rights.

B.Incorrect. This choice does not describe the contents of an access control matrix.
C.Incorrect. This choice does not describe the contents of an access control matrix.
D.Incorrect. This choice does not describe the contents of an access control matrix.

225.Which of the following types of access control mechanism does not rely on physical access
controls?

A.Encryption controls
B.Application system access controls
C.Operating system access controls
D.Utility programs

The Answer A is Correct


Encryption controls depend solely on the strength of the algorithm and the secrecy of the key it uses.
Encryption does not rely on physical access controls.

B.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.
C.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.
D.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.

226.An inherent risk is associated with logical access that is difficult to prevent or mitigate but
can be identified via a review of audit trails. Which of the following types of access is this risk
most associated with?

A.Properly used authorized access
B.Misused authorized access
C.Unsuccessful unauthorized access
D.Successful unauthorized access

The Answer B is Correct


Properly used authorized access and misused authorized access can both be analyzed using audit trail
data. However, misused authorized access requires a greater review of audit trail data due to its high
risk. Although users cannot be prevented from using resources to which they have legitimate access
authorization, audit trail analysis is used to examine users' actions. Hence, misused authorized access
requires a greater review of audit trails.

A.Incorrect. Properly used authorized access can use audit trail analysis, but the risk is much lower
than the misused authorized access.
C.Incorrect. Unauthorized access attempts, whether successful or not, can be detected through the
analysis of audit trails.
D.Incorrect. Unauthorized access attempts, whether successful or not, can be detected through the
analysis of audit trails.

227.Which of the following is the most effective method for password creation?

A.Using password generators
B.Using password advisors
C.Assigning passwords to users
D.Implementing user-selected passwords

The Answer B is Correct


Password advisors are computer programs that examine user choices for selecting passwords and
inform users if passwords are weak. Hence, this is the most effective method for password creation.

A.Incorrect. Passwords produced by password generators are difficult to remember, whereas
user-selected passwords are easy to guess. Hence, this is the least effective method for password
creation.
C.Incorrect. Users write down assigned passwords on paper. Hence, this is the least effective method
for password creation.
D.Incorrect. This choice comes after the selection of passwords.

228.Which of the following is not a technical security control?

A.Encryption
B.Smart cards
C.Social engineering
D.Access control lists

The Answer C is Correct


Social engineering is not a technical security control. It is a nontechnical intrusion that relies heavily on
human interaction and often involves tricking people into breaking normal security controls and
procedures. Different forms of social engineering include phishing, vishing, and smishing. Phishing is
the criminal act of attempting to manipulate a user victim into providing sensitive information by
masquerading as a trustworthy entity. Vishing is an approach that leverages voice communications in
enticing a user victim to call a certain phone number and divulge sensitive information; it uses voice
over internet protocol (VoIP) solutions and broadcasting services. Smishing exploits text messages,
which can contain links to such things as webpages, email addresses, web browsers, and phone
numbers that are highly integrated to increase the likelihood that users will fall victim to engineered
malicious activity. Exploitation by social engineering is lucrative and will increase in the mobile
market. People-based security controls are needed to educate employees about social engineering
intrusions.

A.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.
B.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.
D.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.

229.Which of the following results when software vulnerabilities are not mitigated in a timely
manner?
I. Zero-day threats
II. Zero-day exploits
III. Zero-day warez
IV. Zero-day incidents

A.I and II
B.I, II, and III
C.I, II, and IV
D.I, II, III, and IV

The Answer C is Correct


Large numbers of skilled attackers are discovering vulnerabilities at a significant rate. Software
suppliers and vendors with a good record of security fixes often gain early insight into security
vulnerabilities that are included on message boards and blogs. Examples of these vulnerabilities
include zero-day threats, zero-day exploits, and zero-day incidents, not zero-day warez. A zero-day
threat tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to
the software vendor, or for which no security fix is available. Note that the terms “zero-day threats,”
“zero-day exploits,” and “zero-day incidents” refer to the same thing. A zero-day warez refers to
content (e.g., software, games, videos, music, or data) unlawfully released or obtained on the day of
public release or earlier. Either a hacker or an employee of the releasing company is involved in
copying the content on the day of the official, public release or earlier. “Zero-day warez” is called
“negative day” or counted as a minus day from a calendar date because the content is released either on
the day of public release or earlier.

A.Incorrect. This is a partial answer.
B.Incorrect. This is a partial answer.
D.Incorrect. This is a partial answer.

230.What is the major purpose of system hardening?

A.To remove all nonessential software
B.To remove all dangerous utility programs
C.To eliminate as many security risks as possible
D.To remove computer programs providing backdoor access into a system

The Answer C is Correct


The major purpose of system hardening is to eliminate as many security risks as possible in order to
make the system secure and strong. System hardening is achieved by removing all nonessential
software and dangerous utility programs from the computer. While some utility programs may offer
useful features to users, if they provide backdoor access to the system, they must be removed during
the system hardening process.

A.Incorrect. This choice is a minor purpose of system hardening.
B.Incorrect. This choice is a minor purpose of system hardening.
D.Incorrect. This choice is a minor purpose of system hardening.

231.Which of the following are examples of security boundary controls?

A.Patches and probes
B.Firewalls and fences
C.Tags and labels
D.Encryption and smart cards

The Answer B is Correct


A firewall is an example of logical access control while fences provide physical security and perimeter
access control. When these two controls are combined, they provide a total boundary control. By
limiting access to host systems and services, firewalls provide a necessary line of perimeter defense
against attacks and thus provide a logical security boundary control. Similarly, perimeter fences
provide a physical security boundary control for a facility or building.

A.Incorrect. A patch is a modification to software that fixes an error in an operational application
system on a computer. Patches are generally supplied by the software vendor. A probe is a device
programmed to gather information about a system or its users.
C.Incorrect. Tags and labels are used in access controls.
D.Incorrect. Encryption and smart cards are used in user identification and authentication mechanisms.

232.Which of the following cannot defend against login spoofing?

A.Providing a secure channel between the user and the system
B.Installing a hardware reset button
C.Implementing cryptographic authentication techniques
D.Installing input overflow checks

The Answer D is Correct


Input overflow checks ensure that input is not lost during data entry or processing and are effective against
input overflow attacks, which can be avoided by proper program design. They do not defend against
login spoofing.

A.Incorrect. Login spoofing can be defended against by providing a secure channel between the user
and the system.
B.Incorrect. A hardware-reset button on a personal computer can be very effective in removing some
kinds of spoofing attacks.
C.Incorrect. Cryptographic authentication techniques can increase security, but only for complex
systems.

233.Because much of the data involved in daily operations would be helpful to competitors if they
had access to it, a company authorizes access for employees to only the data required for
accomplishing their jobs. This approach is known as access on a(n):

A.Need-to-know basis.
B.Individual accountability basis.
C.Just-in-time basis.
D.Management-by-exception basis.

The Answer A is Correct


Access on a need-to-know basis means that access is authorized only as is required for employees to
perform authorized job functions.

B.Incorrect. “Individual accountability” means that individuals with access to data are responsible for
the use and security of data obtained via their access privileges.
C.Incorrect. “Just-in-time” means arranging delivery of inventory or materials as close to the time they
would be incorporated into products as is possible rather than maintaining large quantities of inventory
or materials.
D.Incorrect. “Management by exception” means spending managerial time on exceptional conditions
on the grounds that attending to exceptions is a better approach to management than spending time on
transactions or processes that are operating in their normal ranges.

234.The best preventive measure against a computer virus is to:

A.Compare software in use with authorized versions of the software.
B.Execute virus exterminator programs periodically on the system.
C.Allow only authorized software from known sources to be used on the system.
D.Prepare and test a plan for recovering from a virus.

The Answer C is Correct


Allowing only authorized software from known sources to be used on the system reduces the likelihood
of introducing a computer virus onto the system via software.

A.Incorrect. Comparing software in use with authorized versions of the software is a detective measure,
not a preventive measure.
B.Incorrect. Executing virus exterminator programs periodically on the system is a detective/corrective
measure, not a preventive measure.
D.Incorrect. Preparing and testing a plan for recovering from a virus is a corrective measure, not a
preventive measure.

235.A controller became aware that a competitor appeared to have access to the company's
pricing information. The internal auditor determined that the leak of information was occurring
during the electronic transmission of data from branch offices to the head office. Which of the
following controls would be most effective in preventing the leak of information?

A.Asynchronous transmission
B.Encryption
C.Use of fiber optic transmission lines
D.Use of passwords

The Answer B is Correct


Encryption is the conversion of data into a code. While data may be accessed by tapping into the
transmission line, an encryption “key” is necessary in order to understand the data being sent.

A.Incorrect. Asynchronous transmission does not prevent theft of data; it speeds up the transmission
process.
C.Incorrect. Fiber optic transmission lines will improve the quality of the transmission but will not
prevent theft of data.
D.Incorrect. Use of passwords will control access at the sending location and will limit access to the
head office computer. Passwords, however, will not prevent someone from tapping into the
transmission line.

236.An insurance firm uses a wide area network to allow agents away from the home office to
obtain current rates and client information and to submit approved claims using notebook
computers and dial-in modems. In this situation, which of the following methods would provide
the best data security?

A.Dedicated phone lines
B.Call-back features
C.Frequent changes of user IDs and passwords
D.End-to-end data encryption

The Answer D is Correct


Encryption of data from its entry point to the network and its return would provide the best data
security.

A.Incorrect. Dedicated phone lines would not be cost effective or available to field agents.
B.Incorrect. Field agents would not always be located at the same phone line to permit dial-up call back
usage.
C.Incorrect. User IDs and passwords can be compromised by an attacker's computer software.

237.When protecting a bank's customer information from identity theft, a bank's disclosure
policy would not respond to which of the following types of request?

A.An email
B.A pretext telephone call
C.A text message
D.A personal letter

The Answer B is Correct


A bank's policy would not respond to a fraudster's pretext telephone call. Pretext callers use pieces of a
customer's personal information to impersonate an account holder to gain access to that individual's
account information. Banks can take actions to reduce the incidence of pretext calling, such as limiting
the circumstances under which customer information may be disclosed by telephone. A bank's policy
could be that customer information is disclosed only through email, text message, a letter, or in-person
meeting.

A.Incorrect. A bank's disclosure policy would respond to an email from a bank's customer.
C.Incorrect. A bank's disclosure policy would respond to a text message from a bank's customer.
D.Incorrect. A bank's disclosure policy would respond to a personal letter from a bank's customer.

238.Which of the following is not a key value driver of an organization?

A.Strategies and goals
B.Culture and ethics
C.Products and services
D.Shareholders

The Answer D is Correct


Shareholders are not key value drivers because they are outsiders and play little or no role in the
day-to-day operations of an organization, either to create or destroy value. Instead, they receive value
from the organization in the form of dividends, increases in stock market price, and increases in wealth.
Key value drivers are core elements that can make an organization either a value creator or a value
destroyer.

A.Incorrect. Strategies and goals are key value drivers of an organization that can create value. Key
value drivers are core elements that can make an organization either a value creator or a value
destroyer.
B.Incorrect. Culture and ethics are key value drivers of an organization that can create value. Key value
drivers are core elements that can make an organization either a value creator or a value destroyer.
C.Incorrect. Products and services are key value drivers of an organization that can create value. Key
value drivers are core elements that can make an organization either a value creator or a value
destroyer.

239.Reengineering is the thorough analysis, fundamental rethinking, and complete redesign of
essential business processes. The intended result is a dramatic improvement in service, quality,
speed, and cost. An internal auditor's involvement in reengineering should include all of the
following except:

A.Determining whether the process has senior management's support.
B.Recommending areas for consideration.
C.Developing audit plans for the new system.
D.Directing the implementation of the redesigned process.

The Answer D is Correct


Internal auditors should not become directly involved in the implementation of the redesigned process.
This would impair their independence and objectivity. Internal auditors should not perform this
function.

A.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.
B.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.
C.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.

240.Auditors are operating in organizations in which management is in the process of
reengineering operations with strong emphasis on total quality management (TQM) techniques.
In the quest to gain efficiency in processing, many of the traditional control procedures are being
deleted from the organization's control structure. As part of this change, management is:

A.Placing more emphasis on monitoring control activities.
B.Making different assumptions about human performance and the nature of human motivation than
was done under traditional control techniques.
C.Placing more emphasis on self-correcting control activities and process automation.
D.All of the above.

The Answer D is Correct


All of the actions taken in the other three choices are proper and meaningful to the organization.

A.Incorrect. All of the statements are reflective of the differences in approaches to controls in
reengineered organizations. Reengineering places more emphasis on monitoring controls to let
management know when an operation may be out of control and signals the need for corrective action.
This choice reflects management's proper action.
B.Incorrect. Most of the reengineering and TQM techniques assume that humans will be motivated to
actively work to improve the process when they are involved from the beginning. This choice reflects
management's proper action.
C.Incorrect. There is an increasing emphasis on self-correcting and automated controls. This choice
reflects management's proper action.

241.An organization has decided to reengineer several major processes. Of the following reasons
for employees to resist this change, which is least likely to happen?

A.Threat of loss of jobs
B.Required attendance at training classes
C.Breakup of existing work groups
D.Imposition of new processes by top management without prior discussion

The Answer B is Correct


Employee training programs facilitate doing jobs in a new or different way. This choice is least likely
to happen. Reengineering is the thorough analysis, fundamental rethinking, and complete redesign of
essential business processes. The intended result is a dramatic improvement in service, quality, speed,
and cost.

A.Incorrect. Real or imagined loss of jobs is a common reason for employees to resist any change. This
choice is most likely to happen. Reengineering is the thorough analysis, fundamental rethinking, and
complete redesign of essential business processes. The intended result is a dramatic improvement in
service, quality, speed, and cost.
C.Incorrect. Members of work groups often exert peer pressure on one another to resist change,
especially if social relationships are changed. This choice is most likely to happen. Reengineering is the
thorough analysis, fundamental rethinking, and complete redesign of essential business processes. The
intended result is a dramatic improvement in service, quality, speed, and cost.
D.Incorrect. Management's lack of communication and discussion of the need for switching to new
processes threatens the status quo. This choice is most likely to happen. Reengineering is the thorough
analysis, fundamental rethinking, and complete redesign of essential business processes. The intended
result is a dramatic improvement in service, quality, speed, and cost.

242.Which of the following paired items have a direct relationship with each other?

A.Sampling errors and confidence level
B.Risk appetite and value-at-risk
C.Sampling risk and reliability level
D.Audit risk and audit assurance

The Answer B is Correct


Risk appetite and value-at-risk have a direct relationship with each other. As the risk appetite increases,
the value-at-risk increases.

A.Incorrect. Sampling errors and confidence level have an inverse relationship with each other.
Sampling error is (1 minus confidence level), meaning as the sampling error increases, the confidence
level decreases.
C.Incorrect. Sampling risk and reliability level have an inverse relationship with each other. Sampling
risk is (1 minus reliability level), meaning as the sampling risk increases, the reliability level decreases.
D.Incorrect. Audit risk and audit assurance have an inverse relationship with each other. As the audit
risk increases, the audit assurance decreases.

243.Which of the following paired items have an inverse relationship with each other?

A.Audit reliance and audit assurance
B.Risk and return
C.Risk appetite and residual risk
D.Risk agility and risk resiliency

The Answer C is Correct


Risk appetite and residual risk have an inverse relationship with each other. As the risk appetite
decreases, the residual risk increases.

A.Incorrect. Audit reliance and audit assurance have a direct relationship with each other. As the audit
reliance increases, the audit assurance increases.
B.Incorrect. Risk and return have a direct relationship with each other. As the risk increases, the return
increases.
D.Incorrect. Risk agility and risk resiliency have a direct relationship with each other. As the risk
agility increases, the risk resiliency increases.

244.Which of the following paired items have a direct relationship with each other?

A.De-risking and residual risk
B.Sample size and sampling risk
C.Probability of ruin and value of an asset
D.Time-to-contain and cost of data breach

The Answer D is Correct


Time-to-contain and cost of data breach have a direct relationship with each other. As the
time-to-contain a data breach increases, the cost of data breach increases.

A.Incorrect. De-risking and residual risk have an inverse relationship with each other. As the de-risking
increases, the residual risk decreases.
B.Incorrect. Sample size and sampling risk have an inverse relationship with each other. As the sample
size increases, the sampling risk decreases.
C.Incorrect. Probability of ruin and value of an asset have an inverse relationship with each other. As
the probability of ruin increases, the value of an asset decreases.

245.Which of the following paired items have an inverse relationship with each other?

A.Click fraud rate and click-to-conversion time
B.Risk universe and audit universe
C.Competence and judgment
D.Proficiency and competence

The Answer A is Correct


Click fraud rate and click-to-conversion time have an inverse relationship with each other. As the click
fraud rate increases, the click-to-conversion time decreases.

B.Incorrect. Risk universe and audit universe have a direct relationship with each other. As the risk
universe increases, the audit universe increases.
C.Incorrect. Competence and judgment have a direct relationship with each other. As the competence
increases, the judgment increases.
D.Incorrect. Proficiency and competence have a direct relationship with each other. As the proficiency
increases, the competence increases.

246.Which of the following paired items have a direct relationship with each other?

A.Production volume and production costs
B.Audit risk scores and audit cycle frequency
C.Tolerable error and sample size
D.Precision limits and sample size

The Answer A is Correct


Production volume and production costs have a direct relationship with each other. As the production
volume increases, the associated production costs would also increase.

B.Incorrect. Audit risk scores and audit cycle frequency have an inverse relationship with each other.
As the audit risk scores increase, the audit cycle frequency decreases (i.e., shorter time intervals
between audits to address higher-risk areas).
C.Incorrect. Tolerable error and sample size have an inverse relationship with each other. The lower
the tolerance for error, the larger the number of items that needs to be selected in a sample (i.e., need a
larger sample size).
D.Incorrect. Precision limits and sample size have an inverse relationship with each other. The smaller
the precision limits, the larger the size of the sample selected.

247.Relatively speaking, which of the following poses a minor risk to an organization?

A.Anti-debugging software
B.Anti-malware software
C.Anti-spyware software
D.Anti-spamming software

The Answer A is Correct


A major purpose of debugging software is to identify, detect, and remove bugs (errors) automatically
in application software or operating system software. Even if hackers install anti-debugging software
to kill the automated features of debugging, computer programmers can do the same debugging work
manually, despite its inefficiency and ineffectiveness. In reality, hackers do not even bother to install
anti-debugging software because they have nothing big to gain by doing so. This choice poses a
minor risk.

B.Incorrect. A major purpose of anti-malware software is to scan computer resources (e.g., files and
devices) for the presence of malware and protect such computer resources from getting infected with
malware. However, hackers can deactivate the anti-malware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous malware in the
place of the official anti-malware to conduct their attacks. This choice poses a major risk.
C.Incorrect. A major purpose of anti-spyware software is to scan computer resources (e.g., files and
devices) for the presence of spyware and protect such computer resources from getting infected with
spyware. However, hackers can deactivate the anti-spyware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous spyware in the
place of the official anti-spyware to conduct their attacks. This choice poses a major risk.
D.Incorrect. A major purpose of anti-spamming software is to scan computer resources (e.g., files and
devices) for the presence of spamware and protect such computer resources from getting infected with
spamware. However, hackers can deactivate the anti-spamware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous spamware in the
place of the official anti-spamware to conduct their attacks. This choice poses a major risk.

248.Software piracy violates which of the following?

A.Trademarks
B.Copyrights
C.Trade secrets
D.Patents

The Answer B is Correct


Software is copyrighted most of the time. Because software is copyrightable, software piracy violates
copyright laws. A copyright protects the copyright holder (owner) against the infringement of any
of six exclusive rights in “original works of authorship fixed in any tangible medium of expression.”
Such original work includes computer software; literary, musical, and dramatic works; motion pictures
and sound recordings; and pictorial, sculptural, and architectural works.

A.Incorrect. Software is not usually trademarked. A trademark is a valuable marketing asset in that it
identifies products, differentiates the companies owning those products from other companies, and
protects the trademark owner from infringement by others. It forms an association of a product with a
company in people's minds. Trademarks are features such as designs, brand
names, or symbols that allow easy recognition of a product.
C.Incorrect. Software is not usually a trade secret. A trade secret can be of any form or type of
commercially-valuable information that the owner has taken reasonable measures to keep secret and
that has an independent economic value from the fact that it is a secret and cannot be readily
ascertained by the public. Trade secrets can include, for example, technical, scientific, and engineering
data; business records; or economic, financial, and marketing information (e.g., marketing strategies).
For example, a soup recipe for a soup company is a trade secret.
D.Incorrect. Software is not usually patented. In its simplest form, a patent is a property right for an
invention granted by the government to the inventor. A patent gives the owner the right to exclude
others from making, using, and selling devices that embody the claimed invention. Patents generally
protect features, products, and processes, not pure ideas.

249.Which of the following is the best way to quantify the information value that is at risk?

A.The cost of using information
B.The cost of protecting information
C.The cost of not using information
D.The cost of not protecting information

The Answer D is Correct


The cost of not protecting information is the best way to quantify the information value at risk because
it will indicate what the consequences would be if the information is not protected at all. Examples of
these consequences are greater vulnerability to threats and attacks and increased damages resulting
from such attacks. These damages could be financial, physical (buildings, equipment, and inventory),
non-physical (e.g., loss of intellectual property), and human (death resulting from wrongly prescribed
and dispensed medication based on incorrect medical records).

A.Incorrect. The cost of using information is not relevant here because it does not matter whether the
protected information is used or not. Protection is more important than use.
B.Incorrect. The cost of protecting information is important and can be calculated by adding up all
the costs incurred to acquire and install hardware and software and the costs to hire staff. The cost of
information protection, which represents one side of the coin, can become a routine and mechanical
exercise and a discretionary spending amount. To get a big-picture perspective, the cost of
protecting information should be compared with the cost of not protecting information, which is the
other side of the coin.
C.Incorrect. The cost of not using information is not relevant because it does not matter whether the
protected information is used or not.

250.Reporting to senior management and the board is an important part of the auditor's
obligation. Which of the following items is not required to be reported to senior management
and/or the board?

A.Subsequent to the completion of an audit, but prior to the issuance of an audit report, the audit senior
in charge of the audit was offered a permanent position in the auditee's department.
B.An annual report summary of the department's audit work schedule and financial budget.
C.Significant interim changes to the approved audit work schedule and financial budget.
D.An audit plan was approved by senior management and the board. Subsequent to the approval, senior
management informed the chief audit executive not to perform an audit of a division because the
division's activities were very sensitive.

The Answer A is Correct


This would not have to be communicated. The audit work was done. The chief audit executive would
have to determine that there was no impairment of the independence of the senior's work. If there was
none, the report could be issued without reporting the personnel change (IIA Standard 2020 –
Communication and Approval).

B.Incorrect. This is a standard part of the required reporting to senior management and the board.
C.Incorrect. This is a standard part of the required reporting to senior management and the board.
D.Incorrect. The audit plan had been approved by both senior management and the board. The change
dictated by senior management should be reported to the board.
