1.A risk-based internal auditing approach does not apply to which of the following?
A.Incorrect. Review of assurance audit engagements can be risk based because senior management and
internal audit management can decide what to audit and when to audit based on a risk assessment.
B.Incorrect. Review of consulting audit engagements can be risk based because senior management
and internal audit management can decide what to audit and when to audit based on a risk assessment.
D.Incorrect. Review of compliance with a company's policies and procedures can be risk based because
some policies could be high risk, some could be medium risk, and others could be low risk.
2.Which of the following is a useful tool when internal auditors are coordinating their audit work
with internal and external service providers in governance, risk, and control areas?
A.Assurance map
B.Control map
C.Risk map
D.Governance map
B.Incorrect. Control maps show an organization's understanding of its critical control points and major
controls at those control points.
C.Incorrect. Risk maps show an organization's understanding of its risk profiles and risk appetite.
D.Incorrect. Governance maps show an organization's understanding of its board of directors’ oversight,
stewardship, and fiduciary roles and responsibilities.
3.When selecting people to work in the internal audit department, the vetting process does not
apply to which of the following?
A.External assessors
B.Audit contractors
C.Guest auditors
D.External service providers
4.A 360-degree review of an internal auditor's performance assessment includes which of the
following?
I. Peer auditors
II. Audit clients
III. Audit supervisors
IV. Audit managers
A.III
B.IV
C.III and IV
D.I, II, III, and IV
5.The best way to protect data on personal computers against ransomware attacks is to:
B.Incorrect. Local flash drives could be infected if they are constantly connected to personal
computers.
C.Incorrect. Central servers could be infected if they are constantly connected to personal computers.
D.Incorrect. Local servers could be infected if they are constantly connected to personal computers.
A.Incorrect. Malicious email attachments are common ransomware attack methods. Ransomware
attacks are very damaging to individuals and organizations and often are undetectable.
B.Incorrect. Exploit kits are common ransomware attack methods. Ransomware attacks are very
damaging to individuals and organizations and often are undetectable.
D.Incorrect. Malicious email links are common ransomware attack methods. Ransomware attacks are
very damaging to individuals and organizations and often are undetectable.
7.Which of the following mobile device policies is not risky to user organizations?
A.Incorrect. BYOD is a policy that permits employees to bring personally owned devices to their
workplace and use them to access restricted company data, information, and applications. This is a
risky policy because devices are not company-approved devices.
B.Incorrect. BYOA is a policy similar to BYOD that involves employees using third-party applications
in the workplace or on a work device. This is a risky policy because devices are not company-approved
devices.
D.Incorrect. WYOD is a program similar to BYOD that allows end users to use personal wearable
devices (watches and virtual reality goggles) to perform a company's tasks and functions. This is a
risky policy because devices are not company-approved devices.
8.Regarding web-based advertising, click fraud is related to which of the following metrics?
A.Incorrect. Pay per bounce is not a relevant metric here because the term “bounce” is used in the
context of bounced emails and being bounced out of websites.
C.Incorrect. The pay-per-lead metric refers to paying some money for each sales lead.
D.Incorrect. The pay-per-load metric deals with page loading time on a website.
9.When an organization is hit by a ransomware attack, which of the following can be higher than
the ransom money demanded by hackers?
A.Prevention costs
B.Detection costs
C.Administrative costs
D.Recovery costs
The Answer D is Correct
Many organizations are learning that total recovery costs are much higher than ransomware payments
made to hackers due to extensive damage caused, working with backup data, working with technical
consultants and law enforcement authorities, and restoring the system and data files to the stage before
the attack. In addition, the costs of lost sales, profits, employee morale, customer goodwill, and
employee productivity must be considered as part of the recovery costs. An organization's response
program and incident readiness make a big difference between its success or failure in handling
ransomware attacks.
A.Incorrect. Often ransomware attacks cannot be prevented because they are so vicious and sudden.
B.Incorrect. Often ransomware attacks cannot be detected because they are so aggressive and hidden.
C.Incorrect. Administrative costs, such as negotiating with hackers regarding payment amounts and
doing other nontechnical activities, are part of recovery costs.
10.Between authentication and encryption activities, which one of the following items is more
secure than the other three items?
A.Incorrect. Authentication and encryption at the same time is out of sequence and does not provide
security. Encryption should be done first. For security, there should be a time gap between encryption
and authentication.
B.Incorrect. Authentication first and encryption next is out of sequence and does not provide security.
Encryption should be done first. For security, there should be a time gap between encryption and
authentication.
C.Incorrect. Encryption and authentication should not be done at the same time as it does not provide
security. For security, there should be a time gap between encryption and authentication.
A.Cloud storage
B.Working storage
C.Secondary storage
D.Closed storage
B.Incorrect. Working storage is that portion of storage, usually computer main memory (i.e., central
processing unit), reserved for the temporary results of computer operations.
C.Incorrect. Secondary storage consists of nonvolatile auxiliary memory, such as disks or tapes, used
for the long-term storage of computer programs and data.
D.Incorrect. Closed storage refers to the storage of classified information within an accredited
government facility where the documents containing classified information are stored in approved
secure containers. This storage is closed to the outside world.
12.Which of the following is likely to utilize the assurance maps the most?
A.Incorrect. The external assurance function may use assurance maps, but not the most of the choices
provided.
B.Incorrect. The internal risk management function may use assurance maps, but not the most of the
choices provided.
D.Incorrect. The internal compliance review function may use assurance maps, but not the most of the
choices provided.
13.Regarding construction audits, contract leakages are handled better in which of the following
construction audit phases?
A.Preconstruction audit
B.Interim construction audit
C.Postconstruction audit
D.Comprehensive construction audit
B.Incorrect. The interim construction audit phase is too late to avoid contract leakages.
C.Incorrect. The postconstruction audit phase is too late to avoid contract leakages.
D.Incorrect. The comprehensive construction audit phase is too late to avoid contract leakages.
14.Which of the following is the major decision point to make regarding outsourcing an internal
audit function?
A.What to outsource
B.When to outsource
C.Where to outsource
D.Whom to outsource
B.Incorrect. When to outsource is not the major decision point; it is a minor point that follows the
major point.
C.Incorrect. Where to outsource is not the major decision point; it is a minor point that follows the
major point.
D.Incorrect. Whom to outsource is not the major decision point; it is a minor point that follows the
major point.
15.Due diligence reviews do not mean:
B.Incorrect. The people who are conducting diligence reviews need to exercise reasonable care only.
This can lead to a good due diligence defense to a defendant.
C.Incorrect. The people who are conducting diligence reviews need to exercise due care only. This can
lead to a good due diligence defense to a defendant.
D.Incorrect. The people who are conducting diligence reviews need to exercise standard care, meaning
meeting minimum standards of work, not maximum standards. This can lead to a good due diligence
defense to a defendant.
A.Due process
B.Due care
C.Due regard
D.Standard care
B.Incorrect. Due care applies to due diligence reviews, and they go together.
C.Incorrect. Due regard applies to due diligence reviews. Due regard requires giving equal respect to
and showing equal interest in all people.
D.Incorrect. Standard care applies to due diligence reviews. Standard care is minimum care.
17.Which of the following is the common element between outsourcing vendors and third-party
service providers?
A.Contractors
B.Due diligence reviews
C.Contract
D.Service
A.Incorrect. The nature and the type of contractors could be different between outsourced vendor work
and third-party service work.
C.Incorrect. The nature and the type of contract (i.e., the legal document with terms and conditions)
could be different between outsourced vendor work and third-party service work.
D.Incorrect. The nature and the type of service (i.e., technology, supply, or distribution service) could
be different between outsourced vendor work and third-party service work.
A.Due care.
B.Absolute care.
C.Reasonable care.
D.Possible care.
A.Incorrect. Due diligence reviews are performed with due care that any prudent person would do.
C.Incorrect. Due diligence reviews are performed with reasonable care that any prudent person would
do.
D.Incorrect. Due diligence reviews are performed with possible care that any prudent person would do.
19.The scope of value-for-money (VFM) audits includes which of the following elements?
I. Expertise
II. Economy
III. Efficiency
IV. Effectiveness
A.I only
B.I and II
C.III and IV
D.I, II, III, and IV
A.Incorrect. Expertise is only one element of the scope of VFM audits. Here, “expertise” refers to the
combined knowledge, skills, and abilities that auditors possess in conducting VFM audits.
B.Incorrect. Economy is only one element of the scope of VFM audits. Here, “economy” refers to
the use of resources in a cost-effective manner.
C.Incorrect. Efficiency and effectiveness are only two elements of the scope of VFM audits. Here,
“efficiency” refers to the use of resources in a productive manner. “Effectiveness” refers to the use of
resources to achieve the intended objectives.
20.Which one of the following items considers all the other three items in concert?
A.Vulnerabilities
B.Threats
C.Risks
D.Controls
21.When conducting identity theft activities, fraudsters use which of the following to perpetrate
identity fraud?
A.Mobile texting
B.SMS texting
C.Pretexting
D.MMS texting
The Answer C is Correct
Pretexting is the tool that fraudsters use to perpetrate identity theft with a prepared and known text
based on stolen information. It is a specifically targeted example of a social engineering scheme. The
fraudster calls a bank to find out additional information on a bank customer's account that was stolen.
A.Incorrect. Mobile texting is a generic and broad meaning of texting and is not specifically targeted.
B.Incorrect. SMS texting is short message service (SMS) texting and is not specifically targeted.
D.Incorrect. MMS texting is multimedia messaging service (MMS) texting and is not specifically
targeted.
22.Which of the following can help victims recover from ransomware attacks?
A.Encryption key
B.File and system backups
C.Decryption key
D.Patched and updated software
A.Incorrect. Hackers encrypt the victims’ files with an encryption key so that victims cannot use the
files until they pay a ransom amount. An encryption key does not help victims recover from
ransomware attacks.
C.Incorrect. Hackers decrypt victims’ encrypted files with a decryption key after victims pay the
ransom amount. A decryption key does not help recover from ransomware attacks.
D.Incorrect. Using patched and updated software is a good practice, but it alone cannot help victims
recover from ransomware attacks.
B.Incorrect. A memorandum of understanding is not considered a legal contract because it does not
have all the elements of a contract.
C.Incorrect. A memorandum of meeting is not considered a legal contract because it does not have all
the elements of a contract.
D.Incorrect. A letter of introduction is not considered a legal contract because it does not have all the
elements of a contract.
24.Cyberthreats and cyberattacks on all types of organizations have occurred during which of
the following web generations?
A.Web 1.0
B.Web 2.0
C.Web 3.0
D.Web 4.0
The Answer B is Correct
Web 2.0 presents read-write features, blogs, wikis, tweets, and others. Cyberthreats and cyberattacks
have become common with malware and spyware software.
A.Incorrect. Web 1.0 provided basic features, such as browsing, static web format, and mostly
read-only features.
C.Incorrect. Web 3.0 has become the personal, portable, and executable web.
D.Incorrect. Web 4.0 focuses on mobile web connections.
25.Social media platforms or networks were born during which web generation?
A.Web 1.0
B.Web 2.0
C.Web 3.0
D.Web 4.0
A.Incorrect. Web 1.0 provided basic features, such as browsing, static web format, and mostly
read-only features.
C.Incorrect. Web 3.0 has become the personal, portable, and executable web.
D.Incorrect. Web 4.0 focuses on mobile web connections.
26.Which of the following can perform click fraud in online marketing advertisements?
A.Web beacons
B.Bots
C.Cookies
D.Web bugs
A.Incorrect. Web beacons cannot perform click fraud as they are the same as the web bugs. Web
beacons are placed on web pages and websites to track the use of web servers and collect web
addresses.
C.Incorrect. Cookies cannot perform click fraud. Cookies are used to uniquely identify website visitors.
D.Incorrect. Web bugs cannot perform click fraud as they are the same as web beacons. They are
placed on web pages and websites to track the use of web servers and collect web addresses.
27.An internal auditor has misplaced or lost her digital tablet during audit-related travel. Which
of the following actions can keep her tablet safe and secure?
I. Activate global positioning system (GPS) feature.
II. Disable Bluetooth services.
III. Enable a remote-wiping feature.
IV. Disable Wi-Fi services.
A.I only
B.I and II
C.I and III
D.II and IV
28.Regarding mobile devices, the features of which one of the following items is different from
the features of the other three items?
A.Jailbreaking
B.Tampering
C.Jamming
D.Rooting
A.Incorrect. Jailbreaking is removing the limitations imposed on a device by the manufacturer, often
through the installation of custom operating system components or other third-party software.
Jailbreaking makes a device more vulnerable to attacks because it removes important safeguards
against malware attacks. Some users prefer to bypass the operating system's lockout features in order to
install apps that could be malicious in nature. Doing jailbreaking is risky.
B.Incorrect. Tampering is modifying data, software, firmware, or hardware without authorization.
Modifying data in transit, inserting tampered hardware or software into a supply chain, repackaging a
legitimate app with malware, modifying network or device configuration (e.g., jailbreaking or rooting a
phone) are examples of tampering. Doing tampering is risky.
D.Incorrect. Rooting, similar to jailbreaking, is removing the limitations imposed on a device by the
manufacturer, often through the installation of custom operating system components or other
third-party software. Rooting makes a device more vulnerable to attacks because it removes important
safeguards against malware attacks. Some users prefer to bypass the operating system's lockout
features in order to install apps that could be malicious in nature. Doing rooting is risky.
A.Scripting tools
B.Antivirus software
C.Intrusion detection system
D.Intrusion prevention system
B.Incorrect. Antivirus software can help detect bad actions and protect users.
C.Incorrect. Intrusion detection systems can help detect bad incidents and protect users.
D.Incorrect. Intrusion prevention systems can help prevent bad incidents and protect users.
30.Regarding cybersecurity, defenders are attack-victim organizations and offenders are the
hackers attacking individuals and organizations. Which of the following represents a strategic aspect
that is completely opposite for defenders and offenders?
A.Expertise
B.Resources
C.Attack surface
D.Tool kits
A.Incorrect. Both defenders and offenders want higher levels of expertise (i.e., technical knowledge
and skills). However, expertise represents an operational aspect for offenders, not a strategic aspect.
B.Incorrect. Both defenders and offenders want greater amounts of resources (i.e., money, time, and
staff). However, resources represent an operational aspect for offenders, not a strategic aspect.
D.Incorrect. Both defenders and offenders want several types of tool kits (i.e., hardware and software)
available to them. However, tool kits represent an operational aspect for offenders, not a strategic
aspect.
31.Management of a cyberattack victim organization needs to pay great attention to which of the
following before developing cybersecurity technical strategies to defend against attackers?
A.Attack-in-depth strategies
B.Attackers’ detection-evasion tactics
C.Attackers’ technical savvy
D.Attackers’ destructive behavior
A.Incorrect. An attack-in-depth strategy is what attackers formulate and implement to achieve their
goals.
B.Incorrect. Detection-evasion tactics are those tools and practices that attackers use to hide or evade
detection by the victim organization so attackers have more time to continue or expand their attack
surface.
C.Incorrect. Attackers with a higher level of technical savvy can do a lot more damage than attackers
with a low level of technical savvy.
32.What is the real reason why hackers succeed in their various types of cyberattacks?
A.Incorrect. It is true that some hackers do use sophisticated attack-in-depth strategies that are updated
frequently. This is not the real reason for their success, however.
B.Incorrect. It is true that some hackers do use stronger detection-evasion tools such as scripts. This is
not the real reason for their success, however.
D.Incorrect. Hackers can kill the effectiveness and functionality of anti-malware tools so they don't
work as expected. This is not the real reason for their success, however.
33.Which of the following can provide the strongest security control mechanism?
A.Passwords
B.One-time passwords
C.Passcode
D.Passphrases
A.Incorrect. Regular passwords are basic, weak, and reusable, not the strongest security control
mechanism.
C.Incorrect. Regular passcodes are basic, weak, and reusable, not the strongest security control
mechanism.
D.Incorrect. Regular passphrases are basic, weak, and reusable, not the strongest security control
mechanism.
34.Which of the following can act as the strongest security control mechanism in a multifactor
authentication process?
A.Passwords
B.Biometrics
C.Passcodes
D.Personal identification numbers
A.Incorrect. Regular passwords are basic, weak, and reusable, not the strongest security control
mechanism even in a multifactor authentication process because they can be broken. Regular
passwords represent a one-factor authentication.
C.Incorrect. Regular passcodes are basic, weak, and reusable, not the strongest security control
mechanism even in a multifactor authentication process because they can be broken. Regular passcodes
represent a one-factor authentication.
D.Incorrect. Regular personal identification numbers (PINs) are basic, weak, and reusable, not the
strongest security control mechanism even in a multifactor authentication process because they can be
broken. Regular PINs represent a one-factor authentication.
A.Spear phishing
B.Vishing
C.Smishing
D.SIM card swapping
36.Risk-based internal audit plans are directly related to which of the following?
A.Risk profiles
B.Risk registers
C.Risk appetite
D.Risk maturity
A.Incorrect. Risk profiles show all the significant (material) risks and key risks that an organization is
exposed to. Risk ownership is derived from risk profiles. Risk profiles are not related to risk-based
audit plans.
B.Incorrect. Risk registers are risk logs that document all risks below an organization's strategic level
(i.e., operational and functional level risks). Risk registers show a complete inventory of all types of
risks and are not related to risk-based audit plans.
D.Incorrect. Risk maturity deals with whether an organization's risk management framework is complete or
incomplete, effective or ineffective, and old or new. It also asks whether the current maturity fits with
the current business. Risk maturity is not related to risk-based audit plans.
38.Which of the following is the least important deciding factor when outside auditors plan to
rely on the work of internal auditors?
B.Incorrect. Independence of the internal audit department is one of the most important deciding
factors.
C.Incorrect. Objectivity of internal auditors is one of the most important deciding factors.
D.Incorrect. Competency of internal auditors is one of the most important deciding factors.
39.Regarding consulting audit engagements, which of the following objectively results in “lessons
learned” insights?
A.Retrospective reviews
B.Prospective reviews
C.Hindsight reviews
D.Contemporary reviews
B.Incorrect. Prospective reviews are look-forward and before-the-fact reviews focusing on the future.
These limited reviews move from the present to the future.
C.Incorrect. Hindsight reviews are look-afterward and what-went-wrong subjective reviews focusing
on the past, based in part on an individual's memory, gut feeling, and second-guessing. These narrow
reviews move from the present to the past.
D.Incorrect. Contemporary reviews are look-now and what-can-go-wrong reviews focusing on the
present. These customized reviews move from the past to the present.
40.Regarding related-party transactions, which of the following is a major concern for internal
auditors and external auditors?
41.Which of the following is the first step to take after the board and senior management of a
publicly held corporation decide to outsource its internal audit function?
A.Incorrect. Reviewing the charter and bylaws of the outsourced provider could be done after a due
diligence review.
C.Incorrect. Reviewing professionalism of the outsourced provider's staff members could be part of the
due diligence review.
D.Incorrect. Conducting a thorough background check of the outsourced provider could be the last step
to take before hiring or engaging the outsourced provider.
42.Which of the following is the major common concern to internal auditors and external
auditors?
A.Governance
B.Risk management
C.Internal controls
D.Compliance with regulations
A.Incorrect. Internal auditors review the governance area as part of their internal audit plan, but
external auditors review the governance area only as requested by their clients. In other words,
reviewing governance is not a part of the routine attestation audit of external auditors.
B.Incorrect. Internal auditors review the risk management area as part of their internal audit plan, but
external auditors review the risk management area only as requested by their clients. In other words,
reviewing risk management is not a part of the routine attestation audit of external auditors.
D.Incorrect. Internal auditors and regulatory auditors examine compliance with regulations. Review of
compliance with regulations is not a part of external auditors’ routine attestation audit, but they could
review the area based on client requests.
43.Which one of the following items drives the other three items when conducting
value-for-money (VFM) audits?
A.Expertise
B.Economy
C.Efficiency
D.Effectiveness
B.Incorrect. Economy refers to the use of resources in a cost-effective manner. Economy is driven by
expertise.
C.Incorrect. Efficiency refers to the use of resources in a productive manner. Efficiency is driven by
expertise.
D.Incorrect. Effectiveness refers to the use of resources to achieve the intended objectives.
Effectiveness is driven by expertise.
44.Regarding mobile security, encryption can be used to protect which of the following to prevent
data loss?
I. Data at rest
II. Data in motion
III. Data in processing
IV. Data in use
A.I and II
B.II and III
C.I and IV
D.III and IV
A.Incorrect. Quality assurance in manufacturing deals with establishing quality plans, objectives, and
outcomes.
C.Incorrect. Statistical assurance deals with mathematics, probabilities, mean (average), mode, median,
and variances.
D.Incorrect. This choice is not relevant to audit assurance.
46.The IIA Standard 2050, Coordination, refers to which of the following to provide assurance as
a first line of defense over risks and controls?
A.Internal auditors
B.Senior managers
C.Risk managers
D.Operations managers
A.Incorrect. Internal auditors provide the third line of defense and perform a review and evaluation
function.
B.Incorrect. Senior managers provide the second line of defense and perform an oversight function.
C.Incorrect. Risk managers provide the second line of defense and perform a staff function.
47.Which of the following provides a safety valve to management when planning to acquire,
merge, and consolidate with other businesses?
A.Operational engagement
B.Compliance engagement
C.Consulting engagement
D.Financial engagement
A.Incorrect. The scope of operational engagement is narrow and specific, and its results could not be
fed into other types of audit engagements.
B.Incorrect. The scope of compliance engagement is narrow and specific, and its results could not be
fed into other types of audit engagements.
D.Incorrect. The scope of financial engagement is narrow and specific, and its results could not be fed
into other types of audit engagements.
50.During consulting engagements, internal auditors should focus on which of the following?
A.Evidence chain
B.Value chain
C.Critical chain
D.Incident chain
A.Performance
B.Efficiency
C.Effectiveness
D.Economics
A.Incorrect. Performance is achieving the expected or targeted goals and objectives effectively and
efficiently.
C.Incorrect. Effectiveness refers to the use of resources to achieve the intended objectives.
D.Incorrect. Economics deals with the allocation and utilization of scarce resources (e.g., men, money,
materials, and machinery; 4Ms) to produce goods and provide services.
A.II only
B.I, II, and IV
C.IV only
D.I, II, III, and IV
A.Vulnerabilities
B.Threats
C.Risks
D.Controls
A.I only
B.I and II
C.I, II, and IV
D.I, II, III, and IV
55.The U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-Oxley Act
(SOX) did not recommend which of the following to become the financial expert representing the
audit committee of a publicly held corporation?
A.Internal auditor
B.External auditor
C.Principal financial officer
D.Principal accounting officer
B.Incorrect. Both the SEC and SOX do recommend that the external auditor be the financial expert
sitting on the audit committee.
C.Incorrect. Both the SEC and SOX do recommend that the principal financial officer be the
financial expert sitting on the audit committee.
D.Incorrect. Both the SEC and SOX do recommend that the principal accounting officer be the
financial expert sitting on the audit committee.
56.According to the U.S. Securities and Exchange Commission (SEC) and the U.S.
Sarbanes-Oxley Act (SOX), what is the proper term for when a chief executive officer (CEO) and
chief financial officer (CFO) need to give up their bonuses and incentives based on financial
results that later had to be restated or proved to be fraudulent?
A.Pushback provision
B.Clawback provision
C.Pullback provision
D.Rollback provision
A.Incorrect. There is no bad intent with the pushback provision. For example, some governmental
policies and laws can be pushed back if citizens protest them.
C.Incorrect. There is no bad intent with the pullback provision. For example, retailers can pull back
some merchandise from their store shelves if they are deemed to be unsafe.
D.Incorrect. There is no bad intent with the rollback provision. For example, retailers can roll back
their merchandise provision or some laws can be rolled back if citizens protest them.
57.According to the U.S. Securities and Exchange Commission (SEC) and the U.S.
Sarbanes-Oxley Act (SOX), what is the term used when a company misrepresents the dates on
which stock options were granted to executives and employees?
A.End-of-year dating
B.Backdating
C.End-of-month dating
D.End-of-quarter dating
The Answer B is Correct
Backdating is a management fraud, resulting in an artificially low exercise price for stock options
granted to executives and employees that could lead to financial restatements. Backdating represents a
bad intent of unnecessarily favoring executives and employees in reducing their tax burden by
manipulating the stock options issue date. Both the SEC and SOX enforcers have ended the backdating
of stock options.
A.I and II
B.II only
C.II and IV
D.I and III
A.Incorrect. This is partially true about the blockchain technology supporting the bitcoin currency. The
investment chain is not relevant.
B.Incorrect. This is partially true about the blockchain technology supporting the bitcoin currency. The
investment chain is not relevant.
D.Incorrect. Both the investment chain and incident chain are unrelated to the blockchain technology
supporting the bitcoin currency.
59.Hackers accept which of the following payment methods from victims for their ransomware
attacks?
I. Bitcoins
II. Credit cards
III. Green dot cards
IV. Debit cards
A.I only
B.I or III
C.I, II, or IV
D.I, II, III, and IV
60.Some basic privacy rules require that web service providers and social media platform
providers give which of the following choices to users?
A.Incorrect. Sign-in and sign-out choices are not relevant to privacy rules.
B.Incorrect. Check-in and check-out choices are not relevant to privacy rules.
D.Incorrect. Log-in and log-out choices are not relevant to privacy rules.
62.System resilience plans are developed and implemented in which of the following
cybersecurity framework functions?
A.Protect
B.Detect
C.Recover
D.Respond
A.Incorrect. “Protect” means developing and implementing the appropriate safeguards (controls) to
ensure delivery of critical infrastructure services.
B.Incorrect. “Detect” means developing and implementing the appropriate activities to identify the
occurrence of a cybersecurity event.
D.Incorrect. “Respond” means developing and implementing the appropriate activities to take action
regarding a detected cybersecurity event.
63.During an audit, an internal auditor observed that an employee in the audit client department
is watching online sports on his desktop computer during working hours. Which of the following
policies should the auditor refer to in determining whether the employee's actions are acceptable?
A.Data immutability
B.Data mining
C.Data wrangling
D.Data masking
B.Incorrect. Data mining is data analysis to bring out hidden data patterns and data relationships for
application to business functions. For example, data mining can be used to study what products and
services are sold to customers in what demographic areas, including customer buying habits and
preferences.
C.Incorrect. Data wrangling software is used to convert unstructured data (i.e., irregular or diverse data
with no apparent value) into structured data that has some real value.
D.Incorrect. Data masking is making sure that sensitive data is not available to unauthorized
individuals to read and use. Data could be encrypted first to make it unreadable for some and later
decrypted for others to read.
65.When protecting customer information from identity theft, which of the following is highly
secure when customers are using their charge cards?
B.Incorrect. A man-in-the-middle attack results from using Wi-Fi wireless network communication
technology. This is an attack on the authentication protocol run in which the attacker positions him- or
herself between the claimant and verifier to intercept and alter data traveling between them.
C.Incorrect. A signal interception attack can occur when a credit card or debit card is used, because
the card's signal transmissions can be captured with signal analyzers.
D.Incorrect. A signal injection attack can occur when a credit card or debit card is used, because the
card's signal transmissions can be manipulated with signal analyzers.
67.Which of the following are the most popular methods of identity theft using charge cards?
I. Card skimming
II. Card tampering
III. Card jamming
IV. Card cloning
A.I and II
B.II and III
C.I and IV
D.II and IV
A.Incorrect. Card skimming is a popular method of identity theft, but card tampering is not.
B.Incorrect. Neither card tampering nor card jamming is a popular method of identity theft, due to
the difficulty in accomplishing them.
D.Incorrect. Card tampering is not a popular method of identity theft, but card cloning is a popular
method.
A.I and II
B.III only
C.V only
D.I, II, III, and IV
69.Which of the following is used to identify healthcare providers who bill for more services in a
single day than the number of services that most similar providers bill in a single day?
A.Rules-based techniques
B.Anomaly-based techniques
C.Network-based techniques
D.Predictive-based techniques
A.Incorrect. Rules-based techniques filter claims data that an individual submitted for an unreasonable
number of services.
C.Incorrect. Network-based techniques discover knowledge with associated link analysis. For example,
these techniques can link bad actors involved in fraud to their addresses and phone numbers.
D.Incorrect. Predictive-based techniques use historical data to identify patterns associated with fraud.
71.Which of the following uses web-call-center notes and web-chat notes to detect fraud?
B.Incorrect. Open source data analytics could use a combination of graphs, tables, figures, and words.
C.Incorrect. Visual data analytics mainly uses graphs, tables, and figures, not so much words.
D.Incorrect. Streaming data analytics are performed in real time and in memory where they collect data
from electronic sensors to produce time-series data.
72.When data dashboards are built into business-oriented application systems, this situation is
called:
A.Fraud data analytics.
B.Streaming data analytics.
C.Web-based data analytics.
D.Embedded data analytics.
73.The metric click-to-conversion time can be measured with which of the following?
A.Behavioral analytics
B.Location analytics
C.Advanced analytics
D.Content analytics
B.Incorrect. Location analytics show tracking of people, machines, places, and inventory.
C.Incorrect. Advanced analytics cannot measure click-to-conversion time because they indicate what
could happen as in statistical modeling or data mining.
D.Incorrect. Content analytics are used in content analysis of text in words. Content analysis is a set of
procedures for transforming unstructured written material into a format for analysis and is also used for
making numerical comparisons among and within documents. It is a means of extracting insights from
already existing data sources. Its potential applications include identifying goals, describing activities,
and determining results.
74.Regarding big data, data ownership and data usage policies are addressed in which of the
following?
A.Incorrect. Data reliability standards ensure that data is reasonably complete, accurate, consistent, and
valid.
C.Incorrect. Data quality standards ensure that data is relevant, accurate, credible, and timely.
D.Incorrect. Information quality standards ensure that data is objective and has utility and integrity
attributes.
75.Airline companies use which of the following most to determine airline ticket prices for
passengers?
A.Customer analytics
B.Prescriptive analytics
C.Behavioral analytics
D.Statistical analytics
Answer B is correct.
Airline companies use prescriptive analytics most to determine airline ticket prices because these
analytics indicate or help decide what should happen in the future. Airline companies may use a
combination of prescriptive analytics, customer analytics, behavioral analytics, statistical analytics, and
other analytics.
76.When big data is turned into new insights, it refers to which of the following characteristics of
big data?
A.Volume
B.Variety
C.Value
D.Velocity
A.Incorrect. Volume is the amount of data being created that is big compared to traditional data sources.
Volume has nothing to do with value.
B.Incorrect. Variety of data comes from all types of data formats, both internally and externally.
Variety has nothing to do with value.
D.Incorrect. Velocity means data is being generated extremely quickly and continuously with greater
speed. Velocity has nothing to do with value.
77.Which of the following characteristics of big data is the main technical driver of investment in
big data?
A.Volume
B.Velocity
C.Veracity
D.Variety
A.Incorrect. Volume is the amount of data being created that is big compared to traditional data sources.
Volume has nothing to do with the investment.
B.Incorrect. Velocity means data is being generated extremely quickly and continuously with greater
speed. Velocity has nothing to do with the investment.
C.Incorrect. Veracity means data must be able to be verified based on both accuracy and context.
Veracity has nothing to do with the investment.
78.Which of the following characteristics of big data are the main business drivers of investment
in big data?
A.Incorrect. Volume and variety are not the main business drivers of investment in big data because
they do not provide insights and speed.
C.Incorrect. Velocity and veracity are not the main business drivers of investment in big data because
they do not provide insights and speed.
D.Incorrect. Variety and variability are not the main business drivers of investment in big data because
they do not provide insights and speed.
A.Prescriptive analytics
B.Descriptive analytics
C.Predictive analytics
D.Advanced predictive analytics
B.Incorrect. Descriptive analytics do not thrive on big data because they indicate what happened in the
past.
C.Incorrect. Predictive analytics do not thrive on big data because they indicate what could happen in
the future.
D.Incorrect. Advanced predictive analytics do not thrive on big data because they indicate what could
happen, as in statistical modeling or data mining.
81.Credit bureaus use which of the following to develop credit scores for individuals?
A.Behavioral analytics
B.Customer analytics
C.Big data analytics
D.Predictive analytics
A.Incorrect. Behavioral analytics focus on customers’ online purchase behavior. They are not relevant
in developing credit scores.
B.Incorrect. Customer analytics focus on online shopping and online search behavior. They are not
relevant in developing credit scores.
C.Incorrect. Big data analytics is too general and of no value in developing credit scores.
A.Incorrect. Data collection and validation is not the ultimate goal; it is an intermediary goal of big
data.
B.Incorrect. Data insights are not the ultimate goal; they are an intermediary goal of big data.
D.Incorrect. Data-driven models are not the ultimate goal; they are an intermediary goal of big data.
83.Which of the following would not establish acceptable data use policies and access rules?
A.Data owners
B.Data users
C.Data stewards
D.Data custodians
A.Incorrect. Data owners are responsible for safeguarding or securing data with security controls,
classifying data (i.e., sensitive or not sensitive), and defining and establishing data usage and access
rules (i.e., grant or deny).
C.Incorrect. Data stewards are responsible for managing a specific set of data resources. They define,
specify, establish, and standardize data assets of an organization within and across all functional areas
of business.
D.Incorrect. Data custodians are responsible for managing a specific set of data resources. They define,
specify, establish, and standardize data assets of an organization within and across all functional areas
of a business.
A.Challenge-response passwords
B.One-time passwords
C.Hard-coded passwords
D.Long and complex passwords
A.Integrity issue
B.Privacy issue
C.Connectivity issue
D.Accountability issue
A.Incorrect. Cookies do not raise integrity issues. Here, “integrity” means that websites are carefully
and properly designed, tested, and implemented.
C.Incorrect. Cookies do not raise connectivity issues. Here, “connectivity” means websites connecting
to other websites through networks and devices.
D.Incorrect. Cookies do not raise accountability issues. Here, “accountability” means website owners
are responsible for posting their own content.
86.Most spyware detection and removal utility software specifically looks for which of the
following?
A.Encrypted cookies
B.Session cookies
C.Persistent cookies
D.Tracking cookies
A.Incorrect. Encrypted cookies protect the data from unauthorized access. Some websites create
encrypted cookies to protect data from unauthorized access.
B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session. A
session cookie is erased when the user closes the web browser and is stored in temporary memory.
C.Incorrect. Persistent cookies are stored on a computer's hard drive indefinitely so that a website can
identify the user during subsequent visits. These cookies are set with expiration dates and are valid
until the user deletes them.
87.If website owners want to protect data from unauthorized access, which of the following should they use?
A.Encrypted cookies
B.Session cookies
C.Persistent cookies
D.Tracking cookies
A.Incorrect. Encrypted cookies are created by some websites to protect data from unauthorized access.
They pose little or no risk.
B.Incorrect. Session cookies are temporary cookies that are valid only for a single website session.
They are cleared or erased when the browser is closed and are stored in temporary memory. They pose
little or no risk.
D.Incorrect. Tracking cookies are cookies placed on a user's computer to track the user's activity on
different websites, creating a detailed profile of the user's behavior. They pose little or no risk.
A.I and II
B.I and III
C.II and III
D.II and IV
A.Incorrect. Session cookies and persistent cookies do not have similar functionality. Session cookies
are temporary cookies that are valid only for a single website session. Persistent cookies are cookies
stored on a computer's hard drive indefinitely so that a website can identify the user during subsequent
visits.
B.Incorrect. Session cookies and tracking cookies do not have similar functionality. Session cookies
are temporary cookies that are valid only for a single website session. Tracking cookies are cookies
placed on a user's computer to track the user's activity on different websites, creating a detailed profile
of the user's behavior.
D.Incorrect. Persistent cookies and encrypted cookies do not have similar functionality. Persistent
cookies are cookies stored on a computer's hard drive indefinitely so that a website can identify the user
during subsequent visits. Some websites create encrypted cookies to protect the data from unauthorized
access.
91.Which of the following potentially risky activities are actively taking place when cloud services
and mobile devices directly interact?
I. Data in exchange
II. Data in transit
III. Data in hiding
IV. Data in dispute
A.I and II
B.I and III
C.III and IV
D.I, II, III, and IV
92.An essential security control requirement to protect data in transit against attacks is a:
A.Incorrect. A virtual local area network (VLAN) is a network configuration in which network frames
are broadcast within the VLAN and routed between VLANs. VLANs separate the logical topology of
LANs from their physical topology.
B.Incorrect. A virtual private dial network (VPDN) is a virtual private network (VPN) tailored
specifically for dial-up access.
D.Incorrect. A virtual password is a password computed from a passphrase that meets the requirements
of password storage.
93.John (the seller) and Tom (the buyer) entered into a contract for the sale and purchase of item
K for $15,000 (contract price). Later, John finds out that Tom wants to resell the item to Gary, a
reseller, for a 10% profit after the purchase. John breaches the contract and sells the item
directly to Gary instead of to Tom. The market price of item K at the time of breach is $20,000.
Tom sues John for breach of contract. How much can Tom expect in compensatory damages and
consequential damages, respectively?
A.$5,000, $0
B.$0, $1,500
C.$5,000, $1,500
D.$1,500, $0
A.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.
B.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.
D.Incorrect. This choice results from a wrong calculation and not understanding the basic concepts of
damages.
94.Which one of the following items leads to the other three items?
A.Best practices
B.Leading practices
C.Legacy practices
D.Promising practices
A.Best practices are the processes, procedures, and systems identified in public and private
organizations that are performed exceptionally well and are widely recognized as improving an
organization's performance and efficiency in specific areas. Successfully identifying and applying best
practices can reduce business expenses and improve organizational efficiency.
Legacy Practices → Promising Practices → Leading Practices → Best Practices
B.Leading practices are successful strategies, actions, and policies that are true, tried, tested, and proven
over a time period and that result in increased revenues and profits, reduced costs, and a competitive
advantage in the marketplace. Leading practices can become best practices when more and more
organizations implement leading practices and benefit from them.
D.When properly managed, promising practices can turn into either best practices or leading practices
because they have been proven to be successful and effective. In order to achieve that goal, the
promising practices must be defined in terms of context that led to their success, challenges faced must
be described, problems and solutions applied must be indicated, and results obtained must be
documented.
A.Vulnerabilities
B.Threats
C.Risks
D.Controls
96.An organization was severely hit with a ransomware attack. Which of the following is critical
to manage?
A.Time to prevent
B.Time to recover
C.Time to detect
D.Time to pay
A.Incorrect. It is difficult to prevent ransomware attacks because hackers can conceal their acts.
C.Incorrect. It is difficult to detect ransomware attacks because hackers can conceal their acts.
D.Incorrect. Organizations have no choice but to pay the ransom amount because they need the data
to work. However, hackers can take the money and ask for more money before releasing the data. This
is a risky and dirty game played by some hackers. Here, organizations are at the mercy of hackers.
97.Which of the following uses a distributed ledger system to raise new capital in the securities
marketplace?
98.From an access control security viewpoint, which one of the following parties is different from
the other three parties?
A.Ordinary user
B.Privileged user
C.Trusted user
D.Authorized user
B.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. A privileged user is both a trusted user and an authorized
user.
C.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. A trusted user is both a privileged user and an authorized
user.
D.Incorrect. A privileged user is someone who is authorized to perform security-relevant functions that
ordinary users are not authorized to perform. An authorized user is both a privileged user and a trusted
user.
99.When conducting information systems security audits, internal auditors must be most
concerned with which of the following?
A.Blacklist
B.Whitelist
C.Blacklisting
D.Blocked listing
A.I
B.I and II
C.I and III
D.II, III, and IV
B.Incorrect. This choice is a partial answer. A whitelist is a list of host networks or application systems
that are known to be benign or mild and are approved for use within an organization and/or information
system. A whitelist indicates safe and secure entities.
C.Incorrect. This choice is a partial answer. Blacklisting is the process of a system invalidating a user
ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the
system even with the correct authenticator. Blacklisting indicates safe and secure actions.
D.Incorrect. A blocked listing is a part of blacklisting. The term “blocked listing” applies to blocks
placed against Internet Protocol addresses to prevent inappropriate or unauthorized use of the Internet
resources. A blocked listing indicates safe and secure actions.
100.Which of the following cannot reduce the total costs of data breaches?
A.Security metrics
B.Incident response team
C.Encryption
D.Mobile platforms
A.Incorrect. Security metrics can reduce the total costs of data breaches due to the insights they provide
regarding threats, attacks, and hackers. Use of metrics is proactive thinking.
B.Incorrect. The existence of an incident response team can reduce the total costs of data breaches due
to the team's expertise and readiness to prevent, detect, and recover from threats and attacks. Use of an
incident response team is proactive thinking.
C.Incorrect. Use of encryption in computer programs and data files can reduce the total costs of data
breaches because encryption protects against hacker attacks. Use of encryption is proactive thinking.
101.Which of the following are the opportunity costs resulting from a data breach?
I. Lost sales
II. Lost profits
III. Customer defection costs
IV. Customer acquisition costs
A.I
B.I and II
C.III
D.III and IV
102.Total costs of data breaches are directly related to which of the following?
105.Which of the following can aid in measuring the effectiveness of an internal audit function?
A.Pareto principle
B.Stevens’ power law
C.Gresham's law
D.Kano principle
A.Incorrect. The Pareto principle states that there are a vital few (20%) and a trivial many (80%) things
in the world.
B.Incorrect. Stevens' power law states that there are four types of scales that can be used to define
how things or data can be measured, arranged, or counted. These scales are nominal, ordinal, interval,
and ratio scales, and they are used as data counting methods in big-data analytics.
C.Incorrect. Gresham's law of planning states that managers pay more attention and put more time and
effort into planning programmed activities (i.e., routine and simple tasks) than nonprogrammed
activities (i.e., rare and complex tasks).
A.Historical audits.
B.Scheduled audits.
C.Anticipatory audits.
D.Cycle audits.
A.Incorrect. Agile audits are not historical audits because they have no resemblance to past events.
B.Incorrect. Scheduled audits are cycle audits with a known frequency.
D.Incorrect. Cycle audits are repeatable audits with a known frequency.
108.An internal audit function is effective in the minds of the board and senior management
when it is performing:
A.Error-seeking audits.
B.Value-adding audits.
C.Nitpicking audits.
D.Fault-blaming audits.
A.Incorrect. Error-seeking audits are low-level audits that the board and senior management may not
prefer because errors are possible events with human beings, meaning errors are normal and common.
No value is provided to audit clients.
C.Incorrect. Nitpicking audits are surface audits based on using a superficial audit scope and objectives.
No value is provided to audit clients.
D.Incorrect. Fault-blaming audits are finger-pointing audits blaming policies, procedures, and practices
based on past events and data. No value is provided to audit clients.
109.Which of the following provides a logical barrier that constrains the operation of program
code, data, and/or users within a defined area of a mobile device?
A.Inbox
B.Substitution box
C.Sandbox
D.Permutation box
A.Incorrect. An inbox is used for storing and displaying email messages. It has nothing to do with
mobile device security.
B.Incorrect. A substitution box consists of electrical circuits deployed in cryptographic algorithms for
signal propagation. It has nothing to do with mobile device security.
D.Incorrect. A permutation box consists of electrical circuits deployed in cryptographic algorithms for
signal propagation. It has nothing to do with mobile device security.
A.I and II
B.II and IV
C.III and IV
D.I, II, III, and IV
A.Incorrect. Both firewalls and access control lists (ACLs) use rule-based criteria to permit or deny
communication based on rulesets defined by protocol standards and/or by information technology staff.
Firewalls and ACLs do not use attack signatures, and anti-malware systems and IDS/IPS systems do
not use rulesets.
B.Incorrect. This is a partial answer.
D.Incorrect. This choice contains both correct and incorrect answers.
111.Which of the following provides encryption as a basic service and becomes a form of double
encryption when it is sent through an encrypted tunnel?
A.Value-added network
B.Virtual private network
C.Body area network
D.Personal area network
112.Which of the following are examples of major uses of system-based audit trails?
I. Acts as an insurance policy
II. Provides support for operations
III. Identifies performance problems
IV. Detects security violations
A.II only
B.III only
C.IV only
D.I, II, III, and IV
A.Login attempts
B.Application accesses
C.Remote logging
D.Login data
A.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.
B.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.
D.Incorrect. This choice should be configured. As a part of audit trails, mobile devices should be
configured to log the time, date, and possible locations of all network connections (i.e., login data), all
login attempts, and all accesses to application programs or systems.
114.What is it called when a cloud service provider of a mobile device makes a dual connection to
multiple networks?
A.Split tunneling
B.Split controls
C.Split knowledge
D.Split domains
B.Incorrect. With split controls, safeguards are divided into two or more parts, thus reducing the
strength of the controls.
C.Incorrect. Split knowledge represents a condition under which two or more parties separately have
part of the data, but no party has all the data.
D.Incorrect. Split domains represent split domain name systems (split DNS), where one physical file is
required for external clients and one physical file is required for internal clients.
115.Controls over a mobile device upon employee termination or reassignment include which of
the following?
I. Sanitize the stored information.
II. Keep the user's personal information.
III. Clear the device's memory contents.
IV. Dispose of the device.
116.Best practices in the use of mobile devices include which of the following?
I. Install application filters.
II. Enable firewalls.
III. Disable all unnecessary features.
IV. Update virus signatures.
117.Regarding mobile devices configuration, organizations should exercise controls over which of
the following procurement considerations?
I. Selection of service provider
II. Selection of hardware
III. Selection of operating system
IV. Selection of application systems
A.I and II
B.I and III
C.III and IV
D.I, II, III, and IV
118.Regarding mobile device configuration, organizations should exercise controls over which of
the following provisioning considerations?
I. Enabling necessary features
II. Planning for storage controls
III. Preparing for device disposal
IV. Implementing authentication techniques
A.I only
B.II only
C.III only
D.I, II, III, and IV
A.I only
B.II only
C.III and IV
D.I, II, III, and IV
120.Which of the following is at the core of the definition of total quality management (TQM)?
A.Customer surveys
B.Continuous improvement
C.Employee satisfaction
D.Supplier inspections
A.Policy.
B.Procedure.
C.Culture.
D.Standards.
122.Which of the following is not one of the principles of total quality management (TQM)?
A.Incorrect. “Do it right the first time” is one of the principles of TQM.
C.Incorrect. “Be customer-centered” is one of the principles of TQM.
D.Incorrect. “Build teamwork and empowerment” is one of the principles of TQM.
123.In the context of total quality management (TQM), a cause-and-effect analysis can be carried
out with:
A.Kaizen.
B.A scatter diagram.
C.A fishbone diagram.
D.A Pareto diagram.
A.Incorrect. Kaizen practitioners view quality as an endless journey, not a final destination and not a
specific program or procedure.
B.Incorrect. Scatter diagrams are used to plot the correlation between two variables.
D.Incorrect. The Pareto diagram helps TQM teams to analyze the vital few and the trivial many (the
20/80 pattern or rule). It is most efficient to focus on the few things that make the biggest difference.
B.Incorrect. Being management centered and technology driven does not serve and help external
customers with goods and services.
C.Incorrect. Being policy centered and procedure driven does not serve and help external customers
with goods and services.
D.Incorrect. Being goal centered and standard driven does not serve and help external customers with
goods and services.
A.Product-based quality.
B.Value-based quality.
C.Judgment-based quality.
D.Manufacturing-based quality.
A.Incorrect. Product-based quality assumes that higher levels or amounts of product characteristics are
equivalent to higher quality and that quality has a direct relationship with price.
B.Incorrect. Value-based quality focuses on the relationship between the usefulness of or satisfaction
with a product or service and its price.
C.Incorrect. Judgment-based quality is synonymous with superiority or excellence, which is abstract,
subjective, and difficult to quantify.
126.Which of the following total quality management (TQM) process improvement tools
monitors actual versus desired quality measurements during repetitive operations?
A.Incorrect. A run chart (also called a time-series or trend chart) tracks the frequency or amount of a
given variable over time. Significant deviations from the standard signal the need for corrective action.
B.Incorrect. A histogram is a bar chart showing whether repeated measurements in an operation
conform to a standard bell-shaped curve (normal curve).
C.Incorrect. A flowchart is a graphic representation of a sequence of activities and decisions.
Flowcharts identify unnecessary work steps so that they can be either combined or eliminated.
127.The costs of providing training and technical support to the supplier in order to increase the
quality of purchased materials are examples of
A.Prevention costs.
B.Appraisal costs.
C.Internal failure costs.
D.External failure costs.
B.Incorrect. Appraisal costs are costs to detect, measure, evaluate, and audit products and processes to
ensure that they conform to customer requirements and performance standards. They include the costs
of inspecting raw materials, testing goods throughout the manufacturing process, and testing the final
product.
C.Incorrect. Internal failure costs are the costs associated with defects that are discovered before the
product is shipped or before the service is delivered to the customer. They include the costs of the
material, labor, and other manufacturing costs incurred in reworking defective products and the costs of
scrap and spoilage.
D.Incorrect. External failure costs are associated with defects found during or after delivery of the
product or service to the customer. They include the costs of repairs made under warranty or product
recalls.
128.In the Six Sigma methodology, the mistake-proofing tool is used in which of the following
stages?
A.Define.
B.Control.
C.Measure.
D.Improve.
A.Incorrect. The “define” stage is too early to use the mistake-proofing tool.
C.Incorrect. The “measure” stage is too late to use the mistake-proofing tool.
D.Incorrect. The “improve” stage is too late to use the mistake-proofing tool.
129.A process mapping tool is not used in which of the following Six Sigma methodology stages?
A.Define.
B.Control.
C.Measure.
D.Analyze.
A.Incorrect. A process mapping tool is used in the “define” stage to improve organizational processes.
C.Incorrect. A process mapping tool is used in the “measure” stage to improve organizational
processes.
D.Incorrect. A process mapping tool is used in the “analyze” stage to improve organizational processes.
130.The cause-and-effect diagram is used in which of the following Six Sigma methodology
stages?
A.Define.
B.Analyze.
C.Improve.
D.Control.
A.Define.
B.Measure.
C.Control.
D.Improve.
A.Incorrect. In the “define” stage, brainstorming techniques are used to define the problem and to make
improvements. This stage is a better way to identify bottlenecks, process/machine breakdowns, and
non-value-added work steps.
C.Incorrect. The “control” stage monitors the ongoing performance of a process and improvement of a
product. This stage is a transition from improvement to controlling the process. It ensures that new
improvements are implemented and institutionalized.
D.Incorrect. The “improve” stage is the final objective to accomplish. Both common and special causes
are identified before this stage.
132.In the Six Sigma training environment, which of the following roles is primarily dependent
on others to acquire data?
A.Green belts
B.Black belts
C.Master black belts
D.Sponsors
B.Incorrect. The role of Six Sigma black belts is based on the principle of contributing independently
and applying the appropriate tools and techniques in the process of resolving quality problems and
issues in the organization. Black belts assume responsibility for definable projects and possess
technical competence and ability.
C.Incorrect. Master black belts ensure that they contribute through others based on their leadership
skills. They are involved as managers, mentors, or idea leaders in developing others. They have
technical breadth and skills, can build a strong network of people, and can resolve conflicts.
D.Incorrect. Sponsors are the champions of quality. They have project management skills, understand
risk management techniques, and have leadership skills. They have the vision and knowledge of
their organization's culture.
133.All of the following are effective ways to prevent service mistakes from occurring except:
A.Source inspections.
B.Self-inspections.
C.Sequence checks.
D.Mass inspections.
A.Incorrect. Source inspections are effective ways to prevent service mistakes from occurring.
B.Incorrect. Self-inspections are effective ways to prevent service mistakes from occurring.
C.Incorrect. Sequence checks are effective ways to prevent service mistakes from occurring.
A.Should define the limits or constraints within which the work teams must act if they are to remain
self-directing.
B.Become more important than ever. Without clear rules to follow, empowered work teams are almost
certain to make mistakes.
C.Should be few or none. Work teams should have the freedom to make their own decisions.
D.Should be set by the teams themselves in periodic joint meetings.
B.Incorrect. Empowered teams are important but not more important than ever. Policies in this context
should not be “rules,” and the distrust implicit in the phrase “is almost certain to make mistakes” is
inconsistent with empowerment.
C.Incorrect. Work teams are not “empowered” to do anything they please.
D.Incorrect. Work teams are not “empowered” to do anything they please.
135.One of the main reasons that implementation of a total quality management (TQM) program
works better through the use of teams is because:
A.Teams are more efficient and help an organization reduce its staffing.
B.Employee motivation is always higher for team members than for individual contributors.
C.Teams are a natural vehicle for sharing ideas, which leads to process improvement.
D.The use of teams eliminates the need for supervision, thereby allowing a company to reduce staffing.
136.One of the main reasons total quality management (TQM) can be used as a strategic weapon
is that:
A.The cumulative improvement from a company's TQM efforts cannot readily be copied by
competitors.
B.Introducing new products can lure customers away from competitors.
C.Reduced costs associated with better quality can support higher stockholder dividends.
D.TQM provides a comprehensive strategic management for a business.
137.Focusing on customers, promoting innovation, learning new philosophies, driving out fear,
and providing extensive training are all elements of a major change in organizations. These
elements are aimed primarily at:
A.Incorrect. This choice describes the fix-it-in approach, which is the first step to do. Inspectors
identify defects and report on defects that have them reworked or fixed.
C.Incorrect. This choice describes the inspect-it-in approach, which applies the fix-it-in approach to
in-process work.
D.Incorrect. This choice describes the adjust-it-in approach, which is the same as the inspect-it-in
approach.
A.Management by objectives
B.On-the-job training by other workers
C.Quality by final inspection
D.Education and self-improvement
140.In which of the following organizational structures does total quality management (TQM)
work best?
141.A company is experiencing a high level of customer returns for a particular product because
it does not meet the rigid dimensions required. Each return is reworked on a milling machine
and sent back through all of the subsequent finishing steps. This is a costly process. Identify the
best method for reducing the quality failure costs.
A.Customer surveys
B.Increased finished goods inspections
C.Defect prevention
D.Increased work-in-process inspections
A.Incorrect. Customer surveys are examples of feedback (reactive) controls and are not as effective as
a feedforward (proactive) control.
B.Incorrect. Increased finished goods inspections are examples of feedback (reactive) controls and are
not as effective as a feedforward (proactive) control.
D.Incorrect. Increased work-in-process inspections are examples of feedback (reactive) controls and
are not as effective as a feedforward (proactive) control.
A.I only
B.II only
C.III only
D.IV only
B.Incorrect. Spending funds in the appraisal area will improve quality, but funds are better spent on
prevention than on the appraisal area.
C.Incorrect. Spending funds in the internal failure area will improve quality, but funds are better spent
on prevention than on the internal failure area.
D.Incorrect. Spending funds in the external failure area will improve quality, but funds are better spent
on prevention than on the external failure area.
A.I only
B.II only
C.III only
D.IV only
A.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.
B.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.
C.Incorrect. Detecting poor-quality products at earlier stages prevents customers from ever receiving
poor-quality products.
A.Incorrect. Risk and result analysis can be part of or separate from the in-source versus outsource
analysis.
C.Incorrect. Competence and cost analysis can be part of or separate from the in-source versus
outsource analysis.
D.Incorrect. Contract-or-service analysis can be part of or separate from the in-source versus outsource
analysis.
147.Which of the following statements is not true about the benefits of outsourcing a business
process or function?
A.Absolute numbers
B.Rolling numbers
C.Range of numbers
D.Average numbers
A.Incorrect. Absolute numbers do not show low (nonpeak) and high (peak) performance.
B.Incorrect. Rolling numbers do not show low (nonpeak) and high (peak) performance.
D.Incorrect. Average numbers do not show low (nonpeak) and high (peak) performance.
149.In a global outsourcing environment, which of the following selection factors for an
outsourced vendor does not matter that much?
A.Project governance
B.Vendor governance
C.Customer governance
D.Service governance
A.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective, project
governance is a part of vendor governance.
C.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective,
customer governance is a part of vendor governance.
D.Incorrect. Because vendor governance provides a comprehensive and big-picture perspective, service
governance is a part of vendor governance.
151.Which of the following scope items for an outsourced vendor takes on a significant dimension
in a supply-chain environment?
153.Which of the following involves identifying, studying, and building on the best practices of
other organizations?
A.Kaizen
B.Benchmarking
C.Plan, do, check, and act cycle
D.Total quality management
A.It is typically accomplished by comparing an organization's performance with the performance of its
closest competitors.
B.It can be performed using either qualitative or quantitative comparisons.
C.It is normally limited to manufacturing operations and production processes.
D.It is accomplished by comparing an organization's performance to that of best-performing
organizations.
The Answer D is Correct
Benchmarking is accomplished by comparing an organization's performance to that of best-performing
organizations.
156.A company that has many branch stores has decided to benchmark one store for the purpose
of analyzing the accuracy and reliability of branch store financial reporting. Which one of the
following is the most likely measure to be included in a financial benchmark?
A.Incorrect. A high turnover of employees may indicate a morale problem but not necessarily a
problem with the accuracy and reliability of financial reports.
B.Incorrect. A high level of employee participation in budget setting is an example of decentralization
and would not necessarily impact the accuracy and reliability of financial reports.
D.Incorrect. A high number of suppliers would not necessarily indicate a problem with the accuracy
and reliability of financial reports.
157.Which of the following can reflect the effectiveness of a firm's human resource department?
A.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).
C.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).
D.Incorrect. This choice reflects an efficiency measure (i.e., inputs used to achieve a given level of
output).
158.A new, midsize manufacturing company in a small town was fined heavily for unknowingly
polluting the nearby drinking water system with harmful chemicals that leaked from its
manufacturing plant. What could this company have done, if anything, to prevent such heavy
fines that it cannot afford to pay?
A.Incorrect. Conducting business impact analysis is not directly applicable here because its scope is too
broad and includes studying products, services, sales, costs, and profits.
C.Incorrect. Conducting sustainability impact analysis is not directly applicable here because it focuses
on whether a company can survive or die over a long period.
D.Incorrect. Conducting survivability impact analysis is not directly applicable here because it is a part
of sustainability impact analysis.
A.I and II
B.II and III
C.III and IV
D.I, II, III, and IV
A.Timeliness
B.Productivity
C.Efficiency
D.Quantity
163.The balanced scorecard approach does not require looking at performance from which of the
following perspectives?
A.Financial
B.Competitor
C.Customer
D.Internal business processes
165.Which of the following perspectives of the balanced scorecard deal with objectives across a
company's entire value chain?
A.Financial
B.Customer
C.Internal business processes
D.Learning and growth
A.Incorrect. The financial perspective focuses on only one activity – finance, which does not address
the entire value chain consisting of several activities.
B.Incorrect. The customer perspective focuses on only one activity – customer, which does not address
the entire value chain consisting of several activities.
D.Incorrect. The learning and growth perspective focuses on only one activity – learning and growth,
which does not address the entire value chain consisting of several activities.
166.Which of the following perspectives of the balanced scorecard deal with objectives of
increasing market share and penetrating into new markets?
A.Financial
B.Customer
C.Internal business processes
D.Learning and growth
A.Incorrect. The financial perspective does not directly deal with increasing market share and
penetrating into new markets.
C.Incorrect. The internal business processes perspective does not directly deal with increasing market
share and penetrating into new markets.
D.Incorrect. The learning and growth perspective does not directly deal with increasing market share
and penetrating into new markets.
167.Which of the following perspectives of the balanced scorecard deal with the objectives of
product improvement?
A.Financial
B.Customer
C.Internal business processes
D.Learning and growth
A.Incorrect. The financial perspective does not directly deal with the objectives of product
improvement.
B.Incorrect. The customer perspective does not directly deal with the objectives of product
improvement.
C.Incorrect. The internal business processes perspective does not directly deal with the objectives of
product improvement.
168.Which of the following items represent nonfinancial measures under the balanced scorecard
approach?
I. Costs
II. Sales margins
III. Quality
IV. Customer service
A.III only
B.IV only
C.I and II
D.III and IV
A.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.
B.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.
C.Incorrect. Costs and sales margins are financial measures while quality and customer service are
nonfinancial measures.
169.Which of the following statements is not true about nonfinancial measures of performance
under the balanced scorecard approach?
A.Financial
B.Customer
C.Internal business processes
D.Learning and growth
A.Incorrect. The financial perspective does not directly deal with the objective of shortening the
time-to-market metric.
B.Incorrect. The customer perspective does not directly deal with the objective of shortening the
time-to-market metric.
C.Incorrect. The internal business processes perspective does not directly deal with the objective of
shortening the time-to-market metric.
A.Lost customers.
B.Dissatisfied customers.
C.Product or service quality.
D.Machine downtime.
172.Which of the following balanced scorecard measures is difficult to identify and implement?
A.Incorrect. The market-based performance scorecard measure is relatively easy to identify and
implement because the marketing function is internal to a corporation.
B.Incorrect. The production-based performance scorecard measure is relatively easy to identify and
implement because the production function is internal to a corporation.
D.Incorrect. The human resource–based performance scorecard measure is relatively easy to identify
and implement because the human resource function is internal to a corporation.
A.I and II
B.III and IV
C.I, II, and III
D.I, II, III, and IV
A.Incorrect. This is a partially correct answer (i.e., lag measures and lead measures).
B.Incorrect. This choice contains both valid answers (i.e., interlinking measures) and invalid answers
(i.e., interrelationship digraph).
An interrelationship digraph identifies and explores causal relationships among related concepts or
ideas. It shows that every idea can be logically linked with more than one other idea at a time and allows
for lateral thinking rather than linear thinking. The graph is used after the affinity diagram has clarified
issues and problems.
D.Incorrect. This choice contains both valid answers (i.e., lead measures, lag measures, and
interlinking measures) and invalid answers (i.e., interrelationship digraph).
An interrelationship digraph identifies and explores causal relationships among related concepts or
ideas. It shows that every idea can be logically linked with more than one other idea at a time and allows
for lateral thinking rather than linear thinking. The graph is used after the affinity diagram has clarified
issues and problems.
174.When a customer presents her credit card with a smart chip and a personal identification
number (PIN) to pay for merchandise purchases at a retail store, she is using a:
A.Zero-factor authentication.
B.Single-factor authentication.
C.Two-factor authentication.
D.Three-factor authentication.
A.Incorrect. There is evidence of authentication factors used with the card, chip, and PIN.
B.Incorrect. There is evidence of more than one authentication factor used with the card, chip, and
PIN.
D.Incorrect. Only two authentication factors are used, where the card and chip are one factor and the PIN
is the second factor.
175.In electronic authentication, using one token to gain access to a second token is called a:
A.Incorrect. This choice is not applicable because a multifactor scheme is not used.
C.Incorrect. This choice is not applicable because a multitoken and multifactor scheme is not used.
D.Incorrect. This choice is not applicable because a multistage authentication scheme is not used.
176.Token duplication is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the token duplication threat?
177.Eavesdropping is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the eavesdropping threat?
A.Incorrect. This choice cannot provide dynamic authentication. Entropy is a measure of the amount of
uncertainty that an attacker faces to determine the value of a secret.
B.Incorrect. This choice cannot provide dynamic authentication.
D.Incorrect. This choice cannot provide dynamic authentication.
A.Group accounts
B.Local user accounts
C.Guest accounts
D.Anonymous accounts
179.Phishing or pharming is a threat to the tokens used for electronic authentication. Which of
the following is a countermeasure to mitigate the phishing or pharming threat?
180.Theft is a threat to the tokens used for electronic authentication. Which of the following is a
countermeasure to mitigate the theft threat?
A.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.
B.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.
C.Incorrect. This choice cannot provide multifactor tokens because they use only one factor.
181.Social engineering is a threat to the tokens used for electronic authentication. Which of the
following is a countermeasure to mitigate the social engineering threat?
A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls
A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.
184.From an access control point of view, separation of duty is not related to which of the
following?
A.Safety
B.Reliability
C.Fraud
D.Security
A.Incorrect. Computer systems must be designed and developed with safety in mind because unsecure
and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems).
C.Incorrect. Computer systems must be designed and developed with fraud in mind because unsecure
and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems).
D.Incorrect. Computer systems must be designed and developed with security in mind because
unsecure and unsafe systems can cause injury to people and damage to assets (e.g., military and airline
systems).
185.Which of the following access authorization policies applies to when an organization has a list
of software not authorized to execute on an information system?
B.Incorrect. The access policy is not based on a specific access authorization policy.
C.Incorrect. The access policy is not based on a specific access authorization policy.
D.Incorrect. The access policy is not based on a specific access authorization policy.
A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls
A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.
187.Which of the following are needed when it is difficult to enforce normal security policies,
procedures, and rules?
I. Compensating controls
II. Close supervision
III. Team review of work
IV. Peer review of work
A.I only
B.II only
C.I and II
D.I, II, III, and IV
188.Host and application system hardening procedures are a part of which of the following?
A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls
A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.
A.Single-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Multifactor authentication
B.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.
C.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.
D.Incorrect. This choice is not needed for authentication of nonsensitive assets with low security risk.
190.From an access control effectiveness viewpoint, which of the following represents biometric
verification when a user submits a combination of a personal identification number (PIN) first
and biometric sample next for authentication?
A.One-to-one matching
B.One-to-many matching
C.Many-to-one matching
D.Many-to-many matching
B.Incorrect. This choice does not properly define the statement in the question.
C.Incorrect. This choice does not properly define the statement in the question.
D.Incorrect. This choice does not properly define the statement in the question.
191.From an access control effectiveness viewpoint, which of the following represents biometric
identification when a user submits a combination of a biometric sample first and a personal
identification number (PIN) next for authentication?
A.One-to-one matching
B.One-to-many matching
C.Many-to-one matching
D.Many-to-many matching
A.Incorrect. This choice does not properly define the statement in the question.
C.Incorrect. This choice does not properly define the statement in the question.
D.Incorrect. This choice does not properly define the statement in the question.
192.From an access control effectiveness viewpoint, which of the following is represented when a
user submits a combination of a hardware token and a personal identification number (PIN) for
authentication?
I. A weak form of two-factor authentication
II. A strong form of two-factor authentication
III. Supports physical access
IV. Supports logical access
A.I only
B.II only
C.I and III
D.II and IV
193.A combination of something you have (one time), something you have (second time), and
something you know is used to represent which of the following personal authentication proofing
schemes?
A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication
A.Directive controls
B.Preventive controls
C.Detective controls
D.Corrective controls
A.Incorrect. Directive controls are broad-based controls to handle security incidents, and they include
management's policies, procedures, and directives.
C.Incorrect. Detective controls enhance security by monitoring the effectiveness of preventive controls
and by detecting security incidents where preventive controls were circumvented.
D.Incorrect. Corrective controls are procedures to react to security incidents and to take remedial
actions on a timely basis. Corrective controls require proper planning and preparation as they rely
heavily on human judgment.
195.What is using two different passwords for accessing two different systems in the same session
called?
A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication
A.Incorrect. This choice is not applicable because two factors are used.
C.Incorrect. This choice is not applicable because two factors are used.
D.Incorrect. This choice is not applicable because two factors are used.
196.What is using a personal identity card with attended access (e.g., a security guard) and a
personal identification number (PIN) called?
A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication
197.A truck driver, who is an employee of a defense contractor, transports highly sensitive parts
and components from a defense contractor's manufacturing plant to a military installation at a
highly secure location. The military's receiving department tracks the driver's physical location
to ensure that there are no security problems on the way to the installation. Upon arrival at the
installation, the truck driver shows an employee badge with photo ID issued by the defense
contractor, enters a password and personal identification number (PIN), and presents a
fingerprint for biometric sampling prior to entering the installation and unloading the truck's
contents. What type of authentication is represented in this scenario?
A.One-factor authentication
B.Two-factor authentication
C.Three-factor authentication
D.Four-factor authentication
A.Incorrect. This choice is not applicable because four factors are used.
B.Incorrect. This choice is not applicable because four factors are used.
C.Incorrect. This choice is not applicable because four factors are used.
198.All the following storage encryption authentication products may use the operating system's
authentication for single sign-on except:
A.Full-disk encryption.
B.Volume encryption.
C.Virtual disk encryption.
D.File encryption.
B.Incorrect. Volume encryption is the process of encrypting an entire volume, which is a logical unit of
storage comprising a file system, and permitting access to the data on the volume only after proper
authentication is provided.
C.Incorrect. Virtual disk encryption is the process of encrypting a container, which can hold many files
and folders, and permitting access to the data within the container only after proper authentication is
provided. A container is a file encompassing and protecting other files.
D.Incorrect. File encryption is the process of encrypting individual files on a storage medium and
permitting access to the encrypted data only after proper authentication is provided.
200.Recovery mechanisms for storage encryption authentication solutions require which of the
following?
202.Which of the following controls over telecommuting use tokens and/or one-time passwords?
A.Firewalls
B.Robust authentication
C.Port protection devices
D.Encryption
A.Incorrect. A firewall uses a secure gateway or series of gateways to block or filter access between
two networks, often between a private network and a larger, more public network, such as the internet
or a public-switched network (e.g., the telephone system). A firewall does not use tokens and
passwords as much as robust authentication does.
C.Incorrect. A port protection device (PPD) is connected to a communications port of a host computer
and authorizes access to the port itself, prior to and independent of the computer's own access control
functions. A PPD can be a separate device in the communications stream or may be incorporated into a
communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a
password, to access the communications port. One of the most common PPDs is the dial-back modem.
PPD does not use tokens and passwords as much as robust authentication does.
D.Incorrect. Encryption is more expensive than robust authentication. It is most useful if highly
confidential data needs to be transmitted or if moderately confidential data is transmitted in a
high-threat area. Encryption is most widely used to protect the confidentiality of data and its integrity
(it detects changes to files). Encryption does not use tokens and passwords as much as robust
authentication does.
203.Which of the following statements about an access control system is not true?
204.Which of the following is not a preventive measure against network intrusion attacks?
A.Firewalls
B.Auditing
C.System configuration
D.Intrusion detection system
A.Proof by knowledge
B.Proof by property
C.Proof by possession
D.Proof of concept
206.Which of the following is a component that provides a security service for a smart card
application used in a mobile device authentication?
A.Challenge-response protocol
B.Service provider
C.Resource manager
D.Driver for the smart card reader
B.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
C.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
D.Incorrect. This choice is a software component that supports a smart card application and does not
provide a challenge-response protocol.
207.Which of the following is not a sophisticated technical attack against smart cards?
A.Reverse engineering
B.Fault injection
C.Signal leakage
D.Impersonating
A.Incorrect. Reverse engineering is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.
B.Incorrect. Fault injection is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.
C.Incorrect. Signal leakage is a sophisticated technical attack against smart cards. Smart cards are
designed to resist tampering and monitoring of the cards, including sophisticated technical attacks.
A.Incorrect. Phishing is tricking individuals into disclosing sensitive personal information through
deceptive computer-based means. Phishing attacks use social engineering and technical subterfuge to
steal consumers’ personal identity data and financial account credentials. It involves internet fraudsters
who send spam or pop-up messages to obtain personal information (e.g., credit card numbers, bank
account information, Social Security number, passwords, or other sensitive information) from
unsuspecting victims. Pharming is misdirecting users to fraudulent websites or proxy servers, typically
through domain name system hijacking or poisoning.
C.Incorrect. Snooping, scanning, and sniffing are all actions that search for required and valuable
information. They involve looking around for vulnerabilities and planning to attack. These are
preparatory actions prior to launching serious penetration attacks.
D.Incorrect. Cracking is breaking in to get passwords and bypassing software controls in an electronic
authentication system, such as user registration. Scamming is impersonating a legitimate business using
the internet. Buyers should check out sellers before buying goods or services. Sellers should give out a
physical address with a working telephone number.
210.Passwords and personal identification numbers (PINs) are examples of which of the
following?
211.Each user is granted the lowest clearance needed to perform authorized tasks. Which of the
following principles is this?
B.Incorrect. The principle of separation of duties states that no single person can have complete control
over a business transaction or task.
C.Incorrect. The principle of system clearance states that users’ access rights should be based on their
job clearance status (i.e., sensitive or nonsensitive).
D.Incorrect. The principle of system accreditation states that all systems should be approved by
management prior to making them operational.
212.Which of the following statements is true about intrusion detection systems (IDS) and
firewalls?
A.Incorrect. This choice is a part of an authentication process. The authenticator factor “knows” means
using a password or personal identification number.
B.Incorrect. This choice is a part of an authentication process. The authenticator factor “has” means
using a key or card.
D.Incorrect. This choice is a part of an authentication process. The authenticator factor “is” means
using a biometric identity (e.g., fingerprint or thumb print).
B.Incorrect. Authorization and authentication are not the same. Authorization refers to verifying the
user's permission; authentication refers to verifying the identity of a user.
C.Incorrect. Authorization is permission to do something with information in a computer.
D.Incorrect. Authorization comes after authentication.
216.Which of the following statements is not true about discretionary access control?
A.Kerberos
B.Secure remote procedure calls
C.Reusable passwords
D.Digital certificates
A.Incorrect. This choice provides a robust authentication. Kerberos is an authentication tool used in
local logins, remote authentication, and client-server requests. It is a means of verifying the identities
of principals on an open network.
B.Incorrect. This choice provides robust authentication.
D.Incorrect. This choice provides robust authentication.
B.Incorrect. This choice is an example of a nondiscretionary access control. Mandatory access control
deals with rules.
C.Incorrect. This choice is an example of a nondiscretionary access control. Role-based access control
deals with job titles and functions.
D.Incorrect. This choice is an example of a nondiscretionary access control. Temporal constraints deal
with time-based restrictions and control time-sensitive activities.
A.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.
B.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.
C.Incorrect. This choice provides individual accountability. The concept of individual accountability
drives the need for many security safeguards, such as unique user identifiers, audit trails, and access
authorization rules.
221.From an access control viewpoint, which of the following is computed from a passphrase?
A.Access password
B.Personal password
C.Valid password
D.Virtual password
A.Incorrect. An access password is not computed from a passphrase. This password is used to authorize
access to data and is distributed to all those who are authorized to have similar access to that data.
B.Incorrect. A personal password is not computed from a passphrase. It is known by only one person
and is used to authenticate that person's identity.
C.Incorrect. A valid password is not computed from a passphrase. It is a personal password that
authenticates the identity of an individual when presented to a password system. It is also an access
password that enables the requested access when presented to a password system.
222.Which of the following user identification and authentication techniques depends on reference
profiles or templates?
A.Memory tokens
B.Smart cards
C.Cryptography
D.Biometric systems
A.Incorrect. Memory tokens do not depend on reference profiles or templates. Memory tokens involve
the creation and distribution of a token device with a personal identification number (PIN) and data that
tell the computer how to recognize valid tokens or PINs.
B.Incorrect. Smart cards do not depend on reference profiles or templates. Smart cards involve the
creation and distribution of a token device with a personal identification number (PIN) and data that
tell the computer how to recognize valid tokens or PINs.
C.Incorrect. Cryptography does not depend on reference profiles or templates. Cryptography requires
the generation, distribution, storage, entry, use, and archiving of cryptographic keys as in
encryption.
B.Incorrect. This choice does not describe the contents of an access control matrix.
C.Incorrect. This choice does not describe the contents of an access control matrix.
D.Incorrect. This choice does not describe the contents of an access control matrix.
225.Which of the following types of access control mechanism does not rely on physical access
controls?
A.Encryption controls
B.Application system access controls
C.Operating system access controls
D.Utility programs
B.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.
C.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.
D.Incorrect. This choice depends on physical access controls. Most systems can be compromised if
someone can physically access the central processing unit or major components, for example, restarting
the system with different software. Logical access controls are therefore dependent on physical access
controls. Application systems, operating systems, and utility programs are heavily dependent on
physical access controls to protect against unauthorized use.
226.An inherent risk is associated with logical access that is difficult to prevent or mitigate but
can be identified via a review of audit trails. Which of the following types of access is this risk
most associated with?
A.Incorrect. Properly used authorized access can also be reviewed through audit trail analysis, but its risk is much lower
than that of misused authorized access.
C.Incorrect. Unauthorized access attempts, whether successful or not, can be detected through the
analysis of audit trails.
D.Incorrect. Unauthorized access attempts, whether successful or not, can be detected through the
analysis of audit trails.
227.Which of the following is the most effective method for password creation?
A.Encryption
B.Smart cards
C.Social engineering
D.Access control lists
A.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.
B.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.
D.Incorrect. This choice is a technical security control. Technical security controls consist of hardware
and software-based controls used to provide automated protection to computer systems or applications
as they operate within these systems or applications. Technical security controls are far-reaching in
scope and encompass such technologies as encryption, smart cards, network authentication, access
control lists, and file integrity auditing software.
229.Which of the following results when software vulnerabilities are not mitigated in a timely
manner?
I. Zero-day threats
II. Zero-day exploits
III. Zero-day warez
IV. Zero-day incidents
A.I and II
B.I, II, and III
C.I, II, and IV
D.I, II, III, and IV
A.Incorrect. Login spoofing can be defended against by providing a secure channel between the user
and the system.
B.Incorrect. A hardware-reset button on a personal computer can be very effective in removing some
kinds of spoofing attacks.
C.Incorrect. Cryptographic authentication techniques can increase security, but only for complex
systems.
233.Because much of the data involved in daily operations would be helpful to competitors if they
had access to it, a company authorizes access for employees to only the data required for
accomplishing their jobs. This approach is known as access on a(n):
A.Need-to-know basis.
B.Individual accountability basis.
C.Just-in-time basis.
D.Management-by-exception basis.
A.Incorrect. Comparing software in use with authorized versions of the software is a detective measure,
not a preventive measure.
B.Incorrect. Executing virus exterminator programs periodically on the system is a detective/corrective
measure, not a preventive measure.
D.Incorrect. Preparing and testing a plan for recovering from a virus is a corrective measure, not a
preventive measure.
235.A controller became aware that a competitor appeared to have access to the company's
pricing information. The internal auditor determined that the leak of information was occurring
during the electronic transmission of data from branch offices to the head office. Which of the
following controls would be most effective in preventing the leak of information?
A.Asynchronous transmission
B.Encryption
C.Use of fiber optic transmission lines
D.Use of passwords
A.Incorrect. Asynchronous transmission does not prevent theft of data; it speeds up the transmission
process.
C.Incorrect. Fiber optic transmission lines will improve the quality of the transmission but will not
prevent theft of data.
D.Incorrect. Use of passwords will control access at the sending location and will limit access to the
head office computer. Passwords, however, will not prevent someone from tapping into the
transmission line.
236.An insurance firm uses a wide area network to allow agents away from the home office to
obtain current rates and client information and to submit approved claims using notebook
computers and dial-in modems. In this situation, which of the following methods would provide
the best data security?
A.Incorrect. Dedicated phone lines would not be cost effective or available to field agents.
B.Incorrect. Field agents would not always be located at the same phone line to permit dial-up call back
usage.
C.Incorrect. User IDs and passwords can be compromised by an attacker's computer software.
237.When protecting a bank's customer information from identity theft, a bank's disclosure
policy would not respond to which of the following types of request?
A.An email
B.A pretext telephone call
C.A text message
D.A personal letter
A.Incorrect. A bank's disclosure policy would respond to an email from a bank's customer.
C.Incorrect. A bank's disclosure policy would respond to a text message from a bank's customer.
D.Incorrect. A bank's disclosure policy would respond to a personal letter from a bank's customer.
A.Incorrect. Strategies and goals are key value drivers of an organization that can create value. Key
value drivers are core elements that can make an organization either a value creator or a value
destroyer.
B.Incorrect. Culture and ethics are key value drivers of an organization that can create value. Key value
drivers are core elements that can make an organization either a value creator or a value destroyer.
C.Incorrect. Products and services are key value drivers of an organization that can create value. Key
value drivers are core elements that can make an organization either a value creator or a value
destroyer.
A.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.
B.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.
C.Incorrect. Internal auditors should perform this function as it would not impair their independence
and objectivity.
A.Incorrect. All of the statements are reflective of the differences in approaches to controls in
reengineered organizations. Reengineering places more emphasis on monitoring controls to let
management know when an operation may be out of control and signals the need for corrective action.
This choice reflects management's proper action.
B.Incorrect. Most of the reengineering and TQM techniques assume that humans will be motivated to
actively work to improve the process when they are involved from the beginning. This choice reflects
management's proper action.
C.Incorrect. There is an increasing emphasis on self-correcting and automated controls. This choice
reflects management's proper action.
241.An organization has decided to reengineer several major processes. Of the following reasons
for employees to resist this change, which is least likely to happen?
A.Incorrect. Real or imagined loss of jobs is a common reason for employees to resist any change. This
choice is most likely to happen. Reengineering is the thorough analysis, fundamental rethinking, and
complete redesign of essential business processes. The intended result is a dramatic improvement in
service, quality, speed, and cost.
C.Incorrect. Members of work groups often exert peer pressure on one another to resist change,
especially if social relationships are changed. This choice is most likely to happen. Reengineering is the
thorough analysis, fundamental rethinking, and complete redesign of essential business processes. The
intended result is a dramatic improvement in service, quality, speed, and cost.
D.Incorrect. Management's lack of communication and discussion of the need for switching to new
processes threatens the status quo. This choice is most likely to happen. Reengineering is the thorough
analysis, fundamental rethinking, and complete redesign of essential business processes. The intended
result is a dramatic improvement in service, quality, speed, and cost.
242.Which of the following paired items have a direct relationship with each other?
A.Incorrect. Sampling errors and confidence level have an inverse relationship with each other.
Sampling error is (1 minus confidence level), meaning as the sampling error increases, the confidence
level decreases.
C.Incorrect. Sampling risk and reliability level have an inverse relationship with each other. Sampling
risk is (1 minus reliability level), meaning as the sampling risk increases, the reliability level decreases.
D.Incorrect. Audit risk and audit assurance have an inverse relationship with each other. As the audit
risk increases, the audit assurance decreases.
243.Which of the following paired items have an inverse relationship with each other?
A.Incorrect. Audit reliance and audit assurance have a direct relationship with each other. As the audit
reliance increases, the audit assurance increases.
B.Incorrect. Risk and return have a direct relationship with each other. As the risk increases, the return
increases.
D.Incorrect. Risk agility and risk resiliency have a direct relationship with each other. As the risk
agility increases, the risk resiliency increases.
244.Which of the following paired items have a direct relationship with each other?
A.Incorrect. De-risking and residual risk have an inverse relationship with each other. As the de-risking
increases, the residual risk decreases.
B.Incorrect. Sample size and sampling risk have an inverse relationship with each other. As the sample
size increases, the sampling risk decreases.
C.Incorrect. Probability of ruin and value of an asset have an inverse relationship with each other. As
the probability of ruin increases, the value of an asset decreases.
245.Which of the following paired items have an inverse relationship with each other?
A.Click fraud rate and click-to-conversion time
B.Risk universe and audit universe
C.Competence and Judgment
D.Proficiency and competence
B.Incorrect. Risk universe and audit universe have a direct relationship with each other. As the risk
universe increases, the audit universe increases.
C.Incorrect. Competence and judgment have a direct relationship with each other. As the competence
increases, the judgment increases.
D.Incorrect. Proficiency and competence have a direct relationship with each other. As the proficiency
increases, the competence increases.
246.Which of the following paired items have a direct relationship with each other?
B.Incorrect. Audit risk scores and audit cycle frequency have an inverse relationship with each other.
As the audit risk scores increase, the audit cycle frequency decreases (i.e., shorter time intervals
between audits to address higher risk areas).
C.Incorrect. Tolerable error and sample size have an inverse relationship with each other. The lower
the tolerance for error, the larger the number of items that needs to be selected in a sample (i.e., need a
larger sample size).
D.Incorrect. Precision limits and sample size have an inverse relationship with each other. The smaller
the precision limits, the larger the size of the sample selected.
A.Anti-debugging software
B.Anti-malware software
C.Anti-spyware software
D.Anti-spamming software
B.Incorrect. A major purpose of anti-malware software is to scan computer resources (e.g., files and
devices) for the presence of malware and protect such computer resources from getting infected with
malware. However, hackers can deactivate the anti-malware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous malware in the
place of the official anti-malware to conduct their attacks. This choice poses a major risk.
C.Incorrect. A major purpose of anti-spyware software is to scan computer resources (e.g., files and
devices) for the presence of spyware and protect such computer resources from getting infected with
spyware. However, hackers can deactivate the anti-spyware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous spyware in the
place of the official anti-spyware to conduct their attacks. This choice poses a major risk.
D.Incorrect. A major purpose of anti-spamming software is to scan computer resources (e.g., files and
devices) for the presence of spamware and protect such computer resources from getting infected with
spamware. However, hackers can deactivate the anti-spamware software and can kill its features and
functions to make the software useless. Hackers can then insert their own dangerous spamware in the
place of the official anti-spamware to conduct their attacks. This choice poses a major risk.
A.Trademarks
B.Copyrights
C.Trade secrets
D.Patents
A.Incorrect. Software is not usually trademarked. A trademark is a valuable marketing asset in that it
identifies products and differentiates companies owning those products from other companies and
protects the trademark owner from infringement by others. It forms an association of a product with a
company in people's minds (i.e., minds and products). Trademarks are features such as designs, brand
names, or symbols which allow easy recognition of a product.
C.Incorrect. Software is not usually a trade secret. A trade secret can be of any form or type of
commercially-valuable information that the owner has taken reasonable measures to keep secret and
that has an independent economic value from the fact that it is a secret and cannot be readily
ascertained by the public. Trade secrets can include, for example, technical, scientific, and engineering
data; business records; or economic, financial, and marketing information (e.g., marketing strategies).
For example, a soup recipe for a soup company is a trade secret.
D.Incorrect. Software is not usually patented. In its simplest form, a patent is a property right for an
invention granted by the government to the inventor. A patent gives the owner the right to exclude
others from making, using, and selling devices that embody the claimed invention. Patents generally
protect features, products, and processes, not pure ideas.
A.Incorrect. The cost of using information is not relevant here because it does not matter whether the
protected information is used or not. Protection is more important than use.
B.Incorrect. The cost of protecting information is important and can be calculated by adding up all
the costs incurred to acquire and install hardware and software and the costs to hire staff. The cost of
information protection, which represents one side of the coin, can become a routine and mechanical
exercise and can become a discretionary spending amount. To get a big-picture perspective, the cost of
protecting information should be compared with the cost of not protecting information, which is the
other side of the coin.
C.Incorrect. The cost of not using information is not relevant because it does not matter whether the
protected information is used or not.
250.Reporting to senior management and the board is an important part of the auditor's
obligation. Which of the following items is not required to be reported to senior management
and/or the board?
A.Subsequent to the completion of an audit, but prior to the issuance of an audit report, the audit senior
in charge of the audit was offered a permanent position in the auditee's department.
B.An annual report summary of the department's audit work schedule and financial budget.
C.Significant interim changes to the approved audit work schedule and financial budget.
D.An audit plan was approved by senior management and the board. Subsequent to the approval, senior
management informed the chief audit executive not to perform an audit of a division because the
division's activities were very sensitive.
B.Incorrect. This is a standard part of the required reporting to senior management and the board.
C.Incorrect. This is a standard part of the required reporting to senior management and the board.
D.Incorrect. The audit plan had been approved by both senior management and the board. The change
dictated by senior management should be reported to the board.