CISA 100 Practice

Questions

1. An IS auditor, performing a review of an applications controls,

discovers a weakness in system software, which could materially impact
the application. The IS auditor should:
A. Disregard these control weaknesses as a system software review is
beyond the scope of this review.
B. Conduct a detailed system software review and report the control
weaknesses.
C. Include in the report a statement that the audit was limited to a review
of the applications controls.
D. Review the system software controls as relevant and recommend a
detailed system software review.

Answer: D
The IS auditor is not expected to ignore control weaknesses just
because they are outside the scope of a current review. Further, the
conduct of a detailed systems software review may hamper the audits
schedule and the IS auditor may not be technically competent to do
such a review at this time. If there are control weaknesses which have
been discovered by the IS auditor, they should be disclosed. By issuing
a disclaimer, this responsibility would be waived. Hence, the
appropriate option would be to review the systems software as
relevant to the review and recommend a detailed systems software for
which additional resources may be recommended.

2. The reason for having controls in an IS environment:

A. remains unchanged from a manual environment, but the implemented
control features may be different.
B. changes from a manual environment, therefore the implemented control
features may be different.
C. changes from a manual environment, but the implemented control features
will be the same.
D. remains unchanged from a manual environment and the implemented
control features will also be the same.

Answer: A
The internal control objectives apply to all areas, whether manual or
automated. There are additional objectives to be achieved in the IS
environment, when compared to the manual environment. Common
control objectives remain unchanged in both the IS environment and
manual environment, although the implementation of the control
functions may be different in the IS environment, e.g., the adequacy of
backup/recovery in a common internal control objective for IS and
manual environment. The specific IS control objective may be to
adequately back up the files to allow for proper recovery. This may be
achieved by implementing proper control procedures, such as business
continuity policy, in the IS department. Therefore, the implementation
of the control functions may be different in the IS environment. But the
common control objectives in an IS environment remains unchanged

3. Which of the following types of risks assumes an absence of

compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

Answer: C
The risk that an error exists that could be material or significant when
combined with other errors encountered during the audit, there being
no related compensating controls, is the inherent risk. Control risk is
the risk that a material error exists that will not be prevented or
detected on a timely basis by the system of internal controls.
Detection risk is the risk when an IS auditor uses an inadequate test
procedure and concludes that material errors do not exist, when they
do. Sampling risk is the risk that incorrect assumptions are made
about the characteristics of a population from which a sample is taken.

4. An IS auditor is conducting substantive audit tests of a new accounts

receivable module. The IS auditor has a tight schedule and limited computer
expertise. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

Answer: A
Test data uses a set of hypothetical transactions to verify the
program logic and internal control in short a time and for an
auditor with minimal IT background. In a parallel simulation,
the results produced for an actual program are compared with
the results from a program written for the IS auditor; this
technique can be time consuming and requires IT expertise. An
integrated test facility, enables test data to be continually
evaluated when transactions are processed online; this
technique is time consuming and requires IT expertise. An
embedded audit module is a programmed module that is
inserted into an application program to test controls; this
technique is time consuming and requires IT expertise.

5. The PRIMARY purpose of compliance tests is to verify whether:

A. controls are implemented as prescribed.
B. documentation is accurate and current.
C. access to users is provided as specified.
D. data validation procedures are provided.

Answer: A
Compliance tests are performed primarily to verify whether
controls, as chosen by management, are implemented.
Verification of documents is not directly related to compliance
testing. Verifying whether access to users is provided is an
example of compliance testing. Data validation procedures are
part of application controls. Testing whether these are set as
parameters and working as envisaged is compliance testing.

6. Which of the following BEST describes the early stages of an IS audit?

A. Observing key organizational facilities.
B. Assessing the IS environment.
C. Understanding business process and environment applicable to the review.
D. Reviewing prior IS audit reports.

Answer: C
Understanding the business process and environment applicable to
the review is most representative of what occurs early on, in the
course of an audit. Other choices relate to activities actually occurring
within this process.

7. The document used by the top management of organizations to delegate

authority to the IS audit function is the:
A. long-term audit plan.
B. audit charter.
C. audit planning methodology.
D. steering committee minutes.

Answer: B
The audit charter outlines the overall authority, scope and
responsibilities of the audit function to achieve the audit
objectives stated in it. This document serves as an instrument
for the delegation of authority to the IS audit function. Longterm audit planning relates to those aspects of the audit plan
that are impacted by the organizations IT strategy and
environment. Audit planning commences only after the audit
charter has been approved by the highest level of
management. The audit planning methodologies are decided
upon based on the analysis of both long- and short-term audit
issues. The steering committee minutes should address the
approval of the audit charter but is not the driver that

8. Before reporting results of an audit to senior management, an IS auditor

should:
A. Confirm the findings with auditees.
B. Prepare an executive summary and send it to auditee management.
C. Define recommendations and present the findings to the audit committee.
D. Obtain agreement from the auditee on findings and actions to be taken.

Answer: D
Upon completion of an audit, an IS auditor should discuss with
auditees the audit objectives for work performed, the test and
evaluation techniques used, and the outcome of those tests
that led to findings. The auditor should also obtain the
agreement/disagreement of the auditee regarding the findings
and the actions the auditor plans to take.

9. While developing a risk-based audit program, which of the following would

the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies

Answer: A
A risk-based audit approach focuses on the understanding of the
nature of the business and being able to identify and categorize risk.
Business risks impact the long-term viability of a specific business.
Thus an IS auditor using a risk-based audit approach must be able to
understand business processes.

10. Which of the following is a substantive audit test?

A. Verifying that a management check has been performed regularly
B. Observing that user IDs and passwords are required to sign on the
computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable

Answer: D
A review of accounts receivable will provide evidence of the validity and
propriety of the financial statement balance. Choices A, B and C are
compliance tests to determine that policies and procedures are being followed.

11. Which of the following tasks is performed by the same person in a wellcontrolled information processing facility/computer center?
A. Security administration and management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance

Answer: D
It is common for system development and maintenance to be
undertaken by the same person. In both cases, the programmer
requires access to the source code in the development environment,
but should not be allowed access in the production environment.
Choice A is not correct because the roles of security administration
and change management are incompatible functions. The level of
security administration access rights could allow changes to go
undetected. Computer operations and system development (choice B)
are incompatible since it would be possible for an operator to run a
program that he/she had amended. Choice C is incorrect because the
combination of system development and change control would allow
program modifications to bypass change control approvals.

12. Where adequate segregation of duties between operations and

programming are not achievable, the IS auditor should look for:
A. compensating controls.
B. administrative controls.
C. corrective controls.
D. access controls.

Answer: A
The IS auditor should identify compensating controls such as strong
computer security, reviewing access control logs, end-user
reconciliation of control reports and control information in transaction
reports, where adequate segregation of duties is not achievable.
Administrative controls deal with operational effectiveness, efficiency
and adherence to management policies. Corrective controls are
designed to correct errors, omissions and unauthorized uses and
intrusions once they are detected. Access control is the process that
limits and controls access to resources of a computer system.

13. Which of the following would be included in an IS strategic plan?

A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department

Answer: B
IS strategic plans must address the needs of the business and meet future
business objectives. Hardware purchases may be outlined but not specified and
neither budget targets nor development projects are relevant choices. Choices
A, C and D are not strategic items.

14. The MOST important responsibility of a data security officer in an

organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.

Answer: A
A data security officers prime responsibility is recommending and monitoring
data security policies. Promoting security awareness within the organization is
one of the responsibilities of a data security officer. But, it is not as important as
recommending and monitoring data security policies. The IT department, not
the data security officer, is responsible for establishing procedures for IT
security policies recommended by the data security officer and for the
administration of physical and logical access controls.

planning process?
A. The IT department will have either short-range or long-range plans
depending on the organizations broader plans and objectives.
B. The IT departments strategic plan must be time and project oriented, but
not so detailed as to address and help determine priorities to meet business
needs.
C. Long-range planning for the IT department should recognize
organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated
into the short-range plans of the organization since technological advances
will drive the IT department plans much quicker than organizational plans.

Answer: C
Long-range planning for the IT department should recognize organizational
goals, technological advances and regulatory requirements. Typically, the IT
department will have both long-range and short-range plans that are consistent
and integrated with the organizations plans. These plans must be time- and
project-oriented, as well as addressing the organizations broader plans for
attaining the organizations goals.

16. When a complete segregation of duties cannot be achieved in an online

system environment, which of the following functions should be separated
from the others?
A. Origination
B. Authorization
C. Recording
D. Correction

Answer: B
Authorization should be separated from all aspects of record keeping
(origination, recording, and correction). Such a separation enhances the ability
to detect the recording of unauthorized transactions.

17. In a small organization, where segregation of duties is not practical, an

employee performs the function of computer operator and application
programmer. Which of the following controls should the IS auditor
recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are
implemented
D. Access controls to prevent the operator from making program
modifications

Answer: C
In smaller organizations, it generally is not appropriate to recruit
additional staff to achieve a strict segregation of duties. The IS auditor
must look at alternatives. Of the choices, C is the only practical one
that has an impact. The IS auditor should recommend processes that
detect changes to production source and object code, such as code
comparisons so that the changes can be reviewed by a third party on
a regular basis. This would be a compensating control process.
Choice A, involving logging of changes to development libraries, would
not detect changes to production libraries. Choice D is in effect
requiring a third party to do the changes, which may not be practical
in a small organization.

18. An IT steering committee would MOST likely perform which of the

following functions?
A. Placement of a purchase order with the approved IT vendor
B. Installation of systems software and application software
C. Provide liaison between IT department and user department
D. Interview staff for the IT department

Answer: C
A steering committee for information technology is a mechanism to
ensure that the information systems strategies are in harmony with
the corporate mission and objectives. Such a committee typically
serves as a general review board for major IS projects and should not
become involved in routine operations. Placement of purchase orders,
installation of software and interviewing staff for the IT department are
routine operations that are performed by the respective departments.
A steering committee would provide a liaison between the IS
department and the user department.

19. An IS auditor is auditing the controls relating to employee termination.

Which of the following is the MOST important aspect to be reviewed?
A. The related company staff are notified about the termination
B. User ID and passwords of the employee have been deleted
C. The details of employee have been removed from active payroll files
D. Company property provided to the employee has been returned

Answer: B
The highest risk is logical access to information by a terminated employee. This
form of access is possible if the user id and password of the terminated
employee have not been deleted. If the user id is not disabled or deleted, it is
possible that the employee without physically visiting the company can access
the information. The potential of loss on account of access to information is
much higher, compared to payment of salary and non-return of company
property.

20. When reviewing a service level agreement for an outsourced computer

center an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.

Answer: C
The first consideration in reviewing the agreement is to ensure that
the business is asking for the most appropriate services to meet its
business requirements. There should be evidence that they have
considered what services are required, both at present and in the
future. The cost is important (choice A), since the business may be
paying for levels of services that are not required or are not
appropriate, but is not of first importance. Both, audit access (choice
D) and security objectives, rather than security mechanisms (choice
B), are issues to be considered as part of the review, but are not of
first importance.

21. The PRIMARY benefit of database normalization is the:

A. minimization redundancy of information in tables required to satisfy users

needs.
B. ability to satisfy more queries.
C. maximization of database integrity by providing information in more than
one table.
D. minimization of response time through faster processing of information.

Answer: A
The normalization means the elimination of redundant data. Hence,
the objective of normalization in relational databases is to minimize
the quantum of information by eliminating redundant data in tables,
quickly processing users requests and maintaining data integrity.
Maximizing the quantum of information is against the rules of
normalization. If particular information is provided in difference tables,
the objective of data integrity may be violated because one table may
be updated and not others. Normalization rules advocate storing data
in only one table, hence, minimizing the response time through faster
processing of information.

22. Which of the following network topologies yields the GREATEST

redundancy in the event of the failure of one node?

A. Mesh
B. Star
C. Ring
D. Bus

Answer: A
In mesh configuration, devices are connected with many redundant
interconnections among network nodes, thereby, yielding the greatest
redundancy in the event that one of the nodes fail, in which case
network traffic can be redirected to another node. In star
configuration, each station is linked to the main hub. The main hub
establishes the connection between stations by message or line
switching. Therefore, failure of a node results in the disruption of the
network. In ring configuration, all nodes are connected to one another
forming a circle; therefore, the failure of a node results in the
disruption of the network. In bus configuration, all devices are linked
along one communication line with two end points called the
backbone; therefore, the failure of a node results in the disruption of
the network.

23. A vendor/contractors performance against service level agreements must

be evaluated by the:
A. customer.
B. contractor.
C. third-party.
D. contractors management.

Answer: A
Only the customer should evaluate the suppliers performance in a service level
agreement (SLA). This makes the customer confident of the service provided by
the supplier. However, the decision of what to measure must be decided by the
customer and the supplier.

24. When auditing a mainframe operating system, what would the IS auditor
do to establish which control features are in operation?
A. Examine the parameters used when the system was generated
B. Discuss system parameter options with the vendor
C. Evaluate the systems documentation and installation guide
D. Consult the systems programmers

Answer: A
The only way to establish which controls are functioning in a current operating
system is to determine what the parameter settings were at the time the
system was generated or created (often referred to as the initial program load
or IPL). Although the findings of this exercise may well be further evaluated by
discussion with the vendor, evaluating the documentation and consulting the
systems programmers, these actions would not, by themselves, establish
specific control features.

25. When conducting an audit of client/server database security, the IS

auditor would be MOST concerned about the availability of:
A. system utilities.
B. application program generators.
C. system security documentation.
D. access to stored procedures.

Answer: A
System utilities may enable unauthorized changes to be made to data
on the client-server database. In an audit of database security, the
controls over such utilities would be the primary concern of the IS
auditor. Application program generators are an intrinsic part of clientserver technology, and the IS auditor would evaluate the controls over
the generators access rights to the database rather than their
availability. Security documentation should be restricted to authorized
security staff, but this is not a primary concern, nor is access to stored
procedures.

26. Which of the following would allow a company to extend its enterprises
intranet across the Internet to its business partners?
A. Virtual private network
B. Client-Server
C. Dial-Up access
D. Network service provider

Answer: A
VPN technology allows external partners to securely participate in the
extranet using public networks as a transport or shared private
network. Because of low cost, using public networks (Internet) as a
transport is the principal method. VPNs rely on
tunneling/encapsulation techniques, which allow the Internet protocol
(IP) to carry a variety of different protocols (e.g., SNA, IPX, NETBEUI.)
Client-server does not address extending the network to business
partners (I.e., client-servers refers to a group of computers within an
organization connected by a communications network where the client
is the request machine and the server is the supplying machine.) A
network service provider may provide services to a shared private
network by providing Internet services, but it does not extended an

27. An IS auditor auditing hardware monitoring procedures should review

A. system availability reports.
B. cost-benefit reports.
C. response time reports.
D. database utilization reports.

Answer: A
An IS auditor while auditing hardware monitoring procedures will review system
availability reports. Cost-benefit reports are reviewed during the feasibility
study. Response time reports are related to applications, not hardware.
Database utilization reports are reviewed to check the optimal usage of the
database across the organization.

28. The device that connects two networks at the highest level of the ISO-OSI
framework ( i.e., application layer) is a
A. Gateway
B. Router
C. Bridge
D. Brouter

Anwer: A
Gateway is used to connect two networks using dissimilar protocols at the lower
layers through which connectivity is established namely physical, data link,
network and transport layers. Router is a network layer device for which the
two connecting networks must have the same network layer protocol. Bridge
operates in the data link layer. It should have data link layer protocols, such as
token ring, Ethernet, in use in both the networks. Brouter is essentially a bridge
with some routing functionality.

29. Which of the following statements relating to packet switching networks is

CORRECT?
A. Packets for a given message travel the same route.
B. Passwords cannot be embedded within the packet.
C. Packet lengths are variable and each packet contains the same amount of
information.
D. The cost charged for transmission is based on packet, not distance or route
traveled.

Answer: D
D is the correct answer since transmission charges are based on packets
transmitted, not the distance or route traveled. Passwords and other data can
be placed within a packet making choice B incorrect. Choices A and C are not
correct because a complete message is broken into transmission units
(packets), which are routed individually through the network.

30. An IS auditor when reviewing a network used for Internet

communications, will FIRST examine the:
A. validity of passwords change occurrences.
B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.

Answer: C
The first step in auditing a network is to understand the network architecture
and design. This would provide an overall picture of the network of the
enterprises and its connectivity. This will be starting point for identifying the
various layers of information and the access architecture across the various
layers, such as proxy servers, firewalls and client/server application. Reviewing
validity of password changes would be performed as part of substantive testing.

31. Which of the following BEST provides access control to payroll data being
processed on a local server?
A. Logging of access to personal information
B. Separate password for sensitive transactions
C. Software restricts access rules to authorized staff
D. System access restricted to business hours

Answer: C
The server and system security should be defined to allow only
authorized staff access to information about the staff whose records
they handle on a day to day basis. Choice A is a good control in that it
will allow access to be analyzed if there is concern that there is
unauthorized access. However, it will not prevent access. Choice B,
restricting access to sensitive transactions, will only restrict access to
part of the data. It will not prevent access to other data. Choice D,
system access restricted to business hours, only restricts when
unauthorized access can occur, and would not prevent such access at
other times.

32. Which of the following concerns about the security of an electronic

message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

Answer: D
A digital signature includes an encrypted hash total of the size of the message
as it was transmitted by its originator. This hash would no longer be accurate if
the message was subsequently altered, thus indicating that the alteration had
occurred. Digital signatures will not identify or prevent any of the other options.
The signature would neither prevent nor deter unauthorized reading, copying or
theft.

33. The MOST effective method for limiting the damage of an attack by a
software virus is:
A. software controls.
B. policies, standards and procedures.
C. logical access controls.
D. data communication standards.

Answer: A
Software controls in the form of virus detection and removal programs are the
most effective method way to detect and remove viruses. Policies, standards
and procedures are important, because they are people-based; however, they
are generally considered less effective than software controls. Choices C and D,
are not relevant to virus detection.

34. Which of the following BEST determines that complete encryption and
authentication protocols exist for protecting information while transmitted?
A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of AH and ESP
C. Digital certificates with RSA are being used.
D. Work is being done in transport mode, with the nested services of AH and
ESP

Answer: B
Tunnel mode provides encryption and authentication of the complete IP
package. To accomplish this, the AH (authentication header) and ESP
(encapsulating security payload) services can be nested. The transport mode
provides primary protection for the protocols higher layers, this is, protection
extends to the data field (payload) of an IP package. The other two mechanisms
provide authentication and integrity.

35. Which of the following would be MOST appropriate to ensure the

confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data encryption standard (DES)
C. Virtual private network (VPN)
D. Public key encryption

Answer: D
Encryption is the only way to ensure Internet transactions are confidential, and
of the choices available, the use of public key encryption is the best method.
Digital signatures would ensure the transaction is not changed and cannot be
repudiated, but would not ensure confidentiality.

36. The PRIMARY objective of a firewall is to protect:

A. internal systems from exploitation by external threats.
B. external systems from exploitation by internal threats.
C. internal systems from exploitation by internal threats.
D. itself and attached systems against being used to attack other systems.

Answer: A
Firewall is placed at the point where the internal network connects to
the outside world I.e., Internet. It acts as a security guard to the
network, protecting it against malicious attacks from outside the
organizations network. It screens packets coming into and going out
of the internal network and prevents malicious packets from entering
it and denies access to prohibited resources on the Internet for the
internal users. It is neither the responsibility nor is it possible for the
organization to protect outside systems. Packets whose source and
destination IP addresses refer to hosts within the same network are
not sent out of the network and hence do not pose a security threat.
Choice D is not a primary objective as this is just one form of attack
hackers resort to that the firewall protects the internal network form.

37. Which of the following is an example of the physiological biometrics

technique?
A. Hand scans
B. Voice scans
C. Signature scans
D. Keystroke monitoring

Answer: A
Physiological biometrics are based on measurement of data derived from direct
measurement of a part of the human body. Choices B, C and D are examples of
behavior biometrics.

38. An IS auditor has just completed a review of an organization that has a

mainframe and a client-server environment where all production data reside.
Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator (DBA.)
B. Password controls are not administered over the client/server environment.
C. There is no business continuity plan for the mainframe systems noncritical applications.
D. Most LANs do not back up file server fixed disks regularly.

Answer: B
The absence of password controls on the client-server where production data
resides is the most critical weakness. All other findings, while they are control
weaknesses, do not carry the same disastrous impact.

39. An organization is proposing to install a single sign-on facility giving

access to all systems. The organization should be aware that:
A. Maximum unauthorized access would be possible if a password is
disclosed.
B. User access rights would be restricted by the additional security
parameters.
C. The security administrators workload would increase.
D. User access rights would be increased.

Answer: A
If a password is disclosed when single sign-on is enabled, there is a risk that
unauthorized access to all systems will be possible. User access rights should
remain unchanged by single sign-on as additional security parameters are not
necessarily implemented. One of the intended benefits of single sign-on is that
security administration would be simplified and an increased workload is
unlikely.

40. A B-to-C e-commerce web site as part of its information security program
wants to monitor, detect and prevent hacking activities and alert the system
administrator when suspicious activities occur. Which of the following
infrastructure components could be used for this purpose?
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Asymmetric encryption

Answer: A
Intrusion detection systems detect intrusion activity based on the intrusion
rules. It can detect both, external and internal intrusion activity and send an
automated alarm message. Firewalls and routers prevent the unwanted and
well-defined communications between the internal and external networks.
They do not have any automatic alarm messaging systems.

41. During an audit of a reciprocal disaster recovery agreement between two

companies, the IS auditor would be PRIMARILY concerned about:
A. the soundness of the impact analysis.
B. hardware and software compatibility.
C. differences in IS policies and
procedures.
D. frequency of system testing.

Answer: B
For a reciprocal agreement to be effective, hardware and software at
the two sites must be compatible. Processes to ensure this occurred
must be in place. Choice D, frequency of system testing, is a concern,
but the reason for considering this is that it tests hardware and
software compatibility. Choice A is an issue when examining the
planning process, not the reciprocal agreement. Choice C is not an
issue since the organization can have differences in policies and
procedures and still be able to run their systems on each others sites
in the event of a disaster.

processing capability. Based on this, which of the following actions should the IS
auditor take?
A. Do nothing, because generally, less than twenty-five percent of all processing is
critical to an organizations survival and the backup capacity, therefore is
adequate.
B. Identify applications that could be processed at the alternate site and develop
manual procedures to backup other processing.
C. Ensure that critical applications have been identified and that the alternate site
could process all such applications.
D. Recommend that the information processing facility arrange for an alternate
processing site with the capacity to handle at least seventy-five percent of normal
processing.

Answer: C
Business continuity plans should provide for the recovery of critical
systems, not necessarily all systems. Perhaps only fifty percent of the
company's systems are critical. Therefore, careful assessment of
critical systems and capacity requirements should be part of the IS
auditor's test of the plan.

43. Which of the following components of a business continuity plan is

PRIMARILY the responsibility of an organizations IS department?

A. Developing the business continuity plan

B. Selecting and approving the strategy for business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster

Answer: D
The correct choice is restoring the IT systems and data after a
disaster. The IT department of an organization is primarily
responsible for restoring the IT systems and data after a
disaster at the earliest possible time. The senior management
of the organization is primarily responsible for developing the
business continuity plan for an organization. They are also
responsible for selecting and approving the strategy for
developing and implementing a detailed business continuity
plan. The organization should identify a person in
management as responsible for declaring a disaster. Although
IT is involved in all the other three components, it is not
primarily responsible for them.

44. Which of the following issues should be included in the business

continuity plan?

A. The staff required to maintain critical business functions in the short,

medium and long term
B. The potential for a natural disaster to occur, such as an earthquake
C. Disastrous events impacting information systems processing and end-user
functions
D. A risk analysis that considers systems malfunctions, accidental file
deletions or other failures

Answer: A
Where a unified business continuity plan does not exist, the plan for information systems
processing should be extended to include planning for all units that are dependent upon
information systems processing functions. But, when formulating a thorough business
continuity plan, a very important issue to be considered is the staff that will be required to
maintain critical business functions over time, until the organization is fully operational
again. Another important issue is the configuration of the business facilities, e.g., desks,
chairs, telephones, etc., that will be needed to maintain critical business functions in the
short, medium and long term. Choice B is incorrect because it has to do with what a good
business continuity plan will take into account in case of disastrous events happening. This
could be considered as a subset of a business continuity plan, but it does not have the
same impact as the staff required and trained to perform in the event of a natural disaster.
Choice C is incorrect because, like in the natural disaster case, this could be considered a
subset of a business continuity plan, but it does not have the same impact as the staff
required and trained to perform in the event of a disaster that would impact information
systems processing and end-user functions. Choice A would be the subject and choices B
and C would be the cause to deploy the business continuity plan. Choice D is incorrect
because it deals with disruptions in service having their roots in systems malfunctions; but
again, this would be another aspect dealt with in the business continuity plan, but not a

45. In an audit of a business continuity plan, which of the following findings is

of MOST concern?
A. There is no insurance for the addition of assets during the year.
B. BCP manual is not updated on a regular basis.
C. Testing of the backup of data has not been done regularly.
D. Records for maintenance of access system have not been maintained.

Answer: C
The most vital asset for a company is data. In a business
continuity plan, it is critical to ensure that data is available.
Hence, regular testing of the backup of data must be done. If
testing is not done, the organization may not be able to
retrieve data when required during a disaster; hence, the
company may lose its most valuable asset and may not be able
to recover from the disaster. The loss on account of lack of
insurance is limited to the value of assets. If the BCP manual is
not updated, the company may find the BCP manual not fully
relevant for recovery during a disaster. However, recovery
could be still possible. Non maintenance of records in an
access system will not directly impact the relevance of the

46. Classification of information systems is essential in business continuity

planning. Which of the following system types can not be replaced by manual
methods?
A. Critical system
B. Vital system
C. Sensitive system
D. Non-critical system

Answer: A
The functions of a critical system can only be replaced by identical capabilities.
The functions of vital and sensitive systems can be performed manually. Choice
D is a distracter.

47. An IS auditor should be involved in:

A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.

Answer: A
The IS auditor should always be present when disaster recovery
plans are tested, to ensure that the test meets the required
targets for restoration and recovery procedures are effective
and efficient, reporting on the results as appropriate. IS
auditors may be involved in overseeing plan development, but
they are unlikely to be involved in the actual development
process. Similarly, an audit of plan maintenance may be
conducted, but the IS auditor would not normally have any
responsibility for the actual maintenance. An IS auditor may be
asked to comment upon various elements of a supplier contract
but, again, this is not always the case.

48. The window of time recovery of information processing capabilities is

based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe based.

Answer: A
The criticality of the processes that are affected by the disaster is the
basis for computing the window of time recovery. The quality of the
data to be processed and the nature of the disaster are not the basis
for determining the window of time. Being a mainframe application
does not of itself provide a window of time basis.

49. During an IT audit of a large bank, an IS auditor observes that no formal

risk assessment exercise has been carried out for the various business
applications to arrive at their relative importance and recovery time
requirements. The risk that the bank is exposed to is that the:
A. business continuity plan may not have been calibrated to the
relative
risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and
therefore may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by
the management.
D. business continuity plan may lack an effective ownership by the business
owners of such applications.

Answer: A
The first and key step in developing a business continuity plan
is a risk assessment exercise that analyzes the various risks
that an organization faces and the impact of non-availability of
individual applications. Section 4.9.1.2 of BS 7799 (Standard on
Information Security Management ) states that a strategy
plan, based on appropriate risk assessment, shall be developed
for overall approach to business continuity.

50. Which of the following is necessary to have FIRST in the development of a

business continuity plan?

A. Risk-based classification of systems

B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software

Answer: A
A well-defined, risk-based classification system for all assets and processes of
the organization is one of the most important component for initializing the
business continuity planning efforts. A well-defined risk-based classification
system would assist in identifying the criticality of each of the key processes
and assets used by the organization. This would assist in the easy identification
of key assets and processes to be secured and plans to be made to recover
these processes and assets at the earliest after a disaster. Inventory of critical
assets and not all assets is required for initiating a business continuity plan.
Complete documentation of all disasters is not a prerequisite for initiating a
business continuity plan, rather various disasters are considered while
developing the plan and only the one having an impact on the organization is
addressed in the plan. The availability of hardware and software is not required
for initiating the development of a plan; however, it is considered when
developing the detailed plan in accordance with the strategy adopted.

51. The application test plans are developed in which of the following systems
development life cycle (SDLC) phases?
A. Design
B. Testing
C. Requirement
D. Development

Answer: A
Developing test plans for the various levels of testing is one of the key activities
during the application development design phase. The test plans are used in
the actual software testing.

52. Which of the following tests confirm that the new system can operate in
its target environment?
A. Sociability testing
B. Regression testing
C. Validation testing
D. Black box testing

Answer: A
Sociability testing is used to confirm that the new or modified
system can operate in its target environment without adversely
impacting on existing system. Regression testing is the process
of rerunning a portion of a test scenario or test plan to ensure
that changes or corrections have not introduced new errors.
Validation testing is used to test the functionality of the system
against the detailed requirement to ensure that the software
that has been built is traceable to customer requirements.
Black box testing examines some aspect of the system during
integration testing with little regard for the internal logical
structure of the software.

53. The MOST appropriate person to chair the steering committee for a
system development project with significant impact on a business area would
be the:
A. business analyst.
B. chief information officer.
C. project manager.
D. executive level manager.

Answer: D
The chair of the steering committee should be a senior person
(executive level manager) with the authority to make decisions
relating to the business requirements, resources, priority and
deliverables of the system. The chief information officer (CIO)
would not normally be the chair, although the CIO or his
representative would be a member to provide input on
organization wide strategies. The project manager and the
business analyst do not have an appropriate level of authority
within the organization,

54. The PRIMARY purpose of undertaking a parallel run of a new system is to:
A. verify that the system provides required business functionality.
B. validate the operation of the new system against its predecessor.
C. resolve any errors in the program and file interfaces.
D. verify that the system can process the production load.

Answer: B
The objective of parallel running is to verify that the new
system produces the same results as the old system. The
verification of functionality is through acceptance testing, while
resolving errors in programs is accomplished through system
testing. Verifying that the system can handle the production
load may be a secondary outcome of a parallel run, but it is not
the primary purpose. If it were the primary purpose, it would be
a stress test probably run in the test environment.

55. Change control procedures to prevent scope creep during an application

development project should be defined during:
A. design.
B. feasibility.
C. implementation.
D. requirements definition.

Answer: A
The change control procedures are generally common for
applications within one organization; however, the applicationspecific change control procedures are to be defined during the
design phase of SDLC and should be based on the modules in
the software. The other choices are incorrect. It is too early to
define change control procedures during the feasibility phase,
and it would also be too late during the implementation phase
and after the implementation of software.

56. Which of the following would MOST likely ensure that a system
development project meets business objectives?
A. Maintenance of program change logs
B. Development of a project plan identifying all development activities
C. Release of application changes at specific times of the year
D. User involvement in system specification and acceptance

Answer: D
Effective user involvement (choice D) is the most critical factor in
ensuring that the application meets business objectives. Choices A, B
and C are project management tools and techniques and are not of
themselves methods for ensuring that the business objectives are met
by the application system.

57. Which of the following is a measure of the size of an information system

based on the number and complexity of a systems inputs, outputs and files?
A. Function point (FP)
B. Program evaluation review technique (PERT)
C. Rapid application design (RAD)
D. Critical path method (CPM)

Answer: A
Function point (FP) analysis is a measure of the size of an
information system based on the number and complexity of the
inputs, outputs and files with which a user sees and interacts
with. FPs are used in a manner analogous to LOC as a measure
of software productivity, quality and other attributes. PERT is a
network management technique used in both the planning and
control of projects. RAD is a methodology that enables
organizations to develop strategically important systems faster
while reducing development costs and maintaining quality. CPM
is used by network management techniques such as PERT, to
compute a critical path.

58. When auditing the requirements phase of a software acquisition, the IS

auditor should:
A. assess the feasibility of the project timetable.
B. assess the vendors proposed quality processes.
C. ensure that the best software package is acquired.
D. review the completeness of the specifications.

Answer: D
The purpose of the requirements phase is to specify the
functionality of the proposed system; therefore the IS auditor
would concentrate on the completeness of the specifications.
The decision to purchase a package from a vendor would come
after the requirements have been completed. Therefore
choices B and C are incorrect. Choice A is incorrect because a
project timetable normally would not be found in a
requirements document.

59. The purpose of debugging programs is to:

A. generate random data that can be used to test programs before
implementing them.
B. protect, during the programming phase, valid changes from being
overwritten by other changes.
C. define the program development and maintenance costs to be include in
the feasibility study.
D. ensure that program abnormal terminations and program coding flaws are
detected and corrected.

Answer: D
Debugging provides the basis for the programmer to correct the logic
errors in a program under development before it goes into production.
Tools such as logic paths monitors, memory dumps and output
analyzers aid in this process.

60. Software maintainability BEST relates to which of the following software

attributes?
A. Resources needed to make specified modifications.
B. Effort needed to use the system application.
C. Relationship between software performance and the resources needed.
D. Fulfillment of user needs.

Answer: A
Maintainability is the set of attributes that bears on the effort needed to make
specified modifications. Other choices relate to software attributes for usability,
efficiency and functionality respectively.

61. IT governance ensures that an organization aligns its IT strategy with:

A. Enterprise objectives.
B. IT objectives.
C. Audit objectives.
D. Finance objectives.

Answer: A
IT governance ensures that the organization aligns its IT strategy with the
enterprise/business objectives. Choices B, C and D are too limited.

62. A validation which ensures that input data are matched to predetermined
reasonable limits or occurrence rates, is known as:
A. Reasonableness check.
B. Validity check.
C. Existence check.
D. Limit check.

Answer: A
A reasonableness check ensures that input data are matched to
predetermined reasonable limits or occurrence rates. A validity
check is a programmed checking of the data validity in
accordance with predetermined criteria. Existence checks are
checks for data reentered correctly and agree with valid
predetermined criteria. A limit check ensures data does not
exceed a predetermined amount.

63. During which of the following steps in the business process reengineering
should the benchmarking team visit the benchmarking partner?
A. Observation
B. Planning
C. Analysis
D. Adaptation

Answer: A
During the observation stage, the team collects data and visits
the benchmarking partner. In the planning stage, the team
identifies the critical processes for the benchmarking purpose.
The analysis stage involves summarizing and interpreting the
data collected and analyzing the gaps between an
organizations process and its partners process. During the
adaptation step, the team needs to translate the findings into a
few core principles and work down from principles to
strategies, to action plans.

64. Which of the following procedures should be implemented to help ensure

the completeness of inbound transactions via electronic data interchange
(EDI)?
A. Segment counts built into the transaction set trailer
B. A log of the number of messages received, periodically verified with the
transaction originator
C. An electronic audit trail for accountability and tracking
D. Matching acknowledgement transactions received to the log of EDI
messages sent

Answer: A
Control totals built into the trailer record of each segment is the only
option that will ensure all individual transactions sent are completely
received. The other options provide supporting evidence, but their
findings are either incomplete or not timely.

65. A utility is available to update critical tables in case of data inconsistency.

This utility can be executed at the OS prompt or as one of menu options in an
application. The BEST control to mitigate the risk of unauthorized
manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to utility on a need-to-use basis.
C. provide access to utility to user management
D. define access so that the utility can be only executed in menu option.

Answer: B
Utility software in this case is a data correction program for
correcting any inconsistency in data. However, this utility can
be used to over-ride wrong update of tables directly. Hence,
access to this utility should be restricted on a need-to-use basis
and a log should be automatically generated whenever this
utility is executed. The senior management should review this
log periodically. Deleting the utility and installing it as and
when required may not be practically feasible as there would
be time delay. Access to utilities should not be provided to user
management. Defining access so that the utility can be
executed in a menu option may not generate a log.

66. When conducting a review of business process re-engineering, an IS

auditor found that a key preventive control had been removed. In this case,
the IS auditor should:
A. inform management of the finding and determine if management is willing
to accept the potential material risk of not having that preventing control.
B. determine if a detective control has replaced the preventive control during
the process and if so, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the
process was reengineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal
of the preventive control.

Answer: A
Choice A is the best answer. Management should be informed
immediately to determine if they are willing to accept the
potential material risk of not having that preventive control in
place. The existence of a detective control instead of a
preventive control usually increases the risks that a material
problem may occur. Often during a BPR many non-value-added
controls will be eliminated. This is good, unless they increase
the business and financial risks. The IS auditor may wish to
monitor or recommend that management monitor the new
process, but this should be done only after management has
been informed and accepts the risk of not having the
preventive control in place.

67. Which of the following is an output control objective?

A. Maintenance of accurate batch registers
B. Completeness of batch processing
C. Appropriate accounting for rejections and exceptions
D. Authorization of file updates

Answer: C
Exceptions and rejections are output products that must be accounted for by
appropriate output controls. Choices A, B and D are input control objectives.

68. In a system that records all receivables for a company, the receivables
are posted on a daily basis. Which of the following would ensure that
receivables balances are unaltered between postings?
A. Range checks
B. Record counts
C. Sequence checking
D. Run-to-run control totals

Answer: D
Run-to-run control totals are totals of key fields - in this case
the totals of the receivables balances - taken when the
receivables are posted. If the totals are recalculated and
compared with previous balance, this would detect alterations
between postings. Both record counts and sequence checking
would only detect missing records. They would not detect
situations in which records are altered, but the number of
records are unchanged. Range checks would only detect when
the balances are outside a predetermined value range and not
changes to balances within those ranges.

69. Which of the following is the MOST important issue to the IS auditor in a
business process re-engineering (BPR) project would be?
A. The loss of middle management, which often is a result of a BPR project
B. That controls are usually given low priority in a BPR project
C. The considerable negative impact that information protection could have
on BPR
D. The risk of failure due to the large size of the task usually undertaken in a
BPR project

Answer: B
Controls should be given high priority during a BPR project, therefore
this would be a concern for the IS auditor if they are not adequately
considered by management. The fact that middle management is lost,
as stated in choice A, is not necessarily a concern as long as controls
are in place. Choices C and D do not have any relevance to a BPR
project.

70. To meet pre-defined criteria, which of the following continuous audit

techniques would BEST identify transactions to audit?
A. Systems Control Audit Review File and Embedded Audit Modules
(SCARF/EAM)
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facilities (ITF)
D. Audit hooks

Answer: B
Continuous and Intermittent Simulation (CIS) is a moderately
complex set of programs that during a process run of a
transaction, simulates the instruction execution of its
application. As each transaction is entered, the simulator
decides whether the transaction meets certain predetermined
criteria and if so, audits the transaction. If not, the simulator
waits until it encounters the next transaction that meets the
criteria. Audits hooks which are of low complexity focus on
specific conditions instead of detailed criteria in identifying
transactions for review. ITF is incorrect because its focus is on
test versus live data. And SCARF/EAM focus is on controls
versus data.

71. In a risk-based audit approach, an IS auditor, in addition to risk, would be

influenced by:
A. the availability of CAATs.
B. management's representation.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls

Answer: D
The existence of internal and operational controls will have a
bearing on the IS auditor's approach to the audit. In a riskbased approach the IS auditor is not just relying on risk, but
also on internal and operational controls as well as knowledge
of the company and the business. This type of risk assessment
decision can help relate the cost-benefit analysis of the control
to the known risk, allowing practical choices. The nature of
available testing techniques and management's
representations, have little impact on the risk-based audit
approach. Although organizational structure and job
responsibilities need to be considered, they are not directly
considered unless they impact internal and operational

72. The extent to which data will be collected during an IS audit should be
determined, based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.

Answer: D
The extent to which data will be collected during an IS audit
should be related directly to the scope and purpose of the
audit. An audit with a narrow purpose and scope would result
most likely in less data collection, than an audit with a wider
purpose and scope. The scope of an IS audit should not be
constrained by the ease of obtaining the information or by the
auditor's familiarity with the area being audited. Collecting all
the required evidence is a required element of an IS audit and
the scope of the audit should not be limited by the auditee's
ability to find relevant evidence.

73. The PRIMARY advantage of a continuous audit approach is that it:

A. does not require an IS auditor to collect evidence on system reliability while
processing is taking place.
B. requires the IS auditor to review and follow up immediately on all
information collected.
C. can improve system security when used in time-sharing environments that
process a large number of transactions.
D. does not depend on the complexity of an organization's computer systems.

Answer: C
The use of continuous auditing techniques can actually improve
system security when used in time-sharing environments that
process a large number of transactions, but leave a scarce
paper trail. Choice A is incorrect since the continuous audit
approach often does require an IS auditor to collect evidence
on system reliability while processing is taking place. Choice B
is incorrect since an IS auditor normally would review and
follow up only on material deficiencies or errors detected.
Choice D is incorrect since the use of continuous audit
techniques does depend on the complexity of an organization's

74. Which of the following data entry controls provides the GREATEST
assurance that the data is entered correctly?
A. Using key verification
B. Segregating the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee's initials/user id
and progress of various data preparation and verification tasks
D. Adding check digits

Answer: A
Key verification or one-to-one verification will yield the highest
degree of confidence that data entered is error free. However,
this could be impractical for large amounts of data. The
segregation of the data entry function from data entry
verification is an additional data entry control but does not
address accuracy. Maintaining a log/record detailing the time,
date, employee's initials/user ID and progress of various data
preparation and verification tasks, provides an audit trail. A
check digit is added to data to ensure that original data have
not been altered. If a check digit is wrongly keyed, this would
lead to accepting incorrect data but would only apply to those
data elements having a check digit.

75. Capacity monitoring software is used to ensure:

A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.

Answer: D
Capacity monitoring software shows the actual usage of online
systems versus their maximum capacity. The aim is to enable
software support staff to ensure that efficient operation, in the
form of response times, is maintained in the event that use
begins to approach the maximum available capacity. Systems
should never be allowed to operate at maximum capacity.
Monitoring software is intended to prevent this. Although the
software reports may be used to support a business case for
future acquisitions, it would not provide information on the
effect of user requirements and it would not ensure concurrent
usage of the system by users, other than to highlight levels of
user access.

76. Which of the following exposures associated with the spooling of sensitive
reports for offline printing would an IS auditor consider to be the MOST
serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.

Answer: C
Unless controlled, spooling for offline printing may enable additional
copies to be printed. Print files are unlikely to be available for online
reading by operators. Data on spool files are no easier to amend
without authority than any other file. There is usually a lesser threat of
unauthorized access to sensitive reports in the event of a system
failure.

77. Which of the following types of firewalls would BEST protect a network
from an Internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway

Answer: A
A screened subnet firewall would provide the best protection.
The screening router can be a commercial router or a node with
routing capabilities and the ability to allow or avoid traffic
between nets or nodes based on addresses, ports, protocols,
interfaces, etc. Application-level gateways are mediators
between two entities that want to communicate, also known as
proxy gateways. The application level (proxy) works at the
application level, not only at a package level. The screening
controls at package level, addresses, ports, etc. but does not
see the contents of the package. A packet filtering router
examines the header of every packet or data traveling between
the Internet and the corporate network.

78. Applying a retention date on a file will ensure that:

A. data cannot be read until the date is set.
B. data will not be deleted before that date.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.

Answer: B
A retention date will ensure that a file cannot be overwritten
before that date has passed. The retention date will not affect
the ability to read the file. Backup copies would be expected to
have a different retention date and therefore may well be
retained after the file has been overwritten. The creation date,
not the retention date, will differentiate files with the same
name.

79. A digital signature contains a message digest to:

A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.

Answer: A
The message digest is calculated and included in a digital
signature to prove that the message has not been altered. It
should be the same value as a recalculation performed upon
receipt. It does not define the algorithm or enable the
transmission in digital format and has no effect on the identity
of the user, being there to ensure integrity rather than identity.

80. Which of the following would be the BEST method for ensuring that critical
fields in a master record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report

Answer: D
A before-and-after maintenance report is the best answer because a visual
review would provide the most positive verification that updating was proper.

81. A TCP/IP-based environment is exposed to the Internet. Which of the

following BEST ensures that complete encryption and authentication protocols
exist for protecting information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested
services of authentication header (AH) and encapsulating security payload
(ESP).
B. A digital signature with RSA has been implemented.
C. Digital certificates with RSA are being used.
D. Work is being completed in TCP services.

Answer: A
Tunnel mode with IP security provides encryption and authentication of
the complete IP package. To accomplish this, the AH (authentication
header) and ESP (encapsulating security payload) services can be
nested. Choices B and C provide authentication and integrity. TCP
services do not provide encryption and authentication.

82. To prevent an organization's computer systems from becoming part of a

distributed denial-of-service attack, IP packets containing addresses that are
listed as unroutable can be isolated by:
A. establishing outbound traffic filtering.
B. enabling broadcast blocking.
C. limiting allowable services.
D. network performance monitoring.

Answer: A
Routers programmed with outbound traffic filtering, drop outbound
packets that contain addresses from other than the user's
organization, including source addresses that can not be routed.
Broadcast blocking can be done by filtering routers or firewalls. When
programmed, IP packets coming from the Internet and using an
address that broadcasts to every computer on the destination
organization's network can be dropped. Firewalls and filtering routers
can be programmed to limit services not allowed by policy and can
help prevent use of the company's systems. However, this will not
isolate packets that can not be routed. Network performance
monitoring is a way to monitor system performance for potential
intrusions on a real-time basis and could help identify unusual traffic
volumes.

83. An IS auditor doing penetration testing during an audit of Internet

connections would:
A. evaluate configurations.
B. examine security settings.
C. ensure virus-scanning software is in use.
D. use tools and techniques that are available to a hacker.

Answer: D
Penetration testing is a technique used to mimic an experienced
hacker attacking a live site by using tools and techniques available to
a hacker. The other choices are procedures that an IS auditor would
consider undertaking during an audit of Internet connections, but are
not aspects of penetration testing techniques.

84. An IS auditor performing a telecommunication access control review

should be concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to
system resources.
C. adequate protection of stored data on servers by encryption or other
means.
D. accountability system and the ability to identify any terminal accessing
system resources.

Answer: B
The authorization and authentication of users is the most
significant aspect in a telecommunications access control
review as it is a preventive control. Weak controls at this level
can affect all other aspects. The maintenance of access logs of
usage of system resources is a detective control. The adequate
protection of data being transmitted to and from servers by
encryption or other means is a method of protecting
information during transmission and is not an access issue. The
accountability system and the ability to identify any terminal
accessing system resources deal with controlling access
through the identification of a terminal.

85. An organization is considering connecting a critical PC-based system to

the Internet. Which of the following would provide the BEST protection against
hacking?
A. An application-level gateway
B. A remote access server
C. A proxy server
D. Port scanning

Answer: A
An application-level gateway is the best way to protect against hacking
because it can define with detail rules that describe the type of user or
connection that is, or is not permitted. It analyzes in detail each package, not
only in layers one through four of the OSI model but also layers five through
seven, which means that it reviews the commands of each higher level protocol
(HTTP, FTP, SNMP, etc.) For a remote access server there is a device (server)
asking for username and passwords before entering the network. This is good
when accessing private networks, but it can be mapped or scanned from the
Internet creating security exposure. Proxy servers can provide protection based
on the IP address and ports. However, an individual is needed who really knows
how to do this, and second applications can use different ports for the different
sections of their program. Port scanning works when there is a very specific
task to do, but not when trying to control what comes from the Internet (or
when all the ports available need to be controlled somehow). For example, the
port for "Ping" (echo request) could be blocked and the IP addresses would be

86. If a database is restored using before-image dumps, where should the

process be restarted following an interruption?
A. Before the last transaction
B. After the last transaction
C. The first transaction after the latest checkpoint
D. The last transaction before the latest checkpoint

Answer: A
If before images are used, the last transaction in the dump will not
have updated the database prior to the dump being taken. The last
transaction will not have updated the database and must be
reprocessed. Program checkpoints are irrelevant in this situation.

87. Which of the following is a practice that should be incorporated into the
plan for testing disaster recovery procedures?
A. Invite client participation.
B. Involve all technical staff.
C. Rotate recovery managers.
D. Install locally stored backup.

Answer: C
Recovery managers should be rotated to ensure the experience of the
recovery plan is spread. Clients may be involved but not necessarily in
every case. Not all technical staff should be involved in each test.
Remote or offsite backup should always be used.

88. A large chain of shops with EFT at point-of-sale devices has a central
communications processor for connecting to the banking network. Which of
the following is the BEST disaster recovery plan for the communications
processor?
A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node

Answer: D
Having an alternative standby processor at another network
node would be the best. The unavailability of the central
communications processor would disrupt all access to the
banking network resulting in the disruption of operations for all
of the shops. This could be caused by failure of equipment,
power or communications. Offsite storage of backups would not
help since EFT tends to be an online process and offsite storage
will not replace the dysfunctional processor. The provision of an
alternate processor onsite would be fine if it were an
equipment problem, but would not help if the outage were
caused by power, for example. Installation of duplex
communication links would be most appropriate if it were only

89. Which of the following is an object-oriented technology characteristic that

permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism

Answer: C
Encapsulation is a property of objects, which prevents
accessing either properties or methods, that have not been
previously defined as public. This means that any
implementation of the behavior of an object is not accessible.
An object defines a communication interface with the exterior
and only whatever belongs to that interface can be accessed.

90. When implementing an application software package, which of the

following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors

Answer: C
Parameters that are not set correctly would be the greatest concern
when implementing an application software package. The other
choices, though important, are a concern of the provider, not the
organization that is implementing the software itself.

91. Which of the following controls would be MOST effective in ensuring that
production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code

Answer: D
Date and time stamp reviews of source and object code would ensure
that source code, which has been compiled, matches the production
object code. This is the most effective way to ensure that the
approved production source code is compiled and is the one being
used.

92. During a post-implementation review of an enterprise resource

management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.

Answer: A
Reviewing access control configuration would be first task
performed to determine whether security has been mapped
appropriately in the system. Since a post-implementation
review is done after user acceptance testing and actual
implementation, one would not engage in interface testing or
detailed design documentation. Evaluating interface testing
would be part of the implementation process. The issue of
reviewing detailed design documentation is not generally
relevant to an enterprise resource management system since
these are usually vendor packages with user manuals. System
testing should be performed before final user sign off.

93. Which of the following types of controls is designed to provide the ability
to verify data and record values through the stages of application processing?
A. Range checks
B. Run-to-run totals
C. Limit checks on calculated amounts
D. Exception reports

Answer: B
Run-to-run totals provide the ability to verify data values through the
stages of application processing. Run-to-run total verification ensures
that data read into the computer was accepted and then applied to
the updating process.

94. The BEST method of proving the accuracy of a system tax calculation is
by:
A. detailed visual review and analysis of the source code of the calculation
programs.
B. recreating program logic using generalized audit software to calculate
monthly totals.
C. preparing simulated transactions for processing and comparing the results
to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation
programs.

Answer: C
Preparing simulated transactions for processing and comparing the
results to predetermined results is the best method for proving
accuracy of a tax calculation. Detailed visual review, flowcharting and
analysis of source code are not effective methods, and monthly totals
would not address the accuracy of individual tax calculations.

95. IS management has recently informed the IS auditor of its decision to

disable certain referential integrity controls in the payroll system to provide
users with a faster report generator. This will MOST likely increase the risk of:
A. data entry by unauthorized users.
B. a nonexistent employee being paid.
C. an employee receiving an unauthorized raise.
D. duplicate data entry by authorized users.

Answer: B
Referential integrity controls prevent the occurrence of unmatched
foreign key values. Given that a nonexistent employee does not
appear in the employees' table, it will never have a corresponding
entry in the salary payments table. The other choices cannot be
detected by referential integrity controls.

96. Which of the following pairs of functions should not be combined to

provide proper segregation of duties?
A. Tape librarian and computer operator
B. Application programming and data entry
C. Systems analyst and database administrator
D. Security administrator and quality assurance

Answer: B
The role of application programming and data entry should not be combined
since no compensating controls exist that can mitigate the segregation of
duties risk. All other combined pairs of functions are acceptable.

97. An IS auditor who is reviewing application run manuals would expect

them to contain:
A. details of source documents.
B. error codes and their recovery actions.
C. program logic flowcharts and file definitions.
D. change records for the application source code.

Answer: B
Application run manuals should include actions taken on reported
errors that are essential for the operator to function properly. Source
documents and source code are irrelevant to the operator. Although
dataflow diagrams may be useful, detailed program diagrams and file
definitions are not.

98. Which of the following IS functions may be performed by the same

individual, without compromising on control or violating segregation of
duties?
A. Job control analyst and applications programmer
B. Mainframe operator and system programmer
C. Change/problem and quality control administrator
D. Applications and system programmer

Answer: C
The change/problem and quality control administrator are two
compatible functions that would not compromise control or violate
segregation of duties. The other functions listed, if combined, would
result in compromising control.

99. Which of the following is the MOST important function to be performed by

IT management within an outsourced environment?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance

Answer: D
In an outsourcing environment, the company is dependent on
the performance of the service provider. Therefore it is critical
to monitor the outsourcing provider's performance to ensure
that it delivers services to the company as required. Payment
of invoices is a finance function which would be done per
contractual requirements. Participating in systems design is a
by-product of monitoring the outsourcing provider's
performance, while renegotiating fees is usually a one-time
activity.

100. An organization has outsourced network and desktop support. Although

the relationship has been reasonably successful, risks remain due to
connectivity issues. Which of the following controls should FIRST be
performed to assure the organization reasonably mitigates these possible
risks?
A. Network defense program
B. Encryption/Authentication
C. Adequate reporting between organizations
D. Adequate definition in contractual relationship

Answer: D
The most effective and necessary control that has to be in place first
when a partnering arrangement is used is the contract. The other
answers are all good techniques used to minimize/mitigate controls.
However, these may not be enforceable unless detailed in the
contractual arrangement.