ISACA CISA 1

1. An IS auditor, performing a review of an application's controls, discovers a weakness in system software which could materially impact the application. The IS auditor should:
A. Disregard these control weaknesses as a system software review is beyond the scope of this review.
B. Conduct a detailed system software review and report the control weaknesses.
C. Include in the report a statement that the audit was limited to a review of the application's controls.
D. Review the system software controls as relevant and recommend a detailed system software review.

2. The reason for having controls in an IS environment:
A. remains unchanged from a manual environment, but the implemented control features may be different.
B. changes from a manual environment, therefore the implemented control features may be different.
C. changes from a manual environment, but the implemented control features will be the same.
D. remains unchanged from a manual environment and the implemented control features will also be the same.

3. Which of the following types of risks assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

4. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

5. The PRIMARY purpose of compliance tests is to verify whether:
A. controls are implemented as prescribed.
B. documentation is accurate and current.
C. access to users is provided as specified.
D. data validation procedures are provided.

6. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities.
B. Assessing the IS environment.
C. Understanding business process and environment applicable to the review.
D. Reviewing prior IS audit reports.

7. The document used by the top management of organizations to delegate authority to the IS audit function is the:
A. long-term audit plan.
B. audit charter.
C. audit planning methodology.
D. steering committee minutes.

8. Before reporting results of an audit to senior management, an IS auditor should:
A. Confirm the findings with auditees.
B. Prepare an executive summary and send it to auditee management.
C. Define recommendations and present the findings to the audit committee.
D. Obtain agreement from the auditee on findings and actions to be taken.

9. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies

10. Which of the following is a substantive audit test?
A. Verifying that a management check has been performed regularly
B. Observing that user IDs and passwords are required to sign on the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable

11. Which of the following tasks is performed by the same person in a well-controlled information processing facility/computer center?
A. Security administration and management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance

12. Where adequate segregation of duties between operations and programming is not achievable, the IS auditor should look for:
A. compensating controls.
B. administrative controls.
C. corrective controls.
D. access controls.

13. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department

14. The MOST important responsibility of a data security officer in an organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.

15. Which of the following BEST describes an IT department's strategic planning process?
A. The IT department will have either short-range or long-range plans depending on the organization's broader plans and objectives.
B. The IT department's strategic plan must be time and project oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

16. When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction

17. In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications

18. An IT steering committee would MOST likely perform which of the following functions?
A. Placement of a purchase order with the approved IT vendor
B. Installation of systems software and application software
C. Provide liaison between IT department and user department
D. Interview staff for the IT department

19. An IS auditor is auditing the controls relating to employee termination. Which of the following is the MOST important aspect to be reviewed?
A. The related company staff are notified about the termination
B. User ID and passwords of the employee have been deleted
C. The details of the employee have been removed from active payroll files
D. Company property provided to the employee has been returned

20. When reviewing a service level agreement for an outsourced computer center, an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.

21. The PRIMARY benefit of database normalization is the:
A. minimization of redundancy of information in tables required to satisfy users' needs.
B. ability to satisfy more queries.
C. maximization of database integrity by providing information in more than one table.
D. minimization of response time through faster processing of information.

22. Which of the following network topologies yields the GREATEST redundancy in the event of the failure of one node?
A. Mesh
B. Star
C. Ring
D. Bus

23. A vendor/contractor's performance against service level agreements must be evaluated by the:
A. customer.
B. contractor.
C. third-party.
D. contractor's management.

24. When auditing a mainframe operating system, what would the IS auditor do to establish which control features are in operation?
A. Examine the parameters used when the system was generated
B. Discuss system parameter options with the vendor
C. Evaluate the systems documentation and installation guide
D. Consult the systems programmers

25. When conducting an audit of client/server database security, the IS auditor would be MOST concerned about the availability of:
A. system utilities.
B. application program generators.
C. system security documentation.
D. access to stored procedures.

26. Which of the following would allow a company to extend its enterprise's intranet across the Internet to its business partners?
A. Virtual private network
B. Client-Server
C. Dial-Up access
D. Network service provider

27. An IS auditor auditing hardware monitoring procedures should review:
A. system availability reports.
B. cost-benefit reports.
C. response time reports.
D. database utilization reports.

28. The device that connects two networks at the highest level of the ISO-OSI framework (i.e., application layer) is a:
A. Gateway
B. Router
C. Bridge
D. Brouter

29. Which of the following statements relating to packet switching networks is CORRECT?
A. Packets for a given message travel the same route.
B. Passwords cannot be embedded within the packet.
C. Packet lengths are variable and each packet contains the same amount of information.
D. The cost charged for transmission is based on packet, not distance or route traveled.

30. An IS auditor, when reviewing a network used for Internet communications, will FIRST examine the:
A. validity of password change occurrences.
B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.

31. Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging of access to personal information
B. Separate password for sensitive transactions
C. Software restricts access rules to authorized staff
D. System access restricted to business hours

32. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

33. The MOST effective method for limiting the damage of an attack by a software virus is:
A. software controls.
B. policies, standards and procedures.
C. logical access controls.
D. data communication standards.

34. Which of the following BEST determines that complete encryption and authentication protocols exist for protecting information while transmitted?
A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of AH and ESP.
C. Digital certificates with RSA are being used.
D. Work is being done in transport mode, with the nested services of AH and ESP.

35. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data encryption standard (DES)
C. Virtual private network (VPN)
D. Public key encryption

36. The PRIMARY objective of a firewall is to protect:
A. internal systems from exploitation by external threats.
B. external systems from exploitation by internal threats.
C. internal systems from exploitation by internal threats.
D. itself and attached systems against being used to attack other systems.

37. Which of the following is an example of the physiological biometrics technique?
A. Hand scans
B. Voice scans
C. Signature scans
D. Keystroke monitoring

38. An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator (DBA).
B. Password controls are not administered over the client/server environment.
C. There is no business continuity plan for the mainframe system's non-critical applications.
D. Most LANs do not back up file server fixed disks regularly.

39. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. Maximum unauthorized access would be possible if a password is disclosed.
B. User access rights would be restricted by the additional security parameters.
C. The security administrator's workload would increase.
D. User access rights would be increased.

40. A B-to-C e-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Asymmetric encryption

41. During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be PRIMARILY concerned about:
A. the soundness of the impact analysis.
B. hardware and software compatibility.
C. differences in IS policies and procedures.
D. frequency of system testing.

42. An IS auditor discovers that an organization's business continuity plan provides for an alternate processing site that will accommodate fifty percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
A. Do nothing, because generally, less than twenty-five percent of all processing is critical to an organization's survival and the backup capacity, therefore, is adequate.
B. Identify applications that could be processed at the alternate site and develop manual procedures to backup other processing.
C. Ensure that critical applications have been identified and that the alternate site could process all such applications.
D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing.

43. Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization's IS department?
A. Developing the business continuity plan
B. Selecting and approving the strategy for the business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster

44. Which of the following issues should be included in the business continuity plan?
A. The staff required to maintain critical business functions in the short, medium and long term
B. The potential for a natural disaster to occur, such as an earthquake
C. Disastrous events impacting information systems processing and end-user functions
D. A risk analysis that considers systems malfunctions, accidental file deletions or other failures

45. In an audit of a business continuity plan, which of the following findings is of MOST concern?
A. There is no insurance for the addition of assets during the year.
B. The BCP manual is not updated on a regular basis.
C. Testing of the backup of data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

46. Classification of information systems is essential in business continuity planning. Which of the following system types cannot be replaced by manual methods?
A. Critical system
B. Vital system
C. Sensitive system
D. Non-critical system

47. An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.

48. The window of time for recovery of information processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe based.

49. During an IT audit of a large bank, an IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk that the bank is exposed to is that the:
A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and therefore may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by the management.
D. business continuity plan may lack effective ownership by the business owners of such applications.

50. Which of the following is necessary to have FIRST in the development of a business continuity plan?
A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software

51. The application test plans are developed in which of the following systems development life cycle (SDLC) phases?
A. Design
B. Testing
C. Requirement
D. Development

52. Which of the following tests confirms that the new system can operate in its target environment?
A. Sociability testing
B. Regression testing
C. Validation testing
D. Black box testing

53. The MOST appropriate person to chair the steering committee for a system development project with significant impact on a business area would be the:
A. business analyst.
B. chief information officer.
C. project manager.
D. executive level manager.

54. The PRIMARY purpose of undertaking a parallel run of a new system is to:
A. verify that the system provides required business functionality.
B. validate the operation of the new system against its predecessor.
C. resolve any errors in the program and file interfaces.
D. verify that the system can process the production load.

55. Change control procedures to prevent scope creep during an application development project should be defined during:
A. design.
B. feasibility.
C. implementation.
D. requirements definition.

56. Which of the following would MOST likely ensure that a system development project meets business objectives?
A. Maintenance of program change logs
B. Development of a project plan identifying all development activities
C. Release of application changes at specific times of the year
D. User involvement in system specification and acceptance

57. Which of the following is a measure of the size of an information system based on the number and complexity of a system's inputs, outputs and files?
A. Function point (FP)
B. Program evaluation review technique (PERT)
C. Rapid application design (RAD)
D. Critical path method (CPM)

58. When auditing the requirements phase of a software acquisition, the IS auditor should:
A. assess the feasibility of the project timetable.
B. assess the vendor's proposed quality processes.
C. ensure that the best software package is acquired.
D. review the completeness of the specifications.

59. The purpose of debugging programs is to:
A. generate random data that can be used to test programs before implementing them.
B. protect, during the programming phase, valid changes from being overwritten by other changes.
C. define the program development and maintenance costs to be included in the feasibility study.
D. ensure that program abnormal terminations and program coding flaws are detected and corrected.

60. Software maintainability BEST relates to which of the following software attributes?
A. Resources needed to make specified modifications.
B. Effort needed to use the system application.
C. Relationship between software performance and the resources needed.
D. Fulfillment of user needs.

61. IT governance ensures that an organization aligns its IT strategy with:
A. Enterprise objectives.
B. IT objectives.
C. Audit objectives.
D. Finance objectives.

62. A validation which ensures that input data are matched to predetermined reasonable limits or occurrence rates is known as a:
A. Reasonableness check.
B. Validity check.
C. Existence check.
D. Limit check.

63. During which of the following steps in business process reengineering should the benchmarking team visit the benchmarking partner?
A. Observation
B. Planning
C. Analysis
D. Adaptation

64. Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)?
A. Segment counts built into the transaction set trailer
B. A log of the number of messages received, periodically verified with the transaction originator
C. An electronic audit trail for accountability and tracking
D. Matching acknowledgement transactions received to the log of EDI messages sent

65. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one of the menu options in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can only be executed in the menu option.

66. When conducting a review of business process re-engineering, an IS auditor found that a key preventive control had been removed. In this case, the IS auditor should:
A. inform management of the finding and determine if management is willing to accept the potential material risk of not having that preventive control.
B. determine if a detective control has replaced the preventive control during the process and, if so, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.

67. Which of the following is an output control objective?
A. Maintenance of accurate batch registers
B. Completeness of batch processing
C. Appropriate accounting for rejections and exceptions
D. Authorization of file updates

68. In a system that records all receivables for a company, the receivables are posted on a daily basis. Which of the following would ensure that receivables balances are unaltered between postings?
A. Range checks
B. Record counts
C. Sequence checking
D. Run-to-run control totals

69. Which of the following would be the MOST important issue to the IS auditor in a business process re-engineering (BPR) project?
A. The loss of middle management, which often is a result of a BPR project
B. That controls are usually given low priority in a BPR project
C. The considerable negative impact that information protection could have on BPR
D. The risk of failure due to the large size of the task usually undertaken in a BPR project

70. To meet pre-defined criteria, which of the following continuous audit techniques would BEST identify transactions to audit?
A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facilities (ITF)
D. Audit hooks

71. In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by:
A. the availability of CAATs.
B. management's representation.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.

72. The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.

73. The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization's computer systems.

74. Which of the following data entry controls provides the GREATEST assurance that the data is entered correctly?
A. Using key verification
B. Segregating the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee's initials/user id and progress of various data preparation and verification tasks
D. Adding check digits

75. Capacity monitoring software is used to ensure:
A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.

76. Which of the following exposures associated with the spooling of sensitive reports for offline printing would an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.

77. Which of the following types of firewalls would BEST protect a network from an Internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway

78. Applying a retention date on a file will ensure that:
A. data cannot be read until the date is set.
B. data will not be deleted before that date.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.

79. A digital signature contains a message digest to:
A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.

80. Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report

81. A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
B. A digital signature with RSA has been implemented.
C. Digital certificates with RSA are being used.
D. Work is being completed in TCP services.

82. To prevent an organization's computer systems from becoming part of a distributed denial-of-service attack, IP packets containing addresses that are listed as unroutable can be isolated by:
A. establishing outbound traffic filtering.
B. enabling broadcast blocking.
C. limiting allowable services.
D. network performance monitoring.

83. An IS auditor doing penetration testing during an audit of Internet connections would:
A. evaluate configurations.
B. examine security settings.
C. ensure virus-scanning software is in use.
D. use tools and techniques that are available to a hacker.

84. An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to system resources.
C. adequate protection of stored data on servers by encryption or other means.
D. accountability system and the ability to identify any terminal accessing system resources.

85. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
A. An application-level gateway
B. A remote access server
C. A proxy server
D. Port scanning

86. If a database is restored using before-image dumps, where should the process be restarted following an interruption?
A. Before the last transaction
B. After the last transaction
C. The first transaction after the latest checkpoint
D. The last transaction before the latest checkpoint

87. Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures?
A. Invite client participation.
B. Involve all technical staff.
C. Rotate recovery managers.
D. Install locally stored backup.

88. A large chain of shops with EFT at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node

89. Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism

90. When implementing an application software package, which of the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors

91. Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code

92. During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.

93. Which of the following types of controls is designed to provide the ability to verify data and record values through the stages of application processing?
A. Range checks
B. Run-to-run totals
C. Limit checks on calculated amounts
D. Exception reports

94. The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing the results to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation programs.

95. IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of:
A. data entry by unauthorized users.
B. a nonexistent employee being paid.
C. an employee receiving an unauthorized raise.
D. duplicate data entry by authorized users.

96. Which of the following pairs of functions should not be combined to provide proper segregation of duties?
A. Tape librarian and computer operator
B. Application programming and data entry
C. Systems analyst and database administrator
D. Security administrator and quality assurance

97. An IS auditor who is reviewing application run manuals would expect them to contain:
A. details of source documents.
B. error codes and their recovery actions.
C. program logic flowcharts and file definitions.
D. change records for the application source code.

98. Which of the following IS functions may be performed by the same individual, without compromising on control or violating segregation of duties?
A. Job control analyst and applications programmer
B. Mainframe operator and system programmer
C. Change/problem and quality control administrator
D. Applications and system programmer

99. Which of the following is the MOST important function to be performed by IT management within an outsourced environment?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance

100. An organization has outsourced network and desktop support. Although the relationship has been reasonably successful, risks remain due to connectivity issues. Which of the following controls should FIRST be performed to assure the organization reasonably mitigates these possible risks?
A. Network defense program
B. Encryption/Authentication
C. Adequate reporting between organizations
D. Adequate definition in contractual relationship