DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Master CISA Exams with Exam Questions & Study Materials, Certified Information Systems Auditor | SPOTO

Mastering the CISA exams requires a strategic approach, and using mock tests can be a game-changer in your preparation. Mock tests simulate the actual exam environment, allowing you to familiarize yourself with the format, timing, and difficulty level of questions. This hands-on experience helps boost your confidence and reduces anxiety on exam day.By practicing with mock exams, you can identify your strengths and weaknesses, enabling targeted study sessions to improve areas that need more attention. Additionally, mock tests provide valuable feedback on your performance, helping you track your progress and adjust your study plan accordingly.Accessing a variety of exam questions, sample questions, and online exam simulations through SPOTO's study materials ensures a comprehensive preparation journey. Take advantage of practice tests, free tests, exam dumps, and exam simulators to enhance your exam readiness and maximize your chances of success in the Certified Information Systems Auditor (CISA) certification exam.
Take other online exams

Question #1
A primary reason for an IS auditor's involvement in the development of a new application system is to ensure that:
A. adequate controls are built into the system
B. user requirements are satisfied by the system
C. sufficient hardware is available to process the system
D. data are being developed for pre-implementation testing of the system
View answer
Correct Answer: D
Question #2
Which of the following audit procedures would MOST likely be used in an audit of a systems development project?
A. Develop test transactions
B. Use code comparison utilities
C. Develop audit software programs
D. Review functional requirements documentation
View answer
Correct Answer: C
Question #3
An IS auditor performing an audit of the company's IS strategy would be LEAST likely to:
A. assess IS security procedures
B. review both short- and long-term IS strategies
C. interview appropriate corporate management personnel
D. ensure that the external environment has been considered
View answer
Correct Answer: A
Question #4
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A. hardware configuration
B. access control software
C. ownership of intellectual property
D. application development methodology
View answer
Correct Answer: C
Question #5
IS auditors reviewing access control should review data classification to ensure that encryption parameters are classified as:
A. sensitive
B. confidential
C. critical
D. private
View answer
Correct Answer: D
Question #6
Which of the following would normally be found in application run manuals?
A. Details of source documents
B. Error codes and their recovery actions
C. Program flowcharts and file definitions
D. Change records for the application source code
View answer
Correct Answer: A
Question #7
Identify the correct sequence of Business Process Reengineering (BPR) benchmarking process from the given choices below?
A. PLAN, RESEARCH, OBSERVE, ANALYZE, ADOPT and IMPROVE
B. OBSERVE, PLAN, RESEACH, ANALYZE, ADOPT and IMPROVE
C. PLAN, OBSERVE, RESEARCH, ANALYZE, ADOPT and IMPROVE
D. PLAN, RESEARCH, ANALYZE, OBSERVE, ADOPT and IMPROVE
View answer
Correct Answer: A
Question #8
A web-based bookstore has included the customer relationship management (CRM) system in its operations. An IS auditor has been assigned to perform a call center review. Which of the following is the MOST appropriate first step for the IS auditor to take?
A. Review the company's performance since the CRM was implemented
B. Review the IT strategy
C. Understand the business focus of the bookstore
D. Interview salespeople and supervisors
View answer
Correct Answer: A
Question #9
Which of the following software development methodology is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems?
A. Agile Developments
B. Software prototyping
C. Rapid application development
D. Component based development
View answer
Correct Answer: D
Question #10
Information requirement definitions, feasibility studies and user requirements are significant considerations when:
A. defining and managing service levels
B. identifying IT solutions
C. managing changes
D. assessing internal IT control
View answer
Correct Answer: B
Question #11
Which of the following database administrator (DBA) activities is unlikely to be recorded on detective control logs?
A. Deletion of a record
B. Change of a password
C. Disclosure of a password
D. Changes to access rights
View answer
Correct Answer: B
Question #12
The use of coding standards is encouraged by IS auditors because they:
A. define access control tables
B. detail program documentation
C. standardize dataflow diagram methodology
D. ensure compliance with field naming conventions
View answer
Correct Answer: D
Question #13
Which of the following type of network service is used by network computer to obtain an IP addresses and other parameters such as default gateway, subnet mask?
A. DHCP
B. DNS
C. Directory Service
D. Network Management
View answer
Correct Answer: C
Question #14
In which of the following WAN message transmission technique messages are divided into packets before they are sent and each packet is then transmitted individually and can even follow different routes to its destination?
A. Message Switching
B. Packet switching
C. Circuit switching
D. Virtual Circuits
View answer
Correct Answer: C
Question #15
A distinction that can be made between compliance testing and substantive testing is that compliance testing tests:
A. details, while substantive testing tests procedures
B. controls, while substantive testing tests details
C. plans, while substantive testing tests procedures
D. for regulatory requirements, while substantive testing tests validations
View answer
Correct Answer: A
Question #16
Which of the following would not prevent the loss of an asset but would assist in recovery by transferring part of the risk to a third party?
A. Full system backups
B. Insurance
C. Testing
D. Business impact analysis
View answer
Correct Answer: D
Question #17
Which of the following would an IS auditor place LEAST reliance on when determining management's effectiveness in communicating information systems policies to appropriate personnel?
A. Interviews with user and IS personnel
B. Minutes of IS steering committee meetings
C. User department systems and procedures manuals
D. Information processing facilities operations and procedures manuals
View answer
Correct Answer: D
Question #18
Which of the following ensures completeness and accuracy of accumulated data?
A. Processing control procedures
B. Data file control procedures
C. Output controls
D. Application controls
View answer
Correct Answer: D
Question #19
Applying a digital signature to data traveling in a network provides:
A. confidentiality and integrity
B. security and nonrepudiation
C. integrity and nonrepudiation
D. confidentiality and nonrepudiation
View answer
Correct Answer: C
Question #20
Which of the following is a strength of the program evaluation review technique (PERT) over other techniques? PERT:
A. considers different scenarios for planning and control projects
B. allows the user to input program and system parameters
C. tests system maintenance processes accurately
D. estimates costs of system projects
View answer
Correct Answer: D
Question #21
Capacity monitoring software is used to ensure:
A. maximum use of available capacity
B. that future acquisitions meet user needs
C. concurrent use by a large number of users
D. continuity of efficient operations
View answer
Correct Answer: C
Question #22
A company disposing of personal computers that once were used to store confidential data should first:
A. demagnetize the hard disk
B. low-level format the hard disk
C. delete all data contained on the hard disk
D. defragment the data contained on the hard disk
View answer
Correct Answer: A
Question #23
Which of the following message services provides the strongest protection that a specific action has occurred?
A. Proof of delivery
B. Nonrepudiation
C. Proof of submission
D. Message origin authentication
View answer
Correct Answer: D
Question #24
Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code
View answer
Correct Answer: B
Question #25
An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system?
A. Buffer capacity and parallel port
B. Network controller and buffer capacity
C. Parallel port and protocol conversion
D. Protocol conversion and buffer capability
View answer
Correct Answer: C
Question #26
When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?
A. READ access to data
B. DELETE access to transaction data files
C. Logged READ/EXECUTE access to programs
D. UPDATE access to job control language/script files
View answer
Correct Answer: A
Question #27
In a system development project the purpose of the program and procedure development phase is to:
A. prepare, test and document all programs and manual procedures
B. document a business or system problem to a level at which management can select a solution
C. prepare a high-level design of a proposed system solution and present reasons for adopting a solution
D. expand the general design of an approved solution so that program and procedure writing can begin
View answer
Correct Answer: A
Question #28
Which of the following IS functions may be performed by the same individual, without compromising on control or violating segregation of duties?
A. Job control analyst and applications programmer
B. Mainframe operator and system programmer
C. Change/problem and quality control administrator
D. Applications and system programmer
View answer
Correct Answer: B
Question #29
Which of the following software development methodology uses minimal planning and in favor of rapid prototyping?
A. Agile Developments
B. Software prototyping
C. Rapid application development
D. Component based development
View answer
Correct Answer: C
Question #30
The primary goal of a web site certificate is:
A. authentication of the web site to be surfed through
B. authentication of the user who surfs through that site
C. preventing surfing of the web site by hackers
D. the same purpose as that of a digital certificate
View answer
Correct Answer: A
Question #31
An enterprisewide network security architecture of public key infrastructure (PKI) would be comprised of:
A. A public key cryptosystem, private key cryptosystem and digital certificate
B. A public key cryptosystem, symmetric encryption and certificate authorities
C. A symmetric encryption, digital certificate and kerberos authentication
D. A public key cryptosystem, digital certificate and certificate authorities
View answer
Correct Answer: D
Question #32
An IS auditor conducting an access controls review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:
A. exposure is greater since information is available to unauthorized users
B. operating efficiency is enhanced since anyone can print any report, any time
C. operating procedures are more effective since information is easily available
D. user friendliness and flexibility is facilitated since there is a smooth flow of information among users
View answer
Correct Answer: A
Question #33
The PRIMARY objective of a logical access controls review is to:
A. review access controls provided through software
B. ensure access is granted per the organization's authorities
C. walkthrough and assess access provided in the IT environment
D. provide assurance that computer hardware is protected adequately against abuse
View answer
Correct Answer: D
Question #34
In the development of an important application affecting the entire organization, which of the following would be the MOST appropriate project sponsor?
A. The information systems manager
B. A member of executive management
C. An independent management consultant
D. The manager of the key user department
View answer
Correct Answer: B
Question #35
An IS auditor, in evaluating proposed biometric control devices reviews the false rejection rates (FRRs), false acceptance rates (FARs) and equal error rates (ERRs) of three different devices. The IS auditor should recommend acquiring the device having the:
A. least ERR
B. most ERR
C. least FRR but most FAR
D. least FAR but most FRR
View answer
Correct Answer: A
Question #36
During a review of a large data center an IS auditor observed computer operators acting as backup tape librarians and security administrators. Which of these situations would be MOST critical to report?
A. Computer operators acting as tape librarians
B. Computer operators acting as security administrators
C. Computer operators acting as a tape librarian and security administrator
D. It is not necessary to report any of these situations
View answer
Correct Answer: A
Question #37
Which of the following type of a computer network covers a broad area such as city, region, nation or international link?
A. LAN
B. WAN
C. SAN
D. PAN
View answer
Correct Answer: A
Question #38
Which of the following is a ITU-T standard protocol suite for packet switched wide area network communication?
A. Point-to-point protocol
B. X
C. Frame Relay
D. ISDN
View answer
Correct Answer: D
Question #39
A universal serial bus (USB) port:
A. connects the network without a network card
B. connects the network with an Ethernet adapter
C. replaces all existing connections
D. connects the monitor
View answer
Correct Answer: A
Question #40
The database administrator has recently informed you of the decision to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of:
A. loss of audit trails
B. redundancy of data
C. loss of data integrity
D. unauthorized access to data
View answer
Correct Answer: D
Question #41
Which of the following is the FIRST step in a business process reengineering (BPR) project?
A. Defining the areas to be reviewed
B. Developing a project plan
C. Understanding the process under review
D. Reengineering and streamlining the process under review
View answer
Correct Answer: A
Question #42
The role of IT auditor in complying with the Management Assessment of Internal Controls (Section 404 of the Sarbanes-Oxley Act) is:
A. planning internal controls
B. documenting internal controls
C. designing internal controls
D. implementing internal controls
View answer
Correct Answer: C
Question #43
The security level of a private key system depends on the number of:
A. encryption key bits
B. messages sent
C. keys
D. channels used
View answer
Correct Answer: A
Question #44
Which of the following provides the framework for designing and developing logical access controls?
A. Information systems security policy
B. Access control lists
C. Password management
D. System configuration files
View answer
Correct Answer: C
Question #45
Which of the following concerns associated with the World Wide Web would be addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. A delay in Internet connectivity
D. A delay in downloading using file transfer protocol (FTP)
View answer
Correct Answer: A
Question #46
Which of the following is the MOST effective means of determining which controls are functioning properly in an operating system?
A. Consulting with the vendor
B. Reviewing the vendor installation guide
C. Consulting with the system programmer
D. Reviewing the system generation parameters
View answer
Correct Answer: C
Question #47
In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
A. isolation
B. consistency
C. atomicity
D. durability
View answer
Correct Answer: A
Question #48
Which of the following audit techniques would an IS auditor place the MOST reliance on when determining whether an employee practices good preventive and detective security measures?
A. Observation
B. Detail testing
C. Compliance testing
D. Risk assessment
View answer
Correct Answer: D
Question #49
An IS auditor evaluating data integrity in a transaction driven system environment should review atomicity, to determine whether:
A. the database survives failures (hardware or software)
B. each transaction is separated from other transactions
C. integrity conditions are maintained
D. a transaction is completed or not, or a database is updated or not
View answer
Correct Answer: D
Question #50
IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of:
A. data entry by unauthorized users
B. a nonexistent employee being paid
C. an employee receiving an unauthorized raise
D. duplicate data entry by authorized users
View answer
Correct Answer: C
Question #51
Information for detecting unauthorized input from a terminal would be BEST provided by the:
A. console log printout
B. transaction journal
C. automated suspense file listing
D. user error report
View answer
Correct Answer: B
Question #52
The use of object-oriented design and development techniques would MOST likely:
A. facilitate the ability to reuse modules
B. improve system performance
C. enhance control effectiveness
D. speed up the system development life cycle
View answer
Correct Answer: B
Question #53
Assumptions while planning an IS project involve a high degree of risk because they are:
A. based on known constraints
B. based on objective past data
C. a result of lack of information
D. often made by unqualified people
View answer
Correct Answer: D
Question #54
Which of the following is the BEST form of transaction validation?
A. Use of key field verification techniques in data entry
B. Use of programs to check the transaction against criteria set by management
C. Authorization of the transaction by supervisory personnel in an adjacent department
D. Authorization of the transaction by a department supervisor prior to the batch process
View answer
Correct Answer: B
Question #55
A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
A. the length of service since this will help ensure technical competence
B. age as training in audit techniques may be impractical
C. IS knowledge since this will bring enhanced credibility to the audit function
D. ability, as an IS auditor, to be independent of existing IS relationships
View answer
Correct Answer: C
Question #56
An IS auditor involved as a team member in the detailed system design phase of a system under development would be MOST concerned with:
A. internal control procedures
B. user acceptance test schedules
C. adequacy of the user training program
D. clerical processes for resubmission of rejected items
View answer
Correct Answer: B
Question #57
Identify the correct sequence of Business Process Reengineering (BPR) application steps from the given choices below?
A. Envision, Initiate, Diagnose, Redesign, Reconstruct and Evaluate
B. Initiate, Envision, Diagnose, Redesign, Reconstruct and Evaluate
C. Envision, Diagnose, Initiate, Redesign, Reconstruct and Evaluate
D. Evaluate, Envision, Initiate, Diagnose, Redesign, Reconstruct
View answer
Correct Answer: A
Question #58
In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?
A. Appliances
B. Operating system based
C. Host based
D. Demilitarized
View answer
Correct Answer: A
Question #59
The purpose of debugging programs is to:
A. generate random data that can be used to test programs before implementing them
B. protect valid changes from being overwritten by other changes during programming
C. define the program development and maintenance costs to be include in the feasibility study
D. ensure that abnormal terminations and coding flaws are detected and corrected
View answer
Correct Answer: A
Question #60
Which of the following group/individuals should assume overall direction and responsibility for costs and timetables of system development projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management
View answer
Correct Answer: A
Question #61
Which of the following statement INCORRECTLY describes packet switching technique?
A. Packet uses many different dynamic paths to get the same destination
B. Traffic is usually burst in nature
C. Fixed delays to reach each packet to destination
D. Usually carries data-oriented data
View answer
Correct Answer: A
Question #62
Which of the following represents the GREATEST potential risk in an EDI environment?
A. Transaction authorization
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application controls
View answer
Correct Answer: B
Question #63
Which of the following is the initial step in creating a firewall policy?
A. A cost-benefits analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
View answer
Correct Answer: D
Question #64
In a business continuity plan, there are several methods of providing telecommunication continuity. One method is diverse routing which involves:
A. providing extra capacity with the intent of using the surplus capacity should the normal primary transmission capability not be available
B. routing information via other alternate media such as copper cable or fiber optics
C. providing diverse long-distance network availability utilizing T-1 circuits among the major long-distance carriers
D. routing traffic through split-cable facilities or duplicate-cable facilities
View answer
Correct Answer: C
Question #65
Which of the following property of the core date warehouse layer of an enterprise data flow architecture uses common attributes to access a cross section of an information in the warehouse?
A. Drill up
B. Drill down
C. Drill across
D. Historical Analysis
View answer
Correct Answer: C
Question #66
Digital signatures require the:
A. signer to have a public key and the receiver to have a private key
B. signer to have a private key and the receiver to have a public key
C. signer and receiver to have a public key
D. signer and receiver to have a private key
View answer
Correct Answer: D
Question #67
Which of the following controls is LEAST likely to detect changes made online to master records?
A. Update access to master file is restricted to a supervisor independent of data entry
B. Clerks enter updates online and are finalized by an independent supervisor
C. An edit listing of all updates is produced daily and reviewed by an independent supervisor
D. An update authorization form must be approved by an independent supervisor before entry
View answer
Correct Answer: A
Question #68
An organization's disaster recovery plan should address early recovery of:
A. all information systems processes
B. all financial processing applications
C. only those applications designated by the IS manager
D. processing in priority order, as defined by business management
View answer
Correct Answer: C
Question #69
Electronic signatures can prevent messages from being:
A. suppressed
B. repudiated
C. disclosed
D. copied
View answer
Correct Answer: B
Question #70
When two or more systems are integrated, input/output controls must be reviewed by the IS auditor in the:
A. systems receiving the output of other systems
B. systems sending output to other systems
C. systems sending and receiving data
D. interfaces between the two systems
View answer
Correct Answer: B
Question #71
The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs
B. recreating program logic using generalized audit software to calculate monthly totals
C. preparing simulated transactions for processing and comparing the results to predetermined results
D. automatic flowcharting and analysis of the source code of the calculation programs
View answer
Correct Answer: A
Question #72
Which of the following would an IS auditor expect to find in a console log?
A. Names of system users
B. Shift supervisor identification
C. System errors
D. Data edit errors
View answer
Correct Answer: B
Question #73
A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP)
B. A digital signature with RSA has been implemented
C. Digital certificates with RSA are being used
D. Work is being completed in
View answer
Correct Answer: A
Question #74
A manufacturer has been purchasing materials and supplies for its business through an e-commerce application. Which of the following should this manufacturer rely on to prove that the transactions were actually made?
A. Reputation
B. Authentication
C. Encryption
D. Nonrepudiation
View answer
Correct Answer: A
Question #75
The information that requires special precaution to ensure integrity is termed?
A. Public data
B. Private data
C. Personal data
D. Sensitive data
View answer
Correct Answer: C
Question #76
When implementing and application software package, which of the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors
View answer
Correct Answer: B
Question #77
In a risk-based audit approach an IS auditor should FIRST complete a/an:
A. inherent risk assessment
B. control risk assessment
C. test of control assessment
D. substantive test assessment
View answer
Correct Answer: B
Question #78
With regard to sampling it can be said that:
A. sampling is generally applicable when the population relates to an intangible or undocumented control
B. if an auditor knows internal controls are strong, the confidence coefficient may be lowered
C. attribute sampling would help prevent excessive sampling of an attribute by stopping an audit test at the earliest possible moment
D. variable sampling is a technique to estimate the rate of occurrence of a given control or set of related controls
View answer
Correct Answer: A
Question #79
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, an IS auditor should:
A. identify and assess the risk assessment process used by management
B. identify information assets and the underlying systems
C. disclose the threats and impacts to management
D. identify and evaluate the existing controls
View answer
Correct Answer: D
Question #80
Testing the connection of two or more system components that pass information from one area to another is:
A. pilot testing
B. parallel testing
C. interface testing
D. regression testing
View answer
Correct Answer: B
Question #81
A network diagnostic tool that monitors and records network information is a/an:
A. online monitor
B. downtime report
C. help desk report
D. protocol analyzer
View answer
Correct Answer: A
Question #82
An IS auditor performing a review of the IS department discovers that formal project approval procedures do not exist. In the absence of these procedures the IS manager has been arbitrarily approving projects that can be completed in a short duration and referring other more complicated projects to higher levels of management for approval. The IS auditor should recommend as a FIRST course of action that:
A. users participate in the review and approval process
B. formal approval procedures be adopted and documented
C. projects be referred to appropriate levels of management for approval
D. the IS manager's job description be changed to include approval authority
View answer
Correct Answer: A
Question #83
LANs:
A. protect against virus infection
B. protect against improper disclosure of data
C. provide program integrity from unauthorized changes
D. provide central storage for a group of users
View answer
Correct Answer: B
Question #84
Which of the ISO/OSI model layers provides for routing packets between nodes?
A. Data link
B. Network
C. Transport
D. Session
View answer
Correct Answer: C
Question #85
Which of the following is an IS control objective?
A. Output reports are locked in a safe place
B. Duplicate transactions do not occur
C. System backup/recovery procedures are updated periodically
D. System design and development meet users' requirements
View answer
Correct Answer: A
Question #86
During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:
A. systems programmer
B. legal staff
C. business unit manager
D. application programmer
View answer
Correct Answer: A
Question #87
Which of the following should be in place to protect the purchaser of an application package in the event that the vendor ceases to trade?
A. Source code held in escrow
B. Object code held by a trusted third party
C. Contractual obligation for software maintenance
D. Adequate training for internal programming staff
View answer
Correct Answer: D
Question #88
A goal of processing controls is to ensure that:
A. the data are delivered without compromised confidentiality
B. all transactions are authorized
C. accumulated data are accurate and complete through authorized routines
D. only authorized individuals perform sensitive functions
View answer
Correct Answer: A
Question #89
The BEST time to perform a control self-assessment involving line management, line staff and the audit department is at the time of:
A. compliance testing
B. the preliminary survey
C. substantive testing
D. the preparation of the audit report
View answer
Correct Answer: C
Question #90
Which of the following Internet security threats could compromise integrity?
A. Theft of data from the client
B. Exposure of network configuration information
C. A trojan horse browser
D. Eavesdropping on the net
View answer
Correct Answer: B
Question #91
A PING command is used to measure:
A. attenuation
B. throughput
C. delay distortion
D. latency
View answer
Correct Answer: D
Question #92
When reviewing the quality of an IS department's development process, the IS auditor finds that they do not use any formal, documented methodology and standards. The IS auditor's MOST appropriate action would be to:
A. complete the audit and report the finding
B. investigate and recommend appropriate formal standards
C. document the informal standards and test for compliance
D. withdraw and recommend a further audit when standards are implemented
View answer
Correct Answer: C
Question #93
According to the Committee of Sponsoring Organizations (COSO), the internal control framework consists of which of the following?
A. Processes, people, objectives
B. Profits, products, processes
C. Costs, revenues, margins
D. Return on investment, earnings per share, market share
View answer
Correct Answer: D
Question #94
Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored
B. User management was involved in the identification of critical systems and their associated critical recovery times
C. Copies of the plan are kept at the homes of key decision making personnel
D. Feedback to management assuring them that the business continuity plans are indeed workable and that the procedures are current
View answer
Correct Answer: C
Question #95
Which of the following fire suppressant systems would an IS auditor expect to find when conducting an audit of an unmanned computer center?
A. Carbon dioxide
B. Halon
C. Dry-pipe sprinkler
D. Wet-pipe sprinkler
View answer
Correct Answer: D
Question #96
Which of the following security techniques is the BEST method for authenticating a user's identity?
A. Smart card
B. Biometrics
C. Challenge-response token
D. User ID and password
View answer
Correct Answer: C
Question #97
Which of the following groups should assume ownership of a systems development project and the resulting system?
A. User management
B. Senior management
C. Project steering committee
D. Systems development management
View answer
Correct Answer: C
Question #98
As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis (BIA)?
A. Organizational risks, such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business
View answer
Correct Answer: D
Question #99
Of the following, the MAIN purpose for periodically testing offsite backup facilities is to:
A. ensure the integrity of the data in the database
B. eliminate the need to develop detailed contingency plans
C. ensure the continued compatibility of the contingency facilities
D. ensure that program and system documentation remains current
View answer
Correct Answer: D
Question #100
Which of the following is a check (control) for completeness?
A. Check digits
B. Parity bits
C. One-for-one checking
D. Prerecorded input
View answer
Correct Answer: A
Question #101
Which is the first software capability maturity model (CMM) level to include a standard software development process?
A. Initial (level 1)
B. Repeatable (level 2)
C. Defined (level 3)
D. Optimizing (level 5)
View answer
Correct Answer: A
Question #102
Which of the following alternative business recovery strategies would be LEAST appropriate for an organization with a large database and online communications network environment?
A. Hot site
B. Cold site
C. Reciprocal agreement
D. Dual information processing facilities
View answer
Correct Answer: C
Question #103
The difference between whitebox testing and blackbox testing is that whitebox testing:
A. involves the IS auditor
B. is performed by an independent programmer team
C. examines a program's internal logical structure
D. uses the bottom-up approach
View answer
Correct Answer: B
Question #104
Which of the following controls would provide the GREATEST assurance of database integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Rollback and rollforward database features
View answer
Correct Answer: B
Question #105
Which of the following is the MOST effective technique for providing security during data transmission?
A. Communication log
B. Systems software log
C. Encryption
D. Standard protocol
View answer
Correct Answer: A
Question #106
E-mail message authenticity and confidentiality is BEST achieved by signing the message using the:
A. sender's private key and encrypting the message using the receiver's public key
B. sender's public key and encrypting the message using the receiver's private key
C. the receiver's private key and encrypting the message using the sender's public key
D. the receiver's public key and encrypting the message using the sender's private key
View answer
Correct Answer: D
Question #107
The rate of change of technology increases the importance of:
A. outsourcing the IS function
B. implementing and enforcing good processes
C. hiring personnel willing to make a career within the organization
D. meeting user requirements
View answer
Correct Answer: B
Question #108
The implementation of cost-effective controls in an automated system is ultimately the responsibility of the:
A. system administrator
B. quality assurance function
C. business unit management
D. chief of internal audit
View answer
Correct Answer: C
Question #109
The responsibility, authority and accountability of the IS audit function is documented appropriately in an audit charter and MUST be:
A. approved by the highest level of management
B. approved by audit department management
C. approved by user department management
D. changed every year before commencement of IS audits
View answer
Correct Answer: C
Question #110
An IS auditor doing penetration testing during an audit of Internet connections would:
A. evaluate configurations
B. examine security settings
C. ensure virus-scanning software is in use
D. use tools and techniques that are available to a hacker
View answer
Correct Answer: D
Question #111
Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan
B. Yes, because, based on the plan, the IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract
C. No, because the backup to be provided should be specified adequately in the contract
D. No, because the service bureau's business continuity plan is proprietary information
View answer
Correct Answer: D
Question #112
To share data in a multivendor network environment, it is essential to implement program-to-program communication. With respect to program-to-program communication features that can be implemented in this environment, which of the following makes implementation and maintenance difficult?
A. User isolation
B. Controlled remote access
C. Transparent remote access
D. The network environments
View answer
Correct Answer: C
Question #113
Which of the following should concern an IS auditor when reviewing security in a client-server environment?
A. Data is protected by an encryption technique
B. Diskless workstations prevent unauthorized access
C. Ability of users to access and modify the database directly
D. Disabling floppy drives on the users machines
View answer
Correct Answer: C
Question #114
An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A. critical
B. vital
C. sensitive
D. noncritical
View answer
Correct Answer: A
Question #115
Which of the following represents the MOST pervasive control over application development?
A. IS auditors
B. Standard development methodologies
C. Extensive acceptance testing
D. Quality assurance groups
View answer
Correct Answer: A
Question #116
An IS auditor performing a review of the EFT operations of a retailing company would verify that the customers credit limit is checked before funds are transferred by reviewing the EFT:
A. system's interface
B. switch facility
C. personal identification number generating procedure
D. operation backup procedures
View answer
Correct Answer: B
Question #117
After implementation of a disaster recovery plan (DRP), pre-disaster and post-disaster operational cost for an organization will:
A. decrease
B. not change (remain the same)
C. increase
D. increase or decrease depending upon nature of the business
View answer
Correct Answer: C
Question #118
Which of the following provides nonrepudiation services for e-commerce transactions?
A. Public key infrastructure (PKI)
B. Data encryption standard (DES)
C. Message authentication code (MAC)
D. Personal identification number (PIN)
View answer
Correct Answer: A
Question #119
An advantage of the use of hot sites as a backup alternative is that:
A. the costs associated with hot sites are low
B. hot sites can be used for an extended amount of time
C. hot sites can be made ready for operation within a short period of time
D. they do not require that equipment and systems software be compatible with the primary site
View answer
Correct Answer: B
Question #120
Which of the following steps would an IS auditor normally perform FIRST in a data center security review?
A. Evaluate physical access test results
B. Determine the risks/threats to the data center site
C. Review business continuity procedures
D. Test for evidence of physical access at suspect locations
View answer
Correct Answer: A
Question #121
Which of the following layer in in an enterprise data flow architecture is directly death with by end user with information?
A. Desktop access layer
B. Data preparation layer
C. Data mart layer
D. Data access layer
View answer
Correct Answer: A
Question #122
The FIRST step in developing a business continuity plan (BCP) is to:
A. classify the importance of systems
B. establish a disaster recovery strategy
C. determine the critical recovery time period
D. perform a risk ranking
View answer
Correct Answer: C
Question #123
Identify the network topology from below diagram presented below: Network Topology
A. Bus
B. Star
C. Ring
D. Mesh
View answer
Correct Answer: B

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: