
Certificator.it

Name: ISACA CISA
Number of questions: 100
Date added: 2013-06-03
Category: ISACA

ISACA CISA 1

An IS auditor, performing a review of an application's controls, discovers a weakness in system software which could materially impact the application. The IS auditor should:
A. Disregard these control weaknesses, as a system software review is beyond the scope of this review.
B. Conduct a detailed system software review and report the control weaknesses.
C. Include in the report a statement that the audit was limited to a review of the application's controls.
D. Review the system software controls as relevant and recommend a detailed system software review.

The reason for having controls in an IS environment:
A. remains unchanged from a manual environment, but the implemented control features may be different.
B. changes from a manual environment; therefore, the implemented control features may be different.
C. changes from a manual environment, but the implemented control features will be the same.
D. remains unchanged from a manual environment, and the implemented control features will also be the same.

Which of the following types of risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

The PRIMARY purpose of compliance tests is to verify whether:
A. controls are implemented as prescribed.
B. documentation is accurate and current.
C. access to users is provided as specified.
D. data validation procedures are provided.

Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities.
B. Assessing the IS environment.
C. Understanding the business process and environment applicable to the review.
D. Reviewing prior IS audit reports.

The document used by the top management of organizations to delegate authority to the IS audit function is the:
A. long-term audit plan.
B. audit charter.
C. audit planning methodology.
D. steering committee minutes.

Before reporting the results of an audit to senior management, an IS auditor should:
A. Confirm the findings with auditees.
B. Prepare an executive summary and send it to auditee management.
C. Define recommendations and present the findings to the audit committee.
D. Obtain agreement from the auditee on findings and actions to be taken.

While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies
Which of the following is a substantive audit test?
A. Verifying that a management check has been performed regularly
B. Observing that user IDs and passwords are required to sign on to the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable

Which of the following tasks is performed by the same person in a well-controlled information processing facility/computer center?
A. Security administration and management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance

Where adequate segregation of duties between operations and programming is not achievable, the IS auditor should look for:
A. compensating controls.
B. administrative controls.
C. corrective controls.
D. access controls.

Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department

The MOST important responsibility of a data security officer in an organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.

Which of the following BEST describes an IT department's strategic planning process?
A. The IT department will have either short-range or long-range plans depending on the organization's broader plans and objectives.
B. The IT department's strategic plan must be time and project oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization, since technological advances will drive the IT department plans much more quickly than organizational plans.

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction

In a small organization, where segregation of duties is not practical, an employee performs the functions of computer operator and application programmer. Which of the following controls should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications

An IT steering committee would MOST likely perform which of the following functions?
A. Placement of a purchase order with the approved IT vendor
B. Installation of systems software and application software
C. Provide liaison between the IT department and user departments
D. Interview staff for the IT department

An IS auditor is auditing the controls relating to employee termination. Which of the following is the MOST important aspect to be reviewed?
A. The related company staff are notified about the termination
B. User IDs and passwords of the employee have been deleted
C. The details of the employee have been removed from active payroll files
D. Company property provided to the employee has been returned

When reviewing a service level agreement for an outsourced computer center, an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.
The PRIMARY benefit of database normalization is the:
A. minimization of redundancy of information in the tables required to satisfy users' needs.
B. ability to satisfy more queries.
C. maximization of database integrity by providing information in more than one table.
D. minimization of response time through faster processing of information.

Which of the following network topologies yields the GREATEST redundancy in the event of the failure of one node?
A. Mesh
B. Star
C. Ring
D. Bus

A vendor/contractor's performance against service level agreements must be evaluated by the:
A. customer.
B. contractor.
C. third party.
D. contractor's management.

When auditing a mainframe operating system, what would the IS auditor do to establish which control features are in operation?
A. Examine the parameters used when the system was generated
B. Discuss system parameter options with the vendor
C. Evaluate the systems documentation and installation guide
D. Consult the systems programmers

When conducting an audit of client/server database security, the IS auditor would be MOST concerned about the availability of:
A. system utilities.
B. application program generators.
C. system security documentation.
D. access to stored procedures.

Which of the following would allow a company to extend its enterprise intranet across the Internet to its business partners?
A. Virtual private network
B. Client-server
C. Dial-up access
D. Network service provider

An IS auditor auditing hardware monitoring procedures should review:
A. system availability reports.
B. cost-benefit reports.
C. response time reports.
D. database utilization reports.

The device that connects two networks at the highest level of the ISO-OSI framework (i.e., the application layer) is a:
A. Gateway
B. Router
C. Bridge
D. Brouter

Which of the following statements relating to packet switching networks is CORRECT?
A. Packets for a given message travel the same route.
B. Passwords cannot be embedded within the packet.
C. Packet lengths are variable and each packet contains the same amount of information.
D. The cost charged for transmission is based on packets, not on distance or route traveled.

An IS auditor, when reviewing a network used for Internet communications, will FIRST examine the:
A. validity of password change occurrences.
B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.

Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging of access to personal information
B. Separate password for sensitive transactions
C. Software that restricts access rules to authorized staff
D. System access restricted to business hours

Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

The MOST effective method for limiting the damage of an attack by a software virus is:
A. software controls.
B. policies, standards and procedures.
C. logical access controls.
D. data communication standards.
Which of the following BEST determines that complete encryption and authentication protocols exist for protecting information while transmitted?
A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of AH and ESP.
C. Digital certificates with RSA are being used.
D. Work is being done in transport mode with the nested services of AH and ESP.

Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data encryption standard (DES)
C. Virtual private network (VPN)
D. Public key encryption

The PRIMARY objective of a firewall is to protect:
A. internal systems from exploitation by external threats.
B. external systems from exploitation by internal threats.
C. internal systems from exploitation by internal threats.
D. itself and attached systems against being used to attack other systems.

Which of the following is an example of a physiological biometrics technique?
A. Hand scans
B. Voice scans
C. Signature scans
D. Keystroke monitoring

An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator (DBA).
B. Password controls are not administered over the client/server environment.
C. There is no business continuity plan for the mainframe system's non-critical applications.
D. Most LANs do not back up file server fixed disks regularly.

An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. Maximum unauthorized access would be possible if a password is disclosed.
B. User access rights would be restricted by the additional security parameters.
C. The security administrator's workload would increase.
D. User access rights would be increased.

A B-to-C e-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Asymmetric encryption

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be PRIMARILY concerned about:
A. the soundness of the impact analysis.
B. hardware and software compatibility.
C. differences in IS policies and procedures.
D. frequency of system testing.

An IS auditor discovers that an organization's business continuity plan provides for an alternate processing site that will accommodate fifty percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
A. Do nothing, because generally less than twenty-five percent of all processing is critical to an organization's survival and the backup capacity, therefore, is adequate.
B. Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
C. Ensure that critical applications have been identified and that the alternate site could process all such applications.
D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing.

Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization's IS department?
A. Developing the business continuity plan
B. Selecting and approving the strategy for the business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster
Which of the following issues should be included in the business continuity plan?
A. The staff required to maintain critical business functions in the short, medium and long term
B. The potential for a natural disaster to occur, such as an earthquake
C. Disastrous events impacting information systems processing and end-user functions
D. A risk analysis that considers systems malfunctions, accidental file deletions or other failures

In an audit of a business continuity plan, which of the following findings is of MOST concern?
A. There is no insurance for the addition of assets during the year.
B. The BCP manual is not updated on a regular basis.
C. Testing of the backup of data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

Classification of information systems is essential in business continuity planning. Which of the following system types cannot be replaced by manual methods?
A. Critical system
B. Vital system
C. Sensitive system
D. Non-critical system

An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.

The window of time for recovery of information processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe based.

During an IT audit of a large bank, an IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk that the bank is exposed to is that the:
A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and therefore may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by the management.
D. business continuity plan may lack effective ownership by the business owners of such applications.

Which of the following is necessary to have FIRST in the development of a business continuity plan?
A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software

The application test plans are developed in which of the following systems development life cycle (SDLC) phases?
A. Design
B. Testing
C. Requirements
D. Development

Which of the following tests confirms that the new system can operate in its target environment?
A. Sociability testing
B. Regression testing
C. Validation testing
D. Black box testing

The MOST appropriate person to chair the steering committee for a system development project with significant impact on a business area would be the:
A. business analyst.
B. chief information officer.
C. project manager.
D. executive level manager.

The PRIMARY purpose of undertaking a parallel run of a new system is to:
A. verify that the system provides required business functionality.
B. validate the operation of the new system against its predecessor.
C. resolve any errors in the program and file interfaces.
D. verify that the system can process the production load.

Change control procedures to prevent scope creep during an application development project should be defined during:
A. design.
B. feasibility.
C. implementation.
D. requirements definition.

Which of the following would MOST likely ensure that a system development project meets business objectives?
A. Maintenance of program change logs
B. Development of a project plan identifying all development activities
C. Release of application changes at specific times of the year
D. User involvement in system specification and acceptance
Which of the following is a measure of the size of an information system based on the number and complexity of a system's inputs, outputs and files?
A. Function point (FP)
B. Program evaluation review technique (PERT)
C. Rapid application design (RAD)
D. Critical path method (CPM)

When auditing the requirements phase of a software acquisition, the IS auditor should:
A. assess the feasibility of the project timetable.
B. assess the vendor's proposed quality processes.
C. ensure that the best software package is acquired.
D. review the completeness of the specifications.

The purpose of debugging programs is to:
A. generate random data that can be used to test programs before implementing them.
B. protect, during the programming phase, valid changes from being overwritten by other changes.
C. define the program development and maintenance costs to be included in the feasibility study.
D. ensure that program abnormal terminations and program coding flaws are detected and corrected.

Software maintainability BEST relates to which of the following software attributes?
A. Resources needed to make specified modifications.
B. Effort needed to use the system application.
C. Relationship between software performance and the resources needed.
D. Fulfillment of user needs.

IT governance ensures that an organization aligns its IT strategy with:
A. Enterprise objectives.
B. IT objectives.
C. Audit objectives.
D. Finance objectives.

A validation which ensures that input data are matched to predetermined reasonable limits or occurrence rates is known as a:
A. Reasonableness check.
B. Validity check.
C. Existence check.
D. Limit check.

During which of the following steps in business process reengineering should the benchmarking team visit the benchmarking partner?
A. Observation
B. Planning
C. Analysis
D. Adaptation

Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)?
A. Segment counts built into the transaction set trailer
B. A log of the number of messages received, periodically verified with the transaction originator
C. An electronic audit trail for accountability and tracking
D. Matching acknowledgement transactions received to the log of EDI messages sent

A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one of the menu options in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can only be executed from the menu option.

When conducting a review of business process re-engineering, an IS auditor found that a key preventive control had been removed. In this case, the IS auditor should:
A. inform management of the finding and determine if management is willing to accept the potential material risk of not having that preventive control.
B. determine if a detective control has replaced the preventive control during the process and, if so, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.

Which of the following is an output control objective?
A. Maintenance of accurate batch registers
B. Completeness of batch processing
C. Appropriate accounting for rejections and exceptions
D. Authorization of file updates
In a system that records all receivables for a company, the receivables are posted on a daily basis. Which of the following would ensure that receivables balances are unaltered between postings?
A. Range checks
B. Record counts
C. Sequence checking
D. Run-to-run control totals

Which of the following would be the MOST important issue to the IS auditor in a business process re-engineering (BPR) project?
A. The loss of middle management, which often is a result of a BPR project
B. That controls are usually given low priority in a BPR project
C. The considerable negative impact that information protection could have on BPR
D. The risk of failure due to the large size of the task usually undertaken in a BPR project

To meet pre-defined criteria, which of the following continuous audit techniques would BEST identify transactions to audit?
A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facilities (ITF)
D. Audit hooks

In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by:
A. the availability of CAATs.
B. management's representation.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.

The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.

The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization's computer systems.

Which of the following data entry controls provides the GREATEST assurance that the data is entered correctly?
A. Using key verification
B. Segregating the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee's initials/user ID and progress of various data preparation and verification tasks
D. Adding check digits

Capacity monitoring software is used to ensure:
A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.

Which of the following exposures associated with the spooling of sensitive reports for offline printing would an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.

Which of the following types of firewalls would BEST protect a network from an Internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway

Applying a retention date on a file will ensure that:
A. data cannot be read until the date is set.
B. data will not be deleted before that date.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.

A digital signature contains a message digest to:
A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.

Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
B. A digital signature with RSA has been implemented.
C. Digital certificates with RSA are being used.
D. Work is being completed in TCP services.

To prevent an organization's computer systems from becoming part of a distributed denial-of-service attack, IP packets containing addresses that are listed as unroutable can be isolated by:
A. establishing outbound traffic filtering.
B. enabling broadcast blocking.
C. limiting allowable services.
D. network performance monitoring.

An IS auditor doing penetration testing during an audit of Internet connections would:
A. evaluate configurations.
B. examine security settings.
C. ensure virus-scanning software is in use.
D. use tools and techniques that are available to a hacker.

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to system resources.
C. adequate protection of stored data on servers by encryption or other means.
D. accountability system and the ability to identify any terminal accessing system resources.

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
A. An application-level gateway
B. A remote access server
C. A proxy server
D. Port scanning

If a database is restored using before-image dumps, where should the process be restarted following an interruption?
A. Before the last transaction
B. After the last transaction
C. The first transaction after the latest checkpoint
D. The last transaction before the latest checkpoint

Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures?
A. Invite client participation.
B. Involve all technical staff.
C. Rotate recovery managers.
D. Install locally stored backup.

A large chain of shops with EFT at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism

When implementing an application software package, which of the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors

Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code

During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
Which of the following types of controls is designed to provide the ability to verify data and record values through the stages of application processing?
A. Range checks
B. Run-to-run totals
C. Limit checks on calculated amounts
D. Exception reports

The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing the results to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation programs.

IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of:
A. data entry by unauthorized users.
B. a nonexistent employee being paid.
C. an employee receiving an unauthorized raise.
D. duplicate data entry by authorized users.

Which of the following pairs of functions should not be combined to provide proper segregation of duties?
A. Tape librarian and computer operator
B. Application programming and data entry
C. Systems analyst and database administrator
D. Security administrator and quality assurance

An IS auditor who is reviewing application run manuals would expect them to contain:
A. details of source documents.
B. error codes and their recovery actions.
C. program logic flowcharts and file definitions.
D. change records for the application source code.

Which of the following IS functions may be performed by the same individual, without compromising on control or violating segregation of duties?
A. Job control analyst and applications programmer
B. Mainframe operator and system programmer
C. Change/problem and quality control administrator
D. Applications and system programmer

Which of the following is the MOST important function to be performed by IT management within an outsourced environment?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance

An organization has outsourced network and desktop support. Although the relationship has been reasonably successful, risks remain due to connectivity issues. Which of the following controls should FIRST be performed to assure that the organization reasonably mitigates these possible risks?
A. Network defense program
B. Encryption/authentication
C. Adequate reporting between organizations
D. Adequate definition in the contractual relationship
