Question 1: Answer A is correct. Using a statistical sample to inventory the tape library is an example of a substantive test.
Question 2: Answer B is correct. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.
Question 3: Answer C is correct. In planning an audit, the most critical step is identifying the areas of high risk.
Question 4: Answer C is correct. When evaluating the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.
Question 5: Answer D is correct. When implementing continuous-monitoring systems, an IS auditor's first step is to identify high-risk areas within the organization.
Question 6: Answer D is correct. Inherent risk is associated with authorized program exits (trap doors).
Question 7: Answer B is correct. Generalized audit software can be used to search for address field duplications.
Question 8: Answer A is correct. Failure to report a successful attack on the network is a great concern to an IS auditor.
Question 9: Answer B is correct. An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.
Question 10: Answer A is correct. An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.
Question 11: Answer A is correct. An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.
Question 12: Answer B is correct. Business unit management is responsible for implementing cost-effective controls in an automated system.
Question 13: Answer C is correct. The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.
Question 14: Answer A is correct. Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.
Question 15: Answer D is correct. When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.
Question 16: Answer B is correct. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered.
Question 17: Answer C is correct. IS assessment methods allow IS management to determine whether the activities of the organization differ from the planned or expected levels.
Question 18: Answer A is correct. An IS auditor should review the audit client's business plan before reviewing the organization's IT strategic plan.
Question 19: Answer A is correct. Allowing application programmers to directly patch or change code in production programs increases the risk of fraud.
Question 20: Answer B is correct. Security administrators are usually responsible for network security operations.
Question 21: Answer A is correct. Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management.
Question 22: Answer A is correct. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than any of the other options.
Question 23: Answer B is correct. The directory system of a database-management system describes the location of data and the access method.
Question 24: Answer D is correct. Improper file access becomes a greater risk when implementing a database system.
Question 25: Answer B is correct. To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized before disposal or release.
Question 26: Answer C is correct. When reviewing print system spooling, an IS auditor is most concerned with the potential for unauthorized printing of report copies.
Question 27: Answer C is correct. Because it functions as a protocol-conversion gateway between wireless TLS and Internet SSL, the WAP gateway is a component warranting critical concern and review for the IS auditor when auditing and testing controls that enforce message confidentiality.
Question 28: Answer A is correct. Proper segregation of duties prevents a computer operator (user) from performing security administration duties.
Question 29: Answer A is correct. Modems (modulation/demodulation) convert analog transmissions to digital and digital transmissions to analog, and are required for analog transmissions to enter a digital network.
Question 30: Answer B is correct. Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.
Question 31: Answer A is correct. Diverse routing supports data transmission through split or duplicate cable facilities.
Question 32: Answer C is correct. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.
Question 33: Answer D is correct. Inefficient and superfluous use of network devices such as hubs can degrade network performance.
Question 34: Answer B is correct. Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing.
Question 35: Answer A is correct. Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.
Question 36: Answer C is correct. Outbound traffic filtering can help prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack.
Question 37: Answer C is correct. Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks.
Question 38: Answer D is correct. Trojan horse programs are a common form of Internet attack.
Question 39: Answer A is correct. Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services.
Question 40: Answer B is correct. Intrusion-detection systems (IDS) are used to gather evidence of network attacks.
Question 41: Answer A is correct. Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities. All the other options are active attacks.
Question 42: Answer C is correct. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.
Question 43: Answer C is correct. A callback system is a remote-access control in which the user initially connects to the network via dial-up access, the server terminates that initial connection, and the server then dials the user back at a predetermined number stored in its configuration database.
Question 44: Answer A is correct. A dry-pipe sprinkler system suppresses fire via water that is released from a main valve and delivered through a system of dry pipes installed throughout the facilities.
Question 45: Answer B is correct. Digital signatures require the sender to "sign" the data by encrypting the data with the sender's private key, to then be decrypted by the recipient using the sender's public key.
Question 46: Answer A is correct. Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication.
Question 47: Answer C is correct. A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.
Question 48: Answer B is correct. The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initialization vectors, and the complexity of the data-encryption algorithm that uses the key.
Question 49: Answer D is correct. Authentication is used to validate a subject's identity.
Question 50: Answer A is correct. Database integrity is most often ensured through table link verification and reference checks.
Question 51: Answer B is correct. IS auditors should review access-control lists (ACL) to determine the user permissions that have been granted for a particular resource.
Question 52: Answer B is correct. IS auditors should always check to ensure that password files are encrypted.
Question 53: Answer C is correct. User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther down in the transport layer.
Question 54: Answer B is correct. Systems administrators should always assess the impact of patches before installation.
Question 55: Answer A is correct. Adopting and communicating a comprehensive antivirus policy is the most fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon decisions established and communicated via policy.
Question 56: Answer A is correct. A major IS audit concern is users' ability to directly modify the database.
Question 57: Answer D is correct. Intrusion-detection systems (IDS) are used to identify intrusion attempts on a network.
Question 58: Answer B is correct. Instead of simply reviewing the effectiveness and utilization of assets, an IS auditor is more concerned with adequate access control, appropriate access policies, and the effectiveness of safeguards and procedures.
Question 59: Answer A is correct. If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions.
Question 60: Answer C is correct. Redundancy is the best answer because it provides both integrity and availability. Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files.
Question 61: Answer B is correct. The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.
Question 62: Answer B is correct. If a database is restored from information backed up before the last system image, the system should be restarted before the last transaction because the final transaction must be reprocessed.
Question 63: Answer B is correct. An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.
Question 64: Answer A is correct. Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.
Question 65: Answer B is correct. Single points of failure and vulnerability to a common disaster are mitigated by geographically dispersing resources.
Question 66: Answer A is correct. Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.
Question 67: Answer D is correct. Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing.
Question 68: Answer C is correct. Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.
Question 69: Answer D is correct. Off-site data backup and storage should be geographically separated, to mitigate the risk of a widespread physical disaster such as a hurricane or an earthquake.
Question 70: Answer D is correct. A clause requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.
Question 71: Answer B is correct. Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.
Question 72: Answer C is correct. Source code escrow protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business.
Question 73: Answer A is correct. The project sponsor is ultimately responsible for providing requirement specifications to the software-development team.
Question 74: Answer D is correct. Regression testing should use data from previous tests to obtain accurate conclusions about the effects of changes or corrections to a program and to ensure that those changes and corrections have not introduced new errors.
Question 75: Answer A is correct. An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.
Question 76: Answer B is correct. Procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.
Question 77: Answer D is correct. Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications.
Question 78: Answer A is correct. Rapid application development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality.
Question 79: Answer A is correct. Test and development environments should be separated, to control the stability of the test environment.
Question 80: Answer A is correct. Programmers should perform unit, module, and full regression testing following any changes to an application or system.
Question 81: Answer B is correct. Rapid application development (RAD) uses a prototype that can be updated continually to meet changing user or business requirements.
Question 82: Answer B is correct. Inadequate user participation during system requirements definition is the most common reason for information systems to fail to meet the needs of users.
Question 83: Answer B is correct. The project steering committee is responsible for the overall direction, costs, and timetables for systems-development projects.
Question 84: Answer A is correct. Plans for user acceptance testing are usually prepared in the requirements definition phase of the systems-development project.
Question 85: Answer A is correct. Of almost all possible concerns, failing to perform user acceptance testing often has the greatest negative impact on the implementation of new application software.
Question 86: Answer C is correct. Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment.
Question 87: Answer B is correct. Authentication techniques for sending and receiving data between EDI systems are crucial to prevent unauthorized transactions.
Question 88: Answer C is correct. After identifying potential security vulnerabilities, the IS auditor's next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.
Question 89: Answer D is correct. Transaction authorization is the primary security concern for EDI environments.
Question 90: Answer B is correct. Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.
Question 91: Answer A is correct. Business process re-engineering often results in increased automation, which results in a greater number of people using technology.
Question 92: Answer A is correct. Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes.
Question 93: Answer D is correct. An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated.
Question 94: Answer A is correct. Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.
Question 95: Answer C is correct. Hash totals are used as a control to detect loss, corruption, or duplication of data.
Question 96: Answer D is correct. Data edits are implemented before processing and are considered preventive integrity controls.
Question 97: Answer A is correct. In small office environments, it is not always possible to maintain proper segregation of duties for programmers. If a programmer has access to production data or applications, compensatory controls such as comparing transaction results to approved input might be necessary.
Question 98: Answer B is correct. Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.
Question 99: Answer C is correct. A reasonableness check is a data validation edit control that matches input data to an occurrence rate.
Question 100: Answer A is correct. Database snapshots can provide an excellent audit trail for an IS auditor.