Question 1 Answer B is correct. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.
Question 2 Answer A is correct. Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.
Question 3 Answer A is correct. IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it this way: if any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in little reliance on internal controls, which results in additional substantive testing.
Question 4 Answer C is correct. Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization's IT process than evidence directly collected.
Question 5 Answer C is correct. The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.
Question 6 Answer B is correct. Allocation of auditing resources to the areas of highest concern is a benefit of a risk-based approach to audit planning.
Question 7 Answer A is correct. After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.
Question 8 Answer A is correct. The use of statistical sampling procedures helps minimize detection risk.
Question 9 Answer B is correct. Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist.
Question 10 Answer C is correct. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can identify high-risk areas that might need a detailed review later.
Question 11 Answer B is correct. A bottom-up approach to the development of organizational policies is often driven by risk assessment.
Question 12 Answer A is correct. Data and systems owners are accountable for maintaining appropriate security measures over information assets.
Question 13 Answer A is correct. Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.
Question 14 Answer D is correct. If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.
Question 15 Answer A is correct. The board of directors is ultimately accountable for the development of an IS security policy.
Question 16 Answer B is correct. Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.
Question 17 Answer D is correct. Above all else, an IS strategy must support the business objectives of the organization.
Question 18 Answer D is correct. Batch control reconciliations are a compensatory control for mitigating the risk of inadequate segregation of duties.
Question 19 Answer A is correct. Key verification is one of the best controls for ensuring that data is entered correctly.
Question 20 Answer C is correct. A company's implementation of IT will be less likely to succeed if senior management is not committed to strategic planning.
Question 21 Answer A is correct. Lack of employee awareness of a company's information security policy could lead to an unintentional loss of confidentiality.
Question 22 Answer B is correct. A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.
Question 23 Answer A is correct. An IS auditor usually places more reliance on evidence directly collected, such as through personal observation.
Question 24 Answer B is correct. The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols to ensure reliable communication.
Question 25 Answer A is correct. Electronic data interface (EDI) supports intervendor communication while decreasing the time necessary for review because it is usually configured to readily identify errors requiring follow-up.
Question 26 Answer B is correct. An IS auditor can expect to find system errors to be detailed in the console log.
Question 27 Answer A is correct. Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing.
Question 28 Answer C is correct. When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor will often review the system logs.
Question 29 Answer C is correct. A graphical interface to the map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.
Question 30 Answer B is correct. If users have direct access to a database at the system level, the risk of unauthorized and untraceable changes to the database increases.
Question 31 Answer A is correct. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.
Question 32 Answer D is correct. Using capacity-monitoring software to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.
Question 33 Answer B is correct. A system downtime log can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program.
Question 34 Answer C is correct. Concurrency controls are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information.
Question 35 Answer B is correct. A long asymmetric encryption key (public key encryption) increases encryption overhead and cost. All other answers are single shared symmetric keys.
Question 36 Answer A is correct. Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.
Question 37 Answer C is correct. Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.
Question 38 Answer B is correct. With public key encryption or asymmetric encryption, data is encrypted by the sender using the recipient's public key; the data is then decrypted using the recipient's private key.
Question 39 Answer D is correct. The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption Standard, or DES.
Question 40 Answer A is correct. Information systems security policies are used as the framework for developing logical access controls.
Question 41 Answer C is correct. Time stamps are an effective control for detecting duplicate transactions such as payments made or received.
Question 42 Answer C is correct. File encryption is a good control for protecting confidential data residing on a PC.
Question 43 Answer B is correct. Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization's data owners.
Question 44 Answer C is correct. PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions.
Question 45 Answer A is correct. The primary purpose of digital signatures is to provide authentication and integrity of data.
Question 46 Answer C is correct. A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value, or message digest, from the entire message contents. Upon receiving the data, the recipient can independently create its own message digest from the data for comparison and data integrity validation. Public and private keys are used to enforce confidentiality. Hashing algorithms are used to enforce integrity.
Question 47 Answer D is correct. A fingerprint scanner facilitating biometric access control can provide a very high degree of server access control.
Question 48 Answer B is correct. Logical access controls are often the primary safeguards for systems software and data.
Question 49 Answer A is correct. Honeypots are often used as a detection and deterrent control against Internet attacks.
Question 50 Answer A is correct. A monitored double-doorway entry system, also referred to as a mantrap or deadman door, is used as a deterrent control for the vulnerability of piggybacking.
Question 51 Answer B is correct. Application-layer gateways, or proxy firewalls, are an effective method for controlling downloading of files via FTP. Because FTP is an OSI application-layer protocol, the most effective firewall needs to be capable of inspecting through the application layer.
Question 52 Answer D is correct. Biometrics can be used to provide excellent physical access control.
Question 53 Answer C is correct. Screensaver passwords are an effective control to implement as a countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off.
Question 54 Answer C is correct. ISPs can use access control lists to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources.
Question 55 Answer B is correct. A key distinction between encryption and hashing algorithms is that hashing algorithms are irreversible.
Question 56 Answer A is correct. Data diddling involves modifying data before or during systems data entry.
Question 57 Answer B is correct. When evaluating biometric access controls, a low equal error rate (EER) is preferred. EER is also called the crossover error rate (CER).
Question 58 Answer C is correct. Data owners are ultimately responsible and accountable for reviewing user access to systems.
Question 59 Answer D is correct. To properly implement data classification, establishing data ownership is an important first step.
Question 60 Answer A is correct. End-user involvement is critical during the business impact assessment phase of business continuity planning.
Question 61 Answer B is correct. Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan's effectiveness.
Question 62 Answer D is correct. Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing.
Question 63 Answer C is correct. Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.
Question 64 Answer C is correct. Criticality of assets is often influenced by the business criticality of the data to be protected and by the scope of the impact upon the organization as a whole. For example, the loss of a network backbone creates a much greater impact on the organization as a whole than the loss of data on a typical user's workstation.
Question 65 Answer A is correct. Of the three major types of off-site processing facilities (hot, warm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A warm site improves upon this by providing for redundant equipment and software that can be made operational within a short time.
Question 66 Answer A is correct. With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary and the costs associated with recovery. Although DRP results in an increase in pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs.
Question 67 Answer A is correct. A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.
Question 68 Answer B is correct. Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.
Question 69 Answer C is correct. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the board of directors.
Question 70 Answer A is correct. Obtaining user approval of program changes is very effective for controlling application changes and maintenance.
Question 71 Answer A is correct. Library control software restricts source code to read-only access.
Question 72 Answer A is correct. Regression testing is used in program development and change management to determine whether new changes have introduced any errors in the remaining unchanged code.
Question 73 Answer C is correct. Determining time and resource requirements for an application-development project is often the most difficult part of initial efforts in application development.
Question 74 Answer C is correct. A primary high-level goal for an auditor who is reviewing a systems-development project is to ensure that business objectives are achieved. This objective guides all other systems development objectives.
Question 75 Answer B is correct. Whenever an application is modified, the entire program, including any interface systems with other applications or systems, should be tested to determine the full impact of the change.
Question 76 Answer B is correct. The quality of the metadata produced from a data warehouse is the most important consideration in the warehouse's design.
Question 77 Answer B is correct. Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system's inputs, outputs, and files.
Question 78 Answer A is correct. User management assumes ownership of a systems-development project and the resulting system.
Question 79 Answer B is correct. If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further comprehensive integration testing.
Question 80 Answer B is correct. When participating in a systems-development project, an IS auditor should also strive to ensure that adequate and complete documentation exists for all projects.
Question 81 Answer A is correct. A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project.
Question 82 Answer D is correct. PERT is a program-evaluation review technique that considers different scenarios for planning and controlling projects.
Question 83 Answer C is correct. If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.
Question 84 Answer A is correct. Inadequate software baselining often results in project scope creep because functional requirements are not defined as well as they could be.
Question 85 Answer A is correct. Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures.
Question 86 Answer B is correct. Run-to-run totals can verify data through various stages of application processing.
Question 87 Answer B is correct. The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.
Question 88 Answer C is correct. Data-mining techniques can be used to help identify and investigate unauthorized transactions.
Question 89 Answer A is correct. Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult.
Question 90 Answer A is correct. Quantitative risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate.
Question 91 Answer C is correct. An IS auditor must first understand the relevant business processes before performing an application audit.
Question 92 Answer C is correct. Defining the scope of areas to be reviewed is the first step in a business process re-engineering project.
Question 93 Answer D is correct. When storing data archives off-site, data must be synchronized to ensure data completeness.
Question 94 Answer A is correct. A redundancy check can help detect transmission errors by appending specially calculated bits onto the end of each segment of data.
Question 95 Answer A is correct. A completeness check is an edit check to determine whether a field contains valid data.
Question 96 Answer B is correct. A transaction journal provides the information necessary for detecting unauthorized input from a terminal.
Question 97 Answer B is correct. An intentional or unintentional disclosure of a password is not likely to be evident within control logs.
Question 98 Answer C is correct. Benchmarking partners are identified in the research stage of the benchmarking process.
Question 99 Answer B is correct. A check digit is an effective edit check to detect data-transposition and transcription errors.
Question 100 Answer B is correct. Parity bits are a control used to validate data completeness.