1. | An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered? |
2. | Which of the following would prevent accountability for an action performed, thus allowing repudiation of that action? |
3. | Which of the following is the MOST critical step in planning an audit? |
4. | To properly evaluate the collective effect of preventative, detective, or corrective controls within a process, an IS auditor should be aware of which of the following? Choose the BEST answer. |
5. | What is the recommended initial step for an IS auditor to implement continuous-monitoring systems? |
6. | What type of risk is associated with authorized program exits (trap doors)? Choose the BEST answer. |
7. | Which of the following is best suited for searching for address field duplications? |
8. | Which of the following is of greatest concern to the IS auditor? |
9. | An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false? |
10. | An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false? |
11. | If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function, what is the auditor’s primary responsibility? |
12. | Who is responsible for implementing cost-effective controls in an automated system? |
13. | Why does an IS auditor review an organization chart? |
14. | Ensuring that security and control policies support business and IT objectives is a primary objective of: |
15. | When auditing third-party service providers, an IS auditor should be concerned with which of the following? Choose the BEST answer. |
16. | When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should especially focus on procedures in an audit of IS strategy. True or false? |
17. | What process allows IS management to determine whether the activities of the organization differ from the planned or expected levels? Choose the BEST answer. |
18. | When should reviewing an audit client’s business plan be performed relative to reviewing an organization’s IT strategic plan? |
19. | Allowing application programmers to directly patch or change code in production programs increases risk of fraud. True or false? |
20. | Who should be responsible for network security operations? |
21. | Proper segregation of duties does not prohibit a quality control administrator from also being responsible for change control and problem management. True or false? |
22. | What can be implemented to provide the highest level of protection from external attack? |
23. | The directory system of a database-management system describes: |
24. | How is the risk of improper file access affected upon implementing a database system? |
25. | In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized? |
26. | When reviewing print systems spooling, an IS auditor is MOST concerned with which of the following vulnerabilities? |
27. | Why is the WAP gateway a component warranting critical concern and review for the IS auditor when auditing and testing controls enforcing message confidentiality? |
28. | Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false? |
29. | How does a modem (modulator/demodulator) allow analog transmissions to enter a digital network? |
30. | Which of the following are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem? Choose the BEST answer. |
31. | What supports data transmission through split cable facilities or duplicate cable facilities? |
32. | What type(s) of firewalls provide(s) the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic? |
33. | Which of the following can degrade network performance? Choose the BEST answer. |
34. | Which of the following provide(s) near-immediate recoverability for time-sensitive systems and transaction processing? |
35. | What is an effective control for granting temporary access to vendors and external support personnel? Choose the BEST answer. |
36. | Which of the following help(s) prevent an organization’s systems from participating in a distributed denial-of-service (DDoS) attack? Choose the BEST answer. |
37. | What is a common vulnerability that allows denial-of-service attacks? |
38. | What are trojan horse programs? Choose the BEST answer. |
39. | What is/are used to measure and ensure proper network capacity management and availability of services? Choose the BEST answer. |
40. | What can be used to gather evidence of network attacks? |
41. | Which of the following is a passive attack method used by intruders to determine potential network vulnerabilities? |
42. | Which of the following fire-suppression methods is considered to be the most environmentally friendly? |
43. | What is a callback system? |
44. | What type of fire-suppression system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities? |
45. | Digital signatures require the sender to “sign” the data by encrypting the data with the sender’s public key, to then be decrypted by the recipient using the recipient’s private key. True or false? |
46. | Which of the following provides the BEST single-factor authentication? |
47. | What is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption? |
48. | What determines the strength of a secret key within a symmetric key cryptosystem? |
49. | What process is used to validate a subject’s identity? |
50. | What is often assured through table link verification and reference checks? |
51. | Which of the following should an IS auditor review to determine user permissions that have been granted for a particular resource? Choose the BEST answer. |
52. | What should IS auditors always check when auditing password files? |
53. | Using the OSI reference model, what layer(s) is/are used to encrypt data? |
54. | When should systems administrators first assess the impact of applications or systems patches? |
55. | Which of the following is the most fundamental step in preventing virus attacks? |
56. | Which of the following is of greatest concern when performing an IS audit? |
57. | What are intrusion-detection systems (IDS) primarily used for? |
58. | Rather than simply reviewing the adequacy of access control, appropriateness of access policies, and effectiveness of safeguards and procedures, the IS auditor is more concerned with effectiveness and utilization of assets. True or false? |
59. | If a programmer has update access to a live system, IS auditors are more concerned with the programmer’s ability to initiate or modify transactions and the ability to access production than with the programmer’s ability to authorize transactions. True or false? |
60. | Organizations should use off-site storage facilities to maintain _________________ (fill in the blank) of current and critical information within backup files. Choose the BEST answer. |
61. | The purpose of business continuity planning and disaster-recovery planning is to: |
62. | If a database is restored from information backed up before the last system image, which of the following is recommended? |
63. | An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false? |
64. | Which of the following is the dominating objective of BCP and DRP? |
65. | How can minimizing single points of failure or vulnerabilities of a common disaster best be controlled? |
66. | Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True or false? |
67. | Off-site data storage should be kept synchronized when preparing for recovery of time-sensitive data such as that resulting from which of the following? Choose the BEST answer. |
68. | What is an acceptable recovery mechanism for extremely time-sensitive transaction processing? |
69. | Off-site data backup and storage should be geographically separated so as to ________________ (fill in the blank) the risk of a widespread physical disaster such as a hurricane or earthquake. |
70. | Why is a clause for requiring source code escrow in an application vendor agreement important? |
71. | What uses questionnaires to lead the user through a series of choices to reach a conclusion? Choose the BEST answer. |
72. | What protects an application purchaser’s ability to fix or change an application in case the application vendor goes out of business? |
73. | Who is ultimately responsible for providing requirement specifications to the software-development team? |
74. | What should regression testing use to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors? |
75. | An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to: |
76. | Which of the following processes are performed during the design phase of the systems-development life cycle (SDLC) model? |
77. | When should application controls be considered within the system-development process? |
78. | What is used to develop strategically important systems faster, reduce development costs, and still maintain high quality? Choose the BEST answer. |
79. | Test and development environments should be separated. True or false? |
80. | What kind of testing should programmers perform following any changes to an application or system? |
81. | Which of the following uses a prototype that can be updated continually to meet changing user or business requirements? |
82. | What is the most common reason for information systems to fail to meet the needs of users? Choose the BEST answer. |
83. | Who is responsible for the overall direction, costs, and timetables for systems-development projects? |
84. | When should plans for testing for user acceptance be prepared? Choose the BEST answer. |
85. | Above almost all other concerns, what often results in the greatest negative impact on the implementation of new application software? |
86. | Input/output controls should be implemented for which applications in an integrated systems environment? |
87. | Authentication techniques for sending and receiving data between EDI systems are crucial to prevent which of the following? Choose the BEST answer. |
88. | After identifying potential security vulnerabilities, what should be the IS auditor’s next step? |
89. | What is the primary security concern for EDI environments? Choose the BEST answer. |
90. | Which of the following exploit vulnerabilities to cause loss or damage to the organization and its assets? |
91. | Business process re-engineering often results in ______________ automation, which results in _____________ number of people using technology. Fill in the blanks. |
92. | Whenever business processes have been re-engineered, the IS auditor attempts to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes. True or false? |
93. | When should an application-level edit check to verify availability of funds be completed at the electronic funds transfer (EFT) interface? |
94. | ________________ (fill in the blank) should be implemented as early as data preparation to support data integrity at the earliest point possible. |
95. | What is used as a control to detect loss, corruption, or duplication of data? |
96. | Data edits are implemented before processing and are considered which of the following? Choose the BEST answer. |
97. | In small office environments, it is not always possible to maintain proper segregation of duties for programmers. If a programmer has access to production data or applications, compensatory controls such as the reviewing of transaction results to approved input might be necessary. True or false? |
98. | Processing controls ensure that data is accurate and complete, and is processed only through which of the following? Choose the BEST answer. |
99. | What is a data validation edit control that matches input data to an occurrence rate? Choose the BEST answer. |
100. | Database snapshots can provide an excellent audit trail for an IS auditor. True or false? |