1. | The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n): |
2. | What is the primary objective of a control self-assessment (CSA) program? |
3. | IS auditors are MOST likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. True or false? |
4. | As compared to understanding an organization’s IT process from evidence directly collected, how valuable are prior audit reports as evidence? |
5. | What is the PRIMARY purpose of audit trails? |
6. | How does the process of systems auditing benefit from using a risk-based approach to audit planning? |
7. | After an IS auditor has identified threats and potential impacts, the auditor should: |
8. | The use of statistical sampling procedures helps minimize: |
9. | What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist? |
10. | A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can: |
11. | What type of approach to the development of organizational policies is often driven by risk assessment? |
12. | Who is accountable for maintaining appropriate security measures over information assets? |
13. | Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. True or false? |
14. | What should an IS auditor do if he or she observes that project-approval procedures do not exist? |
15. | Who is ultimately accountable for the development of an IS security policy? |
16. | Proper segregation of duties normally does not prohibit a LAN administrator from also having programming responsibilities. True or false? |
17. | A core tenet of an IS strategy is that it must: |
18. | Batch control reconciliation is a _____________________ (fill in the blank) control for mitigating risk of inadequate segregation of duties. |
19. | Key verification is one of the best controls for ensuring that: |
20. | If senior management is not committed to strategic planning, how likely is it that a company’s implementation of IT will be successful? |
21. | Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST answer. |
22. | What topology provides the greatest redundancy of routes and the greatest network fault tolerance? |
23. | An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence? |
24. | What kind of protocols does the OSI Transport Layer of the TCP/IP protocol suite provide to ensure reliable communication? |
25. | How is the time required for transaction processing review usually affected by properly implemented Electronic Data Interchange (EDI)? |
26. | What would an IS auditor expect to find in the console log? Choose the BEST answer. |
27. | Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing. True or false? |
28. | Why does the IS auditor often review the system logs? |
29. | What is essential for the IS auditor to obtain a clear understanding of network management? |
30. | How is risk affected if users have direct access to a database at the system level? |
31. | What is the most common purpose of a virtual private network implementation? |
32. | What benefit does using capacity-monitoring software to monitor usage patterns and trends provide to management? Choose the BEST answer. |
33. | What can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program? Choose the BEST answer. |
34. | What are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information? Choose the BEST answer. |
35. | What increases encryption overhead and cost the most? |
36. | Which of the following best characterizes “worms”? |
37. | What is an initial step in creating a proper firewall policy? |
38. | What type of cryptosystem is characterized by data being encrypted by the sender using the recipient’s public key, and the data then being decrypted using the recipient’s private key? |
39. | How does the SSL network protocol provide confidentiality? |
40. | What are used as the framework for developing logical access controls? |
41. | Which of the following are effective controls for detecting duplicate transactions such as payments made or received? |
42. | Which of the following is a good control for protecting confidential data residing on a PC? |
43. | Which of the following is a guiding best practice for implementing logical access controls? |
44. | What does PKI use to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions? |
45. | Which of the following do digital signatures provide? |
46. | Regarding digital signature implementation, which of the following answers is correct? |
47. | Which of the following would provide the highest degree of server access control? |
48. | What are often the primary safeguards for systems software and data? |
49. | Which of the following is often used as a detection and deterrent control against Internet attacks? |
50. | Which of the following BEST characterizes a mantrap or deadman door, which is used as a deterrent control for the vulnerability of piggybacking? |
51. | Which of the following is an effective method for controlling downloading of files via FTP? Choose the BEST answer. |
52. | Which of the following provides the strongest authentication for physical access control? |
53. | What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off? Choose the BEST answer. |
54. | What can ISPs use to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources? Choose the BEST answer. |
55. | What is the key distinction between encryption and hashing algorithms? |
56. | Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry? |
57. | Which of the following is used to evaluate biometric access controls? |
58. | Who is ultimately responsible and accountable for reviewing user access to systems? |
59. | Establishing data ownership is an important first step for which of the following processes? Choose the BEST answer. |
60. | Which of the following is MOST critical during the business impact assessment phase of business continuity planning? |
61. | What type of BCP test uses actual resources to simulate a system crash and validate the plan’s effectiveness? |
62. | Which of the following typically focuses on making alternative processes and resources available for transaction processing? |
63. | Which type of major BCP test only requires representatives from each operational area to meet to review the plan? |
64. | What influences decisions regarding criticality of assets? |
65. | Of the three major types of off-site processing facilities, what type is characterized by at least providing for electricity and HVAC? |
66. | With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. True or false? |
67. | Of the three major types of off-site processing facilities, what type is often an acceptable solution for preparing for recovery of noncritical systems and data? |
68. | Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following? Choose the BEST answer. |
69. | Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the _______________. (fill-in-the-blank) |
70. | Obtaining user approval of program changes is very effective for controlling application changes and maintenance. True or false? |
71. | Library control software restricts source code to: |
72. | When is regression testing used to determine whether new application changes have introduced any errors in the remaining unchanged code? |
73. | What is often the most difficult part of initial efforts in application development? Choose the BEST answer. |
74. | What is a primary high-level goal for an auditor who is reviewing a system development project? |
75. | Whenever an application is modified, what should be tested to determine the full impact of the change? Choose the BEST answer. |
76. | The quality of the metadata produced from a data warehouse is _______________ in the warehouse’s design. Choose the BEST answer. |
77. | Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system’s inputs and outputs. True or false? |
78. | Who assumes ownership of a systems-development project and the resulting system? |
79. | If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further: |
80. | When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false? |
81. | What is a reliable technique for estimating the scope and cost of a software-development project? |
82. | Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects? |
83. | If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do? Choose the BEST answer. |
84. | What often results in project scope creep when functional requirements are not defined as well as they could be? |
85. | Fourth-Generation Languages (4GLs) are most appropriate for designing the application’s graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. True or false? |
86. | Run-to-run totals can verify data through which stage(s) of application processing? |
87. | ________________ (fill in the blank) is/are ultimately accountable for the functionality, reliability, and security within IT governance. Choose the BEST answer. |
88. | What can be used to help identify and investigate unauthorized transactions? Choose the BEST answer. |
89. | Network environments often add to the complexity of program-to-program communication, making the implementation and maintenance of application systems more difficult. True or false? |
90. | ______________ risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a _______________ risk assessment is more appropriate. Fill in the blanks. |
91. | What must an IS auditor understand before performing an application audit? Choose the BEST answer. |
92. | What is the first step in a business process re-engineering project? |
93. | When storing data archives off-site, what must be done with the data to ensure data completeness? |
94. | Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data? |
95. | What is an edit check to determine whether a field contains valid data? |
96. | A transaction journal provides the information necessary for detecting unauthorized _____________ (fill in the blank) from a terminal. |
97. | An intentional or unintentional disclosure of a password is likely to be evident within control logs. True or false? |
98. | When are benchmarking partners identified within the benchmarking process? |
99. | A check digit is an effective edit check to: |
100. | Parity bits are a control used to validate: |