CISA Exam Preparation Question Answer - 06-2023
Uploaded by andri
CISA Exam Preparation Question Answer

Exam: 221 Questions, in 300 minutes


Five Domains:
1. Information Systems Auditing Process (21%)
2. Governance and Management of IT (17%)
3. Information Systems Acquisition, Development and Implementation (12%)
4. Information Systems Operations and Business Resilience (23%)
5. Protection of Information Assets (27%)

1|Page
CISA Exam Question & Answer 2023 ver. 2
Version: v2023-06

QUESTION 1
Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of the
transaction.
B. Periodic testing does not require separate test processes.
C. It validates application systems and tests the ongoing operation of the system.
D. The need to prepare test data is eliminated.

Answer: B
Explanation:
An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously
with live input. Its advantage is that periodic testing does not require separate test processes. However,
careful planning is necessary, and test data must be isolated from production data.

QUESTION 2
A company laptop has been stolen and all photos on the laptop have been published on social media. Which
of the following is the IS auditor's BEST course of action?
A. Review the photos to determine whether they were for business or personal purposes
B. Determine if the laptop had the appropriate level of encryption
C. Verify the organization's incident reporting policy was followed
D. Ensure that the appropriate authorities have been notified

Answer: C

QUESTION 3
What must an IS auditor understand before performing an application audit? Choose the BEST answer.
A. The potential business impact of application risks.
B. Application risks must first be identified.
C. Relevant business processes.
D. Relevant application risks.

Answer: C
Explanation:
An IS auditor must first understand the relevant business processes before performing an application audit.

QUESTION 4
You should know the difference between an exploit and a vulnerability. Which of the following refers to a
weakness in the system?
A. exploit
B. vulnerability
C. Threat
D. Asset

Answer: B
Explanation:
You should know the difference between an exploit and a vulnerability. An exploit refers to software, data, or
commands capable of taking advantage of a bug, glitch or vulnerability in order to cause unintended behavior.
Vulnerability in this sense refers to a weakness in the system.

QUESTION 5
Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an
organization's incident response process?
A. Past incident response actions
B. Incident response staff experience and qualifications
C. Results from management testing of incident response procedures
D. Incident response roles and responsibilities

Answer: C

QUESTION 6
Which of the following should be the PRIMARY audience for a third-party technical security assessment
report?
A. Operational IT management
B. Legal counsel
C. Board of directors
D. External regulators

Answer: C

QUESTION 7
Which of the following types of honeypot essentially gives an attacker a real environment to attack?
A. High-interaction
B. Low-interaction
C. Medium-interaction
D. None of the choices

Answer: A
Explanation:
A high-interaction honeypot essentially gives the attacker a real environment to attack. You should also know the
following about honeypots for the CISA exam:
A honeypot is a system or software application that pretends to be a vulnerable server on the Internet. It is not
set up to actively protect against break-ins but to attract them, so that attacker activity can be detected and
studied.
There are two types of honeypot:
High-interaction honeypots - Essentially give the attacker a real environment to attack. They imitate production
systems hosting a variety of services, so an attacker may be offered many services on which to waste time.
Research into high-interaction honeypot technology shows that by employing virtual machines, multiple
honeypots can be hosted on a single physical machine, and a compromised honeypot can then be restored
quickly. In general, high-interaction honeypots yield more information and are harder for an attacker to
recognize, but they are expensive to maintain, and a compromised one is a real system that must be contained
so it cannot be used as a stepping stone to other targets. If virtual machines are not available, one physical
computer must be maintained for each honeypot, which can be exorbitantly expensive. Example: a honeynet.
Low-interaction honeypots - Emulate a production environment rather than providing one, and therefore yield
more limited information. They simulate only the services frequently requested by attackers. Since they
consume relatively few resources, multiple virtual systems can easily be hosted on one physical machine, the
virtual systems have a short response time, and less code is required, which reduces the complexity (and the
attack surface) of the honeypot's own security. Example: Honeyd.
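As an added example (not from the original page, and not Honeyd's own code), the kind of service emulation a low-interaction honeypot performs. The script below fakes only the surface of a Telnet login: it sends a banner and prompts, records whatever credentials are typed, always answers "Login incorrect", and emits one JSON log record per attempt. Nothing exists behind the prompt, which is exactly why it is cheap to run and low-risk compared with a high-interaction honeypot. The banner text and the port 2323 are constructed for the example.

```python
import json
import socket
import sys
import threading
import time

# Constructed banner; a real deployment would pick one matching the
# environment the honeypot pretends to be.
BANNER = b"Ubuntu 20.04.6 LTS\r\n"


class TelnetLoginEmulator:
    """State machine emulating a Telnet login prompt.

    Only the login dialogue is emulated; there is no shell behind it.
    feed() takes raw bytes from the client and returns bytes to send back.
    Captured credential attempts accumulate in self.events.
    """

    def __init__(self, peer):
        self.peer = peer
        self.state = "user"       # "user" -> "password" -> "user" ...
        self.buffer = b""
        self.username = None
        self.events = []

    def greeting(self):
        return BANNER + b"login: "

    def feed(self, data):
        self.buffer += data
        out = b""
        # Process one line per iteration; a partial line stays buffered.
        while b"\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\n", 1)
            out += self._handle_line(line.rstrip(b"\r"))
        return out

    def _handle_line(self, line):
        if self.state == "user":
            # Record the input verbatim; never interpret it (attackers send
            # control bytes and injection attempts, which are just data here).
            self.username = line.decode("utf-8", "replace")
            self.state = "password"
            return b"Password: "
        self.events.append({
            "ts": time.time(),
            "peer": self.peer,
            "event": "login_attempt",
            "username": self.username,
            "password": line.decode("utf-8", "replace"),
        })
        self.state = "user"
        # Every attempt fails; a low-interaction honeypot never grants access.
        return b"\r\nLogin incorrect\r\nlogin: "


def handle_client(conn, addr, logfile):
    """Drive one connection through the emulator and log each attempt."""
    emu = TelnetLoginEmulator("%s:%d" % addr)
    conn.sendall(emu.greeting())
    conn.settimeout(30)
    try:
        while True:
            data = conn.recv(1024)
            if not data:
                break
            reply = emu.feed(data)
            if reply:
                conn.sendall(reply)
            for ev in emu.events:
                logfile.write(json.dumps(ev) + "\n")
                logfile.flush()
            emu.events.clear()
    except (socket.timeout, ConnectionError):
        pass
    finally:
        conn.close()


def serve(host="127.0.0.1", port=2323, logfile=sys.stdout):
    """Listen on an unprivileged port; each client runs in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_client, args=(conn, addr, logfile),
                         daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it, then `telnet 127.0.0.1 2323` from another terminal: every username/password pair typed is written to stdout as a JSON line. Because the emulator is a pure function of its input, the credential capture can be tested without opening a socket, which is the property that keeps the honeypot's own code small and auditable.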

QUESTION 8
Which of the following is the BEST indication of effective IT investment management?
A. IT investments are implemented and monitored following a system development life cycle (SDLC)
B. IT investments are mapped to specific business objectives
C. Key performance indicators (KPIs) are defined for each business area requiring IT investment
D. The IT investment budget is significantly below industry benchmarks

Answer: B

QUESTION 9
Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?
A. Requiring a key code to be entered on the printer to produce hardcopy
B. Producing a header page with classification level for printed documents
C. Encrypting the data stream between the user's computer and the printer
D. Using passwords to allow authorized users to send documents to the printer

Answer: A

QUESTION 10
Which of the following would BEST facilitate the detection of internal fraud perpetrated by an individual?
A. Corporate fraud hotline
B. Segregation of duties
C. Mandatory leave
D. Flexible time

Answer: C

QUESTION 11
Which of the following is an IS auditor’s GREATEST concern when an organization does not regularly update
software on individual workstations in the internal environment?
A. The organization may not be in compliance with licensing agreements.
B. System functionality may not meet business requirements.
C. The organization may be more susceptible to cyber-attacks.
D. The system may have version control issues.

Answer: C

QUESTION 12
An organization considers implementing a system that uses a technology that is not in line with the
organization's IT strategy. Which of the following is the BEST justification for deviating from the IT strategy?
A. The business benefits are achieved even with extra costs
B. The organization has staff familiar with the technology
C. The system has a reduced cost of ownership
D. The system makes use of state-of-the-art technology

Answer: A

QUESTION 13
After discussing findings with an auditee, an IS auditor is required to obtain approval of the report from the
CEO before issuing it to the audit committee. This requirement affects the IS auditor's:
A. independence
B. judgment
C. effectiveness
D. integrity

Answer: A

QUESTION 14
What would be the MOST effective control for enforcing accountability among database users accessing
sensitive information?
A. Implement a log management process
B. Implement two-factor authentication
C. Use table views to access sensitive data
D. Separate database and application servers

Answer: A
Explanation:
Accountability means knowing what is being done by whom. The best way to enforce the principle is to
implement a log management process that would create and store logs with pertinent information such as
user name, type of transaction and hour. Choice B, implementing a two-factor authentication, and choice C,
using table views to access sensitive data, are controls that would limit access to the database to authorized
users but would not resolve the accountability problem.
Choice D may help in a better administration or even in implementing access controls but, again, does not
address the accountability issues.

QUESTION 15
Which of the following statements correctly describes the difference between total flooding and local application
extinguishing agents?
A. The local application design contains a physical barrier enclosing the fire space, whereas no physical barrier
is present in the total flooding design.
B. The total flooding design contains a physical barrier enclosing the fire space, whereas no physical barrier is
present in the local application design.
C. No physical barrier enclosing the fire space is present in either the total flooding or the local application
design.
D. A physical barrier enclosing the fire space is present in both the total flooding and the local application design.

Answer: B
Explanation:
For the CISA exam you should know the following about fire suppression systems.
A fire suppression system is designed to activate automatically immediately after detection of heat, typically
generated by fire. Like smoke detectors, the system produces an audible alarm when activated and should be
linked to a central guard station that is regularly monitored. The system should also be inspected and tested
annually; the testing interval should comply with industry and insurance standards and guidelines.
Broadly speaking, there are two methods for applying an extinguishing agent: total flooding and local
application.
Total flooding - Systems working under the total flooding principle apply an extinguishing agent to a three-
dimensional enclosed space in order to achieve a concentration of the agent (volume percentage of agent in
air) adequate to extinguish the fire. These systems may be operated automatically by detection and related
controls, or manually by operating a system actuator.
Local application - Systems working under the local application principle apply an extinguishing agent directly
onto a fire (usually a two-dimensional area) or into the three-dimensional region immediately surrounding the
substance or object on fire. The main difference between local application and total flooding design is the
absence of a physical barrier enclosing the fire space in the local application design.
The suppression medium varies but is usually one of the following:
Water-based systems are typically referred to as sprinkler systems. They are effective but unpopular because
they damage equipment and property. The system can be dry-pipe or charged (water is always in the system
piping). A charged system is more reliable but exposes the facility to expensive water damage if a pipe leaks
or breaks.
Dry-pipe sprinkler systems do not hold water in the pipes until an electronic fire alarm opens a valve that sends
water into the system, as opposed to a fully charged (wet-pipe) system. A dry-pipe system has the advantage
that a failure in the pipe will not leak water onto sensitive equipment from above. Since water and electricity do
not mix, these systems must be combined with an automatic switch that shuts down the electrical supply to the
protected area.
Halon systems release pressurized halon gas, which interrupts the chemical chain reaction of combustion and
so extinguishes the fire. Halon was popular because it leaves no residue and does not damage equipment
the way water does. Because halon depletes the ozone layer, it was banned under the Montreal Protocol
(1987), which stopped halon production as of 1 January 1994. As a banned gas, existing halon installations
are required by international agreement to be phased out. The most common halon substitute is FM-200.
FM-200 (also called heptafluoropropane, HFC-227 or HFC-227ea, its ISO name) is a colorless, odorless
gaseous fire suppression agent and is commonly used in place of halon.
Argonite is the brand name for a mixture of 50% argon and 50% nitrogen. It is an inert gas mixture used in
gaseous fire suppression systems for extinguishing fires where damage to equipment must be avoided.
Although argon is nontoxic, it does not satisfy the body's need for oxygen and is a simple asphyxiant.
CO2 systems release pressurized carbon dioxide gas into the protected area to displace the oxygen required
for combustion. Unlike halon and its later replacements, CO2 cannot sustain human life; in most countries it is
therefore illegal for such a system to be set to automatic release if any human may be in the area. Because of
this, these systems are usually discharged manually, introducing an additional delay in combating the fire.
The following were incorrect answers:
The other options do not describe a valid difference between total flooding and local application extinguishing
agents.

QUESTION 16
During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion
prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a
sequence of logged events that could indicate an error in the IPS configuration?
A. Inherent risk
B. Sampling risk
C. Control risk
D. Detection risk

Answer: D

QUESTION 17
Input/output controls should be implemented for which applications in an integrated systems environment?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving application

Answer: C
Explanation:
Input/output controls should be implemented for both the sending and receiving applications in an integrated
systems environment.

QUESTION 18
A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should
require considerably less time for review and authorization and the system should be capable of identifying
errors that require follow up. Which of the following would BEST meet these objectives?
A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies
B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice
processing
C. Establishing an EDI system of electronic business documents and transactions with key suppliers,
computer to computer, in a standard format
D. Reengineering the existing processing and redesigning the existing system

Answer: C
Explanation:
EDI is the best answer. Properly implemented (e.g., with agreements with trading partners, transaction
standards, and controls over network security mechanisms in conjunction with application controls), EDI is best
suited to identifying and following up on errors quickly, given the reduced opportunities for review and
authorization.

QUESTION 19
Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls

Answer: A
Explanation:
A software baseline is the cut-off point in the design and development of a system beyond which additional
requirements or modifications to the design do not or cannot occur without undergoing formal strict
procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the
requirements of a system through baselining can result in a number of risks. Foremost among these risks is
scope creep, the process through which requirements change during development. Choices B, C and D may
not always result, but choice A is inevitable.

QUESTION 20
Which of the following encryption methods uses a matching pair of key-codes, securely distributed, which are
used once-and-only-once to encode and decode a single message?
A. Blowfish
B. Tripwire
C. certificate
D. one-time pad

Answer: D
Explanation:
It's possible to protect messages in transit by means of cryptography. One method of encryption - the one-
time pad - has been proven to be unbreakable when correctly used. This method uses a matching pair of key-
codes, securely distributed, which are used once-and-only-once to encode and decode a single message.
Note that this method is difficult to use securely, and is highly inconvenient as well.
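An added example, not part of the original page, of the one-time pad and of the failure mode the note above alludes to. The pad must be truly random, as long as the message, and used exactly once; the second half of the block shows why "once-and-only-once" is not optional: reusing a pad for two messages lets an eavesdropper cancel the pad and recover the XOR of the two plaintexts, from which a guessed fragment of one message reveals the other. The messages and the crib are constructed sample inputs.

```python
import secrets


def generate_pad(length):
    """Return `length` bytes from the OS CSPRNG; this is the shared key-code."""
    return secrets.token_bytes(length)


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message, pad):
    """Encode: ciphertext = message XOR pad. Decoding is the same operation."""
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext, pad):
    return xor_bytes(ciphertext, pad)


def two_time_pad_leak(ct1, ct2):
    """What an eavesdropper learns if one pad was used for two messages:
    ct1 XOR ct2 == m1 XOR m2, with the pad cancelled out entirely."""
    return xor_bytes(ct1, ct2)


def crib_drag(leak, crib, position):
    """Given m1 XOR m2 and a guess (crib) for part of m1 at `position`,
    reveal the corresponding bytes of m2. No key material is needed."""
    segment = leak[position:position + len(crib)]
    return xor_bytes(segment, crib)


if __name__ == "__main__":
    # Constructed messages: one correct use of a pad, then the reuse mistake.
    m1 = b"TRANSFER 100000 TO ACCT 4471"
    m2 = b"TRANSFER 250000 TO ACCT 9910"
    pad = generate_pad(len(m1))
    ct1 = otp_encrypt(m1, pad)
    print("round trip ok:", otp_decrypt(ct1, pad) == m1)
    ct2 = otp_encrypt(m2, pad)            # the mistake: same pad twice
    leak = two_time_pad_leak(ct1, ct2)
    print("bytes 9-14 of message 2:", crib_drag(leak, b"100000", 9))
```

The recovered fragment comes purely from the two ciphertexts and a plausible guess about message 1, which is why an audit of any "one-time pad" deployment should ask how pad uniqueness is enforced, not just how pads are distributed.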

QUESTION 21
During an audit of a financial application, it was determined that many terminated users' accounts were not
disabled. Which of the following should be the IS auditors NEXT step?
A. Perform substantive testing of terminated users' access rights.
B. Communicate risks to the application owner.
C. Perform a review of terminated users' account activity.
D. Conclude that IT general controls are ineffective.

Answer: C

QUESTION 22
An IS auditor finds that conference rooms have active network ports. Which of the following is MOST
important to ensure?
A. The corporate network is using an intrusion prevention system (IPS)
B. This part of the network is isolated from the corporate network
C. A single sign-on has been implemented in the corporate network
D. Antivirus software is in place to protect the corporate network

Answer: B
Explanation:
If the conference rooms have access to the corporate network, unauthorized users may be able to connect to
the corporate network; therefore, both networks should be isolated either via a firewall or being physically
separated. An IPS would detect possible attacks, but only after they have occurred. A single sign-on would
ease authentication management. Antivirus software would reduce the impact of possible viruses; however,
unauthorized users would still be able to access the corporate network, which is the biggest risk.

QUESTION 23
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to
processes and tools related to an organization's business continuity plan (BCP)?
A. Change management processes
B. Completed test plans
C. Updated Inventory of systems
D. Full test results

Answer: D

QUESTION 24
Which of the following is the MOST critical and contributes the greatest to the quality of data in a data
warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the data transformation

Answer: A
Explanation:
Accuracy of source data is a prerequisite for the quality of the data in a data warehouse.
Credibility of the data source, accurate extraction processes and accurate transformation routines are all
important, but would not change inaccurate data into quality (accurate) data.

QUESTION 25
Which of the following observations should be of GREATEST concern to an IS auditor reviewing a hosted
virtualized environment where each guest operating system (OS) is running a production application?
A. The test environment of the applications is in a separate guest OS
B. Access to virtualization utilities and tools in the host is not restricted
C. All virtual machines are launching an application backup job at the same time
D. There are file shares between the host OS and the guest OS

Answer: B

QUESTION 26
Which of the following would help to ensure the portability of an application connected to a database?
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)
C. Analysis of stored procedures/triggers
D. Synchronization of the entity-relation model with the database physical schema

Answer: B
Explanation:
The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures
better interfacing with other systems, analyzing stored procedures/triggers ensures proper
access/performance, and reviewing the design entity- relation model will be helpful, but none of these
contribute to the portability of an application connecting to a database.

QUESTION 27
The MOST likely explanation for the use of applets in an Internet application is that:
A. it is sent over the network from the server.
B. the server does not run the program and the output is not sent over the network.
C. they improve the performance of the web server and network.
D. it is a JAVA program downloaded through the web browser and executed by the web server of the client
machine.

Answer: C
Explanation:
An applet is a Java program that is sent over the network from the web server, through a web browser, to the
client machine, where the code is then run. Since the server does not run the program and the output is not
sent over the network, the performance of the web server and of the network over which the server and client
are connected improves drastically through the use of applets. This performance improvement is more
important than the reasons offered in choices A and B. Since a Java virtual machine (JVM) is embedded in
most web browsers, an applet downloaded through the web browser runs on the client machine inside the
browser, not on the web server, making choice D incorrect.

QUESTION 28
To optimize an organization's business contingency plan (BCP), an IS auditor should recommend conducting
a business impact analysis (BlA) in order to determine:
A. the business processes that generate the most financial value for the organization and therefore must be
recovered first.
B. the priorities and order for recovery to ensure alignment with the organization's business strategy.
C. the business processes that must be recovered following a disaster to ensure the organization's survival.
D. the priorities and order of recovery which will recover the greatest number of systems in the shortest time
frame.

Answer: C
Explanation:
To ensure the organization's survival following a disaster, it is important to recover the most critical business
processes first; it is a common mistake to overemphasize value (choice A) rather than urgency. For example,
while the processing of incoming mortgage loan payments is important from a financial perspective, it could be
delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not
generating direct revenue, is far more critical because of the possibility of regulatory problems, customer
complaints and reputation issues. Choices B and D are not correct because neither the long-term business
strategy nor the mere number of recovered systems has a direct impact at this point in time.

QUESTION 29
Which of the following terms related to network performance refers to the delay that packets may experience on
their way from the source to the destination?
A. Bandwidth
B. Throughput
C. Latency
D. Jitter

Answer: C
Explanation:
Latency is the delay between the sender transmitting data and the receiver decoding it; it is mainly a function of
the signal's travel time and the processing time at any nodes the information traverses.
In a network, latency, a synonym for delay, is an expression of how much time it takes for a packet of data to
get from one designated point to another. In some usages (for example, AT&T), latency is measured by
sending a packet that is returned to the sender, and the round-trip time is taken as the latency.
The latency assumption seems to be that data should be transmitted instantly between one point and another
(that is, with no delay at all).
The following answers are incorrect:
Bandwidth - Bandwidth, commonly measured in bits per second, is the maximum rate at which information can
be transferred.
Throughput - Throughput is the actual rate at which information is transferred.
Jitter - Jitter is the variation in the arrival time of the information at the receiver.

QUESTION 30
Which of the following is the GREATEST threat to Voice-over Internet Protocol (VoIP) related to privacy?
A. Eavesdropping
B. Denial of service (DoS)
C. Incorrect routing
D. Call recording

Answer: A

QUESTION 31
Which of the following ensures the availability of transactions in the event of a disaster?
A. Send tapes hourly containing transactions offsite.
B. Send tapes daily containing transactions offsite.
C. Capture transactions to multiple storage devices.
D. Transmit transactions offsite in real time.

Answer: D
Explanation:
The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite
facility. Choices A and B are not in real time and, therefore, would not include all the transactions. Choice C
does not ensure availability at an offsite location.

QUESTION 32
Due to cost restraints, a company defers the replacement of hardware supporting core applications.
Which of the following represents the GREATEST risk?
A. Future upgrades may not be possible.
B. Eventual replacement may be more expensive.
C. Maintenance costs may rise.
D. Systems availability may suffer.

Answer: D

QUESTION 33
Establishing data ownership is an important first step for which of the following processes?
Choose the BEST answer.
A. Assigning user access privileges
B. Developing organizational security policies
C. Creating roles and responsibilities
D. Classifying data

Answer: D
Explanation:
To properly implement data classification, establishing data ownership is an important first step.

QUESTION 34
Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer

Answer: C
Explanation:
User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther
down in the transport layer.

QUESTION 35
Which of the following ensures a sender's authenticity and an e-mail's confidentiality?
A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the
message with the receiver's public key
B. The sender digitally signing the message and thereafter encrypting the hash of the message with the
sender's private key
C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message
with the receiver's public key
D. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's
public key.

Answer: C
Explanation:
To ensure both authenticity and confidentiality, two operations are needed. The sender first hashes the message
and encrypts the hash with the sender's private key, producing a digital signature; anyone holding the sender's
public key can verify it, which proves who sent the message and that it was not altered. The sender then
encrypts the message (with the signature attached) with the receiver's public key, so only the holder of the
receiver's private key can decrypt it, ensuring confidentiality. Choice A encrypts only the hash with the receiver's
public key and leaves the message itself in the clear. Choice B signs twice and never encrypts the message.
Choice D encrypts the message with the sender's private key, which anyone with the sender's public key can
undo, so it provides no confidentiality.
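An added worked example, not part of the original page, of choice C as a protocol: sign the hash with the sender's private key, then encrypt message plus signature for the receiver's public key, and on receipt decrypt first and verify second. To stay runnable with nothing but the Python standard library it uses textbook RSA over constructed, far too small primes and a SHA-256 keystream for the message body; this shows the structure only. Real systems use standardized padding (RSA-PSS for signatures, RSA-OAEP or a hybrid scheme such as ECDH plus an AEAD for encryption) and keys of thousands of bits. All key pairs and messages below are constructed.

```python
import hashlib
import secrets


def rsa_keygen(p, q, e=17):
    """Textbook RSA from two constructed primes (illustration only).
    Returns (public, private) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; Python 3.8+
    return (e, n), (d, n)


def digest_int(data, n):
    """SHA-256 of the data reduced into the RSA group so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(message, sender_priv):
    """Authenticity: encrypt the hash with the sender's private key."""
    d, n = sender_priv
    return pow(digest_int(message, n), d, n)


def verify(message, signature, sender_pub):
    """Anyone with the sender's public key can check the signature."""
    e, n = sender_pub
    return pow(signature, e, n) == digest_int(message, n)


def keystream(session_key, length):
    """Expand a session key into a keystream: SHA-256(key || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = session_key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(message, sender_priv, receiver_pub):
    """Choice C: sign with the sender's private key, then encrypt the
    message and signature so that only the receiver can read them."""
    sig = sign(message, sender_priv)
    body = message + b"|" + str(sig).encode()
    e, n = receiver_pub
    session_key = secrets.randbelow(n - 2) + 2        # random key in 2 .. n-1
    wrapped_key = pow(session_key, e, n)              # readable only with receiver's d
    ciphertext = xor_bytes(body, keystream(session_key, len(body)))
    return wrapped_key, ciphertext


def open_envelope(envelope, receiver_priv, sender_pub):
    """Decrypt with the receiver's private key, then verify the sender's
    signature. Returns the message, or None if verification fails."""
    wrapped_key, ciphertext = envelope
    d, n = receiver_priv
    session_key = pow(wrapped_key, d, n)
    body = xor_bytes(ciphertext, keystream(session_key, len(ciphertext)))
    message, _, sig_text = body.rpartition(b"|")
    try:
        sig = int(sig_text)
    except ValueError:
        return None
    return message if verify(message, sig, sender_pub) else None


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keygen(1009, 1013)    # constructed sender key
    bob_pub, bob_priv = rsa_keygen(1031, 1033)        # constructed receiver key
    env = seal(b"pay 100 to acct 4471", alice_priv, bob_pub)
    print(open_envelope(env, bob_priv, alice_pub))
```

The receiver decrypts before verifying because the signature travels inside the encrypted body; if the signature were left outside, an observer could at least learn that a given sender signed something. Each of the checks a practitioner would want follows from the structure: a flipped ciphertext byte or a message signed by someone else fails verification, and a party without the receiver's private key recovers only garbage.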

QUESTION 36
Which of the following would be an auditor's GREATEST concern when reviewing data inputs from
spreadsheets into the core finance system?
A. Undocumented code formats data and transmits directly to the database
B. Spreadsheets are accessible by all members of the finance department
C. The department data protection policy has not been reviewed or updated for two years
D. There is not a complete inventory of spreadsheets, and file naming is inconsistent

Answer: A

QUESTION 37
Which of the following is a detective control?
A. Backup procedures
B. Programmed edit checks for data entry
C. Verification of hash totals
D. Use of pass cards to gain access to physical facilities

Answer: C

QUESTION 38
When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST
important consideration is that the metrics:
A. provide quantitative measurement of IT initiatives in relation with business targets,
B. are used by similar industries to measure the effect of IT on business strategy.
C. are expressed in terms of how IT risk impacts the achievement of business goals.
D. measure the effectiveness of IT controls in the achievement of IT strategy.

Answer: A

QUESTION 39
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs
from the agreed-upon approach confirmed during the last audit.
Which of the following should be the auditor's NEXT course of action?
A. Inform senior management of the change in approach.
B. Conduct a risk analysis incorporating the change.
C. Report results of the follow-up to the audit committee.
D. Evaluate the appropriateness of the remedial action taken.

Answer: D

QUESTION 40
Which of the following would BEST support 24/7 availability?
A. Daily backup
B. offsite storage
C. Mirroring
D. Periodic testing

Answer: C
Explanation:
Mirroring of critical elements is a tool that facilitates immediate recoverability. Daily backup implies that it is
reasonable for restoration to take place within a number of hours, but not immediately. Offsite storage and
periodic testing of systems do not of themselves support continuous availability.

QUESTION 41
An IS auditor finds multiple situations where the help desk resolved security incidents without notifying IT
security as required by policy. Which of the following is the BEST audit recommendation?
A. Redesign the help desk reporting process.
B. Have IT security review problem management policy.
C. Display the incident response hotline in common areas.
D. Reinforce the incident escalation process.

Answer: D

QUESTION 42
In the review of a feasibility study for an IS acquisition, the important step is to:
A. determine whether security and control requirements have been specified.
B. determine whether the cost-benefits are achievable.
C. ensure that the right to audit the vendor has been considered.
D. ensure that a contingency plan is in place should the project fail.

Answer: B

QUESTION 43
Which of the following online auditing techniques is most effective for the early detection of errors or
irregularities?
A. Embedded audit module
B. Integrated test facility
C. Snapshots
D. Audit hooks

Answer: D
Explanation:
The audit hook technique involves embedding code in application systems for the examination of selected
transactions. This helps an IS auditor to act before an error or an irregularity gets out of hand. An embedded
audit module involves embedding specially-written software in the organization's host application system so
that application systems are monitored on a selective basis. An integrated test facility is used when it is not
practical to use test data, and snapshots are used when an audit trail is required.

QUESTION 44
An emergency power-off switch should:
A. be protected
B. be illuminated.
C. not be identified.
D. not be in the computer room

Answer: A

QUESTION 45
How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital
network?
A. Modems convert analog transmissions to digital, and digital transmission to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog.
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital.

Answer: A
Explanation:
Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to
analog, and are required for analog transmissions to enter a digital network.

QUESTION 46
Which of the following reports should an IS auditor use to check compliance with a service level agreement
(SLA) requirement for uptime?
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports

Answer: D
Explanation:
IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods
during which the computer was available for utilization by users or other processes. Utilization reports
document the use of computer equipment, and can be used by management to predict how/where/when
resources are required. Hardware error reports provide information to aid in detecting hardware failures and
initiating corrective action. System logs are a recording of the system's activities.

QUESTION 47
Which of the following would a digital signature MOST likely prevent?
A. Corruption
B. Unauthorized change
C. Repudiation
D. Disclosure

Answer: C
Explanation:
A digital signature enforces non-repudiation, thereby preventing repudiation.

QUESTION 48
An IS auditor has been asked to audit a complex system with computerized and manual elements.
Which of the following should be identified FIRST?
A. System risks
B. Programmed controls
C. Manual controls
D. Input validation

Answer: A

QUESTION 49
A vulnerability in which of the following virtual systems would be of GREATEST concern to the IS auditor?
A. The virtual file server
B. The virtual application server
C. The virtual machine management server
D. The virtual antivirus server

Answer: C

QUESTION 50
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.

Answer: A
Explanation:
ISACA auditing standards require that an IS auditor plan the audit work to address the audit objectives.
Choice B is incorrect because the auditor does not collect evidence in the planning stage of an audit.
Choices C and D are incorrect because they are not the primary goals of audit planning. The activities
described in choices B, C and D are all undertaken to address audit objectives and are thus secondary to
choice A.

QUESTION 51
An organization has established three IS processing environments: development, test, and production.
The MAJOR reason for separating the development and test environments is to:
A. obtain segregation of duties between IS staff and end users.
B. limit the user's access rights to the test environment.
C. perform testing in a stable environment.
D. protect the programs under development from unauthorized testing.

Answer: C

QUESTION 52
When using an integrated test facility (ITF), an IS auditor should ensure that:
A. production data are used for testing.
B. test data are isolated from production data.
C. a test data generator is used.
D. master files are updated with the test data.

Answer: B
Explanation:
An integrated test facility (ITF) creates a fictitious file in the database, allowing for test transactions to be
processed simultaneously with live data. While this ensures that periodic testing does not require a separate
test process, there is a need to isolate test data from production data. An IS auditor is not required to use
production data or a test data generator.
Production master files should not be updated with test data.

QUESTION 53
An IS auditor finds that a DBA has read and write access to production data. The IS auditor should:
A. accept the DBA access as a common practice.
B. assess the controls relevant to the DBA function.
C. recommend the immediate revocation of the DBA access to production data.
D. review user access authorizations approved by the DBA.

Answer: B
Explanation:
It is good practice when finding a potential exposure to look for the best controls. Though granting the
database administrator (DBA) access to production data might be a common practice, the IS auditor should
evaluate the relevant controls. The DBA should have access based on a need-to-know and need-to-do basis;
therefore, revocation may remove the access required. The DBA, typically, may need to have access to some
production data. Granting user authorizations is the responsibility of the data owner and not the DBA.

QUESTION 54
Which of the following is the MAIN purpose of an information security management system?
A. To enhance the impact of reports used to monitor information security incidents
B. To reduce the frequency and impact of information security incidents
C. To identify and eliminate the root causes of information security incidents
D. To keep information security policies and procedures up-to-date

Answer: B

QUESTION 55
Which of the following is an effective method for controlling downloading of files via FTP?
Choose the BEST answer.
A. An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall

Answer: B
Explanation:
Application-layer gateways, or proxy firewalls, are an effective method for controlling downloading of files via
FTP. Because FTP is an OSI application-layer protocol, the most effective firewall needs to be capable of
inspecting through the application layer.

QUESTION 56
Which of the following BEST limits the impact of server failures in a distributed environment?
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power

Answer: B
Explanation:
Clustering allows two or more servers to work as a unit, so that when one of them fails, the other takes over.
Choices A and C are intended to minimize the impact of channel communications failures, but not a server
failure. Choice D provides an alternative power source in the event of an energy failure.

QUESTION 57
What is the first step in a business process re-engineering project?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D. Reviewing the organizational strategic plan

Answer: C
Explanation:
Defining the scope of areas to be reviewed is the first step in a business process reengineering project.

QUESTION 58
An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the
IS auditor recommend to avoid this situation?
A. Log all table update transactions.
B. Implement before-and-after image reporting.
C. Use tracing and tagging.
D. Implement integrity constraints in the database.

Answer: D
Explanation:
Implementing integrity constraints in the database is a preventive control, because data is checked against
predefined tables or rules, preventing any undefined data from being entered. Logging all table update
transactions and implementing before-and-after image reporting are detective controls that would not avoid
the situation. Tracing and tagging are used to test application systems and controls and could not prevent
out-of-range data.

QUESTION 59
In wireless communication, which of the following controls allows the device receiving the communications to
verify that the received communications have not been altered in transit?
A. Device authentication and data origin authentication
B. Wireless intrusion detection (IDS) and prevention systems (IPS)
C. The use of cryptographic hashes
D. Packet headers and trailers

Answer: C
Explanation:
Calculating cryptographic hashes for wireless communications allows the device receiving the
communications to verify that the received communications have not been altered in transit. This prevents
masquerading and message modification attacks. Device authentication and data origin authentication is not
the correct answer, since authenticating wireless endpoints to each other prevents man-in-the-middle attacks
and masquerading. Wireless IDS/IPS is not the correct answer, since wireless IDS/IPSs have the ability to
detect misconfigured devices and rogue devices, and to detect and possibly stop certain types of attacks. Packet
headers and trailers alone do not ensure that the content has not been altered.

QUESTION 60
The purpose of a deadman door controlling access to a computer facility is primarily to:
A. prevent piggybacking.
B. prevent toxic gases from entering the data center.
C. starve a fire of oxygen.
D. prevent an excessively rapid entry to, or exit from, the facility.

Answer: A
Explanation:
The purpose of a deadman door controlling access to a computer facility is primarily to prevent
piggybacking. Choices B and C could be accomplished with a single self-closing door.
Choice D is invalid, as a rapid exit may be necessary in some circumstances, e.g., a fire.

QUESTION 61
Which of the following PBX features supports shared extensions among several devices, ensuring that only
one device at a time can use an extension?
A. Call forwarding
B. Privacy release
C. Tenanting
D. Voice mail

Answer: B
Explanation:
Privacy release supports shared extensions among several devices, ensuring that only one device at a time
can use an extension.

QUESTION 62
Identify the INCORRECT statement from the testing types mentioned below.
A. Recovery Testing - Making sure the modified/new system includes provisions for appropriate access
control and does not introduce any security holes that might compromise other systems
B. Load Testing - Testing an application with large quantities of data to evaluate its performance during peak
hour
C. Volume testing - Studying the impact on the application by testing with an incremental volume of records to
determine the maximum volume of records that application can process
D. Stress Testing - Studying the impact on the application by testing with an incremental number of concurrent
users/services on the application to determine maximum number of concurrent user/service the application
can process

Answer: A
Explanation:
The word INCORRECT is the keyword in this question: you need to find the option that is defined incorrectly.
Recovery testing is incorrectly defined in the options above. The correct description of recovery testing is:
Recovery Testing - Checking the system's ability to recover after a software or hardware failure. For the CISA
exam you should know the following types of testing:
Unit Testing - The testing of an individual program or module. Unit testing uses a set of test cases that focus
on the control structure of the procedural design. These tests ensure the internal operation of the programs
according to the specification.
Interface or integration testing - A hardware or software test that evaluates the connection of two or more
components that pass information from one area to another. The objective is to take unit-tested modules and
build the integrated structure dictated by the design. The term integration testing also refers to tests that verify
and validate the functioning of the application under test with other systems, where a set of data is transferred
from one system to another.
System Testing - A series of tests designed to ensure that modified programs, objects, database schema,
etc., which collectively constitute a new or modified system, function properly. These test procedures are often
performed in a non-production test/development environment by software developers designated as a test
team. The following specific analyses may be carried out during system testing:
Recovery Testing - Checking the system's ability to recover after a software or hardware failure.
Security Testing - Making sure the modified/new system includes provisions for appropriate access control
and does not introduce any security holes that might compromise other systems.
Load Testing - Testing an application with large quantities of data to evaluate its performance during peak
hour.
Volume testing - Studying the impact on the application by testing with an incremental volume of records to
determine the maximum volume of records that the application can process.
Stress Testing - Studying the impact on the application by testing with an incremental number of concurrent
users/services on the application to determine the maximum number of concurrent users/services the
application can process.
Performance Testing - Comparing the system performance to other equivalent systems using well-defined
benchmarks.
Final Acceptance Testing - It has two major parts: Quality Assurance Testing (QAT), focusing on the technical
aspect of the application, and User Acceptance Testing (UAT), focusing on the functional aspect of the
application.
QAT focuses on documented specifications and the technology employed. It verifies that the application works
as documented by testing the logical design and the technology itself. It also ensures that the application meets
the documented technical specifications and deliverables. QAT is performed primarily by the IS department.
The participation of end users is minimal and on request. QAT does not focus on functionality testing.
UAT supports the process of ensuring that the system is production ready and satisfies all documented
requirements. The methods include:
• Definition of test strategies and procedures.
• Design of test cases and scenarios.
• Execution of the tests.
• Utilization of the results to verify system readiness.
• Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of
the user. A UAT plan must be documented for the final test of the completed system.
• The tests are written from a user's perspective and should test the system in a manner as close to
production as possible.

QUESTION 63
Which of the following is the BEST way to address ongoing concerns with the quality and accuracy of internal
audits?
A. Require peer reviews of audit workpapers.
B. Implement performance management for IS auditors.
C. Require IS audit management to lead exit meetings.
D. Engage an independent review of the audit function.

Answer: D

QUESTION 64
A web application is developed in-house by an organization. Which of the following would provide the BEST
evidence to an IS auditor that the application is secure from external attack?
A. Code review by a third party
B. Web application firewall implementation
C. Penetration test results
D. Database application monitoring logs

Answer: C

QUESTION 65
When is regression testing used to determine whether new application changes have introduced any errors in
the remaining unchanged code?
A. In program development and change management
B. In program feasibility studies
C. In program development
D. In change management

Answer: A
Explanation:
Regression testing is used in program development and change management to determine whether new
changes have introduced any errors in the remaining unchanged code.

QUESTION 66
The use of risk assessment tools for classifying risk factors should be formalized in your IT audit effort
through:
A. the development of written guidelines.
B. the use of risk controls.
C. using computer assisted audit technology tools.
D. the use of computer assisted functions.

Answer: A

QUESTION 67
During an audit of the logical access control of an ERP financial system, an IS auditor found some user
accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities.
These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?
A. Look for compensating controls.
B. Review financial transactions logs.
C. Review the scope of the audit.
D. Ask the administrator to disable these accounts.

Answer: A
Explanation:
The best logical access control practice is to create user IDs for each individual to define accountability. This
is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user
IDs are created based on role designations, an IS auditor should first understand the reasons and then
evaluate the effectiveness and efficiency of compensating controls. Reviewing transaction logs is not
relevant to an audit of logical access control, nor is reviewing the scope of the audit relevant. Asking the
administrator to disable the shared accounts should not be recommended by an IS auditor before
understanding the reasons and evaluating the compensating controls. It is not an IS auditor's responsibility to
ask for disabling accounts during an audit.

QUESTION 68
Which of the following is MOST important for the successful establishment of a security vulnerability
management program?
A. An approved patching policy
B. A tested incident response plan
C. A comprehensive asset inventory
D. A robust tabletop exercise plan

Answer: C

QUESTION 69
Before concluding that internal controls can be relied upon, the IS auditor should:
A. discuss the internal control weaknesses with the auditee
B. document application controls
C. conduct tests of compliance
D. document the system of internal control

Answer: C

QUESTION 70
Which of the following is the PRIMARY role of the IS auditor in an organization's information classification
process?
A. Defining classification levels for information assets within the organization
B. Ensuring classification levels align with regulatory guidelines
C. Validating that assets are protected according to assigned classification
D. Securing information assets in accordance with the classification assigned

Answer: C

QUESTION 71
The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. technology not aligning with the organization's objectives.
D. an absence of control over technology contracts.

Answer: C
Explanation:
A steering committee should exist to ensure that the IT strategies support the organization's goals. The
absence of an information technology committee or a committee not composed of senior managers would be
an indication of a lack of top-level management commitment. This condition would increase the risk that IT
would not be aligned with the organization's strategy.

QUESTION 72
Which of the following is MOST likely to result from compliance testing?
A. Discovery of controls that have not been applied
B. Confirmation of data with outside sources
C. Comparison of data with physical counts
D. Identification of errors due to processing mistakes

Answer: A

QUESTION 73
Which of the following would be MOST useful when analyzing computer performance?
A. Report of off-peak utilization and response time
B. Tuning of system software to optimize resource usage
C. Operations report of user dissatisfaction with response time
D. Statistical metrics measuring capacity utilization

Answer: D

QUESTION 74
The PRIMARY goal of a web site certificate is:
A. authentication of the web site that will be surfed.
B. authentication of the user who surfs through that site.
C. preventing surfing of the web site by hackers.
D. the same purpose as that of a digital certificate.

Answer: A
Explanation:
Authenticating the site to be surfed is the primary goal of a web certificate. Authentication of a user is
achieved through passwords and not by a web site certificate. The site certificate does not prevent hacking
nor does it authenticate a person.

QUESTION 75
Which of the following types of attack often take advantage of curiosity or greed to deliver malware?
A. Gimmes
B. Tripwire
C. Icing
D. Soft coding

Answer: A
Explanation:
Gimmes take advantage of curiosity or greed to deliver malware. Also known as a Trojan horse, a gimme can
arrive as an email attachment promising anything. The recipient is expected to give in to the temptation to
open the attachment. In addition, many users will blindly click on any attachments they receive that seem even
mildly legitimate.

QUESTION 76
An IS auditor reviewing a proposed application software acquisition should ensure that the:
A. operating system (OS) being used is compatible with the existing hardware platform.
B. planned OS updates have been scheduled to minimize negative impacts on company needs.
C. OS has the latest versions and updates.
D. products are compatible with the current or planned OS.

Answer: D
Explanation:
Choices A, B and C are incorrect because none of them are related to the area being audited. In reviewing the
proposed application the auditor should ensure that the products to be purchased are compatible with the
current or planned OS. Regarding choice A, if the OS is currently being used, it is compatible with the existing
hardware platform, because if it is not it would not operate properly. In choice B, the planned OS updates
should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should
be equipped with the most recent versions and updates (with sufficient history and stability).

QUESTION 77
An IS auditor is reviewing logical access controls for an organization's financial business application. Which of
the following findings should be of GREATEST concern to the auditor?
A. Users are not required to change their passwords on a regular basis
B. Management does not review application user activity logs
C. Password length is set to eight characters
D. User accounts are shared between users

Answer: D

QUESTION 78
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a
successful brute force attack on encrypted data at rest?
A. Use of symmetric encryption
B. Use of asymmetric encryption
C. Random key generation
D. Short key length

Answer: D

QUESTION 79
Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.
Answer: B
Explanation:
Required vacations/holidays of a week or more in duration, during which someone other than the regular
employee performs the job function, are often mandatory for sensitive positions, as this reduces the
opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent
activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory
vacation policy, but they are not the reason why the policy is established.

QUESTION 80
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an
IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR project plans.
D. continuous improvement and monitoring plans.

Answer: B
Explanation:
An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered
process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in
the past. Choices C and D are incorrect because they are steps within a BPR project.

QUESTION 81
Regarding an organization's supply chain management processes: customer orders are not being fulfilled in a
timely manner, and the inventory in the warehouse does not match the quantity of goods in the sales orders.
Which of the following is the auditor's BEST recommendation?
A. Implement an automated control to verify inventory levels prior to finalizing sales orders.
B. Revise the order fulfillment procedures in collaboration with the e-commerce team.
C. Require the warehouse manager to send updated inventory levels on a periodic basis.
D. Require the sales representative to verify inventory levels prior to finalizing sales orders.

Answer: A

QUESTION 82
An organization wants to reuse company-provided smartphones collected from staff leaving the organization.
Which of the following would be the BEST recommendation?
A. Data should be securely deleted from the smartphones.
B. Smartphones should not be reused, but physically destroyed.
C. The memory cards of the smartphones should be replaced.
D. The SIM card and telephone number should be changed.

Answer: A

QUESTION 83
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to
processes and tools related to an organization's business continuity plan (BCP)?
A. Completed test plans
B. Updated inventory of systems
C. Change management processes
D. Full test results

Answer: D

QUESTION 84
An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that
is directly accessed by customers via the Internet. Which of the following should be a concern for the auditor?
A. The system is hosted on an external third-party service provider's servers.
B. The system is hosted in a hybrid-cloud platform managed by a service provider.
C. The system is hosted within a demilitarized zone (DMZ) of a corporate network.
D. The system is hosted within an internal segment of a corporate network.

Answer: D
Explanation:
A web-based CRM system that is directly accessed by customers via the Internet should be hosted in a
secure and isolated environment to protect it from external threats and unauthorized access. A web-based
CRM system should also be reliable, trusted, and backed up regularly.
Hosting the system on an external third-party service provider's servers (A) or a hybrid-cloud platform
managed by a service provider (B) may not be a concern for the auditor if the service provider has adequate
security measures and service level agreements in place. The auditor should verify the security controls and
contractual terms of the service provider before trusting them with the CRM data.
Hosting the system within a demilitarized zone (DMZ) of a corporate network (C) is a common practice to
provide an extra layer of security to the CRM system from untrusted networks, such as the Internet. A DMZ is
a perimeter network that isolates the CRM system from the internal network and filters the incoming traffic
from the external network using a security gateway.
Hosting the system within an internal segment of a corporate network (D) is a concern for the auditor because
it exposes the CRM system and the internal network to potential attacks from the Internet. The CRM system
should not be directly accessible from the Internet without a DMZ or a firewall to protect it. This could
compromise the confidentiality, integrity, and availability of the CRM data and the internal network.

QUESTION 85
The PRIMARY purpose of audit trails is to:
A. improve response time for users.
B. establish accountability and responsibility for processed transactions.
C. improve the operational efficiency of the system.
D. provide useful information to auditors who may wish to track transactions.

Answer: B
Explanation:
Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by
tracing transactions through the system. The objective of enabling software to provide audit trails is not to
improve system efficiency, since it often involves additional processing which may in fact reduce response
time for users. Enabling audit trails involves storage and thus occupies disk space. Choice D is also a valid
reason; however, it is not the primary reason.

QUESTION 86
Which of the following software tools is often used for stealing money from an infected PC's owner by taking
control of the modem?
A. System patcher
B. Porn dialer
C. War dialer
D. T1 dialer

Answer: B
Explanation:
One way of stealing money from an infected PC's owner is to take control of the modem and dial an expensive
toll call. A dialer such as porn dialer software dials up a premium-rate telephone number and leaves the line
open, charging the toll to the infected user.

QUESTION 87
Which of the following is BEST suited to establish an organization's risk tolerance?
A. Chief audit executive (CAE)
B. Information security officer
C. Information system owner
D. Senior leadership

Answer: D

QUESTION 88
A purpose of project closure is to determine the:
A. potential risks affecting the quality of deliverables.
B. lessons learned for use in future projects.
C. project feasibility requirements.
D. professional expertise of the project manager.

Answer: B

QUESTION 89
An organization wants to replace its suite of legacy applications with a new, in-house developed solution.
Which of the following is the BEST way to address concerns associated with migration of all mission-critical
business functionality?
A. Expedite go-live by migrating in a single release to allow more time for testing in production.
B. Increase testing efforts so that all possible combinations of data have been tested prior to go live.
C. Strengthen governance by hiring certified and qualified project managers for the migration.
D. Plan multiple releases to gradually migrate subsets of functionality to reduce production risk.

Answer: D

QUESTION 90
An IS auditor reviewing the risk assessment process of an organization should FIRST:
A. identify the reasonable threats to the information assets.
B. analyze the technical and organizational vulnerabilities.
C. identify and rank the information assets.
D. evaluate the effect of a potential security breach.

Answer: C
Explanation:
Identification and ranking of information assets (e.g., data criticality, locations of assets) will set the tone or
scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing
each of the organization's assets should be analyzed according to their value to the organization. Third,
weaknesses should be identified so that controls can be evaluated to determine if they mitigate the
weaknesses. Fourth, analyze how these weaknesses, in the absence of the given controls, would impact the
organization's information assets.

QUESTION 91
Processing controls ensure that data is accurate and complete, and is processed only through which of the
following? Choose the BEST answer.
A. Documented routines
B. Authorized routines
C. Accepted routines
D. Approved routines

Answer: B
Explanation:
Processing controls ensure that data is accurate and complete, and is processed only through authorized
routines.

QUESTION 92
Which of the following provides nonrepudiation in an electronic communication session without confidentiality?
A. Message encryption
B. Log-on ID and password
C. Certification authority
D. Digital signature

Answer: D

QUESTION 93
Which of the following types of audit always takes high priority over the others?
A. System audit
B. License audit
C. Application audit
D. Security server audit

Answer: D

QUESTION 94
An IS auditor has discovered that unauthorized customer management software was installed on a
workstation. The auditor determines the software has been uploading customer data to an external party.
Which of the following is the IS auditor's BEST course of action?
A. Present the issue at the next audit progress meeting
B. Determine the number of customer records that were uploaded
C. Review other workstations to determine the extent of the incident
D. Notify the incident response team.

Answer: D

QUESTION 95
Which of the following insurance types provides for a loss arising from fraudulent acts by employees?
A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense

Answer: B
Explanation:
Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees.
Business interruption insurance covers the loss of profit due to the disruption in the operations of an
organization.
Errors and omissions insurance provides legal liability protection in the event that the professional practitioner
commits an act that results in financial loss to a client. Extra expense insurance is designed to cover the extra
costs of continuing operations following a disaster/disruption within an organization.

QUESTION 96
The ultimate purpose of IT governance is to:
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.

Answer: A
Explanation:
IT governance is intended to specify the combination of decision rights and accountability that is best for the
enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome
for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may
be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of
where it might be desired is an enterprise desiring a single point of customer contact.

QUESTION 97
The FIRST step in managing the risk of a cyber attack is to:
A. assess the vulnerability impact.
B. evaluate the likelihood of threats.
C. identify critical information assets.
D. estimate potential damage.

Answer: C
Explanation:
The first step in managing risk is the identification and classification of critical information resources (assets).
Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and
calculation of potential damages.

QUESTION 98
After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit.
This evidence indicates that a procedural control may have failed and could contradict a conclusion of the
audit. Which of the following risks is MOST affected by this oversight?
A. Operational
B. Financial
C. Inherent
D. Audit

Answer: D

QUESTION 99
Which of the following is the BEST sampling method to ensure only active users have access to critical
systems?
A. Compliance testing
B. Difference estimation
C. Substantive testing
D. Unstratified mean per unit

Answer: A

QUESTION 100
Which of the following should be the GREATEST concern to an IS auditor evaluating an organization's
policies?
A. Policies are not formally approved by the management.
B. Policies are nor formally acknowledged and signed by employees.
C. Policies do not provide adequate protection to the organization.
D. Policies are not reviewed and updated frequently.
Answer: C

QUESTION 101
IT best practices for the availability and continuity of IT services should:
A. minimize costs associated with disaster-resilient components.
B. provide for sufficient capacity to meet the agreed upon demands of the business.
C. provide reasonable assurance that agreed upon obligations to customers can be met.
D. produce timely performance metric reports.

Answer: C
Explanation:
It is important that negotiated and agreed commitments (i.e., service level agreements [SLAs]) can be fulfilled
all the time. If this were not achievable, IT should not have agreed to these requirements, as entering into
such a commitment would be misleading to the business. 'All the time' in this context directly relates to the
'agreed obligations' and does not imply that a service has to be available 100 percent of the time. Costs are a
result of availability and service continuity management and may only be partially controllable. These costs
directly reflect the agreed upon obligations. Capacity management is a necessary, but not sufficient, condition
of availability.
Despite the possibility that a lack of capacity may result in an availability issue, providing the capacity
necessary for seamless operations of services would be done within capacity management, and not within
availability management. Generating reports might be a task of availability and service continuity
management, but that is true for many other areas of interest as well (e.g., incident, problem, capacity and
change management).

QUESTION 102
Which of the following is the MOST critical and contributes the greatest to the quality of data in a data
warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the data transformation

Answer: A
Explanation:
Accuracy of source data is a prerequisite for the quality of the data in a data warehouse.
Credibility of the data source, accurate extraction processes and accurate transformation routines are all
important, but would not change inaccurate data into quality (accurate) data.

QUESTION 103
With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST
concern to an IS auditor?
A. Outsourced activities are core and provide a differentiated advantage to the organization.
B. Periodic renegotiation is specified in the outsourcing contract.
C. The outsourcing contract fails to cover every action required by the arrangement.
D. Similar activities are outsourced to more than one vendor.

Answer: A
Explanation:
An organization's core activities generally should not be outsourced, because they are what the organization
does best; an IS auditor observing that should be concerned. An IS auditor should not be concerned about the
other conditions because specification of periodic renegotiation in the outsourcing contract is a best practice.
Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved,
while multi-sourcing is an acceptable way to reduce risk.

QUESTION 104
During an external assessment of network vulnerability, which of the following activities should be performed
FIRST?
A. Collect network information
B. Review policies
C. Monitor the network
D. Implement an intrusion detection system (IDS)

Answer: A

QUESTION 105
An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned
if:
A. IDS sensors are placed outside of the firewall.
B. a behavior-based IDS is causing many false alarms.
C. a signature-based IDS is weak against new types of attacks.
D. the IDS is used to detect encrypted traffic.

Answer: D
Explanation:
An intrusion detection system (IDS) cannot detect attacks within encrypted traffic, and it would be a concern if
someone was misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization
can place sensors outside of the firewall to detect attacks.
These sensors are placed in highly sensitive areas and on extranets. Causing many false alarms is normal for
a behavior-based IDS, and should not be a matter of concern. Being weak against new types of attacks is
also expected from a signature-based IDS, because it can only recognize attacks that have been previously
identified.

QUESTION 106
A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy
enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.

Answer: B
Explanation:
Besides being a good practice, laws and regulations may require that an organization keep information that
has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in
the same regard as the official form of classic 'paper' makes the retention of corporate e-mail a necessity. All
e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy
should address the retention of messages, considering both known and unforeseen litigation. The policy
should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of
the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery,
rebuilding and reuse.

QUESTION 107
Identify the correct sequence of Business Process Reengineering (BPR) application steps from the given
choices below?
A. Envision, Initiate, Diagnose, Redesign, Reconstruct and Evaluate
B. Initiate, Envision, Diagnose, Redesign, Reconstruct and Evaluate
C. Envision, Diagnose, Initiate, Redesign, Reconstruct and Evaluate
D. Evaluate, Envision, Initiate, Diagnose, Redesign, Reconstruct

Answer: A
Explanation:
The correct sequence of BPR application steps is Envision, Initiate, Diagnose, Redesign, Reconstruct and
Evaluate.

QUESTION 108
After initial investigation, an IS auditor has reasons to believe that fraud may be present.
The IS auditor should:
A. expand activities to determine whether an investigation is warranted
B. report the matter to the audit committee.
C. report the possibility of fraud to top management and ask how they would like to proceed.
D. consult with external legal counsel to determine the course of action to be taken.

Answer: A
Explanation:
An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any
additional action is necessary or whether an investigation should be recommended.
The IS auditor should notify the appropriate authorities within the organization only if it has determined that
the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have
authority to consult with external legal counsel.

QUESTION 109
Which of the following is a passive attack to a network?
A. Message modification
B. Masquerading
C. Denial of service
D. Traffic analysis

Answer: D
Explanation:
The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to
guess the type of communication taking place. Message modification involves the capturing of a message and
making unauthorized changes or deletions, changing the sequence or delaying transmission of captured
messages. Masquerading is an active attack in which the intruder presents an identity other than the original
identity. Denial of service occurs when a computer connected to the lnternet is flooded with data and/or
requests that must be processed.

QUESTION 110
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's
information security controls, an information security manager should FIRST:
A. conduct a risk assessment.
B. perform a gap analysis.
C. conduct a cost-benefit analysis.
D. interview senior management.

Answer: B

QUESTION 111
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's
information security program?
A. The program was not formally signed off by the sponsor.
B. Key performance indicators (KPIs) are not established.
C. Not all IT staff are aware of the program.
D. The program was last updated five years ago.

Answer: B

QUESTION 112
Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations support staff are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.

Answer: A
Explanation:
Production programs are used for processing an enterprise's data. It is imperative that controls on changes to
production programs are stringent. Lack of control in this area could result in application programs being
modified to manipulate the data. Application programmers are required to implement changes to test
programs. These are used only in development and do not directly impact the live processing of data. The
implementation of changes to batch schedules by operations support staff will affect the scheduling of the
batches only; it does not impact the live data. Database administrators are required to implement changes to
data structures. This is required for reorganization of the database to allow for additions, modifications or
deletions of fields or tables in the database.

QUESTION 113
Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check

Answer: B
Explanation:
A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the
original data have not been altered, e.g., an incorrect, but valid, value substituted for the original. This control
is effective in detecting transposition and transcription errors. A range check is checking data that matches a
predetermined range of values. A validity check is programmed checking of the data validity in accordance
with predetermined criteria. In a duplicate check, new or fresh transactions are matched to those previously
entered to ensure that they are not already in the system.

QUESTION 114
Which of the following should an IS auditor review to determine user permissions that have been granted for a
particular resource?
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs

Answer: B
Explanation:
IS auditors should review access-control lists (ACL) to determine user permissions that have been granted for
a particular resource.

QUESTION 115
The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers
because they:
A. are recommended by security standards.
B. can limit Telnet and traffic from the open Internet.
C. act as filters between the world and the network.
D. can detect cyberattacks.

Answer: B
Explanation:
The use of access control lists (ACLs) can limit Telnet and traffic from the open Internet, and they act as filters
between the world and the network. This makes them effective in mitigating security risk for routers as they
can restrict unauthorized access to the network and protect it from external threats.

QUESTION 116
Which of the following statements is NOT true about Voice-Over IP (VoIP)?
A. VoIP uses circuit switching technology
B. Lower cost per call or even free calls, especially for long distance call
C. Lower infrastructure cost
D. VoIP is a technology where voice traffic is carried on top of existing data infrastructure

Answer: A

QUESTION 117
Which of the following types of network service stores information about the various resources in a central
database on a network and helps network devices locate services?
A. DHCP
B. DNS
C. Directory Service
D. Network Management

Answer: C
Explanation:
A directory service is the software system that stores, organizes and provides access to information in a
directory. In software engineering, a directory is a map between names and values. It allows the lookup of
values given a name, similar to a dictionary. As a word in a dictionary may have multiple definitions, in a
directory, a name may be associated with multiple, different pieces of information. Likewise, as a word may
have different parts of speech and different definitions, a name in a directory may have many different types of
data.

QUESTION 118
Which of the following internet security threats could compromise integrity?
A. Theft of data from the client
B. Exposure of network configuration information
C. A Trojan horse browser
D. Eavesdropping on the net

Answer: C
Explanation:
Internet security threats/vulnerabilities to integrity include a Trojan horse, which could modify user data,
memory and messages found in client-browser software. The other options compromise confidentiality.

QUESTION 119
Host Based ILD&P primarily addresses the issue of:
A. information integrity
B. information accuracy
C. information validity
D. information leakage

Answer: D
Explanation:
Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems
designed to detect and prevent the unauthorized transmission of information from the computer systems of an
organization to outsiders. Network ILD&P are gateway-based systems installed on the organization's internet
network connection and analyze network traffic to search for unauthorized information transmissions. Host
Based ILD&P systems run on end-user workstations to monitor and control access to physical devices and
access information before it has been encrypted.

QUESTION 120
In which of the following WAN message transmission techniques do two network nodes establish a
dedicated communications channel through the network before the nodes may communicate?
A. Message Switching
B. Packet switching
C. Circuit switching
D. Virtual Circuits

Answer: C

QUESTION 121
An IS auditor finds that conference rooms have active network ports. Which of the following is MOST
important to ensure?
A. The corporate network is using an intrusion prevention system (IPS)
B. This part of the network is isolated from the corporate network
C. A single sign-on has been implemented in the corporate network
D. Antivirus software is in place to protect the corporate network

Answer: B
Explanation:
If the conference rooms have access to the corporate network, unauthorized users may be able to connect to
the corporate network; therefore, both networks should be isolated either via a firewall or being physically
separated. An IPS would detect possible attacks, but only after they have occurred. A single sign-on would
ease authentication management. Antivirus software would reduce the impact of possible viruses; however,
unauthorized users would still be able to access the corporate network, which is the biggest risk.

QUESTION 122
In computer forensics, which of the following is the process that produces a bit-for-bit copy of data to avoid
damage to the original data or information when multiple analyses may be performed?
A. Imaging
B. Extraction
C. Data Protection
D. Data Acquisition

Answer: A
Explanation:
Imaging is the process that allows one to obtain a bit-for-bit copy of data to avoid damage to the original
data or information when multiple analyses may be performed. The imaging process is performed to obtain residual
data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis.
This is possible because imaging duplicates the disk surface, sector by sector.
The following were incorrect answers:
Extraction - This process consists of identification and selection of data from the imaged data set.
This process should include standards of quality, integrity and reliability.
Data Protection - To prevent sought-after information from being altered, all measures must be in place. It is
important to establish a specific protocol to inform appropriate parties that electronic evidence will be sought
and not destroyed by any means.
Data Acquisition - All information and data required should be transferred into a controlled location; this includes
all types of electronic media such as fixed disk drives and removable media. Each device must be checked to
ensure that it is write protected. This may be achieved by using a device known as a write blocker.

QUESTION 123
Which of the following IS audit findings should be of GREATEST concern when preparing to migrate to a new
core system using a direct cut-over?
A. Incomplete test cases for some critical reports
B. Informal management approval to go live
C. Lack of a rollback strategy for the system go-live
D. Plans to use some workarounds for an extended period after go-live

Answer: C

QUESTION 124
An IS auditor has completed an audit on the organization's IT strategic planning process. Which of the
following findings should be given the HIGHEST priority?
A. The IT strategic plan was completed prior to the formulation of the business strategic plan
B. The IT strategic plan was formulated based on the current IT capabilities.
C. Assumptions in the IT strategic plan have not been communicated to business stakeholders
D. The IT strategic plan does not include resource requirements for implementation.

Answer: A

QUESTION 125
When reviewing an active project, an IS auditor observed that, because of a reduction in anticipated benefits
and increased costs, the business case was no longer valid. The IS auditor should recommend that the:
A. project be discontinued.
B. business case be updated and possible corrective actions be identified.
C. project be returned to the project sponsor for reapproval.
D. project be completed and the business case be updated later.

Answer: B
Explanation:
An IS auditor should not recommend discontinuing or completing the project before reviewing an updated
business case. The IS auditor should recommend that the business case be kept current throughout the
project since it is a key input to decisions made throughout the life of any project.

QUESTION 126
Which of the following virus prevention techniques can be implemented through hardware?
A. Remote booting
B. Heuristic scanners
C. Behavior blockers
D. Immunizers

Answer: A
Explanation:
Remote booting (e.g., diskless workstations) is a method of preventing viruses, and can be implemented
through hardware. Choice C is a detection, not a prevention, although it is hardware-based.
Choices B and D are not hardware-based.

QUESTION 127
What is the MOST critical finding when reviewing an organization's information security management?
A. No dedicated security officer
B. No employee awareness training and education program
C. No periodic assessments to identify threats and vulnerabilities
D. No official charter for the information security management system

Answer: B

QUESTION 128
Of the following, who should approve a release to a critical application that would make the application
inaccessible for 24 hours?
A. Chief information security officer (CISO)
B. Project manager
C. Business process owner
D. Data custodian

Answer: C

QUESTION 129
An IS auditor is reviewing the results of a business process improvement project. Which of the following
should be performed FIRST?
A. Develop compensating controls.
B. Document the impact of control weaknesses in the process.
C. Evaluate control gaps between the old and the new processes.
D. Ensure that lessons learned during the change process are documented.

Answer: C

QUESTION 130
A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a metropolitan area network (MAN).
D. two segments of a single LAN.

Answer: D
Explanation:
A hub is a device that connects two segments of a single LAN. A hub is a repeater. It provides transparent
connectivity to users on all segments of the same LAN. It is a level 1 device.

QUESTION 131
Which of the following is a key success factor for implementing IT governance?
A. Embedding quality assurance processes
B. Establishing an IT governance committee
C. Delivering IT projects within budget
D. Aligning IT and business strategies

Answer: D

QUESTION 132
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
A. enrollment.
B. identification.
C. verification.
D. storage.

Answer: A
Explanation:
The users of a biometrics device must first be enrolled in the device. The device captures a physical or
behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a
string of numbers stored as a template to be used in the matching processes.

QUESTION 133
A computer system is no more secure than the human systems responsible for its operation.
Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage
of the carelessness of trusted individuals, or by deliberately deceiving them. Zombie computers are being
HEAVILY relied upon on by which of the following types of attack?
A. Eavesdropping
B. APT
C. DDoS
D. Social Engineering

Answer: C
Explanation:
"Distributed denial of service (DDoS) attacks are common, where a large number of compromised hosts
("zombie computers") are used to flood a target system with network requests, thus attempting to render it
unusable through resource exhaustion."

QUESTION 134
During the audit of an acquired software package, an IS auditor learned that the software purchase was
based on information obtained through the Internet, rather than from responses to a request for proposal
(RFP). The IS auditor should FIRST:
A. test the software for compatibility with existing hardware.
B. perform a gap analysis.
C. review the licensing policy.
D. ensure that the procedure had been approved.

Answer: D
Explanation:
In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure
followed for acquiring the software is consistent with the business objectives and has been approved by the
appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps
that may or may not be taken after determining that the procedure used to acquire the software had been
approved.

QUESTION 135
Which of the following is the MOST reliable network connection medium in an environment where there is
strong electromagnetic interference?
A. Coaxial cable
B. Fiber optic cable
C. Shielded twisted-pair cable
D. Wireless link

Answer: B

QUESTION 136
A bank has implemented a new accounting system. Which of the following is the BEST time for an IS auditor
to perform a post-implementation review?
A. After the first reporting cycle
B. After user acceptance testing (UAT) is completed
C. One full year after go-live
D. As close to go-live as possible

Answer: D

QUESTION 137
An IS auditor is performing a network security review of a telecom company that provides Internet connection
services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security
(WTLS) and Secure Sockets Layer (SSL) technology for protecting their customer's payment information. The
IS auditor should be MOST concerned if a hacker:
A. compromises the Wireless Application Protocol (WAP) gateway.
B. installs a sniffing program in front of the server.
C. steals a customer's smart device.
D. listens to the wireless transmission.

Answer: A
Explanation:
In a WAP gateway, the encrypted messages from customers must be decrypted to transmit over the Internet
and vice versa. Therefore, if the gateway is compromised, all of the messages would be exposed.
SSL protects the messages from sniffing on the Internet, limiting disclosure of the customer's information.
WTLS provides authentication, privacy and integrity and prevents messages from eavesdropping.

QUESTION 138
Who is responsible for ensuring that system controls and supporting processes provide an effective level of
protection, based on the data classification set in accordance with corporate security policies and procedures?
A. Project Sponsor
B. Security Officer
C. User Management
D. Senior Management

Answer: B
Explanation:
The Security Officer ensures that system controls and supporting processes provide an effective level of
protection, based on the data classification set in accordance with corporate security policies and procedures,
and consults throughout the life cycle on appropriate security measures that should be incorporated into the
system.
The following were incorrect answers:
Project Sponsor - The project sponsor provides funding for the project and works closely with the project manager
to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that
success is translated into measurable and quantifiable terms. Data and application ownership are assigned to a
project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that
the application will support.
User Management - Assumes ownership of the project and resulting system, allocates qualified
representatives to the team, and actively participates in business process redesign, system requirement
definitions, test case development, acceptance testing and user training.
Senior Management - Demonstrates commitment to the project and approves the necessary resources to
complete the project. This commitment from senior management helps ensure involvement by those needed
to complete the project.

QUESTION 139
The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?
A. Control
B. Prevention
C. Inherent
D. Detection

Answer: D

QUESTION 140
An organization offers an online information security awareness program to employees on an annual basis.
Which of the following findings from an audit of the program should be the IS auditor's GREATEST concern?
A. The post-training test content is two years old.
B. Training completion is not mandatory for staff
C. Employees have complained about the length of the program
D. New employees are given three months to complete the training.

Answer: B

QUESTION 141
An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor
intends to launch an intensive investigation if one exception is found. Which sampling method would be
appropriate?
A. Judgmental sampling
B. Stratified sampling
C. Discovery sampling
D. Variable sampling

Answer: C

QUESTION 142
During a post-implementation review of an enterprise resource management system, an IS auditor would
MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.

Answer: A
Explanation:
Reviewing access control configuration would be the first task performed to determine whether security has
been appropriately mapped in the system. A post-implementation review is done after user acceptance
testing and actual implementation, and would not engage in interface testing or detailed design
documentation. Evaluating interface testing would be part of the implementation process. The issue of
reviewing detailed design documentation is not generally relevant to an enterprise resource management
system, since these are usually vendor packages with user manuals. System testing should be performed
before final user sign-off.

QUESTION 143
Which of the following controls BEST mitigates the impact of a distributed denial of service (DDoS) attack
against the controller in a software-defined network (SDN)?
A. Implementing multiple physical SDN controllers
B. Implementing configuration management for SDN controllers
C. Hardening the operating system that hosts the SDN controller
D. Relocating virtualized network functions to physical infrastructure

Answer: A

QUESTION 144
Which of the following is an IS auditor's BEST recommendation to help an organization increase the efficiency
of computing resources?
A. Hardware upgrades
B. Virtualization
C. Real-time backups
D. Overclocking the central processing unit (CPU)

Answer: B

QUESTION 145
Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS
department?
A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs

Answer: A
Explanation:
The IS department should specifically consider the manner in which resources are allocated in the short term.
Investments in IT need to be aligned with top management strategies, rather than focusing on technology for
technology's sake. Conducting control self-assessments and evaluating hardware needs are not as critical as
allocating resources during short-term planning for the IS department.

QUESTION 146
Which of the following controls would an IS auditor look for in an environment where duties cannot be
appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

Answer: D
Explanation:
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential
control weakness that may arise when duties cannot be appropriately segregated.
Overlapping controls are two controls addressing the same control objective or exposure. Since primary
controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install
overlapping controls. Boundary controls establish the interface between the would-be user of a computer
system and the computer system itself, and are individual-based, not role-based, controls. Access controls for
resources are based on individuals and not on roles.

QUESTION 147
What type of cryptosystem is characterized by data being encrypted by the sender using the recipient's public
key, and the data then being decrypted using the recipient's private key?
A. With public-key encryption, or symmetric encryption
B. With public-key encryption, or asymmetric encryption
C. With shared-key encryption, or symmetric encryption
D. With shared-key encryption, or asymmetric encryption

Answer: B
Explanation:
With public key encryption or asymmetric encryption, data is encrypted by the sender using the recipient's
public key; the data is then decrypted using the recipient's private key.

QUESTION 148
Which of the following is the BEST way to determine if IT is delivering value to the business?
A. Distribute surveys to various end users of IT services.
B. Interview key IT managers and service providers.
C. Review IT service level agreement (SLA) metrics.
D. Analyze downtime frequency and duration.

Answer: C
Explanation:
A service level agreement (SLA) is a written document that officially describes, in non-technical terms, the
details of the services provided by the IT department (internal or external) to its customers. The aim of an SLA
is to maintain and improve customer satisfaction to an agreed level, so its metrics are the most direct evidence
of whether IT is delivering the value the business agreed to.

QUESTION 149
An internal audit department reports directly to the chief financial officer (CFO) of an organization.
This MOST likely leads to
A. concern over the independence of the auditor.
B. audit findings becoming more business-oriented
C. audit recommendations receiving greater attention
D. biased audit findings and recommendations

Answer: A

QUESTION 150
The MAJOR reason for replacing checks with electronic funds transfer (EFT) systems in the accounts payable
area is to:
A. increase organizational credibility.
B. increase the efficiency of the payment process.
C. decrease the number of paper-based payment forms.
D. decrease the risk of unauthorized changes to payment transactions.

Answer: B

QUESTION 151
Which of the following layers of an enterprise data flow architecture represents subsets of information from the
core data warehouse?
A. Presentation layer
B. Desktop Access Layer
C. Data Mart layer
D. Data access layer

Answer: C
Explanation:
Data mart layer: a data mart is a subset of information from the core data warehouse (DW), selected and
organized to meet the needs of a particular business unit or business line. Data marts can be relational
databases or some form of online analytical processing (OLAP) data structure.
For the CISA exam you should know about business intelligence.
The following were incorrect answers:
Desktop access layer (presentation layer): the layer where end users directly deal with information. It includes
familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suites offered by
vendors such as Cognos and Business Objects, and purpose-built applications such as balanced scorecards
and digital dashboards.
Data access layer: connects the data storage and quality layer with the data stores in the data source layer
and, in the process, avoids the need to know exactly how those data stores are organized. Technology now
permits SQL access to data even if it is not stored in a relational database.

QUESTION 152
Identify the network topology shown in the diagram below:
[Figure: Network Topology (image not reproduced)]
A. Bus
B. Star
C. Ring
D. Mesh

Answer: D
For your exam you should know the information below related to LAN topologies:
LAN Topologies
Network topology is the physical arrangement of the various elements (links, nodes, etc.) of a computer
network.
Essentially, it is the topological structure of a network, and may be depicted physically or logically.
Physical topology refers to the placement of the network's various components, including device location and
cable installation, while logical topology shows how data flows within a network, regardless of its physical
design.
Distances between nodes, physical interconnections, transmission rates, and/or signal types may differ
between two networks, yet their topologies may be identical.

QUESTION 153
When designing metrics for information security, the MOST important consideration is that the metrics:
A. are easy to understand.
B. track trends over time.
C. provide actionable data.
D. apply to all business units.

Answer: C

QUESTION 154
The MOST significant reason for using key performance indicators (KPIs) to track the progress of IT projects
against initial targets is that they:
A. influence management decisions to outsource IT projects
B. identify which projects may require additional funding
C. provide timely indication of when corrective actions need to be taken
D. identify instances where increased stakeholder engagement is required

Answer: D

QUESTION 155
Which of the following are designed to detect network attacks in progress and assist in post-attack forensics?
A. Intrusion Detection Systems
B. Audit trails
C. System logs
D. Tripwire

Answer: A
Explanation:
Intrusion Detection Systems are designed to detect network attacks in progress and assist in post-attack
forensics, while audit trails and logs serve a similar function for individual systems.

QUESTION 156
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of
an EFT system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own
messages

Answer: A
Explanation:
The ability of one individual to capture and verify messages represents an inadequate segregation, since
messages can be taken as correct and as if they had already been verified.

QUESTION 157
Which of the following should concern an IS auditor when reviewing security in a client- server environment?
A. Protecting data using an encryption technique
B. Preventing unauthorized access using a diskless workstation
C. The ability of users to access and modify the database directly
D. Disabling floppy drives on the users' machines

Answer: C
Explanation:
For the purpose of data security in a client-server environment, an IS auditor should be concerned with the
user's ability to access and modify a database directly. This could affect the integrity of the data in the
database. Data protected by encryption aid in securing the data.
Diskless workstations prevent copying of data into local disks and thus help to maintain the integrity and
confidentiality of data. Disabling floppy drives is a physical access control, which helps to maintain the
confidentiality of data by preventing it from being copied onto a disk.

QUESTION 158
A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a
risk. To evaluate the potential losses, the team should:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.

Answer: C
Explanation:
The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in
which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a
very low impact to the business and five is a very high impact). An ROI is computed when there are predictable
savings or revenues that can be compared to the investment needed to realize them.
Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time
needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate
potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not
likely to change, and at the end of the day the result will be a poorly supported evaluation.

QUESTION 159
An online retailer is receiving customer complaints about receiving different items from what they ordered on the
organization's website. The root cause has been traced to poor data quality. Despite efforts to clean
erroneous data from the system, multiple data quality issues continue to occur. Which of the following
recommendations would be the BEST way to reduce the likelihood of future occurrences?
A. Implement business rules to validate employee data entry.
B. Invest in additional employee training for data entry.
C. Assign responsibility for improving data quality.
D. Outsource data cleansing activities to reliable third parties.

Answer: A

QUESTION 160
Default permit is only a good approach in an environment where:
A. security threats are non-existent or negligible.
B. security threats are non-negligible.
C. security threats are serious and severe.
D. users are trained.

Answer: A
Explanation:
"Everything not explicitly permitted is forbidden" (default deny) improves security at a cost in functionality.
This is a good approach if you have lots of security threats. On the other hand, "Everything not explicitly
forbidden is permitted" (default permit) allows greater functionality by sacrificing security. This is only a good
approach in an environment where security threats are non-existent or negligible.
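
To make the difference concrete, the following added example (not part of the original question bank) evaluates one small first-match rule set under each default action and reports which probed services get through. The rules, ports and protocols are constructed sample values.

```python
"""Same rule set, two default actions: what gets through under each.

Added example; the rules and probe list are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches every port


def matches(rule: Rule, proto: str, port: int) -> bool:
    return rule.proto in ("any", proto) and rule.port in (None, port)


def evaluate(rules: List[Rule], default: str, proto: str, port: int) -> str:
    """First matching rule wins; if nothing matches, the default action applies."""
    for rule in rules:
        if matches(rule, proto, port):
            return rule.action
    return default


# Explicit rules an administrator wrote (constructed sample).
RULES = [
    Rule("permit", "tcp", 443),   # HTTPS
    Rule("permit", "tcp", 22),    # SSH
    Rule("deny", "tcp", 23),      # telnet was remembered and denied explicitly
]

# Services nobody wrote a rule for are where the two defaults diverge (constructed probes).
PROBES = [("tcp", 443), ("tcp", 22), ("tcp", 23), ("tcp", 3389), ("udp", 161)]


def exposure(rules: List[Rule], default: str, probes=PROBES) -> Set[Tuple[str, int]]:
    """Set of (proto, port) probes that are permitted under the given default action."""
    return {p for p in probes if evaluate(rules, default, *p) == "permit"}


if __name__ == "__main__":
    for default in ("deny", "permit"):
        print(f"default {default}: reachable = {sorted(exposure(RULES, default))}")
```

Under default deny only the two explicitly permitted services are reachable; under default permit the forgotten RDP and SNMP ports are reachable as well, which is exactly the functionality-for-security trade the explanation describes.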

QUESTION 161
In a multinational organization, local security regulations should be implemented over global security policy
because:
A. global security policies include unnecessary controls for local businesses
B. business objectives are defined by local business unit managers
C. requirements of local regulations take precedence
D. deploying awareness of local regulations is more practical than of global policy

Answer: C
Section: Governance and Management of IT

QUESTION 162
An employee has accidentally posted confidential data to the company's social media page.
Which of the following is the BEST control to prevent this from recurring?
A. Perform periodic audits of social media updates.
B. Establish two-factor access control for social media accounts.
C. Require all updates to be made by the marketing director.
D. Implement a moderator approval process.

Answer: D

QUESTION 163
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done
FIRST?
A. Review IT staff job descriptions for alignment
B. Include strategic objectives and IT staff performance objectives
C. Identify required IT skill sets that support key business processes
D. Develop quarterly training for each IT staff member.

Answer: C

QUESTION 164
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours
of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with
the regulation?
A. Include the requirement in the incident management response plan.
B. Establish key performance indicators (KPIs) for timely identification of security incidents.
C. Enhance the alert functionality of the intrusion detection system (IDS).
D. Engage an external security incident response expert for incident handling.

Answer: A

QUESTION 165
Which of the following is BEST characterized by unauthorized modification of data before or during systems
data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack

Answer: A
Explanation:
Data diddling involves modifying data before or during systems data entry.

QUESTION 166
Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery
made between two companies?
A. Developments may result in hardware and software incompatibility.
B. Resources may not be available when needed.
C. The recovery plan cannot be tested.
D. The security infrastructures in each company may be different.

Answer: A
Explanation:
If one organization updates its hardware and software configuration, it may mean that it is no longer
compatible with the systems of the other party in the agreement. This may mean that each company is unable
to use the facilities at the other company to recover their processing following a disaster.
Resources being unavailable when needed are an intrinsic risk in any reciprocal agreement, but this is a
contractual matter and is not the greatest risk. The plan can be tested by paper-based walkthroughs, and
possibly by agreement between the companies. The difference in security infrastructures, while a risk, is not
insurmountable.

QUESTION 167
Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code

Answer: C
Explanation:
Digital certificates are issued by a trusted third party (a certificate authority). The message sender attaches
the certificate and the recipient can verify its authenticity against the certificate repository. Asymmetric
cryptography on its own appears to authenticate the sender, but without a certificate binding the public key to
an identity it is vulnerable to a man-in-the-middle attack that substitutes keys. Digital signatures provide
authentication, integrity and non-repudiation (not confidentiality), but the identity behind the signing key is still
confirmed by the digital certificate. A message authentication code is used for message integrity verification;
because it relies on a key shared by both parties, it cannot prove to a third party which of them sent the message.
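
A worked illustration of Q147 and Q167 above (encrypt with the recipient's public key and decrypt with the private key; signature versus message authentication code), added here as an example and not part of the original question bank. It uses textbook RSA with the tiny primes p = 61, q = 53 and exponent e = 17 (assumed values, unpadded and insecure, for illustration only) and HMAC-SHA256 from the Python standard library.

```python
"""Toy public-key encryption, digital signature and MAC.

Textbook RSA with tiny primes: NOT secure, NOT padded; the values are
assumed for illustration only (the classic p=61, q=53, e=17 example).
"""
import hashlib
import hmac

P, Q, E = 61, 53, 17


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((e, n), (d, n)); d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def encrypt(m, public_key):
    """Q147: the sender encrypts with the RECIPIENT's public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c, private_key):
    """Only the holder of the matching private key can recover m."""
    d, n = private_key
    return pow(c, d, n)


def _digest_mod_n(message, n):
    """Hash the message and reduce it into the RSA group (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Q167: the sender signs with ITS OWN private key."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone holding the sender's public key can check the signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def mac(message, shared_key):
    """HMAC-SHA256: integrity check using a key both parties share."""
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def verify_mac(message, tag, shared_key):
    return hmac.compare_digest(mac(message, shared_key), tag)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair()          # Alice is recipient and signer
    c = encrypt(65, alice_pub)                      # anyone can encrypt to Alice
    print("ciphertext", c, "decrypts to", decrypt(c, alice_priv))

    msg = b"transfer 100 to account 42"             # constructed sample message
    sig = sign(msg, alice_priv)
    print("signature verifies:", verify(msg, sig, alice_pub))
    print("altered signature verifies:", verify(msg, (sig + 1) % alice_pub[1], alice_pub))

    k = b"shared-secret"                            # constructed shared key
    tag = mac(msg, k)
    # Both ends hold k, so the receiver can compute the identical tag: a MAC
    # cannot show a third party which of the two parties produced the message.
    print("receiver reproduces the same tag:", mac(msg, k) == tag)
```

The asymmetry is the point: only Alice's private key decrypts what was encrypted to her public key, and only her private key produces a signature her public key accepts, whereas the MAC key is symmetric, so a valid tag proves integrity but not which key holder sent the message.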

QUESTION 168
Which of the following must exist to ensure the viability of a duplicate information processing facility?
A. The site is near the primary site to ensure quick and efficient recovery.
B. The site contains the most advanced hardware available.
C. The workload of the primary site is monitored to ensure adequate backup is available.
D. The hardware is tested when it is installed to ensure it is working properly.

Answer: C
Explanation:
Resource availability must be assured. The workload of the site must be monitored to ensure that availability
for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster
as the primary site. In addition, a reasonable compatibility of hardware/software must exist to serve as a basis
for backup. The latest or newest hardware may not adequately serve this need. Testing the hardware when
the site is established is essential, but regular testing of the actual backup data is necessary to ensure the
operation will continue to perform as planned.

QUESTION 169
The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:
A. prevent omission or duplication of transactions.
B. ensure smooth data transition from client machines to servers.
C. ensure that e-mail messages have accurate time stamps.
D. support the incident investigation process.

Answer: D
Explanation:
During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them
is useful. If the clocks are not synchronized, investigations will be more difficult because a time line of events
might not be easily established. Time-stamping a transaction has nothing to do with the update itself.
Therefore, the possibility of omission or duplication of transactions does not exist. Data transfer has nothing to
do with the time stamp.
While the time stamp on an e-mail may not be accurate, this is not a significant issue.

QUESTION 170
When reviewing a disaster recovery plan (DRP), an IS auditor should examine the:
A. access to the computer site by backup staff.
B. offsite data file storage.
C. uninterruptible power supply (UPS).
D. fire-fighting equipment.

Answer: B

QUESTION 171
One advantage of monetary unit sampling is the fact that:
A. results are stated in terms of the frequency of items in error
B. it increases the likelihood of selecting material items from the population
C. large-value population items are segregated and audited separately
D. it can easily be applied manually when computer resources are not available

Answer: B

QUESTION 172
An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST
course of action for the IS auditor would be to:
A. retain comments as findings for the audit report.
B. request at least one other alternative.
C. comment on the criteria used to assess the alternatives.
D. identify the best alternative.

Answer: C

QUESTION 173
An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days
of termination. The IS auditor should:
A. report that the control is operating effectively since deactivation happens within the time frame stated in the
IS policy.
B. verify that user access rights have been granted on a need-to-have basis.
C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
D. recommend that activity logs of terminated users be reviewed on a regular basis.

Answer: C
Explanation:
Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the
adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for
deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes
to the policy. Though the deactivation happens as stated in the policy, it cannot be concluded that the control
is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying
that user access rights have been granted on a need-to-have basis is necessary when permissions are
granted.
Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but
not as effective as deactivation upon termination.

QUESTION 174
An online retailer is receiving customer complaints about receiving different items from what they ordered on
the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean
erroneous data from the system, multiple data quality issues continue to occur. Which of the following
recommendations would be the BEST way to reduce the likelihood of future occurrences?
A. Assign responsibility for improving data quality.
B. Outsource data cleansing activities to reliable third parties.
C. Invest in additional employee training for data entry.
D. Implement business rules to validate employee data entry.

Answer: D

QUESTION 175
Which of the following should be an IS auditor's GREATEST concern when evaluating a cybersecurity incident
response plan?
A. The plan has not been recently tested
B. Stakeholder contact details are not up to date
C. Roles and responsibilities are not detailed for each process
D. The plan does not include incident response metrics

Answer: D

QUESTION 176
Which of the following functionalities is NOT performed by the application layer of the TCP/IP model?
A. Print service, application services
B. Data encryption and compression
C. Dialog management
D. End-to-end connection

Answer: D
Explanation:
The word NOT is the keyword in the question: you need to find the functionality that is not performed by the
application layer of the TCP/IP model.
End-to-end connection is a Transport layer functionality in the TCP/IP model.
For your exam you should know the following information about the TCP/IP model:
[Figure: Network Models (image not reproduced)]
Layer 4. Application Layer
The Application layer is the top-most layer of the four-layer TCP/IP model, sitting above the Transport layer. It
defines the TCP/IP application protocols and how host programs interface with Transport layer services to use
the network.
The Application layer includes all the higher-level protocols, such as DNS (Domain Name System), HTTP
(Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol),
SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host
Configuration Protocol), X Windows and RDP (Remote Desktop Protocol).
Layer 3. Transport Layer
Transport Layer is the third layer of the four layer TCP/IP model. The position of the Transport layer is
between Application layer and Internet layer. The purpose of Transport layer is to permit devices on the
source and destination hosts to carry on a conversation. Transport layer defines the level of service and
status of the connection used when transporting data.
The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol).
Layer 2. Internet Layer
The Internet layer is the second layer of the four-layer TCP/IP model, sitting between the Network Access layer
and the Transport layer. It packs data into packets known as IP datagrams, which carry source and destination
address (logical or IP address) information used to forward the datagrams between hosts and across networks.
The Internet layer is also responsible for routing IP datagrams.
A packet-switching network depends on a connectionless internetwork layer, which is the Internet layer. Its job
is to allow hosts to insert packets into any network and have them delivered independently to the destination.
At the destination, packets may arrive in a different order than they were sent; it is the job of the higher layers
to reorder them before delivering them to the network applications operating at the Application layer.
The main protocols at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol),
ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group
Management Protocol).
Layer 1. Network Access Layer
Network Access Layer is the first layer of the four layer TCP/IP model. Network Access Layer defines details
of how data is physically sent through the network, including how bits are electrically or optically signaled by
hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted
pair copper wire.
The protocols included in Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.

The most popular LAN architecture among those listed above is Ethernet. When Ethernet operates on a shared
medium, it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to
access the medium. An access method determines how a host will place data on the medium.
In the CSMA/CD access method, every host has equal access to the medium and can place data on the wire
when the wire is free of network traffic. When a host wants to place data on the wire, it first checks whether
another host is already using the medium. If there is traffic on the medium the host waits; if there is none, it
places its data on the medium. But if two systems place data on the medium at the same instant, the signals
collide and the data is destroyed, so it must be retransmitted. After a collision, each host waits for a small
(randomized) interval and then retransmits.
[Figure: Protocol Data Unit (PDU) per layer (image not reproduced)]
The following answers are incorrect:
The other functionalities described in the options are performed by application layer in TCP/IP model.
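
As an added example (not from the original question bank), the following Python builds one Ethernet/IPv4/TCP frame carrying an HTTP request and then decapsulates it layer by layer, showing what each TCP/IP layer contributes: the application data, the Transport layer's ports and flags (the end-to-end connection), the Internet layer's addresses, TTL and header checksum, and the Network Access layer's MAC addresses and EtherType. All addresses, ports and the request line are constructed sample values; the checksum is the standard RFC 1071 one's-complement sum.

```python
"""Walk one constructed Ethernet/IPv4/TCP frame down and back up the four TCP/IP layers."""
import struct

# Constructed sample values (assumed for the example; 192.0.2.0/24 is documentation space).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.80"
SRC_PORT, DST_PORT = 40000, 80
APP_DATA = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # Application layer PDU: data


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(data: bytes = APP_DATA) -> bytes:
    """Encapsulate: data -> TCP segment -> IP datagram -> Ethernet frame."""
    # Transport layer: 20-byte TCP header (data offset 5 words, flags PSH|ACK = 0x18).
    tcp_header = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + data
    # Internet layer: 20-byte IPv4 header (version 4, IHL 5, TTL 64, protocol 6 = TCP).
    total_len = 20 + len(segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                      ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill checksum field
    datagram = hdr + segment
    # Network Access layer: Ethernet II framing, EtherType 0x0800 = IPv4 (FCS omitted).
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + datagram


def parse_frame(frame: bytes) -> dict:
    """Decapsulate layer by layer and report what each layer contributed."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    datagram = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    checksum_ok = ipv4_checksum(datagram[:ihl]) == 0
    segment = datagram[ihl:total_len]
    if proto != 6:
        raise ValueError("not a TCP segment")
    sport, dport, seq, ack, off_flags, flags = struct.unpack("!HHIIBB", segment[:14])
    data = segment[(off_flags >> 4) * 4:]
    return {
        "network_access": {"ethertype": ethertype, "src_mac": frame[6:12].hex(), "dst_mac": frame[:6].hex()},
        "internet": {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                     "ttl": ttl, "protocol": proto, "checksum_ok": checksum_ok},
        "transport": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": flags},
        "application": {"data": data},
    }


if __name__ == "__main__":
    frame = build_frame()
    for layer, fields in parse_frame(frame).items():
        print(f"{layer:15s} {fields}")
```

Flip a single byte in the IP header of the built frame and `checksum_ok` becomes false, which is the Internet layer's own integrity check; the ports and flags that identify the end-to-end connection live one layer up, in the TCP header, not in the application data.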

QUESTION 177
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels
as required by the client?
A. Periodically review the service level agreement (SLA) with the vendor.
B. Conduct an unannounced vulnerability assessment of vendor's IT systems.
C. Obtain evidence of the vendor's control self-assessment (CSA).
D. Conduct periodic on-site assessments using agreed-upon criteria.

Answer: D

QUESTION 178
During a business continuity audit an IS auditor found that the business continuity plan (BCP) covered only
critical processes. The IS auditor should:
A. recommend that the BCP cover all business processes.
B. assess the impact of the processes not covered.
C. report the findings to the IT manager.
D. redefine critical processes.

Answer: B
Explanation:
The business impact analysis needs to be either updated or revisited to assess the risk of not covering all
processes in the plan. It is possible that the cost of including all processes might exceed the value of those
processes; therefore, they should not be covered. An IS auditor should substantiate this by analyzing the risk.

QUESTION 179
Which of the following should be of MOST concern to an IS auditor reviewing the BCP?
A. The disaster levels are based on scopes of damaged functions, but not on duration.
B. The difference between low-level disaster and software incidents is not clear.
C. The overall BCP is documented, but detailed recovery steps are not specified.
D. The responsibility for declaring a disaster is not identified.

Answer: D
Explanation:
If nobody declares the disaster, the response and recovery plan would not be invoked, making all other
concerns moot. Although failure to consider duration could be a problem, it is not as significant as scope, and
neither is as critical as the need to have someone invoke the plan. The difference between incidents and low-
level disasters is always unclear and frequently revolves around the amount of time required to correct the
damage. The lack of detailed steps should be documented, but their absence does not mean a lack of
recovery, if in fact someone has invoked the plan.

QUESTION 180
Which of the following controls is MOST appropriate against brute force attacks at login?
A. Storing passwords under a one-way hash function
B. Increasing the minimum password length to 10 characters
C. Storing password files using one-way encryption
D. Locking the account after three invalid passwords

Answer: D
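
As an added example (not from the original question bank), the following Python login service shows why option D is the control that actually stops an online brute-force attack: passwords are stored salted and hashed (the protection options A and C describe, which only helps once the password file has already been stolen), but it is the lockout counter that cuts off a guessing loop at the third invalid password. Usernames, passwords and the word list are constructed sample values.

```python
"""Account lockout after three invalid passwords, alongside salted password hashing."""
import hashlib
import hmac
import os

LOCK_THRESHOLD = 3          # lock on the third consecutive invalid password
PBKDF2_ROUNDS = 100_000


class LoginService:
    def __init__(self, threshold: int = LOCK_THRESHOLD):
        self.threshold = threshold
        self._users = {}        # username -> (salt, pbkdf2 hash)   (options A/C)
        self._failures = {}     # username -> consecutive failed attempts
        self._locked = set()    # usernames currently locked        (option D)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def attempt(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        if username in self._locked:
            return "locked"                      # stop even if the guess is right
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal valid usernames.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        if record and hmac.compare_digest(self._hash(password, salt), stored):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.threshold:
            self._locked.add(username)
            return "locked"
        return "denied"


def brute_force(service: LoginService, username: str, wordlist):
    """Online guessing loop; returns (guesses_made, password_found)."""
    for i, guess in enumerate(wordlist, 1):
        result = service.attempt(username, guess)
        if result == "ok":
            return i, True
        if result == "locked":
            return i, False
    return len(wordlist), False


if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("bob", "hunter2")                                  # constructed sample
    print(brute_force(svc, "bob", ["123456", "password", "letmein", "hunter2"]))
```

With the correct password fourth in the list, the attacker is locked out after three guesses and never reaches it; without the counter the same loop would succeed on the fourth try regardless of how the password is stored.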

QUESTION 181
Which of the following observations should be of concern to an IS auditor performing a review of an
organization's IT governance structure?
A. The IT steering committee has oversight of the IT budget.
B. The chief risk officer is also the chief information officer.
C. The chief information officer is prohibited from making capital decisions regarding IT.
D. There are no IT subject matter experts on the board of directors.

Answer: B

QUESTION 182
Phishing attack works primarily through:
A. email and hyperlinks
B. SMS
C. chat
D. file download

Answer: A
Explanation:
Phishing applies to email appearing to come from a legitimate business, requesting "verification" of
information and warning of some dire consequence if it is not done. The message usually contains a link to a
fraudulent web page that looks legitimate and has a form requesting everything from a home address to an
ATM card's PIN.

QUESTION 183
Which of the following is the MOST important consideration for an organization when strategizing to comply
with privacy regulations?
A. Ensuring there are staff members with in-depth knowledge of the privacy regulations
B. Ensuring up-to-date knowledge of where customer data is saved
C. Ensuring regularly updated contracts with third parties that process customer data
D. Ensuring appropriate access to information systems containing privacy information.

Answer: D or B

QUESTION 184
Which of the following is an object-oriented technology characteristic that permits an enhanced degree of
security over data?
A. inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism

Answer: C
Explanation:
Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not
been previously defined as public. This means that any implementation of the behavior of an object is not
accessible. An object defines a communication interface with the exterior and only that which belongs to that
interface can be accessed.

QUESTION 185
An IS auditor needs to consider many factors while evaluating an encryption system. Which of the following is
LEAST important factor to be considered while evaluating an encryption system?
A. Encryption algorithm
B. Encryption keys
C. Key length
D. Implementation language

Answer: D
Explanation:
Implementation language is the LEAST important factor compared with the other options. Encryption algorithm,
encryption keys and key length are key elements of an encryption system. It is important to read the question
carefully: the word "LEAST" is the key word, and you had to find which factor is LEAST important.
The following were incorrect answers:
Other options mentioned are key elements of an Encryption system
Encryption Algorithm - A mathematically based function or calculation that encrypts/decrypts data
Encryption keys - A piece of information that is used within an encryption algorithm (calculation) to make the
encryption or decryption process unique. Similar to passwords, a user needs the correct key to decipher the
message from its unreadable (encrypted) form back into readable form.
Key length - A predetermined length for the key. The longer the key, the more difficult it is to compromise in
brute-force attack where all possible key combinations are tried.

QUESTION 186
Pretexting is an act of:
A. DoS
B. social engineering
C. eavesdropping
D. soft coding

Answer: B
Explanation:
Pretexting is the act of creating and using an invented scenario to persuade a target to release information or
perform an action and is usually done over the telephone. It is more than a simple lie as it most often involves
some prior research or set up and the use of pieces of known information.

QUESTION 187
To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.

Answer: C
Explanation:
Monitoring the time (choice A) and audit progress (choice D), as well as adequate training (choice B), will
improve the IS audit staff's productivity (efficiency and performance), but what delivers value to the
organization is dedicating and focusing resources and effort on the higher-risk areas.

QUESTION 188
Which of the following would BEST help prioritize various projects in an organization's IT portfolio?
A. Industry trends
B. Business cases
C. Total cost of ownership (TCO)
D. Enterprise architecture (EA)

Answer: B

QUESTION 189
Company.com has contracted with an external consulting firm to implement a commercial financial system to
replace its existing in-house developed system. In reviewing the proposed development approach, which of
the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.

Answer: B
Explanation:
A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to
produce such a plan. The quality plan for the proposed development contract should be comprehensive and
encompass all phases of the development and include which business functions will be included and when.
Acceptance is normally managed by the user area, since they must be satisfied that the new system will meet
their requirements. If the system is large, a phased-in approach to implementing the application is a
reasonable approach. Prototyping is a valid method of ensuring that the system will meet business
requirements.

QUESTION 190
Which of the following should an IS auditor review to understand project progress in terms of time, budget and
deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?
A. Function point analysis
B. Earned value analysis
C. Cost budget
D. Program Evaluation and Review Technique

Answer: B
Explanation:
Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given
point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and
budget as the project proceeds. It compares the planned amount of work with what has actually been
completed, to determine if the cost, schedule and work accomplished are progressing in accordance with the
plan. EVA works most effectively if a well-formed work breakdown structure exists. Function point analysis
(FPA) is an indirect measure of software size and complexity and, therefore, does not address the elements of
time and budget. Cost budgets do not address time. PERT aids in time and deliverables management, but
lacks projections for estimates at completion (EACs) and overall financial management.

QUESTION 191
An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.

Answer: C
Explanation:
An organizational chart provides information about the responsibilities and authority of individuals in the
organization. This helps an IS auditor to know if there is a proper segregation of functions.
A workflow chart would provide information about the roles of different employees. A network diagram will
provide information about the usage of various communication channels and will indicate the connection of
users to the network.

QUESTION 192
An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While
reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there
is a:
A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.

Answer: A
Explanation:
Due to the fact that the two systems could have a different data representation, including the database
schema, the IS auditor's main concern should be to verify that the interpretation of the data is the same in the
new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal
definition in the database, and therefore are less important than the semantic characteristics. A review of the
correlation of the functional characteristics or a review of the relative efficiencies of the processes between the
two systems is not relevant to a data migration review.

QUESTION 193
What is the MOST effective way to ensure information security incidents will be managed effectively and in a
timely manner?
A. Obtain senior management commitment.
B. Test incident response procedures regularly.
C. Communicate incident response procedures to staff.
D. Establish and measure key performance indicators (KPIs).

Answer: B

QUESTION 194
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to
evaluate the:
A. Proposed functionality of the application.
B. Controls incorporated into the system specifications.
C. Development methodology employed.
D. Future compatibility of the application.

Answer: B

QUESTION 195
A long-term IS employee with a strong technical background and broad managerial experience has applied for
a vacant position in the IS audit department. Determining whether to hire this individual for this position should
be based on the individual's experience and:
A. length of service, since this will help ensure technical competence.
B. age, as training in audit techniques may be impractical.
C. IS knowledge, since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.

Answer: D
Explanation:
Independence should be continually assessed by the auditor and management. This assessment should
consider such factors as changes in personal relationships, financial interests, and prior job assignments and
responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure
credibility. The audit department's needs should be defined and any candidate should be evaluated against
those requirements. The length of service will not ensure technical competency. Evaluating an individual's
qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.

QUESTION 196
What is the first step in a business process re-engineering project?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D. Reviewing the organizational strategic plan

Answer: C
Explanation:
Defining the scope of areas to be reviewed is the first step in a business process reengineering project.

QUESTION 197
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party
service provider. Which of the following would be the BEST way to prevent accepting bad data?
A. Appoint data quality champions across the organization
B. Obtain error codes indicating failed data feeds
C. Purchase data cleansing tools from a reputable vendor
D. Implement business rules to reject invalid data

Answer: D

QUESTION 198
During a software acquisition review, an IS auditor should recommend that there be a software escrow
agreement when:
A. there is no service level agreement (SLA).
B. the deliverables do not include the source code.
C. the product is new in the market.
D. the estimated life for the product is less than 3 years.

Answer: B

QUESTION 199
A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches
transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that
the orders are entered accurately and the corresponding products are produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production

Answer: A
Explanation:
Verification will ensure that production orders match customer orders. Logging can be used to detect
inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order
transmission, but not accurate processing centrally. Production supervisory approval is a time consuming,
manual process that does not guarantee proper control.

QUESTION 200
An IS auditor usually places more reliance on evidence directly collected. What is an example of such
evidence?
A. Evidence collected through personal observation
B. Evidence collected through systems logs provided by the organization's security administration
C. Evidence collected through surveys collected from internal staff
D. Evidence collected through transaction reports provided by the organization's IT administration

Answer: A
Explanation:
An IS auditor usually places more reliance on evidence directly collected, such as through personal
observation.

QUESTION 201
Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A. Piggybacking
B. Viruses
C. Data diddling
D. Unauthorized application shutdown

Answer: C
Explanation:
Data diddling involves changing data before they are entered into the computer. It is one of the most common
abuses, because it requires limited technical knowledge and occurs before computer security can protect the
data. There are only compensating controls for data diddling.
Piggybacking is the act of following an authorized person through a secured door and can be prevented by
the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the
rights, e.g., electronically attaching to an authorized telecommunication link to possibly intercept
transmissions. This could be prevented by encrypting the message. Viruses are malicious program code
inserted into another executable code that can self-replicate and spread from computer to computer via
sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected
machine. Antiviral software can be used to protect the computer against viruses. The shutdown of an
application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-
up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the
shutdown process, which is effective if there are proper access controls.

QUESTION 202
Which of the following should be the MOST important consideration when deciding areas of priority for IT
governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports

Answer: C
Explanation:
Priority should be given to those areas which represent a known risk to the enterprise's operations. The level
of process maturity, process performance and audit reports will feed into the decision-making process. Those
areas that represent real risk to the business should be given priority.

QUESTION 203
In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be
sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.

Answer: B
Explanation:
To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized
before disposal or release.

QUESTION 204
An internal audit has found that critical patches were not implemented within the timeline established by policy
without a valid reason. Which of the following is the BEST course of action to address the audit findings?
A. Monitor and notify IT staff of critical patches.
B. Evaluate patch management training.
C. Perform regular audits on the implementation of critical patches.
D. Assess the patch management process.

Answer: D

QUESTION 205
When conducting a penetration test of an IT system, an organization should be MOST concerned with:
A. the confidentiality of the report.
B. finding all possible weaknesses on the system.
C. restoring all systems to the original state.
D. logging all changes made to the production system.

Answer: C
Explanation:
All suggested items should be considered by the system owner before agreeing to penetration tests, but the
most important task is to be able to restore all systems to their original state.
Information that is created and/or stored on the tested systems should be removed from these systems. If for
some reason, at the end of the penetration test, this is not possible, all files (with their location) should be
identified in the technical report so that the client's technical staff will be able to remove these after the report
has been received.

QUESTION 206
An organization developed a comprehensive three-year IT strategic plan. Halfway into the plan, a major
legislative change impacting the organization is enacted. Which of the following should be management's
NEXT course of action?
A. Develop specific procedural documentation related to the changed legislation.
B. Assess the legislation to determine whether the changes are required to the strategic IT plan.
C. Perform a risk management of the legislative changes.
D. Develop a new IT strategic plan that encompasses the new legislation.

Answer: B

QUESTION 207
When using an integrated test facility (ITF), an IS auditor should ensure that:
A. production data are used for testing.
B. test data are isolated from production data.
C. a test data generator is used.
D. master files are updated with the test data.

Answer: B
Explanation:
An integrated test facility (ITF) creates a fictitious file in the database, allowing for test transactions to be
processed simultaneously with live data. While this ensures that periodic testing does not require a separate
test process, there is a need to isolate test data from production data. An IS auditor is not required to use
production data or a test data generator.
Production master files should not be updated with test data.

QUESTION 208
Which of the following should be done FIRST when planning a penetration test?
A. Define the testing scope.
B. Determine reporting requirements for vulnerabilities
C. Obtain management consent for the testing
D. Execute nondisclosure agreements (NDAs).

Answer: C

QUESTION 209
When auditing the closing stages of a system development project, which of the following should be the MOST
important consideration?
A. Rollback procedures
B. Functional requirements documentation
C. Control requirements
D. User acceptance test (UAT) results

Answer: D

QUESTION 210
An IS auditor discovers that validation controls in a web application have been moved from the server side
into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
A. structured query language (SQL) injection.
B. denial of service (DoS).
C. buffer overflow.
D. phishing.

Answer: A

QUESTION 211
In a client-server architecture, a domain name service (DNS) is MOST important because it provides the:
A. address of the domain server.
B. resolution service for the name/address.
C. IP addresses for the internet.
D. domain name system.

Answer: B
Explanation:
DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet
service that translates domain names into IP addresses. As names are alphabetic, they are easier to
remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS
service must translate the name into the corresponding IP address. The DNS system has its own network: if
one DNS server does not know how to translate a particular domain name, it asks another one, and so on,
until the correct IP address is returned.

QUESTION 212
Which of the following is the key benefit of control self-assessment (CSA)?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Improved fraud detection since internal business staff are engaged in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the assessment.

Answer: A
Explanation:
The objective of control self-assessment is to have business management become more aware of the
importance of internal control and their responsibility in terms of corporate governance.
Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is
important, but not as important as ownership, and is not a principal objective of CSA.
CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this
is an additional benefit, not the key benefit.

QUESTION 213
Which of the following are the PRIMARY considerations when determining the timing of remediation testing?
A. The availability and competencies of control owners for implementing the agreed action plans
B. The level of management and business commitment to implementing agreed action plans
C. The difficulty of scheduling resources and availability of management for a follow-up engagement
D. The significance of the reported findings and the impact if corrective actions are not taken

Answer: D

QUESTION 214
Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic
on a network and creates a database?
A. Signature-based
B. Neural networks-based
C. Statistical-based
D. Host-based

Answer: B
Explanation:
The neural networks-based IDS monitors the general patterns of activity and traffic on the network and
creates a database. This is similar to the statistical model but has the added function of self-learning.
Signature-based systems are a type of IDS in which the intrusive patterns identified are stored in the form of
signatures. These IDS systems protect against detected intrusion patterns. Statistical-based systems need a
comprehensive definition of the known and expected behavior of systems.
Host-based systems are not a type of IDS, but a category of IDS, and are configured for a specific
environment. They will monitor various internal resources of the operating system to warn of a possible attack.

QUESTION 215
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures
of critical data processing services. Which of the following would BEST enable the organization to resolve the
issue?
A. Incident management
B. Service level management
C. Change management
D. Problem management

Answer: D

QUESTION 216
An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on
an employee's desk was removed and put in the garbage by the outsourced cleaning staff.
Which of the following should the IS auditor recommend to management?
A. Stricter controls should be implemented by both the organization and the cleaning agency.
B. No action is required since such incidents have not occurred in the past.
C. A clear desk policy should be implemented and strictly enforced in the organization.
D. A sound backup policy for all important office documents should be implemented.

Answer: A
Explanation:
An employee leaving an important document on a desk and the cleaning staff removing it may result in a
serious impact on the business. Therefore, the IS auditor should recommend that strict controls be
implemented by both the organization and the outsourced cleaning agency. That such incidents have not
occurred in the past does not reduce the seriousness of their impact.
Implementing and monitoring a clear desk policy addresses only one part of the issue.
Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff
has been educated on the dos and don'ts of the cleaning process, are also controls that should be
implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy
does not address the issue of unauthorized leakage of information.

QUESTION 217
An efficient use of public key infrastructure (PKI) should encrypt the:
A. entire message.
B. private key.
C. public key.
D. symmetric session key.

Answer: D
Section: Protection of Information Assets
Explanation:
Public key (asymmetric) cryptographic systems require larger keys (1,024 bits) and involve intensive and time-
consuming computations. In comparison, symmetric encryption is considerably faster, yet relies on the
security of the process for exchanging the secret key. To enjoy the benefits of both systems, a symmetric
session key is exchanged using public key methods, after which it serves as the secret key for encrypting/
decrypting messages sent between two parties.

QUESTION 218
An organization recently implemented a cloud document storage solution and removed the ability for end
users to save data to their local workstation hard drives. Which of the following findings should be the IS
auditor's GREATEST concern?
A. Mobile devices are not encrypted.
B. Users are not required to sign updated acceptable use agreements
C. The business continuity plan (BCP) was not updated.
D. Users have not been trained on the new system.

Answer: C

QUESTION 219
Which of the following attacks involves sending forged ICMP Echo Request packets to the broadcast address
on multiple gateways in order to elicit responses from the computers behind the gateway, where they all
respond back with ICMP Echo Reply packets to the source IP address of the ICMP Echo Request packets?
A. Reflected attack
B. Brute force attack
C. Buffer overflow
D. Pulsing Zombie

Answer: A
Explanation:
Reflected attack involves sending forged requests to a large number of computers that will reply to the
requests. The source IP address is spoofed to that of the targeted victim, causing replies to flood.
A distributed denial of service attack may involve sending forged requests of some type to a very large
number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source
address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.
This reflected attack form is sometimes called a "DRDoS".
ICMP Echo Request attacks (Smurf attack) can be considered one form of reflected attack, as the flooding
host(s) send Echo Requests to the broadcast addresses of misconfigured networks, thereby enticing hosts to
send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this
attack.
In the Smurf attack, the attacker sends an ICMP ECHO REQUEST packet with a spoofed source address to a
victim's network broadcast address. This means that each system on the victim's subnet receives an ICMP
ECHO REQUEST packet. Each system then replies to that request with an ICMP ECHO REPLY packet to the
spoofed address provided in the packets, which is the victim's address. All of these response packets go to the
victim system and overwhelm it because it is being bombarded with packets it does not necessarily know how
to process. The victim system may freeze, crash, or reboot. The Smurf attack is illustrated in the figure below:
[Figure: Smurf attack]
The following answers are incorrect:
Brute force attack - Brute force (also known as brute force cracking) is a trial and error method used by
application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys,
through exhaustive effort (using brute force) rather than employing intellectual strategies. Just as a criminal
might break into, or "crack" a safe by trying many possible combinations, a brute force cracking application
proceeds through all possible combinations of legal characters in sequence. Brute force is considered to be
an infallible, although time-consuming, approach.
Buffer overflow - A buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite
amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers,
corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming
error, buffer overflow is an increasingly common type of security attack on data integrity.
Pulsing Zombie - A DoS attack in which a network is subjected to hostile pinging by different attacker
computers over an extended time period.

QUESTION 220
Which of the following terms related to network performance refers to the number of corrupted bits expressed
as a percentage or fraction of the total sent?
A. Bandwidth
B. Throughput
C. Latency
D. Error Rate
Answer: D
Explanation:
Error rate is the number of corrupted bits expressed as a percentage or fraction of the total sent. For your
exam you should know the following information about network performance:
Network performance refers to measurement of service quality of a telecommunications product as seen by
the customer.
The following list gives examples of network performance measures for a circuit-switched network and one
type of packet-switched network (ATM):
Circuit-switched networks: In circuit switched networks, network performance is synonymous with the grade of
service. The number of rejected calls is a measure of how well the network is performing under heavy traffic
loads. Other types of performance measures can include noise, echo and so on.
ATM: In an Asynchronous Transfer Mode (ATM) network, performance can be measured by line rate, quality
of service (QoS), data throughput, connect time, stability, technology, modulation technique and modem
enhancements.
There are many different ways to measure the performance of a network, as each network is different in
nature and design. Performance can also be modeled instead of measured; one example of this is using state
transition diagrams to model queuing performance in a circuit-switched network. These diagrams allow the
network planner to analyze how the network will perform in each state, ensuring that the network will be
optimally designed.
The following measures are often considered important:
Bandwidth - Bandwidth, commonly measured in bits/second, is the maximum rate at which information can be
transferred
Throughput - Throughput is the actual rate at which information is transferred
Latency - Latency is the delay between the sender transmitting the information and the receiver decoding it;
this is mainly a function of the signal's travel time and the processing time at any nodes the information traverses
Jitter - Jitter is the variation in the time of arrival at the receiver of the information
Error Rate - Error rate is the number of corrupted bits expressed as a percentage or fraction of the total sent
The following answers are incorrect:
Bandwidth - Bandwidth, commonly measured in bits/second, is the maximum rate at which information can be
transferred
Throughput - Throughput is the actual rate at which information is transferred
Latency - Latency is the delay between the sender transmitting the information and the receiver decoding it;
this is mainly a function of the signal's travel time and the processing time at any nodes the information traverses

QUESTION 221
An IS audit manager has been asked to perform a quality review on an audit that the same manager also
supervised. Which of the following is the manager's BEST response to this situation?
A. Notify the audit committee of the situation.
B. Escalate the situation to senior audit leadership.
C. Determine whether audit evidence supports audit conclusions.
D. Discuss with the audit team to understand how conclusions were reached.

Answer: D