
1. An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit
Answer: A
Using a statistical sample to inventory the tape library is an example of a substantive test.

2. Which of the following would prevent accountability for an action performed, thus allowing nonrepudiation?
A. Proper authentication
B. Proper identification AND authentication
C. Proper identification
D. Proper identification, authentication, AND authorization
Answer: B
If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

3. Which of the following is the MOST critical step in planning an audit?
A. Implementing a prescribed auditing framework such as COBIT
B. Identifying current controls
C. Identifying high-risk audit targets
D. Testing controls
Answer: C
In planning an audit, the most critical step is identifying the areas of high risk.

4. To properly evaluate the collective effect of preventative, detective, or corrective controls within a process, an IS auditor should be aware of which of the following? Choose the BEST answer.
A. The business objectives of the organization
B. The effect of segregation of duties on internal controls
C. The point at which controls are exercised as data flows through the system
D. Organizational control policies
Answer: C
When evaluating the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.

5. What is the recommended initial step for an IS auditor to implement continuous-monitoring systems?
A. Document existing internal controls
B. Perform compliance testing on internal controls
C. Establish a controls-monitoring steering committee
D. Identify high-risk areas within the organization
Answer: D
When implementing continuous-monitoring systems, an IS auditor's first step is to identify high-risk areas within the organization.

6. What type of risk is associated with authorized program exits (trap doors)? Choose the BEST answer.
A. Business risk
B. Audit risk
C. Detective risk
D. Inherent risk
Answer: D
Inherent risk is associated with authorized program exits (trap doors).

7. Which of the following is best suited for searching for address field duplications?
A. Text search forensic utility software
B. Generalized audit software
C. Productivity audit software
D. Manual review
Answer: B
Generalized audit software can be used to search for address field duplications.

8. Which of the following is of greatest concern to the IS auditor?
A. Failure to report a successful attack on the network
B. Failure to prevent a successful attack on the network
C. Failure to recover from a successful attack on the network
D. Failure to detect a successful attack on the network
Answer: A
Lack of reporting of a successful attack on the network is a great concern to an IS auditor.

9. An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?
A. True
B. False
Answer: B
An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.

10. An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false?
A. True
B. False
Answer: A
It is true that an advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

11. If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function, what is the auditor's primary responsibility?
A. To advise senior management.
B. To reassign job functions to eliminate potential fraud.
C. To implement compensating controls.
D. Segregation of duties is an administrative control not considered by an IS auditor.
Answer: A
An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.

12. Who is responsible for implementing cost-effective controls in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors
Answer: B
Business unit management is responsible for implementing cost-effective controls in an automated system.

13. Why does an IS auditor review an organization chart?
A. To optimize the responsibilities and authority of individuals
B. To control the responsibilities and authority of individuals
C. To better understand the responsibilities and authority of individuals
D. To identify project sponsors
Answer: C
The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.

14. Ensuring that security and control policies support business and IT objectives is a primary objective of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment
Answer: A
Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.

15. When auditing third-party service providers, an IS auditor should be concerned with which of the following? Choose the BEST answer.
A. Ownership of the programs and files
B. A statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
C. A statement of due care
D. Ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
Answer: D
When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.

16. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should especially focus on procedures in an audit of IS strategy. True or false?
A. True
B. False
Answer: B
When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered.

17. What process allows IS management to determine whether the activities of the organization differ from the planned or expected levels? Choose the BEST answer.
A. Business impact assessment
B. Risk assessment
C. IS assessment methods
D. Key performance indicators (KPIs)
Answer: C
IS assessment methods allow IS management to determine whether the activities of the organization differ from the planned or expected levels.

18. When should reviewing an audit client's business plan be performed relative to reviewing an organization's IT strategic plan?
A. Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan.
B. Reviewing an audit client's business plan should be performed after reviewing an organization's IT strategic plan.
C. Reviewing an audit client's business plan should be performed during the review of an organization's IT strategic plan.
D. Reviewing an audit client's business plan should be performed without regard to an organization's IT strategic plan.
Answer: A
Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan.

19. Allowing application programmers to directly patch or change code in production programs increases risk of fraud. True or false?
A. True
B. False
Answer: A
Allowing application programmers to directly patch or change code in production programs increases risk of fraud.

20. Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
Answer: B
Security administrators are usually responsible for network security operations.

21. Proper segregation of duties does not prohibit a quality control administrator from also being responsible for change control and problem management. True or false?
A. True
B. False
Answer: A
Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management.

22. What can be implemented to provide the highest level of protection from external attack?
A. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
Answer: A
Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answers.

23. The directory system of a database-management system describes:
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method
Answer: B
The directory system of a database-management system describes the location of data and the access method.

24. How is the risk of improper file access affected upon implementing a database system?
A. Risk varies.
B. Risk is reduced.
C. Risk is not affected.
D. Risk is increased.
Answer: D
Improper file access becomes a greater risk when implementing a database system.

25. In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.
Answer: B
To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized before disposal or release.

26. When reviewing print systems spooling, an IS auditor is MOST concerned with which of the following vulnerabilities?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
Answer: C
When reviewing print systems spooling, an IS auditor is most concerned with the potential for unauthorized printing of report copies.

27. Why is the WAP gateway a component warranting critical concern and review for the IS auditor when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured by default settings and is thus insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.
D. WAP often interfaces critical IT systems.
Answer: C
Functioning as a protocol-conversion gateway for wireless TLS to Internet SSL, the WAP gateway is a component warranting critical concern and review for the IS auditor when auditing and testing controls that enforce message confidentiality.

28. Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false?
A. True
B. False
Answer: A
Proper segregation of duties prevents a computer operator (user) from performing security administration duties.

29. How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network?
A. Modems convert analog transmissions to digital, and digital transmissions to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog.
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital.
Answer: A
Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to analog, and are required for analog transmissions to enter a digital network.

30. Which of the following are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem? Choose the BEST answer.
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications
Answer: B
Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.

31. What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing
Answer: A
Diverse routing supports data transmission through split cable facilities, or duplicate cable facilities.

32. What type(s) of firewalls provide(s) the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
Answer: C
An application-layer gateway, or proxy firewall, and stateful-inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.

33. Which of the following can degrade network performance? Choose the BEST answer.
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating new collision domains
C. Inefficient and superfluous use of network devices such as switches
D. Inefficient and superfluous use of network devices such as hubs
Answer: D
Inefficient and superfluous use of network devices such as hubs can degrade network performance.

34. Which of the following provide(s) near-immediate recoverability for time-sensitive systems and transaction processing?
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing
Answer: B
Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing.

35. What is an effective control for granting temporary access to vendors and external support personnel? Choose the BEST answer.
A. Creating user accounts that automatically expire by a predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain hours of the day
D. Creating a single shared vendor administrator account on the basis of least-privileged access
Answer: A
Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.

36. Which of the following help(s) prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack? Choose the BEST answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems
Answer: C
Outbound traffic filtering can help prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack.

37. What is a common vulnerability, allowing denial-of-service attacks?
A. Assigning access to users according to the principle of least privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules
Answer: C
Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks.

38. What are trojan horse programs? Choose the BEST answer.
A. A common form of internal attack
B. Malicious programs that require the aid of a carrier program such as email
C. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
D. A common form of Internet attack
Answer: D
Trojan horse programs are a common form of Internet attack.

39. What is/are used to measure and ensure proper network capacity management and availability of services? Choose the BEST answer.
A. Network performance-monitoring tools
B. Network component redundancy
C. Syslog reporting
D. IT strategic planning
Answer: A
Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services.

40. What can be used to gather evidence of network attacks?
A. Access control lists (ACL)
B. Intrusion-detection systems (IDS)
C. Syslog reporting
D. Antivirus programs
Answer: B
Intrusion-detection systems (IDS) are used to gather evidence of network attacks.

41. Which of the following is a passive attack method used by intruders to determine potential network vulnerabilities?
A. Traffic analysis
B. SYN flood
C. Denial of service (DoS)
D. Distributed denial of service (DDoS)
Answer: A
Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities. All others are active attacks.

42. Which of the following fire-suppression methods is considered to be the most environmentally friendly?
A. Halon gas
B. Deluge sprinklers
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
Answer: C
Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.

43. What is a callback system?
A. It is a remote-access system whereby the remote-access server immediately calls the user back at a predetermined number if the dial-in connection fails.
B. It is a remote-access system whereby the user's application automatically redials the remote-access server if the initial connection attempt fails.
C. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.
D. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently allows the user to call back at an approved number for a limited period of time.
Answer: C
A callback system is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.

44. What type of fire-suppression system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities?
A. A dry-pipe sprinkler system
B. A deluge sprinkler system
C. A wet-pipe system
D. A halon sprinkler system
Answer: A
A dry-pipe sprinkler system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities.

45. Digital signatures require the sender to "sign" the data by encrypting the data with the sender's public key, to then be decrypted by the recipient using the recipient's private key. True or false?
A. False
B. True
Answer: B
Digital signatures require the sender to "sign" the data by encrypting the data with the sender's private key, to then be decrypted by the recipient using the sender's public key.

46. Which of the following provides the BEST single-factor authentication?
A. Biometrics
B. Password
C. Token
D. PIN
Answer: A
Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication.

47. What is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption?
A. An organizational certificate
B. A user certificate
C. A website certificate
D. Authenticode
Answer: C
A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.

48. What determines the strength of a secret key within a symmetric key cryptosystem?
A. A combination of key length, degree of permutation, and the complexity of the data-encryption algorithm that uses the key
B. A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key
C. A combination of key length and the complexity of the data-encryption algorithm that uses the key
D. Initial input vectors and the complexity of the data-encryption algorithm that uses the key
Answer: B
The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key.

49. What process is used to validate a subject's identity?
A. Identification
B. Nonrepudiation
C. Authorization
D. Authentication
Answer: D
Authentication is used to validate a subject's identity.

50. What is often assured through table link verification and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy
Answer: A
Database integrity is most often ensured through table link verification and reference checks.

51. Which of the following should an IS auditor review to determine user permissions that have been granted for a particular resource? Choose the BEST answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
Answer: B
IS auditors should review access-control lists (ACL) to determine user permissions that have been granted for a particular resource.

52. What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived
Answer: B
IS auditors should always check to ensure that password files are encrypted.

53. Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
Answer: C
User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther down in the transport layer.

54. When should systems administrators first assess the impact of applications or systems patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation
Answer: B
Systems administrators should always assess the impact of patches before installation.

55. Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
Answer: A
Adopting and communicating a comprehensive antivirus policy is the most fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon decisions established and communicated via policy.

56. Which of the following is of greatest concern when performing an IS audit?
A. Users' ability to directly modify the database
B. Users' ability to submit queries to the database
C. Users' ability to indirectly modify the database
D. Users' ability to directly view the database
Answer: A
A major IS audit concern is users' ability to directly modify the database.

57. What are intrusion-detection systems (IDS) primarily used for?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network
Answer: D
Intrusion-detection systems (IDS) are used to identify intrusion attempts on a network.

58. Rather than simply reviewing the adequacy of access control, appropriateness of access policies, and effectiveness of safeguards and procedures, the IS auditor is more concerned with effectiveness and utilization of assets. True or false?
A. True
B. False
Answer: B
Instead of simply reviewing the effectiveness and utilization of assets, an IS auditor is more concerned with adequate access control, appropriate access policies, and effectiveness of safeguards and procedures.

59. If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions. True or false?
A. True
B. False
Answer: A
If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions.

60. Organizations should use off-site storage facilities to maintain _________________ (fill in the blank) of current and critical information within backup files. Choose the BEST answer.
A. Confidentiality
B. Integrity
C. Redundancy
D. Concurrency
Answer: C
Redundancy is the best answer because it provides both integrity and availability. Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files.

61. The purpose of business continuity planning and disaster-recovery planning is to:
A. Transfer the risk and impact of a business interruption or disaster
B. Mitigate, or reduce, the risk and impact of a business interruption or disaster
C. Accept the risk and impact of a business
D. Eliminate the risk and impact of a business interruption or disaster
Answer: B
The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.

62. If a database is restored from information backed up before the last system image, which of the following is recommended?
A. The system should be restarted after the last transaction.
B. The system should be restarted before the last transaction.
C. The system should be restarted at the first transaction.
D. The system should be restarted on the last transaction.
Answer: B
If a database is restored from information backed up before the last system image, the system should be restarted before the last transaction because the final transaction must be reprocessed.

63. An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false?
A. True
B. False
Answer: B
An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.

64. Which of the following is the dominating objective of BCP and DRP?
A. To protect human life
B. To mitigate the risk and impact of a business interruption
C. To eliminate the risk and impact of a business interruption
D. To transfer the risk and impact of a business interruption
Answer: A
Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.

65. How can minimizing single points of failure or vulnerabilities of a common disaster best be controlled?
A. By implementing redundant systems and applications onsite
B. By geographically dispersing resources
C. By retaining onsite data backup in fireproof vaults
D. By preparing BCP and DRP documents for commonly identified disasters
Answer: B
Minimizing single points of failure or vulnerabilities of a common disaster is mitigated by geographically dispersing resources.

66. Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True or false?
A. True
B. False
Answer: A
Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.

67. Off-site data storage should be kept synchronized when preparing for recovery of time-sensitive data such as that resulting from which of the following? Choose the BEST answer.
A. Financial reporting
B. Sales reporting
C. Inventory reporting
D. Transaction processing
Answer: D
Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing.

68. What is an acceptable recovery mechanism for extremely time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network
Answer: C
Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.

69. Off-site data backup and storage should be geographically separated so as to ________________ (fill in the blank) the risk of a widespread physical disaster such as a hurricane or earthquake.
A. Accept
B. Eliminate
C. Transfer
D. Mitigate
Answer: D
Off-site data backup and storage should be geographically separated, to mitigate the risk of a widespread physical disaster such as a hurricane or an earthquake.

70. Why is a clause for requiring source code escrow in an application vendor agreement important?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the application vendor goes out of business
Answer: D
A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.

71. What uses questionnaires to lead the user through a series of choices to reach a conclusion? Choose the BEST answer.
A. Logic trees
B. Decision trees
C. Decision algorithms
D. Logic algorithms
Answer: B
Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.

72. What protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business?
A. Assigning copyright to the organization
B. Program back doors
C. Source code escrow
D. Internal programming expertise
Answer: C
Source code escrow protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business.

7). Who is ultimately responsible for providing re@uirement specifications to the
software.development team?
A. ,he pro1ect sponsor
B. ,he pro1ect members
C. ,he pro1ect leader
. ,he pro1ect steering committee
Answer! A
,he pro1ect sponsor is ultimately responsible for providing re@uirement
specifications to the software.development team.

7/. What should regression testing use to obtain accurate conclusions regarding
the effects of changes or corrections to a program% and ensuring that those
changes and corrections have not introduced new errors?
A. Contrived data
B. Independently created data
C. ;ive data
. ata from previous tests
Answer!
>egression testing should use data from previous tests to obtain accurate
conclusions regarding the effects of changes or corrections to a program% and
ensuring that those changes and corrections have not introduced new errors.

75. An IS auditor should carefully review the functional requirements in a
systems-development project to ensure that the project is designed to:
A. Meet business objectives
B. Enforce data security
C. Be culturally feasible
D. Be financially feasible

Answer: A
An IS auditor should carefully review the functional requirements in a systems-
development project to ensure that the project is designed to meet business
objectives.

76. Which of the following processes are performed during the design phase of the
systems-development life cycle (SDLC) model?
A. Develop test plans.
B. Baseline procedures to prevent scope creep.
C. Define the need that requires resolution, and map to the major requirements of
the solution.
D. Program and test the new system. The tests verify and validate what has been
developed.
Answer: B
Procedures to prevent scope creep are baselined in the design phase of the
systems-development life cycle (SDLC) model.

77. When should application controls be considered within the system-development
process?
A. After application unit testing
B. After application module testing
C. After applications systems testing
D. As early as possible, even in the development of the project's functional
specifications
Answer: D
Application controls should be considered as early as possible in the system-
development process, even in the development of the project's functional
specifications.

78. What is used to develop strategically important systems faster, reduce
development costs, and still maintain high quality? Choose the BEST answer.
A. Rapid application development (RAD)
B. GANTT
C. PERT
D. Decision trees
Answer: A
Rapid application development (RAD) is used to develop strategically important
systems faster, reduce development costs, and still maintain high quality.

79. Test and development environments should be separated. True or false?
A. True
B. False
Answer: A
Test and development environments should be separated, to control the stability of
the test environment.

80. What kind of testing should programmers perform following any changes to an
application or system?
A. Unit, module, and full regression testing
B. Module testing
C. Unit testing
D. Regression testing
Answer: A
Programmers should perform unit, module, and full regression testing following any
changes to an application or system.

81. Which of the following uses a prototype that can be updated continually to
meet changing user or business requirements?
A. PERT
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. GANTT

Answer: B
Rapid application development (RAD) uses a prototype that can be updated
continually to meet changing user or business requirements.

82. What is the most common reason for information systems to fail to meet the
needs of users? Choose the BEST answer.
A. Lack of funding
B. Inadequate user participation during system requirements definition
C. Inadequate senior management participation during system requirements
definition
D. Poor IT strategic planning
Answer: B
Inadequate user participation during system requirements definition is the most
common reason for information systems to fail to meet the needs of users.

83. Who is responsible for the overall direction, costs, and timetables for
systems-development projects?
A. The project sponsor
B. The project steering committee
C. Senior management
D. The project team leader
Answer: B
The project steering committee is responsible for the overall direction, costs,
and timetables for systems-development projects.

84. When should plans for testing for user acceptance be prepared? Choose the BEST
answer.
A. In the requirements definition phase of the systems-development project
B. In the feasibility phase of the systems-development project
C. In the design phase of the systems-development project
D. In the development phase of the systems-development project
Answer: A
Plans for testing for user acceptance are usually prepared in the requirements
definition phase of the systems-development project.

85. Above almost all other concerns, what often results in the greatest negative
impact on the implementation of new application software?
A. Failing to perform user acceptance testing
B. Lack of user training for the new system
C. Lack of software documentation and run manuals
D. Insufficient unit, module, and systems testing

Answer: A
Above almost all other concerns, failing to perform user acceptance testing often
results in the greatest negative impact on the implementation of new application
software.

86. Input/output controls should be implemented for which applications in an
integrated systems environment?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving application
Answer: C
Input/output controls should be implemented for both the sending and receiving
applications in an integrated systems environment.

87. Authentication techniques for sending and receiving data between EDI systems
are crucial to prevent which of the following? Choose the BEST answer.
A. Unsynchronized transactions
B. Unauthorized transactions
C. Inaccurate transactions
D. Incomplete transactions
Answer: B
Authentication techniques for sending and receiving data between EDI systems are
crucial to prevent unauthorized transactions.

88. After identifying potential security vulnerabilities, what should be the IS
auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the
vulnerabilities
D. To immediately advise senior management of the findings
Answer: C
After identifying potential security vulnerabilities, the IS auditor's next step
is to perform a business impact analysis of the threats that would exploit the
vulnerabilities.

89. What is the primary security concern for EDI environments? Choose the BEST
answer.
A. Transaction authentication
B. Transaction completeness
C. Transaction accuracy
D. Transaction authorization
Answer: D
Transaction authorization is the primary security concern for EDI environments.

90. Which of the following exploit vulnerabilities to cause loss or damage to the
organization and its assets?
A. Exposures
B. Threats
C. Hazards
D. Insufficient controls
Answer: B
Threats exploit vulnerabilities to cause loss or damage to the organization and
its assets.

91. Business process re-engineering often results in ______________ automation,
which results in _____________ number of people using technology. Fill in the
blanks.
A. Increased; a greater
B. Increased; a fewer
C. Less; a fewer
D. Increased; the same
Answer: A
Business process re-engineering often results in increased automation, which
results in a greater number of people using technology.

92. Whenever business processes have been re-engineered, the IS auditor attempts
to identify and quantify the impact of any controls that might have been removed,
or controls that might not work as effectively after business process changes.
True or false?
A. True
B. False
Answer: A
Whenever business processes have been re-engineered, the IS auditor should attempt
to identify and quantify the impact of any controls that might have been removed,
or controls that might not work as effectively after business process changes.

93. When should an application-level edit check to verify availability of funds
be completed at the electronic funds transfer (EFT) interface?
A. Before transaction completion
B. Immediately after an EFT is initiated
C. During run-to-run total testing
D. Before an EFT is initiated
Answer: D
An application-level edit check to verify availability of funds should be
completed at the electronic funds transfer (EFT) interface before an EFT is
initiated.

94. ________________ (fill in the blank) should be implemented as early as data
preparation to support data integrity at the earliest point possible.
A. Control totals
B. Authentication controls
C. Parity bits
D. Authorization controls
Answer: A
Control totals should be implemented as early as data preparation to support data
integrity at the earliest point possible.

95. What is used as a control to detect loss, corruption, or duplication of data?
A. Redundancy check
B. Reasonableness check
C. Hash totals
D. Accuracy check
Answer: C
Hash totals are used as a control to detect loss, corruption, or duplication of
data.

96. Data edits are implemented before processing and are considered which of the
following? Choose the BEST answer.
A. Deterrent integrity controls
B. Detective integrity controls
C. Corrective integrity controls
D. Preventative integrity controls
Answer: D
Data edits are implemented before processing and are considered preventive
integrity controls.

97. In small office environments, it is not always possible to maintain proper
segregation of duties for programmers. If a programmer has access to production
data or applications, compensatory controls such as reviewing transaction
results against approved input might be necessary. True or false?
A. True
B. False
Answer: A
In small office environments, it is not always possible to maintain proper
segregation of duties for programmers. If a programmer has access to production
data or applications, compensatory controls such as the review of transaction
results against approved input might be necessary.

98. Processing controls ensure that data is accurate and complete, and is
processed only through which of the following? Choose the BEST answer.
A. Documented routines
B. Authorized routines
C. Accepted routines
D. Approved routines
Answer: B
Processing controls ensure that data is accurate and complete, and is processed
only through authorized routines.

99. What is a data validation edit control that matches input data to an
occurrence rate? Choose the BEST answer.
A. Accuracy check
B. Completeness check
C. Reasonableness check
D. Redundancy check
Answer: C
A reasonableness check is a data validation edit control that matches input data
to an occurrence rate.

100. Database snapshots can provide an excellent audit trail for an IS auditor.
True or false?
A. True
B. False
Answer: A
Database snapshots can provide an excellent audit trail for an IS auditor.
