Correct Answer is (A) Answer (a) is correct. According to the Standards, the purpose of reviewing the effectiveness of the system of internal control is to ascertain whether the system is functioning as intended. Not (b). Not (c). Not (d).

b. CIA May 87 I.17 Correct Answer is (A) Answer (a) is correct. By definition, an operational audit is an audit to test whether the functions within the organization are effective in achieving their objectives, and are operating efficiently and economically. Therefore, the auditors must understand the auditee's departmental objectives in order to establish the objectives for an operational audit. Not (b) because the most recent financial data are more relevant to a financial audit than to an operational audit. Not (c) because activity reports showing rental information are more relevant to a financial audit than to an operational audit. Not (d) because a complete listing of the perpetual inventory is more relevant to a financial audit than to an operational audit.

c. CIA Nov 84 I.14 Correct Answer is (B) Not (a) because the reliability and integrity of financial information are important in operational auditing. Information systems provide data for decision making, control, and compliance with external requirements. Answer (b) is correct. Financial auditing is primarily concerned with providing an opinion on the fairness of the financial statements, while operational auditing evaluates the accomplishment of established goals and objectives, and the economical and efficient use of resources in accomplishing them. Not (c) because financial statements are the starting point in financial auditing rather than operational auditing. Not (d) because analytical skills and tools are necessary in all types of audits.

d. CIA May 87 I.6 Correct Answer is (B) Not (a) because determining that employees are paid in accordance with union wages would be an objective for a compliance audit. Answer (b) is correct. Determining that employees are assigned to work situations equivalent to their training and skill level relates to minimizing labor costs, because assigning employees to tasks not commensurate with their skills, specifically tasks far below their abilities, may result in excess labor costs. Not (c) because determining that the quality of performance by labor meets the company's standards would be an objective for the effectiveness of the company's use of labor resources. Not (d) because determining that only authorized employees are paid relates to the objective of existence of employees on the payroll.

© 2004 Powers Resources Corporation. All rights reserved. Powers CIA Review

e. CIA Nov 94 I.6 Correct Answer is (A) Answer (a) is correct. A compliance audit of overtime policy is likely to be the most objective audit, because the audit compares actual operations against specific management policies and procedures, which are likely to be well defined and documented. Not (b) because an operational audit of the personnel function's hiring and firing procedures is relatively subjective, since there is often more than one way to establish operational procedures. Not (c) because a performance audit of the marketing department is relatively subjective, since the criteria used to evaluate performance must be agreed upon. Not (d) because a financial control audit of payroll procedures is relatively subjective, since there is often more than one way to establish such procedures.

f. CIA Nov 88 I.1 Correct Answer is (C) Not (a). Not (b). Answer (c) is correct. By definition, an operational audit is an audit to test whether the functions within the organization are effective in achieving their objectives, and are operating efficiently and economically. Determining that the marketing department has the organizational status needed to accomplish its objectives and operates in a manner that is cost-beneficial to the company would be objectives of an operational audit of the marketing department. Not (d).

g. CIA May 89 I.1 Correct Answer is (C) Not (a). Not (b). Answer (c) is correct. Internal auditors review information systems to test the security and integrity of data processing systems in addition to the data generated by those systems. This includes determining that financial and operating records and reports contain accurate, reliable, timely, complete, and useful information. Not (d).

h. CIA Nov 90 I.17 Correct Answer is (A) Answer (a) is correct. Program-results audits examine effectiveness (outputs/results) by analyzing how the inputs are converted. Not (b) because seeking cost savings is the province of audits of economy and efficiency. Not (c) because including only historical data is characteristic of financial and compliance audits. Not (d) because expressing an opinion on the fairness of financial presentation is an objective of a financial audit.

i. CIA May 90 I.1 Correct Answer is (B) Not (a) because approving the objectives or goals to be met is a managerial function. Answer (b) is correct. Internal auditors can assist managers who are developing objectives and goals by determining whether the underlying assumptions are appropriate. Determining whether the underlying assumptions are appropriate provides an opinion rather than an actual executive or decision function, and is thus an internal audit function. Not (c) because developing and implementing control procedures is management's responsibility. Not (d) because accomplishing desired operating program results is management's responsibility.

j. CIA May 91 I.1 Correct Answer is (A) Answer (a) is correct. By definition, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Therefore, internal auditing assists members of the organization in the effective discharge of their responsibilities. Not (b) because internal auditing usually gives an opinion on the design and implementation of accounting and control systems, but does not directly assist in the process. Although performed in some cases, assisting in the design and implementation of accounting and control systems would impair the objectivity of internal auditing. In any case, this would be only a limited part of the scope of internal auditing, which is far broader. Not (c) because the scope of internal auditing is much broader than examining and evaluating an organization's accounting system. Not (d) because the objective of internal auditing is to serve the organization rather than the external auditors.

k. CIA Nov 91 I.10 Correct Answer is (B) Not (a). Answer (b) is correct. The goal of an operational audit is to assess current performance and make appropriate recommendations for improvement. Not (c). Not (d).

l. CIA May 92 I.9 Correct Answer is (A) Answer (a) is correct. Internal auditors are more familiar with the organization, including its systems, people, and objectives. (Standard 340, Scope of Work: Economical and Efficient Use of Resources.) Not (b) because both internal and external auditors are required to be objective. Not (c) because internal and external auditors use the same techniques. Not (d) because internal auditors are concerned with fraud and waste.

m. CIA Nov 96 I.7 Correct Answer is (A) Answer (a) is correct. The auditor is determining whether the participants are in compliance with the program's eligibility requirements. Not (b). Not (c). Not (d).

n. CIA Nov 96 I.8 Correct Answer is (B) Not (a) because the internal auditor should determine whether the budget was reviewed and approved by supervisory personnel within the city, as this relates to the objectives established in the regulation. Answer (b) is correct. The regulation set by the granting agency states that the city should establish a budget in a manner consistent with the objectives of the program. There is no requirement for the granting agency to review and approve the budget. Not (c) because this procedure would help determine whether the budget is adhered to, i.e., that all expenses were charged to the appropriate accounts and the accounts are all in accordance with the budget. Not (d) because this procedure determines whether spending is in accordance with the approved budget.

o. CIA Nov 96 I.9 Correct Answer is (D) Not (a) because these individuals should be familiar with the applicable laws and regulations and would provide the auditor with relevant information. Not (b) because reviewing the prior year's working papers and inquiring about changes would allow the auditor to benefit from the prior audit's research. Not (c) because the grant agreements will often contain references to the applicable laws and regulations. Answer (d) is correct. Discussing the matter with the audit committee would be least effective, because the audit committee is not responsible for understanding all the underlying laws and regulations. Further, the audit committee's objectives for the audit do not help the auditor understand the applicable laws and regulations.

p. CIA Nov 88 II.3 Correct Answer is (A) Answer (a) is correct. Management is responsible for setting operating standards. Internal auditors are responsible for determining that (1) such standards have been established, (2) the standards are being met, (3) deviations are being identified and communicated, and (4) corrective action has been taken. Not (b) because verifying existence relates to the safeguarding of assets. Not (c) and not (d) because the reliability of operating information and the accuracy of asset valuation concern the reliability and integrity of information.

q. CIA May 92 II.1 Correct Answer is (D) Not (a) because program-results auditing addresses the accomplishment of program objectives. Not (b) because financial auditing addresses the accuracy of financial records. Not (c) because compliance auditing addresses compliance with requirements, including legal and regulatory requirements. Answer (d) is correct. Operational auditing is the most likely to address a determination of cost savings, because it focuses on economy and efficiency.

r. CIA Nov 96 III.30 Correct Answer is (D) Not (a). Not (b). Not (c). Answer (d) is correct. By definition, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

s. CIA May 90 III.37 Correct Answer is (A) Answer (a) is correct. Since each PC in the network can send or receive electronic mail to or from any other PC via the minicomputer (which is the central controller), such a network is called a star network. In a star network (also called a star topology), all stations are directly connected to a centralized controller. Transmissions go through the central controller and are then diverted to the related station. Not (b) because in a ring topology (also called a ring network) the stations are connected to each other to form a loop. Transmissions are received by each station and then transmitted to the next station in the ring. There is no central computer that diverts transmissions to the stations in this type of network. Not (c) because an irregular network has the properties of both star and ring networks. Not (d) because there is no network configuration called a loop network; the appropriate terminology is ring network.

t. CIA May 97 III.69 Correct Answer is (B) Not (a) because there is no limitation on the number of access ports. Answer (b) is correct. The most difficult aspect of using Internet resources is locating the best information, given the large number of information sources on the World Wide Web. Not (c) because the only equipment required for accessing Internet resources is a computer, a modem, a telephone line, and basic communication software. Not (d) because organizations routinely provide Internet access to their employees, and individuals can obtain access through individual subscriptions to commercial information service providers.

u. CIA May 90 III.39 Correct Answer is (B) Not (a) because system I is an example of a centralized facility. Answer (b) is correct. A minicomputer tied to intelligent workstations is an example of a distributed system. A distributed system combines the features of centralized and decentralized facilities: users have their own computers that perform some processing, and in addition those computers are tied to a remote computer that performs other processing functions. It is useful to distinguish between a decentralized and a distributed facility. In a decentralized facility, a separate computer facility is established to service the needs of each major department or unit in an organization.
In a distributed facility, these computer facilities are interconnected, as in the given example. Not (c) and not (d) because system I is an example of a centralized facility while system II is an example of a distributed facility.

v. CIA Nov 90 III.20 Correct Answer is (A) Answer (a) is correct. An electronic mail system has features that the other systems do not have. An electronic mail system enables the user to use features such as Answer, Edit, Forward, Send, Read, and Print, among many others. Not (b) because a voice store-and-forward system lacks Read and Print capability. Not (c) because a desktop publishing system provides only Edit and Print features. Not (d) because a digital communications system refers to a method of transmission (digital transmission).

w. CIA May 92 III.6 Correct Answer is (A) Answer (a) is correct. A local area network (LAN) is the appropriate type of network. Local area networks connect computers with other computers, peripherals (e.g., printers, plotters), and workstations that are fairly close in proximity, such as in a building or in multiple buildings within a campus. Not (b) because wide area networks (WANs) provide communication over long distances. Not (c) because this is a distracter; the term "end user" is not a type of network. Not (d) because baseband is a term used to describe the signaling between stations in most local area networks (a single unmodulated channel carrying data only); it names a transmission technique, not a type of network.

x. CIA Nov 93 III.3 Correct Answer is (A) Answer (a) is correct. In a star network (also called a star topology), all stations (nodes) are directly connected to a centralized controller. The centralized controller controls the network and all nodes; all transmissions go through the central controller and are then diverted to the related station. Not (b) because in a ring network (also called a ring topology) the stations are connected to each other to form a loop. Transmissions are received by each station and then transmitted to the next station in the ring. There is no central computer that diverts transmissions to the stations in this type of network. Not (c) because in a bus network (also called a bus topology), all stations are connected to one communications channel. Each station gets a copy of the transmission, which it processes (if addressed to that station) or ignores (if addressed to another station). Not (d) because synchronous is a communications protocol (a type of data transmission) in which characters are sent at a fixed rate by synchronizing the transmitting and receiving devices.

y. CIA Nov 93 III.9 Correct Answer is (D) Not (a) because a self-contained minicomputer with terminals would be unable to communicate with the corporate computer for file inquiry and downloading. Not (b) because personal computers with a terminal emulator would be unable to access other departments' machines. Not (c) because personal computers in a stand-alone LAN would be unable to access corporate files. Answer (d) is correct. Personal computers in a LAN with a gateway would be able to access departmental laser printers (via the LAN), exchange electronic mail with each other (via the LAN) and with employees in other departments and other plants (via the LAN through the gateway to the corporate computer), and perform file inquiry and downloading of corporate files (through the gateway to the corporate computer). A gateway is a device that acts as a protocol converter, e.g., connecting a LAN to a mainframe or a LAN to the Internet.

z. CIA May 94 III.3 Correct Answer is (A) Answer (a) is correct. A network interface card links microcomputers and printers together in a local area network connected by coaxial cable, twisted pair, or optical fiber. The card gives the microcomputer an address, transmits data, and monitors incoming messages (e.g., an Ethernet card). Not (b), not (c), and not (d) because modems are used to connect microcomputers to ordinary telephone lines.

aa. CIA Nov 94 III.20 Correct Answer is (D) Not (a) because long-range business plans are a central aspect of strategic decisions. Not (b) because support of daily business operations is an important aspect of strategic decisions. Not (c) because measurement of plan fulfillment is essential to management's evaluation of the system. Answer (d) is correct. Cutting operating costs, by itself, is the least important issue concerning the expansion of the existing local area network (LAN). The payoff that would result from the expansion, i.e., the company's return on its investment, is a more relevant strategic consideration.

bb. CIA Nov 94 III.1 Correct Answer is (B) Not (a) because cabling (the telecommunications link) is the medium through which the terminals are linked in a LAN. Answer (b) is correct. A server manages the LAN's resources. A file server is the device that stores program and data files for users of the LAN; it is one type of server. Not (c) because a network gateway connects the LAN to other networks. A gateway is a device that acts as a protocol converter, e.g., connecting a LAN to a mainframe or a LAN to the Internet. Not (d) because a workstation that is dedicated to a single user is a client.

cc. CIA Nov 95 III.6 Correct Answer is (D) Not (a) because VANs normally act as a clearinghouse and storage house for communications between different organizations. Not (b) because VANs provide a common communication interface, thus eliminating the need for each company to establish independent communication with each of its trading partners. Not (c) because VANs establish logs of transactions as a basis for record keeping and an audit trail. Answer (d) is correct. Companies must purchase their own software to translate to a national standard protocol (either ANSI X.12 in the U.S. or EDIFACT in Europe and most of the rest of the world). Once the data are in the standard format, the VAN handles all aspects of the communication. A value-added network (VAN) is a privately owned network that provides services such as data storage and access to specialized databases for a fee. Organizations implementing EDI would utilize VANs.

dd. CIA Nov 96 III.56 Correct Answer is (A) Answer (a) is correct. Gateways connect computers on dissimilar networks. A gateway is a device that acts as a protocol converter, e.g., connecting a LAN to a mainframe or a LAN to the Internet. Not (b) because bridges are devices that physically connect two independent LANs. Not (c) because repeaters are devices that regenerate and retransmit signals between segments of a network, to strengthen data signals between distant computers. Not (d) because routers are devices that route information packets according to the addresses and intended destinations of the packets, by determining the best path for the data.

ee. CIA Nov 96 III.59 Correct Answer is (D) Not (a) because dedicated phone lines would not be cost effective or available to field agents. Not (b) because field agents would not always be located at the same phone line, which dial-up callback requires. In addition, callback features are a type of access control and are not controls for securing data transmission. Not (c) because passwords are a type of access control and are not controls for securing data transmission. In addition, passwords may be compromised by computer software. Answer (d) is correct. Encryption of the data to be transmitted through the network would best secure the data while in transit. Encryption is the encoding of sensitive data using mathematical algorithms so that the data becomes incomprehensible; decryption restores the data to its comprehensible form.

ff. CIA Nov 96 III.71 Correct Answer is (D) Not (a) because a private wide area network is one that an individual business firm maintains for its own use. Not (b) because Integrated Services Digital Network (ISDN) is an international standard for transmitting voice, video, and data over phone lines. Not (c) because a value-added network is a data-only, multi-path, third-party-managed network. Answer (d) is correct. A virtual private network (VPN) is a carrier-provided service in which the public switched network provides capabilities similar to those of dedicated private lines, but at a lower cost.

gg. CIA Nov 96 III.72 Correct Answer is (A) Answer (a) is correct. A number of bottlenecks (e.g., in-house analog technology) may limit the benefits that can be derived from the external network. To prepare the company for the changes resulting from the enhanced external network services, management should optimize the in-house networks to avoid such bottlenecks. Not (b) because resistance to change, inflexible organizational structures, and skepticism about the technology should be expected and must be successfully managed if the company is to reap the benefits of the technology. Not (c) because as individuals rely more on communications to perform their daily tasks, it becomes imperative for the network to be essentially 100% available. The company should enhance its disaster recovery plan to recognize this fact.
Not (d) because since network management may no longer be solely a function within the company, it will become more of a partnership arrangement with the communications carrier.

hh. CIA Nov 96 III.74 Correct Answer is (B) Not (a) because value-added networks provide protocol conversion, message storing, and message forwarding for specific transactions such as EDI. Answer (b) is correct. A MAN (metropolitan area network) connects multiple sites with multiple workstations for shared use of common resources. Thus, the company can share inventory and special diagnostic skills. Not (c) because electronic data interchange supports the transfer of business information between application systems on different computers. Not (d) because TCP/IP is a network protocol suite that implements the network- and transport-layer functions of the OSI model for managing end-to-end network transmissions.

ii. CIA May 97 I.20 Correct Answer is (C) Not (a) because a major concern with LANs is that users are responsible for building and maintaining procedures for capturing and processing data. One of the major problems associated with this form of end-user computing is that users often do not do a good job of documenting procedures. Not (b) because security is a major concern for sensitive data residing on a PC and/or a LAN. Answer (c) is correct. Hardware used for processing data is not considered a major risk, since PCs have hardware components similar to those of mainframe computers. If a hardware failure were to occur, it would be for reasons to which both PCs and mainframes are exposed. Not (d) because data communications are always a high-risk factor on LANs, because they do not happen automatically. The auditor will need to gain assurance that the company has mechanisms, including reconciliations, to ensure the completeness of data communications.

jj. CIA May 97 III.41 Correct Answer is (C) Not (a) because both statements I and III are correct. Not (b) because item II is incorrect. Answer (c) is correct. Statements I and III are correct and item II is incorrect: a confidential mail message should not be retained on the server once the user has downloaded it to a personal computer. Since electronic mail is operated and stored on the computer system, the control features present in the network will secure it. In addition, large organizations usually have several electronic mail administrators and locations with varying levels of security.

kk. CIA May 97 III.43 Correct Answer is (A) Answer (a) is correct. Only item I is correct. Companies that wish to maintain adequate security must use firewalls to protect data from being accessed by unauthorized users. Firewalls separate an internal secure network from an external network by controlling the flow of traffic between them. Item II is incorrect: anyone can establish a home page on the Internet. Item III is incorrect: there are no security standards for connecting to the Internet, nor is there a coalition of Internet providers that dictates such standards; the lack of such standards is a major problem with the Internet. Not (b) because item II is incorrect. Not (c) and not (d) because item III is incorrect.

ll. CIA May 93 III.40 Correct Answer is (C) Not (a) because management oversight controls the growth in end-user development by selecting and authorizing the users who will develop systems. Not (b) because competitive pressures for enhanced functions in systems may affect the efficiency and effectiveness of the developed functions but do not in themselves weaken access controls in the system. Answer (c) is correct. Greater on-line access to information systems creates the risk of increased unauthorized access to systems, which can be mitigated by authenticating transactions for authorized users. Not (d) because growing organizational reliance on information systems is controlled by increased attention to validating the development phases.

mm. CIA May 94 I.65 Correct Answer is (C) Not (a) because data file backups are critical to reconstructing lost files. Not (b) because the controls over hardware and software failures may prevent or minimize the effects of a system failure. Answer (c) is correct. Encryption is the process of coding data before transmission and decoding it after transmission. Thus, encryption is a communication control for security; it is not related to backup and recovery. Not (d) because responsibilities for backup and recovery should be fully described in up-to-date documents and manuals.

nn. CIA May 95 III.76 Correct Answer is (C) Not (a) because parallel testing is done when using the parallel conversion method in systems development: the new and existing systems run concurrently for a period of time, and the results of both systems are then compared. Not (b) because an integrated test facility (ITF) is a computer-aided audit technique in which fictitious entities are integrated into the company's master files and test data is processed to validate the processing. Answer (c) is correct. Performance monitoring is the systematic measurement and evaluation of operating results such as transaction rates, response times, and the incidence of error conditions. Performance monitoring will reveal trends in capacity usage, so that capacity can be upgraded before response deteriorates to the point that users behave in unintended or undesirable ways. Not (d) because program code comparison software enables detection of unauthorized changes in programs, but such software cannot detect deteriorating response time.

oo. CIA May 95 III.78 Correct Answer is (C) Not (a) because, to the extent the system incorporates components from external parties, the company is dependent on them. Not (b) because having an accurate inventory of hardware, software, and communications components and an accurate record of changes in the components would make timely installation of new components easier but would not guarantee it. Answer (c) is correct. Lack of adequate inventories of network, hardware, and software components, and lack of records of changes in components, increase the difficulty of isolating faults in any part of the system. There may be subtle differences between components or between successive versions of the same component that lead to incompatibilities that cause failures. Not (d) because having an accurate inventory of hardware, software, and communications components and an accurate record of changes in the components may be helpful in maintaining system availability, but availability depends on the appropriateness of the configuration and on the ability of service personnel to keep the system running.

pp. CIA May 96 III.52 Correct Answer is (A) Answer (a) is correct.
The pressure on the department store company to be competitive is so great that there may be a significant risk that applications software could be incomplete, inadequately tested, or unauthorized. Not (b) because, on the contrary, management has stated its intention to install the network, salespeople have been asking for features that the network could provide, and the planning committee has identified many potential applications. Not (c) because these types of violations do not occur with in-house development. Not (d) because, given the standard nature of the network, it is unlikely that the company would be unable to obtain needed components from vendors as usage increases.

qq. CIA May 96 III.53 Correct Answer is (D) Not (a) because reserving all system functions for salespeople would restrict access more than is required for adequate security and would hinder use of the system for maximum benefit. Not (b) and not (c) because customers should not have update privileges, to prevent them from corrupting data files, intentionally or accidentally. Answer (d) is correct. Customers with read privileges can examine the gift registry lists to make their selections, and salespeople can update the gift registry with actual purchases.

rr. CIA May 96 III.54 Correct Answer is (D) Not (a) because salespeople are already asking for network features to help them do their jobs, so they are unlikely to be reluctant to use the system. Not (b) because the required features are typical of networks and its overall size makes it a mid-range system; the network should not require expensive non-standard components. Not (c) because customers are used to companies managing inventory with computer systems that follow the best supply practices. Answer (d) is correct. Given the company's lack of experience with networks, a significant risk is that the network operating costs may not be fully projected. The result is that the company may incur unanticipated costs after the network is installed.

ss. CIA May 96 III.55 Correct Answer is (B) Not (a) because a local area network (LAN) is generally limited to short distances, e.g., a 2,000-foot radius around the servers. Answer (b) is correct. Wide area networks (WANs) connect system users who are geographically dispersed, through public telecommunication facilities. A WAN is the best kind of network because it can connect many sites located across a broad geographical area. Not (c) because a value-added network (VAN) is, in general, more expensive than a private network such as a WAN for high-volume communications. Not (d) because a private branch exchange (PBX) is an electronic switch that transfers voice and data within a local site; it does not have the network capabilities needed by the company.

tt. CIA May 96 III.56 Correct Answer is (C) Not (a) because in a leased-line network there are no phone numbers. Not (b) because in a leased-line network there are no phone numbers and hence no ports with tone devices for incoming calls. Answer (c) is correct. If the company installs a leased-line network, it should ensure that the transmission facilities on its premises are secure. A leased line is more secure than a public switched line, and the security issue that remains is physically securing the transmission facilities. Not (d) because reducing the time during which unauthorized people could potentially gain access to the system, by limiting network availability to certain times of day, is a control associated with public switched lines, not leased lines.

uu. CIA May 96 III.60 Correct Answer is (A) Answer (a) is correct. The company should have access to the business-related e-mail that is left behind. Access to e-mail can also be critical in business or possible criminal investigations. The privacy concerns of the individual may be outweighed by compelling business interests. Not (b) because encryption helps prevent eavesdropping by unauthorized persons trying to compromise e-mail messages. Not (c) because limiting the number of electronic mail packages adopted by the organization is an appropriate element of the new policy on electronic mail. Such standards simplify the job of managing e-mail messages and reduce the number of administrators who can access them. Not (d) because this is an appropriate privacy control technique, given the inherent weaknesses in e-mail security.

vv. CIA May 97 III.39 Correct Answer is (B) Not (a) because messages on the Internet are not encrypted by default; the sender and receiver are responsible for encrypting confidential information. Answer (b) is correct. Access should be limited to those whose activities necessitate access to the computer system. Moreover, the degree of access allowed should be consistent with an individual's responsibilities. Restricting access to particular individuals rather than to groups or departments clearly establishes specific accountability. Not everyone in a group will need access, or the same degree of access. Thus, passwords assigned to individuals should be required for identification of users by the system. Passwords are especially effective against the casual intruder. Not (c) because if someone gains access to the server, he or she can download the file of messages and read them without ever touching a security log.
Not (d) because the statements, 6All messages on the #nternet are encrypted thereby providing enhanced security6 and 6#f someone gains supervisory-level access to the file server containing electronic messages, he or she could still not gain access to the file containing electronic mail messages without decrypting the security control log6 are false. . /001 2owers 3esources 4orporation5. All rights reserved +, B-7! Powers CIA Review ww.CIA Nov 9+ III.17 Correct Answer is ()) Not (a) because, improvements in automated control techni&ues follow from the development of information technology. Not (b) because, improvements in automated control techni&ues follow from the development of information technology. Not (c) because data encryption standards are a response to the increase in the use of telecommunications technology as a whole. Answer (d) is correct. ;. 4orrect - 4ompetition has been a strong motivator in the financial services industry in the development of 8'! systems. /. 4orrect - :aintaining costs in a highly competitive industry can be aided by leveraging information technology. 7. 4orrect - Advances in information technology, especially telecommunications technology have made 8'! systems possible. 1. #ncorrect - #mprovements in automated control techni&ues have been the result of industry ta$ing advantage of the trends that have influenced the development of information technology. E. E. #ncorrect - (ata encryption standards have been in response to the increase in the use of telecommunications technology. ... CIA May 9! III.!4 Correct Answer is (C) Not (a) because unauthorized access and activity is a maor ris$ factor, inherent to electronic funds transfer (8'!). Not (b) because duplicate transaction processing is another inherent ris$ factor in 8'!. Answer (c) is correct. 8lectronic 'unds !ransfer (8'!) is the e%change of funds via telecommunication devices. 
'unds are transferred electronically between two accounts without the actual e%change or manual deposit. (ue to the nature of transactions described, 8'! systems re&uire high level of security and control. #n addition, per transaction costs are lower with electronic funds transfer since the electronic process of transferring funds replaces the manual process. Not (d) because inade&uate bac$up and recovery capabilities is a critical ris$ factor in 8'!. yy. CIA May 9+ III.+1 Correct Answer is ()) Not (a) because physical access controls over the data center are important to restrict physical access to authorized people? however, poor physical access controls are secondary e%posure for compromise of remote data communications lines. Not (b) because, e%posures from networ$ viruses can be minimized through the implementation of 6safe computing practices6 such as where to buy software or have logical +, B-77 . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review access controls on the system. Not (c) because poor system documentation is a secondary e%posure thus causing inconvenience to system users and maintainers. Answer (d) is correct. @eased telephone circuits represent a direct e%posure to breaching data integrity since it represents the use of public lines that can be easily identified and tapped and thus re&uires that ade&uate security measures be adopted. //. CIA Nov 9! III.!+ Correct Answer is (B) Not (a) because, improper change controls procedures, insufficient online edit chec$s procedures, and inade&uate bac$ups and disaster recovery procedures are all ris$s that are common to all types of #nformation !echnology environments. Answer (b) is correct. 9nauthorized access is a ris$ that is higher in an 8'! environment than in other #nformation !echnology environments. #f unauthorized people were able to access 8'! systems they could cause serious financial losses to institutions that use the 8'! system. 
Not (c) because improper change controls procedures, insufficient online edit chec$s procedures, and inade&uate bac$ups and disaster recovery procedures are all ris$s that are common to all types of #nformation !echnology environments. Not (d) because improper change controls procedures, insufficient online edit chec$s procedures, and inade&uate bac$ups and disaster recovery procedures are all ris$s that are common to all types of #nformation !echnology environments. aaa. CIA Nov 9+ III.50 Correct Answer is (C) Not (a) because, this cycle time (/; days) does not include reductions possible by using electronic data interchange (8(#) to eliminate mail time (7 days) and supplier process time (;1 days). Not (b) because this cycle time (;F days) does not include reductions possible by using 8(# to eliminate supplier process time (;1 days). Answer (c) is correct. 'our days is the minimum cycle time because physical delivery re&uires 1 days. !he other periods of time described for the manual purchase cycle time would be eliminated when the company fully implements electronic data interchange (8(#). #n 8(#, documents are electronically e%changed between the company (purchaser) and the supplier and data entry is eliminated. Not (d) because the cycle time cannot be reduced below the delivery time of 1 days with implementation of 8(# alone.G !ransportation that is more efficient would be re&uired. . /001 2owers 3esources 4orporation5. All rights reserved +, B-78 Powers CIA Review bbb. CIA Nov 9 III.+0 Correct Answer is ()) Not (a) because a re&uest for an airline reservation re&uires an on-line, real-time reservations system. Not (b) because withdrawal of cash from an automated teller is accomplished via on-line transactions to copies of master files. Not (c) because the transfer of summary data to head&uarters may be accomplished with point-to-point communications, $nown as distributed computing. Answer (d) is correct. 
2lacement of order entry transactions from a customer to its supplier is an accepted use of electronic data interchange between trading partners. #n 8(#, documents are electronically e%changed between the purchaser and the supplier and data entry is eliminated and inventory ordering and carrying costs will be reduced. ccc. CIA May 9+ III.+8 Correct Answer is (A) Answer (a) is correct. 8lectronic data interchange (8(#) for business documents between unrelated parties has the potential to increase the ris$ of unauthorized third-party access to systems because more outsiders will have access to internal systems. Not (b) because systematic programming errors are the result of mis-specification of re&uirements or lac$ of correspondence between specifications and programs. Not (c) because inade&uate $nowledge bases are a function of lac$ of care in building them. Not (d) because one of the benefits of 8(# is to improve the efficiency and effectiveness of system use. ddd. CIA May 9+ III.59 Correct Answer is ()) Not (a) because the first is not 8(# since it is not computer-to-computer. Not (b) because the second is not <@3! since processing does not ta$e place, only communication. Not (c) because the first is <@3!, the second 8(#. Answer (d) is correct. <@3! systems are used when time is of the essence. #nventory availability and good credit status are important to process a customer"s order at the catalog sales firm where orders are made by phone. <nce inventory and credit are chec$ed, the order can be processed (if inventory is available and the customer still has credit available to use). #n 8(#, documents are electronically e%changed between the purchaser and the supplier and data entry is eliminated. !he second application uses 8(# since the production schedule and parts orders are sent electronically to the supplier by the manufacturer*s (purchaser) computer. eee. CIA Nov 9+ III.45 Correct Answer is (A) Answer (a) is correct. 
Before sending or receiving electronic data interchange (8(#) messages with its customers and suppliers, the company should e%ecute a trading partner agreement with its customers and suppliers so that all parties understand their responsibilities, the messages each will initiate, and how they will interpret the messages. Not (b) because the company may intend to reduce inventory levels, but that is unrelated to the timing of sending or receiving electronic data interchange (8(#) messages. Not (c) because the company may want to demand or encourage all its customers and suppliers to implement electronic data interchange (8(#) capabilities, but that is independent to sending and receiving messages to customers and suppliers. Not (d) because, it is not possible to evaluate the effectiveness of electronic data interchange (8(#) transmissions until after they occur. +, B-79 . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review """. CIA Nov 9+ III.4! Correct Answer is (B) Not (a) because the company and its customers may get their 8(#-related software from the same vendor but still have software incompatibility problems if they do not synchronize their installation of updated versions. Answer (b) is correct. #f the company and its customers will agree to synchronize their updating of electronic data interchange (8(#)- related software, then they will minimize the li$elihood of unrecognizable or unintelligible messages due to software incompatibilities. #n fact, one of the maor features of an 8(# is to have data transmitted between the parties in a standard format to facilitate processing and ma$e the use of 8(# effective. !he data is then translated by using an 8(#-related software to ma$e it in an intelligible form for other parties. !hus, the best approach for minimizing the li$elihood of software incompatibilities is to have the company and its customers agree to synchronize their updating of 8(#-related software. 
Not (c) because as business re&uirements change, it may not be possible to use the same software in the same ways indefinitely. Not (d) because even if the company and its customers each write their own version of the electronic data interchange (8(#)-related software, there will be synchronization problems with updates. ###. CIA Nov 9+ III.47 Correct Answer is ()) Not (a) because, if the company developed its own software, internal audit would be responsible for evaluating that the software was developed in a controlled environment. Not (b) because if the company developed and maintained its own software, internal audit would be responsible for evaluating that the software is bac$ed up ade&uately to permit recovery in the event of a system failure. Not (c) because, if the company purchased, leased, or paid for the use of the software, internal audit would be responsible for evaluating that the software was ac&uired with legal counsel review of contract terms. Answer (d) is correct. 3egardless of whether the company develops, buys, leases, or pays for the use of the software for electronic data interchange (8(#), internal audit should be responsible for evaluating that the applications meet business obectives. . /001 2owers 3esources 4orporation5. All rights reserved +, B-80 Powers CIA Review $$$. CIA Nov 9+ III.49 Correct Answer is (A) Answer (a) is correct. #f the company gave the supplier more information about use of the materials, the supplier could plan its production better so that it could reduce its inventory of the materials and then reduce the price of the materials to be able to charge a lower price. Not (b) because the company could demand that the supplier reduce the prices of the materials, but the supplier could then decline to supply them. 
Not (c) because, the company could attempt to find another supplier to replace the one charging higher prices, but since the materials are special, other suppliers would probably charge higher prices for the same reasons the original supplier did. Not (d) because if the special materials are needed in the primary product line, it is unli$ely that the company would discontinue it before investigating other alternative, e.g., wor$ing with the supplier to help the supplier manage its inventory. iii. CIA Nov 9+ III.51 Correct Answer is (A) Answer (a) is correct. #f implementing electronic data interchange (8(#) with suppliers permitted more fre&uent orders and more fre&uent communication about them, the company could reduce ordering and carrying costs of inventory. 'or e%ample, inventory carrying costs would be reduced by reducing raw materials inventory. Not (b) because the company could ensure that it always maintained the /E-day buffer stoc$, but there would be no reason to do so if it could ensure more reliable deliveries by ordering more fre&uently. Not (c) because trac$ing materials through production is not an e%ample of electronic data interchange (8(#), which is inter-company e%change of business information. Not (d) because scheduling production is not an e%ample of electronic data interchange (8(#), which is inter-company e%change of business information. %%%. CIA Nov 9+ III.5+ Correct Answer is (A) Answer (a) is correct. Sending the supplier the re&uested data daily via 8(# would permit the supplier to smooth its production and thus +, B-81 . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review let it hold down its costs. Not (b) because sending the supplier usage data via wee$ly reports is not the most effective response. :a$ing daily data available is more effective since it allows for updates that are more fre&uent. Not (c) because sending the supplier usage data via monthly production reports is not the most effective response. 
:a$ing daily data available is more effective since it allows for updates that are more fre&uent. Not (d) because sending the supplier no data at all (since it is confidential) will probably lead to the supplier increasing its prices to the company in order for the supplier to assume the increased ris$ entailed by having to be more responsive to the company"s orders, i.e., the supplier assumes the cost of the inventory the company no longer maintains. &&&. CIA May 94 III.! Correct Answer is (C) Not (a) because 8-mail can send te%t or document files, but the term encompasses a wide range of transfers. 8lectronic (ata #nterchange (8(#) specifically applies to the system described in the &uestion. Not (b) because electronic 'unds !ransfer (8'!) refers to the transfer of money. 8lectronic (ata #nterchange (8(#) specifically applies to the system described in the &uestion Answer (c) is correct. 8lectronic data interchange (8(#) refers to the electronic transfer of documents between businesses and between customers and suppliers. #n 8(#, documents are electronically e%changed between the purchaser and the supplier and data entry is eliminated and inventory ordering and carrying costs will be reduced. Not (d) because 8lectronic (ata 2rocessing (8(2) is a generic term that refers to computerized processing of transaction data within organizations. '''. CIA May 9! III.57 Correct Answer is (B) Not (a) because 8(# transmits document data, not the actual document. Answer (b) is correct. #n 8(# documents are electronically e%changed between the purchaser and the supplier and data entry is eliminated and inventory ordering and carrying costs will be reduced. #n addition, improved business relationships with trading partners is also a benefit of 8(# because of increased communication, reduction in costs (for both supplier and customer), shorter lead time etc. Not (c) because liability issues related to protection of proprietary business data are a maor legal implication of 8(#. 
Not (d) because 8(# bac$up and contingency planning re&uirements are not diminished. (((. CIA May 9! III.59 Correct Answer is ()) Not (a) because #tem # is incorrect. 9sing a third party service provider-does not mean encryption is utilized. Not (b) because #tem # is incorrect. 9sing a third party service provider-does not mean encryption is utilized. Not (c) because #tem ### is incorrect. 2ublic switched data networ$s are not directly related to 8(# applications . /001 2owers 3esources 4orporation5. All rights reserved +, B-8 Powers CIA Review Answer (d) is correct. #tem ## is correct. (etermination whether an independent review of the third party service provider has been performed (and appropriate follow-up) is re&uired. #tem #A is correct. 3eviewing the third part provider"s contract is an appropriate audit step. #tem # is incorrect. 9sing a third party service provider-does not mean encryption is utilized. #tem ### is incorrect. 2ublic switched data networ$s are not directly related to 8(# applications. nnn. CIA May 97 III.51 Correct Answer is (A) Answer (a) is correct. :ar$ed benefits come about when 8(# is tied to strategic efforts that alter, not mirror, previous practices. Applying 8(# to an inefficient process results in the ability to continue doing things incorrectly. !hus, successful 8(# implementation must begin with planning and analyzing the wor$ processes and flows that support the organization"s goals. Not (b) because, the prere&uisite for 8(# success is an understanding of the mission of the business and the processes and flows that support its goals, followed by cooperation with e%ternal partners. +ardware concerns come secondly. Not (c) because before applying 8(# technology to the business, 8(# must be viewed as part of an overall integrated solution to organizational re&uirements. Not (d) because 8(# is not a solution by itself. 
#nstead of thin$ing about how to send and receive transactions bac$ and forth, a company should first thin$ about the entire process from both ends. ooo. CIA May 91 III.50 Correct Answer is ()) Not (a) because the procedure described is considered acceptable. 8ncrypted passwords further decrease the li$elihood of unauthorized access. Not (b) because message se&uencing detects unauthorized access by numbering each message and incrementing each message by one more than the last one sent. Such a system detects when a gap or duplicate has occurred. Not (c) because allowing certain types of transactions (such as payroll transactions) to be made only at specific terminals minimizes the li$elihood of unauthorized access. Answer (d) is correct. !he system should employ automatic dial-bac$ to prevent intrusion by unauthorized parties. Such a system accepts an incoming modem call, disconnects, and automatically dials bac$ a prearranged number to establish a permanent connection for data transfer or in&uiry. +, B-8+ . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review ***. CIA May 94 III.18 Correct Answer is (A) Answer (a) is correct. !he customer*s account number, name, and unused credit balance should be downloaded to the microcomputer. !he name should be displayed when the account number is input to provide a control chec$. !he system then should show the amount available for a credit purchase. !he user should not be re&uired to calculate an amount that could be done by the computer. Not (b) because current customer balance is not needed as the system shows the amount of available for a credit purchase and the sales department can ma$e credit chec$s before processing an order. Also the customer name is an important control since a wrong, but valid, account number might be entered Not (c) because the customer name is an important control since a wrong, but valid, account number might be entered. 
Not (d) because unused credit balance is more important than the current customer balance for credit chec$s. ,,,. CIA May 94 III.19 Correct Answer is (C) Not (a) because the sales department is creating an informal system to ma$e up for a system deficiency. !here is a ris$ that it may rely on the previous day"s file and the credit information would be outdated. Not (b) because the sales department is capturing data at the beginning of the day. !here is a ris$ that customers would e%ceed their credit limit if multiple orders were submitted on the same day. Answer (c) is correct. Bac$ups of transaction data are necessary for security and to safeguard data and provide control. +owever, in this situation the user file does not contain transaction data and a bac$up would li$ely duplicate data contained elsewhere. #t is highly probable that the main system has a history file with the day"s beginning balances that could be accessed if needed. !here is a higher degree of ris$ associated with using outdated data or manipulated data. Not (d) because there is a ris$ that the sales department could alter the contents of the file and allow customers to e%ceed their credit limit. . /001 2owers 3esources 4orporation5. All rights reserved +, B-84 Powers CIA Review rrr. CIA Nov 9+ III.4+ Correct answer is (A) Answer (a) is correct. #f the company ac$nowledges messages initiated e%ternally, then the alleged sender would have the opportunity to recognize that it had not sent the message and could notify the company of the potential forgery. Not (b) because permitting only authorized employees to have access to transmission facilities controls for unauthorized access to the facilities but would not detect forged 8(# messages. Not (c) because delaying action on orders until a second order is received for the same goods defeats the purpose of using 8(#, namely, rapid communication followed by rapid response. 
Not (d) because writing all incoming messages to a write-once)read -many device is a good practice, but it will not detect forgeries. sss. CIA Nov 9! III.70 Correct Answer is ()) Not (a) because the ob of end users is to conduct the business of the organization, not to be the interface between the #S group and the rest of the organization. Not (b) because the application programmer"s ob is to convert information re&uirements specifications into new application systems. Not (c) because the maintenance programmer"s ob is to modify e%isting programs in response to authorized changes in program functions. Answer (d) is correct. !he systems analysts are the principal liaison between the #S group and the rest of an organization because the analyst"s ob is to translate business problems and re&uirements into information re&uirements and systems. ttt. CIA May 90 III.+0 Correct Answer is (B) Not (a) because system programs are those that provide the interface with the computer for the e%ecution of application programs. Answer (b) is correct. Application programs are user programs that perform specific tas$s for the users. An e%ample of application programs is inventory control application program. Not (c) because utility programs are part of system programs which perform common tas$s such as sorting, merging, listing, etc. Not (d) because, an operating program is not a specific program type in #! terminology. System programs however, relate to the operating system whose main purpose is to control and coordinate the running of the computer and its many functions. !he <)S directs and assists the e%ecution of application programs. ---. CIA Nov 9+ III.+1 Correct Answer is (A) Answer (a) is correct. :anagement of the commercial lending department has the ultimate responsibility for data integrity and availability of its applications. !hus, the responsibility of bac$up) recovery of data files is that of management of the department. 
Not (b) because, the function of a central #S group analyst is to help develop applications for users. Not (c) because, the function of a central #S group programmer is to help develop applications for users. Not (d) because the function of an internal auditor is to assess the appropriateness of controls and not to operate those controls. vvv. CIA May 94 III.7 Correct Answer is (A) Answer (a) is correct. Access must be controlled to ensure integrity of documentation although 6read6 access should be provided to +, B-85 . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review other parties, as it is important for applications development and maintenance. !he database administrators are responsible for the administration of the organization*s database. !hus, adding and updating data elements into the data dictionary is one of a database administrator*s functions. Not (b) because a system programmer develops and maintains the system software and should not be able to access data dictionaries to add or update documentation items into them. Not (c) because a system librarian records, issues, receives, and safeguards all program and data files used by the organization. !he librarian should not be authorized or have the s$ills to add or update documentation items into data dictionaries. Not (d) because an application programmer develops the application software and should not be able to access data dictionaries to add or update documentation items into them. www. CIA May 95 III.79 Correct Answer is (C) Not (a) because if the only access permitted is read-only, then there could be no updating of database files. Not (b) because permitting catalog updating from privileged software would be a breach of security, which might permit unauthorized access. Answer (c) is correct. !he database administrator should ensure that database system features are in place to permit access only to authorized logical views. 
<ne security feature in database systems is their ability to let the (BA restrict access on a logical view basis for each user. Not (d) because updating of users" access profiles should be a function of a security officer, not the user. .... CIA Nov 95 III.++ Correct Answer is (A) Answer (a) is correct. #nade&uate testing is the most li$ely cause for the coding errors in the most comple% reports. #t is difficult to design a test that will satisfy all data criteria in a comple% environment. Not (b) because there may be inade&uate change control, but that is not the reason for errors in the most comple% reports. Not (c) because there may be inade&uate documentation, but that is not the reason for errors in the most comple% reports. Not (d) because there may be inade&uate access control, but that is not the reason for errors in the most comple% reports. yyy. CIA Nov 95 III.+4 Correct Answer is (B) Not (a) because, there may be inade&uate bac$ups, but that is not the cause of analysts reusing erroneous code. Answer (b) is correct. !he most li$ely cause of the reappearance of the same coding errors is inade&uate change control. #nade&uate change control is apt to lead to previously corrected errors recurring because the analysts were reusing erroneous code rather than corrected code. !he solution to the problem is . /001 2owers 3esources 4orporation5. All rights reserved +, B-8! Powers CIA Review better program change control procedures. Not (c) because there may be inade&uate access control, but that is not the cause of analyst*s reusing erroneous code. Not (d) because there may be inade&uate testing, but that is not the cause of analysts reusing erroneous code. ///.CIA May 9! III.4+ Correct Answer is (A) Answer (a) is correct. Segregation of incompatible duties in a computer environment is crucial. 9sers need access to production application data but should not have access to the programs. 
#n addition, application programmers should not have access to production data, systems software, and production application programs. Any update for application programs must be subect to proper control procedures. Not (b) as per the e%planation in (a) above. Not (c) as per the e%planation in (a) above. Not (d) as per the e%planation in (a) above. aaaa. CIA May 9! III.44 Correct Answer is (B) Not (a) because developing an information security policy is a duty properly assigned to an information security officer. Answer (b) is correct. !he information security officer should not even $now the user passwords. !hese are normally stored on a computer in encrypted format, and users change them directly. Not (c) because commenting on security controls in new applications is a duty properly assigned to an information security officer. Not (d) because monitoring and investigating unsuccessful access attempts is a duty properly assigned to an information security officer. bbbb. CIA May 9! III.45 Correct Answer is ()) Not (a) because application audits should be about the same difficulty with or without an ade&uately staffed help des$. Not (b) because preparation of documentation is a development function, not a help des$ function. Not (c) because the li$elihood of use of unauthorized program code is a function of change control, not a help des$. Answer (d) is correct. !he biggest ris$ in not having an ade&uately staffed help des$ is that users will un$nowingly persist in ma$ing errors in their interaction with the information systems. cccc. CIA Nov 9! III.49 Correct Answer is (B) Not (a) because a security administration deals with adding or deleting user to)from the system. Answer (b) is correct. 4hange control is the process of authorizing, developing, testing, and installing coded changes so as to minimize the impact on processing and the ris$ to the system. 
Not (c) because problem tracking is the process of collecting operational data about processes so that they can be analyzed for corrective action. Not (d) because problem escalation procedures are a means of categorizing problems or unusual circumstances so that the least skilled person who can address them does so.

dddd. CIA Nov 96 III.55 Correct Answer is (C) Not (a) because applications development is responsible for developing systems. After acceptance by users, developers typically cease having day-to-day contact with a system's users. Not (b) because the responsibility of systems programming is to implement and maintain system-level software such as operating systems, access control software, and database systems software. Answer (c) is correct. Help desks are usually a responsibility of computer operations because of the operational nature of their functions, e.g., assisting users with systems problems involving prioritization and obtaining technical support/vendor assistance. Not (d) because user departments typically do not have the expertise necessary to solve their own systems problems.

eeee. CIA May 97 III.73 Correct Answer is (A) Answer (a) is correct. In client/server environments, change control must also ensure synchronization of programs across the network so that each client and each server are running the same versions of the programs. In mainframe environments, there may be only one copy of the production system that is executed, so synchronization of programs is not required. Not (b) because emergency move procedures should be documented and followed in both mainframe and client/server environments. Not (c) because appropriate users should be involved in program change testing in both mainframe and client/server environments. Not (d) because movement from the test library to the production library should be controlled in both mainframe and client/server environments.
"""". CIA Nov 90 III.+7 Correct Answer is (B) Not (a) because operating systems direct and manage use of computer resources such as the 429 and peripheral devices. Answer (b) is correct. An application program, such as a payroll program, performs the processing functions that the users in an organizational unit need to complete their tas$s. Not (c) because a report generator is a program that accepts high-level coding statements and creates program code to e%ecute them. Not (d) because a utility program accepts commands, such as copying and sorting, from users and manipulates the designated files accordingly. . /001 2owers 3esources 4orporation5. All rights reserved +, B-88 Powers CIA Review ####. CIA May 91 III.+1 Correct Answer is (A) Answer (a) is correct. (isplay screen layouts, interactive dialogues, and processing interact with program generators to generate applications based on specifications included in the layouts, dialogues and processing to be performed. Not (b) because detailed coding is not re&uired for operation of a program generator to produce an application. Not (c) because statistical sampling parameters are not re&uired for program generators. Not (d) because control sensors measure a character or condition as part of a control feedbac$ system and do not pertain to program generators. $$$$. CIA May 9 I.+ Correct Answer is ()) Not (a) because asynchronous modems handle data streams from peripheral devices to a central processor. Not (b) because, authentication techni&ues confirm that valid users have access to the system. Not (c) because, call bac$ techni&ues are used to ensure incoming calls are from authorized locations. Answer (d) is correct. 4ryptographic devices protect (encrypt) data to be transmitted over communication lines. A $ey notarization can be used in conunction with a cryptographic device to provide increased data security. Hey management involves the secure generation, distribution, and storage of cryptographic $eys. iiii. 
CIA May 94 III.13 Correct Answer is (A) Answer (a) is correct. Various factors need to be considered. Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored. Although LANs may need encryption protection, the type of data and the described communication media make the other options appear more vulnerable. Not (b) because when wire transfers are made between banks, encryption is most likely to be utilized. Not (c) because when confidential data are sent by satellite transmission, encryption is most likely to be utilized. Not (d) because when financial data are sent over dedicated leased lines, encryption is most likely to be utilized.

jjjj. CIA May 96 III.47 Correct Answer is (A) Answer (a) is correct. Encryption is the best means of ensuring the confidentiality of satellite transmissions because even if an unauthorized individual recorded the transmissions, they would not be intelligible until decoded in the correct way. Not (b) because access control applies to gaining entrance to the application systems, not to the format of transmissions. Not (c) because monitoring software is designed to monitor performance (human or machine) for specified functions such as number of tasks performed or capacity utilized. Not (d) because cyclic redundancy checks are complex computations performed with the data bits and the check bits in data transmissions to ensure the integrity, but not the confidentiality, of the data.

kkkk. CIA May 96 III.48 Correct Answer is (C) Not (a) because encrypting transmissions from the stores would increase the difficulty of eavesdropping on the transmissions but would not deter someone from entering bogus transactions. Not (b) because requiring change control for programs ensures that program changes are authorized, tested, and documented. Answer (c) is correct.
Enforcing password control procedures would make it more difficult for an unauthorized person, such as a competitor intending to disrupt the distribution patterns, to gain prolonged entry. Not (d) because encouraging store employees to report suspicious activity is a good practice, but such activity might go undetected.

llll. CIA May 96 III.49 Correct Answer is (C) Not (a) because access control ensures that only authorized persons have access to specific information resources or categories of resources, but it is not enough by itself to ensure the integrity of application software. Not (b) because audit trails permit audits of transaction updates to data files, not programs. Answer (c) is correct. The best way to ensure the integrity of the application software is change control for the inventory software. Change control is the set of procedures that ensure that only authorized, tested changes to programs are run in production. Not (d) because monitoring software is designed to monitor performance (human or machine) for specified functions such as number of tasks performed or capacity utilized.

mmmm. CIA May 93 I.4 Correct Answer is (C) Not (a) because a proof calculation is the use of a predefined algorithm performed on the information in a telecommunications transmission to verify that no transmission errors occurred. Not (b) because check-digit verification is used to control the accuracy of input of reference numbers but would not deny access to an inactive but valid account. Answer (c) is correct. The master file will contain information about the status of bank accounts (i.e., active or inactive). By looking up the account numbers in the master file, the teller can verify that the account is active. Not (d) because a duplicate record check ensures that duplicate records are not processed.

nnnn.
CIA May 92 II.30 Correct Answer is (D) Not (a) because statistical sampling is most useful in estimating the size of a population (variables sampling) or the degree of error (attribute sampling). Specific identification of unreported duplicate payments is the problem here. Not (b) because desk checking the source code would detect a program error, but not the potential causes of duplicate payments. Not (c) because an integrated test facility is useful for passing test data through a production system, but it does not address the unreported duplicate payments problem. Answer (d) is correct. The primary use of generalized audit software is to select and summarize a client's records for additional testing. These packages permit the auditor to audit through the computer: to extract, compare, analyze, and summarize data and generate output for use in the audit. They allow the auditor to exploit the computer to examine many more records than otherwise possible with far greater speed and accuracy. Although generalized audit software requires the auditor to provide certain specifications about the particular client's records, EDP equipment, and file formats, a detailed knowledge of the client's system may be unnecessary because the audit package is designed to be used in many environments.

oooo. CIA Nov 92 I.36 Correct Answer is (A) Answer (a) is correct. Use of audit software to perform parallel simulation is an acceptable audit application. Parallel simulation (the audit model technique) involves duplicate processing of the client's data using a program developed by the auditor. The auditor's program simulates the logic of the client's application program. The auditor may thus enter data and compare simulated test results with those from the auditee's program.
Maintenance of parallel simulation programs may prove expensive because they must be updated to match changes in the client's system. Not (b) because use of an integrated test facility usually requires advance planning before a system is implemented. Installing an integrated test facility after the fact can be quite costly and time consuming. Not (c) because tagging and tracing is more difficult to employ than parallel simulation. Not (d) because mapping and program analysis require a strong programming background, something not available on this audit team.

pppp. CIA Nov 94 I.40 Correct Answer is (C) Not (a) because an integrated test facility involves the use of test data and also the creation of fictitious entities on master files. Not (b) because tracing provides a detailed listing of the sequence of program statement execution. Answer (c) is correct. Parallel simulation processes live transactions through an auditor-developed test program. The purpose is to simulate routine processing and verify the results. Not (d) because mapping is a procedure for reporting code usage within a program.

qqqq. CIA May 88 II.3 Correct Answer is (B) Not (a) because both input and processing controls are types of application controls. Answer (b) is correct. There are two categories of accounting controls present in a computerized system: general and application controls. General controls apply to the environment of the information system and all information systems actions. Application controls relate to specific jobs executed by the computer. They are designed to supply reasonable assurance that the recording, processing, and reporting functions are properly executed. Application controls are classified as input controls, processing controls, and output controls.
Input controls are designed to provide reasonable assurance that data acquired for processing have been properly authorized (approved by management), converted into machine-sensible form (verified and edited as to validity and completeness), and subsequently accounted for (controls to check whether data were lost in transmission). Not (c) because organization controls pertain to segregation of functions within the information systems department. Not (d) because general controls apply to the environment of the information system and are distinct from application controls.

rrrr. CIA Nov 88 II.35 Correct Answer is (A) Answer (a) is correct. Physical security of storage media is much easier and more effective if the media are in a central location. Each location is subject to various problems. Data transfer, format, and location require more control in a distributed system. Not (b) because access restrictions and custody controls are necessary in any environment. Not (c) because computer organizational standards are necessary to maintain computer compatibility, security, and efficient operating procedures. Not (d) because access restrictions are necessary on every computer system irrespective of the configuration.

ssss. CIA Nov 88 II.36 Correct Answer is (B) Not (a) because a check digit is used primarily to catch transpositions. Answer (b) is correct. All transactions and their record keeping should be authorized. A review should be made of all write-offs: inventory, receivables, fixed assets, etc. Also, warehouse employees having custody of inventory should not have authority to initiate or process entries to the inventory records. Not (c) because a parity check is a hardware control over the internal transfer of data. Not (d) because an edit check for validity would not catch an adjustment to a valid part number.

tttt.
CIA May 89 I.4 Correct Answer is (D) Not (a) because the batch total check simply assures that items have not been lost. Not (b) because an edit test at the time of online data entry will detect the problem earlier than a check made during the later batch-processing run. Not (c) because an edit test at the time of online data entry will detect the problem earlier than a check made during the later batch-processing run. Answer (d) is correct. If online data entry is used, edit tests (programmed checks) to detect errors must be applied as each transaction is entered. For example, the vendor number in the transaction file should be matched (matching check) with the number in the vendor file. If the latter file has not yet been updated, this edit test will result in immediate detection of the discrepancy.

uuuu. CIA Nov 89 I.5 Correct Answer is (D) Not (a) because personal computer operations are decentralized and therefore customarily combine these functions out of necessity. Not (b) because these special security measures are more cost-justified in a mainframe system. Not (c) because programming by users is often necessary and sometimes a purpose of using decentralized, personal computer-based systems. Answer (d) is correct. In a personal computer environment, user training becomes still more important than in a centralized system because users may have to assume greater responsibilities. Thus, users may have to provide maintenance of the equipment and learn programming skills.

vvvv. CIA Nov 89 I.30 Correct Answer is (A) Answer (a) is correct. An overflow test is a programmed control that checks computational results and issues a warning if the result exceeds the capacity of the storage location, which would result in the loss of data. For example, if 4125 were stored as 412, the 5 lost on overflow would be discovered.
Not (b) because a range test determines whether the value of a data field falls outside prescribed limits. Not (c) because an existence (validity) check determines whether an entered code is one of a set of valid codes. Not (d) because a parity check adds the bits in a character or message and checks the sum to determine if it is odd or even, depending on whether the computer has odd or even parity. This check verifies that all data have been transferred without loss. For example, if the computer has even parity, a bit will be added to a binary-coded character or message that contains an odd number of bits. No bit is added if a character or message in binary form has an even number of bits.

wwww. CIA Nov 89 I.7 Correct Answer is (B) Not (a) because a data transmission check verifies only the accuracy of the communication. Answer (b) is correct. The use of external, header, and trailer labels should be enforced to ensure the proper access and protection of files. A header label is a machine-readable record at the beginning of a file that identifies the file. Software makes this check. A trailer label is a machine-readable label at the end of a file containing record counts and control totals. An external label is a human-readable identifying label affixed to the outside of a file holder, such as a magnetic tape file. Not (c) because this control (boundary protection) protects programs or data from interference (unauthorized reading and/or writing) caused by activity related to other programs or data stored on the same medium. Not (d) because access controls (passwords, etc.) prevent unauthorized access from remote locations, not authorized use by an operator.

xxxx. CIA Nov 89 I.8 Correct Answer is (C) Not (a) because the control group has this responsibility. Not (b) because these are specified in the backup and recovery plan. Answer (c) is correct. An important operating control is to establish a library to preclude misplacement or theft of storage media,
programs, and documentation. A librarian should perform this custodianship function and be appropriately accountable. The schedule of data processing activity provides authorization for release of files to operators and a consequent transfer of accountability. Not (d) because the control group has this responsibility.

yyyy. CIA Nov 89 I.9 Correct Answer is (D) Not (a) because hash totals, document counts, batch sequence checks, and computer matching test for completeness, not for accuracy of data. The term "dependency check" is apparently not meaningful in this context. A matching check compares a field (e.g., a customer number) on the master file with the matching field in a transaction record. Not (b) because hash totals, document counts, batch sequence checks, and computer matching test for completeness, not for accuracy of data. The term "dependency check" is apparently not meaningful in this context. A matching check compares a field (e.g., a customer number) on the master file with the matching field in a transaction record. Not (c) because hash totals, document counts, batch sequence checks, and computer matching test for completeness, not for accuracy of data. The term "dependency check" is apparently not meaningful in this context. A matching check compares a field (e.g., a customer number) on the master file with the matching field in a transaction record. Answer (d) is correct. A limit or reasonableness (range) check tests whether the value of a data field falls outside a prescribed range. The range may be stated in terms of an upper limit, a lower limit, or both. For example, a payroll record might be tested to determine if the number of hours worked exceeds 40 per week. A check digit (self-checking number) tests an identification number by recomputing a check digit in accordance with an established algorithm.
Key verification involves rekeying data (usually only critical fields) and comparing the results with the first keying operation. Hence, all these techniques control for data accuracy.

zzzz. CIA Nov 89 I.31 Correct Answer is (C) Not (a) because posting batch control totals is a means of accounting for (recording) all batches of transactions. Not (b) because source documents are used for input, not output. Answer (c) is correct. Critical output data should be physically isolated, e.g., in locked output bins. Moreover, the distribution of output should be in accordance with distribution registers that list designated users. The data control group should distribute output in a prompt manner to these users, and the distribution should be noted in the control log. Not (d) because destruction is not helpful if the company desires to retain the output.

aaaaa. CIA Nov 89 I.37 Correct Answer is (D) Not (a) because the limited capacity of main memory is not a risk. Not (b) because some personal computer manufacturers provide operating systems that can be used with any machine. Not (c) because purchase procedures do not relate to the use of personal computers. Answer (d) is correct. Security problems are intensified in a personal computer environment. The computers themselves are often small, portable, and located in areas of maximum accessibility. Hence, they are prone to theft, damage, and unauthorized use. They tend to use the main power supply, with the consequent potential for loss of data and harm to the equipment. A personal computer system may also not provide for the elaborate hardware and software controls found in larger systems, and organizational control through segregation of duties may not be feasible. For example, the same person may be able to access data, modify programs, and operate the equipment.
Consequently, security issues of all kinds may arise when personal computers are used, whether as stand-alones or as intelligent terminals.

bbbbb. CIA May 90 I.1 Correct Answer is (C) Not (a) because redundant calculation is a processing, not an input, control. Not (b) because the input itself was valid, so validity checking would not have detected the error. Answer (c) is correct. Explicit checking for data values, with error messages for unknown values, would have detected the biweekly employee pay requests and generated error messages rather than erroneous checks. Not (d) because checkpoint-restart processing permits the operator to restart a failed program without repeating the entire process.

ccccc. CIA Nov 89 II.5 Correct Answer is (D) Not (a) because systems development controls concern systems analysis, design, and implementation. Not (b) because hardware controls are incorporated into the equipment. Not (c) because application controls pertain to specific programs. They include input, processing, and output controls. Answer (d) is correct. Organizational control concerns the proper segregation of duties and responsibilities within the information systems department. For example, programmers should not have access to the equipment, and operators should not have programming ability. Although proper segregation is desirable, functions that would be considered incompatible if performed by a single individual in a manual activity are often performed through the use of an information systems program or series of programs. Therefore, compensating controls may be necessary, such as library controls, effective supervision, and rotation of personnel.

ddddd. CIA Nov 89 II.9 Correct Answer is (D) Not (a) because access controls perform this function. Not (b) because access controls perform this function. Not (c) because processing controls perform this function. Answer (d) is correct.
Input controls are designed to provide reasonable assurance that data received for information systems processing have been properly authorized and are in a form suitable for processing, i.e., complete, accurate, and valid. Input controls also include those that relate to rejection, correction, and resubmission of data that were initially incorrect.

eeeee. CIA Nov 89 II.30 Correct Answer is (B) Not (a) because an access control does not affect the validity, accuracy, and completeness of processing. Answer (b) is correct. A suspense file contains input records in which errors have been detected. The transaction file incorporates transactions flagged during the edit or master file updating run. This file is run against the suspense file so that the latter will include the new erroneous items. A listing of errors is printed out and corrections are made. The corrected transactions are then re-entered. When the transaction file is next run against the suspense file, the corrected items are removed. Reconciling the suspense file items is necessary to arrive at an accurate inventory balance. Not (c) because failing a reasonableness check is but one basis for including an item in the suspense file. Not (d) because this control concerns whether only timely data are processed.

fffff. CIA Nov 90 I.3 Correct Answer is (A) Answer (a) is correct. Online systems require physical controls over terminals and password protection. The latter is effected through the operating system or security software. Actual use of the system may require a hierarchy of passwords permitting only specified persons to access the system or specified programs and files. For example, certain persons may have read-only access to certain files, whereas other parties may have updating authority. Not (b) because sign-on sequences do not provide physical security. Not (c) because context-dependent security is access control based on the content of a sequence of database inquiries.
Not (d) because write-protection security is provided by the absence of a write-enable ring on tapes and the presence of a write-protect tab on floppy disks.

ggggg. CIA May 90 I.20 Correct Answer is (A) Answer (a) is correct. This separation is an organizational control. Organizational controls concern the proper segregation of duties and responsibilities within the information systems department. Although proper segregation is desirable, functions that would be considered incompatible if performed by a single individual in a manual activity are often performed through the use of an information systems program or series of programs. Thus, compensating controls may be necessary, such as library controls, effective supervision, and rotation of personnel. Segregating test programs makes concealment of unauthorized changes in production programs more difficult. Not (b) because physical security (e.g., climate control and restrictions on physical access) is another aspect of organizational control. Not (c) because input controls validate the completeness, accuracy, and appropriateness of input. Not (d) because concurrency controls manage situations in which two or more programs attempt to use a file or database at the same time.

hhhhh. CIA Nov 89 II.33 Correct Answer is (D) Not (a) because a limit or reasonableness test checks the values of data items against established limits. Not (b) because a limit or reasonableness test checks the values of data items against established limits. Not (c) because a check digit in a number is determined by applying an algorithm to the number. If the number has been miskeyed, the digit generated will differ from the check digit. Answer (d) is correct. A record count is simply a control total of the physical records (documents) involved in the run.
A hash total is a control total generated by adding the values found in a given field of each record in the batch. The total is a "hash" because the field chosen contains an identification number or other item whose sum is otherwise not meaningful. Missing transactions can be detected by either control.

iiiii. CIA May 90 I.2 Correct Answer is (D) Not (a) because check digit processing and master file lookups verify that employee numbers are valid. Not (b) because validity tests verify that only authorized employees are paid. Not (c) because hash totals are independent of calculations of payroll amounts. Answer (d) is correct. Calculation of a hash total is an input control. It assures that all the transactions that should have been applied to the master file were processed once but only once.

jjjjj. CIA May 90 II.20 Correct Answer is (B) Not (a) because memory protection prohibits programs from accessing memory outside their designated ranges. Answer (b) is correct. Parity checking adds the bits in a character or message and checks the sum to determine if it is odd or even, depending on whether the computer has odd or even parity. This check verifies that all data have been transferred without loss. For example, if the computer has even parity, a bit will be added to a binary-coded character or message that contains an odd number of bits. No bit is added if a character or message in binary form has an even number of bits. Not (c) because, for hardware, validity checking verifies that a machine-level instruction is a valid instruction; for applications, validity checking verifies that transaction data are complete, authorized, and reasonable. Not (d) because range checking verifies that input data values are within predetermined ranges.

kkkkk.
CIA Nov 90 I.33 Correct Answer is (D) Not (a) because agreement of a batch register or total gives assurance that the batch totals agree but does not identify the specific missing or duplicate transactions. Not (b) because agreement of a batch register or total gives assurance that the batch totals agree but does not identify the specific missing or duplicate transactions. Not (c) because batch sequence checks perform sequence checks within single batches only. Answer (d) is correct. In a cumulative sequence check, transaction table entries are flagged by sequence number when transactions are processed so that a record is created of the transactions processed. This record permits detection of attempted duplicate transactions and missing transactions.

lllll. CIA Nov 90 I.34 Correct Answer is (D) Not (a) because password security for access to the system permits all departmental employees access to all documents in the system. Not (b) because there are no floppy disks in this system. Not (c) because periodic server backup and storage in a secure area is a good security/backup procedure, but it would not prevent access to sensitive documents online. Answer (d) is correct. Different passwords may be required to access the system, to read certain files, and to perform certain other functions. Required entry of passwords for access to individual documents is the best single control over unauthorized access to sensitive documents in the system.

mmmmm. CIA Nov 90 I.35 Correct Answer is (A) Answer (a) is correct. Source code written in a higher-level language must be translated (compiled) into machine language statements that can be executed by the computer. Updating of executable program modules must be controlled by requiring proper authorization of changes in the source code. Only the authorized source code should then be used for updating the executable modules.
Not (b) because enforcing the use of separate development and production libraries is good practice, but it does not ensure that source code and executable modules correspond. Not (c) because requiring management authorization for source code changes ensures that source code changes are authorized but does not ensure correspondence between source versions and executable forms. Not (d) because installing access control procedures ensures control of source code libraries but does not ensure control over access to executable libraries.

nnnnn. CIA Nov 90 I.36 Correct Answer is (C) Not (a) because performing data matching of transactions and master file records ensures that the proper master file record is selected for updating but does not ensure that the record is actually updated. Not (b) because a self-checking number is a control over the accuracy of data transmission. Answer (c) is correct. A processing control that reconciles counts of sequence flags set and records updated would detect situations in which records were not updated. Not (d) because this procedure permits detection of duplicate updates but does not ensure that updates occur.

ooooo. CIA Nov 90 II.31 Correct Answer is (B) Not (a) because hardware controls have nothing to do with correct programming of operating system functions. Answer (b) is correct. Hardware controls such as parity checks, read-after-write checks, and echo checks are manufacturer-built-in controls to detect and control errors that arise from the use of automated equipment. The significance of hardware controls to internal auditors is that they assure the correct execution of machine instructions representing application systems. Without hardware controls, internal auditors would have no way of knowing whether hardware operated correctly. Not (c) because input controls, rather than hardware controls, reduce the incidence of user input errors in online systems.
Not (d) because control totals, rather than hardware controls, ensure that run-to-run totals in application systems are consistent. *****. CIA Nov 91 I.! Correct Answer is (C) Not (a) because determining the competence of information systems operating personnel is not the maor purpose of the evaluation Not (b) because due professional care should be e%ercised in all audits. Answer (c) is correct. #nternal auditors should review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information. #nformation systems provide data for decision-ma$ing, control, and compliance with e%ternal re&uirements. !hus, internal +, B-99 . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review auditors should e%amine information systems and, as appropriate, ascertain whether financial and operating records and reports contain accurate, reliable, timely, complete, and useful information, and controls over record $eeping and reporting are ade&uate and effective. Not (d) because becoming familiar with the company"s information system is a means to an end. ,,,,,. CIA May 91 I.+! Correct Answer is (C) Not (a) because programmed chec$s determine the potential accuracy of input data (e.g., a range chec$). Not (b) because batch control is used to ensure the completeness and accuracy of input and updating. Answer (c) is correct. Ceneral information system controls include organizational controls, such as a policy (an implementation control) that re&uires new programs and changes in programs (after ade&uate testing) to be formally approved before being put into operation (implemented). !his policy is reflected in the maintenance of approval and change sheets with appropriate authorizations. Not (d) because one-for-one chec$ing is a techni&ue used to chec$ individual documents for accuracy and completeness of data input or update. rrrrr. 
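The following is an added worked example, not part of the Powers CIA Review answer key, of the controls compared in Nov 90 I.33 and I.36. It builds a constructed two-batch day in which one transaction is lost and another is keyed a second time for the same amount, so the batch register still agrees; a sequence check confined to the second batch reports misleading gaps and never sees the duplicate, while a cumulative sequence check that carries a flag table across batches isolates the duplicate and the missing number, and also reconciles flags set against records actually updated. All transaction numbers, accounts and amounts are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    seq: int        # preassigned transaction sequence number
    account: str
    amount: float


def batch_totals(txns):
    """Record count and financial total, the figures written on a batch register."""
    return len(txns), round(sum(t.amount for t in txns), 2)


def batch_sequence_check(txns):
    """Sequence check confined to one batch: duplicates and gaps among that
    batch's own numbers only. It has no knowledge of earlier batches."""
    seqs = sorted(t.seq for t in txns)
    dups = sorted({s for s in seqs if seqs.count(s) > 1})
    gaps = [s for s in range(seqs[0], seqs[-1] + 1) if s not in seqs]
    return dups, gaps


class CumulativeSequenceCheck:
    """Flag table that persists across batches: the 'transaction table entries
    flagged by sequence number' of Nov 90 I.33."""

    def __init__(self, first_seq, last_seq):
        self.first, self.last = first_seq, last_seq
        self.flags = set()        # sequence numbers already processed
        self.duplicates = []      # attempted re-processing of a flagged number
        self.records_updated = 0  # for the Nov 90 I.36 reconciliation

    def process(self, txn, master):
        """Post one transaction; reject it if its number is already flagged."""
        if txn.seq in self.flags:
            self.duplicates.append(txn.seq)
            return False
        self.flags.add(txn.seq)
        if txn.account in master:           # a master-file update can silently fail
            master[txn.account] += txn.amount
            self.records_updated += 1
        return True

    def missing(self):
        """Numbers in the assigned range that were never processed."""
        return [s for s in range(self.first, self.last + 1) if s not in self.flags]

    def reconcile(self):
        """Nov 90 I.36: count of sequence flags set vs. records actually updated."""
        return len(self.flags), self.records_updated


# Constructed data: batch A posts cleanly. In batch B, txn 1007 was lost and
# 1002 was keyed a second time for the same 250.00, so count and total agree.
BATCH_A = [Txn(1001, "A", 100.0), Txn(1002, "B", 250.0),
           Txn(1003, "C", 150.0), Txn(1004, "A", 500.0)]
BATCH_B_REGISTER = [Txn(1005, "B", 75.0), Txn(1006, "Z", 300.0),
                    Txn(1007, "C", 250.0), Txn(1008, "A", 125.0)]
BATCH_B_PROCESSED = [Txn(1005, "B", 75.0), Txn(1006, "Z", 300.0),
                     Txn(1002, "B", 250.0), Txn(1008, "A", 125.0)]


def run_day():
    """Return what each control reports for the constructed day."""
    master = {"A": 0.0, "B": 0.0, "C": 0.0}   # account Z does not exist
    check = CumulativeSequenceCheck(1001, 1008)
    for txn in BATCH_A + BATCH_B_PROCESSED:
        check.process(txn, master)
    return {
        "register_vs_processed": batch_totals(BATCH_B_REGISTER) == batch_totals(BATCH_B_PROCESSED),
        "batch_check": batch_sequence_check(BATCH_B_PROCESSED),
        "cumulative_duplicates": check.duplicates,
        "cumulative_missing": check.missing(),
        "flags_vs_updates": check.reconcile(),
    }


if __name__ == "__main__":
    for name, result in run_day().items():
        print(f"{name}: {result}")
```

The batch register agrees (4 records, 750.00) even though the batch is wrong; the within-batch check lists 1003 and 1004 as gaps although they were posted in batch A and says nothing about 1002; the cumulative check reports exactly one duplicate (1002) and one missing number (1007), and its reconciliation shows 7 flags set against 6 records updated because account Z had no master record.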
CIA May 91 I.38 Correct Answer is (D). Not (a) because key verification ensures the accuracy of selected fields by requiring a different individual to re-key them. Not (b) because sequence checks are used to ensure the completeness of input or update data by checking the use of preassigned document serial numbers. Not (c) because computer matching entails checking selected fields on input data against information held in a suspense or master file. Answer (d) is correct. To prevent unauthorized access to computer files, lists of authorized persons can be maintained in the computer. The entry of passwords or identification numbers, a prearranged set of personal questions, and the use of badges, magnetic cards, or optically scanned cards may be combined to avoid unauthorized access. Moreover, a device authorization table may restrict file access to those physical devices that should logically need access, even when a valid password is used.

CIA May 91 I.39 Correct Answer is (B). Not (a) because the system log is a file showing details of all activity during processing that can be used to investigate unusual activity, such as hardware malfunctions, reruns, and abnormal endings. Answer (b) is correct. The advent of cheaper, smaller, and more powerful computers has permitted the development of a somewhat different alternative to centralization or decentralization: distributed data processing. In a distributed data processing system, the organization's processing needs are examined in their totality. The decision is not whether an application should be done centrally or locally, but rather which parts of the application are better performed by small local computers acting as intelligent terminals, and which parts are better performed at some other, possibly centralized, site. In essence, the best distribution of processing tasks within application areas is sought. The key distinction between decentralized and distributed systems is the interconnection among the nodes (sites) in the latter kind of network. The capability to continue processing at all sites except a nonfunctioning one is called fail-soft protection, an advantage of distributed systems. Not (c) because backup procedures are intended to prevent the recovery process from introducing any erroneous changes into the system after a computer failure. Not (d) because data file security procedures are intended to prevent unauthorized changes to data files.

CIA May 91 I.41 Correct Answer is (A). Answer (a) is correct. Computer matching of fields, such as product code, supplier code, and quantity, assures agreement between goods received and goods invoiced. Not (b) because control totals do not identify specific item-by-item differences. Not (c) because batch totals only provide a total value for a field and do not allow for detailed matching. Not (d) because check digits only provide for validation of predefined account numbers.

CIA Nov 91 I.8 Correct Answer is (C). Not (a) because review of the use of restricted utilities is an important control over the activities of systems programmers, who have access to utility programs that is denied to others. Not (b) because reviewing attempted accesses is an important step in ensuring that access control is effective. Answer (c) is correct. Changes in the computer system should be subject to strict control procedures. For example, a written request for an applications program change should be made by a user department and authorized by a designated manager or committee. The program should then be redesigned using a working copy, not the version currently in use. Also, the systems documentation must be revised. The user, the internal auditor, and a systems employee who was not involved in designing the change should test the changes in the program. Approval of the documented change and of the results of testing should be given by a systems manager. The user may then accept the change and the test results. Not (d) because maintenance of backup master files is important in any system to ensure data integrity.

CIA Nov 91 I.30 Correct Answer is (D). Not (a) because, in this case, the batch totals would have agreed, and the error would not have been prevented. Not (b) because, in this case, the batch totals would have agreed, and the error would not have been prevented. Not (c) because in a batch sequence check only specific ranges are checked for duplicates within the batch. Thus, a batch sequence check would not have prevented this error. Answer (d) is correct. Testing for paid invoices, which assumes that invoice records are marked paid as checks are produced, would have detected the duplicate check requests and thus prevented the second set of checks from being produced.

CIA Nov 91 I.31 Correct Answer is (C). Not (a) because preassignment of authorization times for job execution is appropriate for production jobs run on a fixed schedule, but it would not have prevented this unauthorized access. Not (b) because periodic comparison of production program execution with authorized production schedules would neither prevent this unauthorized access nor detect it after the fact. Answer (c) is correct. Programmers design, write, test, and document the specific programs required by the system. To prevent wrongdoing, these functions should be segregated from production activities. Hence, programmers should have no access to production programs and data or to the equipment used in operations. Not (d) because logging does not prevent the copying of a program.

CIA Nov 91 I.9 Correct Answer is (C). Not (a) because the use of internal labels is intended to prevent misidentification of programs. Not (b) because control totals are used to assure that all transactions are processed. Answer (c) is correct. Library security controls include the organization and operation of a library to preclude misplacement, misuse, or theft of storage media, programs, and documentation. The librarian should maintain control over and accountability for these items. Not (d) because maintaining a duplicate set of programs insures against loss or destruction of the original programs.

CIA Nov 91 I.34 Correct Answer is (A). Answer (a) is correct. Application controls relate to specific tasks performed by personnel or programs. Their function is to provide reasonable assurance that the recording, processing, and reporting of data are performed properly. Application controls are of three types: input, processing, and output. An input control is designed to provide reasonable assurance that data received for processing have been properly authorized and converted to machine-sensible form. Self-checking digits may be used to detect incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During the input process, the check digit is recomputed by applying the same algorithm to the code actually entered. Not (b) because a check digit is an input control, not a file management control. Not (c) because a check digit is an input control, not an access control. Not (d) because a check digit is an input control, not an output control.

CIA May 92 I.31 Correct Answer is (D). Not (a) because the review of jobs processed will disclose access but not prevent it. Not (b) because comparison of production programs with controlled copies will detect changes but not prevent them. Not (c) because periodic running of test data will detect changes but not prevent them. Answer (d) is correct. When duties are separated, users cannot obtain a detailed knowledge of programs, and those developing or maintaining programs cannot gain unsupervised access to production programs. Organizational control is achieved in part through proper segregation of duties and responsibilities within the information systems function. For example, programmers should not have access to the equipment, and operators should not have programming ability. Although proper segregation is desirable, functions that would be considered incompatible if performed by a single individual in a manual activity are often performed through the use of a computer program or series of programs. Thus, compensating controls may be necessary, such as library controls, effective supervision, and rotation of personnel.

CIA May 92 I.33 Correct Answer is (B). Not (a) because batch totals require numerical control. Answer (b) is correct. Review of processing results by users is an important output control. One-for-one checking of input documents against a list of transactions processed is one aspect of the comparison of output with data input. Not (c) because computer sequence checks require that transactions be numbered. Not (d) because computer matching is performed under program control and not by the user.

CIA May 92 I.34 Correct Answer is (B). Not (a) because, although user submission of test data may detect invalid transactions and failure to process valid transactions, this technique would not be used consistently. Answer (b) is correct. An important detective control is user review of output. Users should be able to determine when output is incomplete or not reasonable, particularly when the user prepared the input. Thus, users as well as information systems personnel have a quality assurance function. Not (c) because controlled output distribution will not prevent or detect incorrect output. Not (d) because decollation of output is simply the separation of output copies.

CIA May 92 I.35 Correct Answer is (B). Not (a) because applications programmers are responsible for installing and customizing software and usually perform their duties outside the computer center. They should not have access to output. Answer (b) is correct. The information systems control group acts as liaison between the users and the processing center. This group records input data in a control log, follows the progress of processing, distributes output, and establishes control totals. It is also responsible for following up error reports and assuring that erroneous records are reprocessed. Not (c) because computer operators should not have access to output. Not (d) because review of output is performed by the control section and not directly by the data processing manager.

CIA May 92 I.36 Correct Answer is (C). Not (a) because supervisor-only authorization for transfers between the bank's customers would interfere with normal bank operations. Not (b) because overnight balancing of all accounts by the online teller system ensures that all parts of all transactions are accounted for but does not ensure that all transactions are authorized. Answer (c) is correct. Periodic examination of the accounts of employees with access to automated teller functions may detect unusual activity to and from employees' accounts. Not (d) because required vacations for employees with access to teller functions might expose a teller's actions to others' scrutiny but would not ensure detection, especially if the teller remedied any overdrafts before going on vacation.

CIA May 92 I.38 Correct Answer is (A). Answer (a) is correct. A logic error occurs in the fundamental interrelationships among the program's instructions. The spreadsheet logic was flawed in that it failed to apply discounts to all complementary product lines. Not (b) because the error is independent of the operation of hardware. Not (c) because there was no misentry of keystrokes in spreadsheet cells. Not (d) because cross footing is the independent summing of rows and columns and comparison of the results. No cross footing error occurred in the spreadsheet model.

CIA May 92 I.39 Correct Answer is (B). Not (a) because, although trained systems professionals are less likely to make logic errors, all significant spreadsheet models should be independently reviewed. Spreadsheet models are useful precisely because they can be prepared by users. Systems specialists may not be available to develop all the spreadsheet models that organizations need. Answer (b) is correct. Independent audit and testing of spreadsheet models by knowledgeable persons is the best approach for validating model logic and thus the integrity of a spreadsheet. Development of new programs or program changes should be initiated by users and authorized by an appropriate manager or committee. If changes are authorized, they should be made in a copy of the program. Programmers should not have access to the programs used in actual processing (production). The user, the internal auditor, and a systems employee independent of the programmer should then test the changes. The documentation must be amended to reflect the changes and the test results, a manager in the systems department should give formal approval, and the users should make a formal acceptance. Not (c) because specifying cross footing for all spreadsheet models would detect some spreadsheet logic errors, but not all of them. Cross footing would not have detected this error. Not (d) because enforcing documentation standards for multi-use spreadsheet models is a good practice for promoting correct use of spreadsheet models used repetitively but is unlikely to detect logic errors like this one.
CIA Nov 92 I.33 Correct Answer is (C). Not (a) because installing a logging system for program access would permit detection of unauthorized access but not prevent it. Not (b) because monitoring physical access to program library media would control only unauthorized physical access. Answer (c) is correct. An important operating control is to establish a library to preclude misplacement, misuse, or theft of data files, programs, and documentation. A librarian should perform this custodianship function and be appropriately accountable. Restricting physical and logical access secures programs from unauthorized use, whether in person or remotely via terminals. Not (d) because denying all remote access via terminals would likely be inefficient and would not secure program libraries against physical access.

CIA May 92 III.7 Correct Answer is (D). Not (a) because an integrated test facility (ITF) is a technique by which an auditor selects transactions and processing functions and applies the transactions to a fictitious entity during a normal processing cycle along with regular transactions. This technique cannot determine whether the data themselves are legitimate. Not (b) because tracing follows the path of a transaction during processing but is inadequate to determine whether a transaction is legitimate. Not (c) because transaction selection uses an independent computer program to monitor and select transactions for internal audit review. Like tracing, it fails to determine whether a transaction is legitimate. It would be an appropriate technique to apply to transactions suspected of being illegitimate. Answer (d) is correct. An access log should be used to record all attempts to use the system. The date and time, codes used, mode of access, and data involved are recorded. The system should monitor unsuccessful attempts because repeated attempts could suggest that someone is trying random or patterned character sequences in order to identify a password.

CIA Nov 92 I.31 Correct Answer is (B). Not (a) because verifying that the account number corresponds to an existing account in the master file is a master file reference check. Answer (b) is correct. A major control used to guard against errors made in transcribing or keying data is a check digit. A check digit is a detective control designed to establish the validity and appropriateness of numerical data elements, such as account numbers. The check digit within the code is a mathematical function of the other digits. Recalculation of the digit tests the accuracy of the other characters in the code. Check digit verification prevents single-digit errors from leading to erroneous updates. Not (c) because ensuring that supporting documentation exists for update transactions is a document reconciliation control. Not (d) because requiring a field to have the correct logical relationship with other fields is a dependency check.

CIA Nov 92 II.31 Correct Answer is (A). Answer (a) is correct. An echo check provides a feedback loop by transmitting the data received (by peripheral devices) back to the source unit (CPU) for validation against the original data. It is a hardware control. Not (b) because a protection ring prevents accidental writing on a tape file, mostly in batch systems. A real-time system would not utilize tape files. Not (c) because hash totals are utilized to control data sent to a batch system, not a real-time system. Not (d) because integrated test facilities are useful in testing real-time systems but cannot be utilized to ensure the completeness of data transmissions.
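An added example, not from the answer key, of the check digit mechanism described in Nov 91 I.34 and Nov 92 I.31. The algorithm is an assumption: the answer key names none, and mod-10 (Luhn) is used here because it is the usual choice for account numbers. The example generates the digit, recomputes it at input time, and measures which keying errors the recomputation catches: every single-digit substitution, and every adjacent transposition except 09/90, which is the standard caveat for this scheme. The sample codes are constructed.

```python
def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for a string of decimal digits.

    Walking right to left over the base, the digit next to the check digit
    position is doubled, the next left alone, and so on; doubled values
    above 9 have 9 subtracted. The check digit makes the total a multiple of 10.
    """
    if not base.isdigit():
        raise ValueError("base must contain digits only")
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def append_check_digit(base: str) -> str:
    """Assign a code: the ID number followed by its check digit."""
    return base + luhn_check_digit(base)


def verify(code: str) -> bool:
    """Input-time recomputation: same algorithm applied to the code as entered."""
    if not code.isdigit() or len(code) < 2:
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def error_detection_report(code: str) -> dict:
    """Exhaustively try the two common keying errors on a valid code and count
    how many the recomputation rejects. Returns (caught, tried) per error type."""
    subs_tried = subs_caught = 0
    for i, original in enumerate(code):
        for d in "0123456789":
            if d == original:
                continue
            subs_tried += 1
            if not verify(code[:i] + d + code[i + 1:]):
                subs_caught += 1
    trans_tried = trans_caught = 0
    for i in range(len(code) - 1):
        if code[i] == code[i + 1]:
            continue                      # swapping equal digits changes nothing
        trans_tried += 1
        swapped = code[:i] + code[i + 1] + code[i] + code[i + 2:]
        if not verify(swapped):
            trans_caught += 1
    return {"substitutions": (subs_caught, subs_tried),
            "transpositions": (trans_caught, trans_tried)}


# Constructed sample account numbers (no real accounts).
SAMPLE_CODE = append_check_digit("7992739871")   # -> "79927398713"
WEAK_SPOT_CODE = append_check_digit("1209")      # contains the 09 pair Luhn cannot protect

if __name__ == "__main__":
    print(SAMPLE_CODE, verify(SAMPLE_CODE), error_detection_report(SAMPLE_CODE))
    print(WEAK_SPOT_CODE, error_detection_report(WEAK_SPOT_CODE))
```

For the first sample every one of the 99 single-digit substitutions and all 9 adjacent transpositions are rejected; for the second, keying 12906 instead of 12096 passes verification, which is why a check digit is paired with a master file reference check rather than relied on alone.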
CIA Nov 92 I.34 Correct Answer is (B). Not (a) because sequence checking provides a reasonably good test for completeness of input but does not test accuracy. Answer (b) is correct. A batch total is an application control. This total controls the movement and processing of data in groups. The batch total (a record count or financial total) tests completeness and accuracy. Not (c) because limit checks are useful only to determine whether an entry is within acceptable limits. That limitation makes the limit check unusable as a test of the accuracy of input. Not (d) because a check digit allows the computer to automatically reject incorrect entries. The cumbersome computation required to establish the check digit, however, tends to limit its use to a few key entries. It is never used to test the accuracy of input for an entire working document.

CIA Nov 92 I.35 Correct Answer is (D). Not (a) because increased capacity has led to further proliferation of personal computers but is not a risk. Not (b) because rapid changes or new versions of software usually include enhanced features; some changes may reflect exposure, but change is not the major exposure. Not (c) because rapid expansion in usage tended to decrease centralization; moreover, such centralization would not tend to represent an exposure. Answer (d) is correct. Widespread use of personal computers means that more, and often less well-trained, individuals are involved in computing and that assuring the security of data, programs, and hardware is increasingly difficult. Accordingly, end-user processing with personal computers potentially exposes the organization to loss or corruption of data, unreliable processing, and alteration of programs and data.

CIA Nov 92 I.37 Correct Answer is (C). Not (a) because vendor payees were not changed; the check register would show that the checks were issued to authorized vendors. Not (b) because total dollars were not altered; there is no out-of-balance condition. Answer (c) is correct. All application changes must be documented and subject to testing and approval. A program change control group is responsible for determining that proper procedures are carried out relative to controlling programming changes. This includes assuring that written authorizations are received for changes. To avoid fraud and to ensure compatibility with other programs, programmers should not be able to make unauthorized changes. Not (d) because the programmer did not need access to the system given his/her access to the program.

CIA Nov 92 I.3 Correct Answer is (C). Not (a) because, although validation at sign-on to the system will limit access, it will not effectively prevent data from being removed without permission. Not (b) because data could be taken electronically from the network file server or the mainframe. Answer (c) is correct. Data access control software on the network and mainframe will limit access to the data to authorized users only. For example, this software may execute compatibility tests. Compatibility tests restrict access to the computer system by determining whether access by a given user (or device) is compatible with the nature of the attempted use. A series of passwords or identification numbers may be required to gain access to the system, to examine data files, and to perform processing using particular programs. Thus, a clerk might be authorized only to read the data in a given file while using a specified terminal, but his/her superior might be able to update the file. Compatibility tests require online storage of authorization tables or matrices that specify the access permitted to specified codes and devices. Not (d) because key locks will limit access to the PC and thus to the data, but they will not effectively prevent data from being removed without permission.
CIA Nov 92 III.33 Correct Answer is (B). Not (a) because an integrated test facility is an audit approach to validating processing. Answer (b) is correct. An operating system is a set of program routines used by the processor to control the operations of the computer and its peripheral equipment, such as input-output devices and communications channels. Functions performed by the operating system include scheduling of program execution, debugging, input-output control, compilation, storage assignment, data management, and related services. Initial login to a system is a function of access control software at the operating system level. Not (c) because database subschema authorizations control access to specific views of fields in a database. Not (d) because access to applications and their data is a function of application-level software.

CIA May 93 I.9 Correct Answer is (B). Not (a) because completeness tests are used to ensure that the input has the prescribed amount of data in all data fields. Answer (b) is correct. Validity tests are used to ensure that transactions contain valid transaction codes, valid characters, and valid field sizes. Checking jobs for validity would prevent assigning labour hours to inactive jobs. Not (c) because limit tests are used to determine whether the data exceed certain predetermined limits. Not (d) because control totals are used to reconcile EDP input to the source document totals.

CIA May 93 I.1 Correct Answer is (D). Not (a) because top management is charged with the overall control of computer-based information systems. Operational control is defined as residing in the users. Not (b) because external auditing is an independent appraisal function whose principal objective is the expression of an opinion about an organization's financial statements. Not (c) because internal auditing is an independent appraisal function whose principal objective is to assist the organization in the accomplishment of its objectives. Answer (d) is correct. Module 2 of the IIA's Systems Auditability and Control (SAC) report places the operational responsibility for the accuracy and completeness of computer-based information systems on the users.

CIA May 93 I.5 Correct Answer is (B). Not (a) because ensuring that the database design is relational facilitates the use of views, but would not by itself prevent clerks from having read access to confidential information. Answer (b) is correct. The clerk was able to access the online system with his/her own access code. Restricting access to authorized individuals would prevent the use of unauthorized user numbers for unauthorized access. This could be achieved by maintaining in the computer/server a list of the people authorized to access the system, including a device authorization table. In addition, passwords, access codes, and the use of badges and magnetic cards may be combined to avoid unauthorized access to the information systems files. Not (c) because requiring before and after images of transactions is a good backup/recovery practice but would not prevent unauthorized read access. Not (d) because reconciling monetary totals for input sessions helps maintain data integrity but would not prevent unauthorized read access.

CIA May 93 I.30 Correct Answer is (B). Not (a) because controlled disposal of documents is not limited to computer files. Answer (b) is correct. Encryption is a typical security measure. A program encodes data so that it is more difficult for an intruder to understand or use the data. Also, frequent changing of passwords limits unauthorized access to files. Not (c) because key integrity checks are not access controls. Key integrity checks prevent the updating process from creating inaccuracies in keys. Not (d) because key integrity checks are not access controls. Key integrity checks prevent the updating process from creating inaccuracies in keys.

CIA May 93 I.4 Correct Answer is (B). Not (a) because a "hot site" has all needed assets in place and is not vendor dependent. Answer (b) is correct. Organizations should maintain contingency plans for operations, e.g., plans for off-site storage of important backup data and a plan for the continuation of operations at another location in the case of a disaster. A "cold site" has all needed assets in place except the needed computer equipment and is vendor dependent for timely delivery of equipment. Not (c) because a "cold and hot site" combination allows the "hot site" to be used until the "cold site" is prepared and is thus not too vendor dependent. Not (d) because excess capacity would ensure that needed assets are available and would not be vendor dependent.

CIA May 93 II.3 Correct Answer is (B). Not (a) because, although there is a migration of controls of this type away from applications to other software, the large bulk of these controls still reside in application software. Answer (b) is correct. Utility programs perform functions such as sorting and copying. Those programs are available to all users and in many applications, which makes them one of the more serious "holes" in data access security, since some of them can actually bypass normal access controls. Not (c) because access control software has as one of its primary objectives improving data access security for all data on the system. Not (d) because most database management systems provide for improved data access security while they are running.

CIA May 93 II.4 Correct Answer is (A). Answer (a) is correct. Processing controls provide reasonable assurance that processing has been performed as intended for the particular application, i.e., that all transactions are processed as authorized, that no authorized transactions are omitted, and that no unauthorized transactions are added. Not (b) because proof calculations mitigate the risk of transmission errors. Not (c) because restart and recovery controls mitigate the risk of lost transactions when processing is interrupted. Not (d) because programmed cutoff controls prevent an improper cutoff and mitigate the risk of transactions being recorded in the wrong period.

CIA May 93 I.3 Correct Answer is (A). Answer (a) is correct. Check digit verification is an example of an input control. Input controls are application controls designed to provide reasonable assurance that data received for processing have been properly authorized (approved by management) and converted to machine-readable form (verified and edited as to validity and completeness). The completeness of the input process can be determined by accumulating and comparing appropriate control totals (controls to check whether data were lost in transmission). Not (b) because check digit verification is not a file management control. An internal label check is an example of a file management control. Not (c) because check digit verification is not an access control. A password is an example of an access control. Not (d) because check digit verification is not an output control. Report balancing is an example of an output control.

CIA May 93 II.8 Correct Answer is (D). Not (a) because lack of enforcement of program change procedures is irrelevant to this impropriety. Not (b) because lack of a password is irrelevant to this impropriety. Not (c) because lack of appropriate ownership is irrelevant to this impropriety. Answer (d) is correct. Individuals should have only the access privileges required for their job functions. Production employees typically do not need access to pricing information. Access controls, such as passwords, ID numbers, access logs, and device authorization tables, prevent unauthorized use of data files. They ensure that only persons with a bona fide purpose and authorization have access to databases.

CIA May 93 II.41 Correct Answer is (A). Answer (a) is correct. The primary reason for organizations to develop contingency plans for their EDP operations is to ensure that they will be able to properly process vital transactions in the event of any type of disaster. The continuity of operations depends on these vital transactions. Fast and efficient application of the contingency plan is also a crucial factor in such a case. Not (b) because it is not the best answer; this is a secondary reason. Not (c) because it is not the best answer; this is a secondary reason. Not (d) because it is not the best answer; sources of capital are seldom included.

CIA May 93 III.35 Correct Answer is (B). Not (a) because ensuring compatibility of information systems with organizational objectives will not ensure adequate security and recovery controls in end-user developed systems. Answer (b) is correct. The technology trend of increasing end-user development of systems carries the risk of a lack of necessary security and recovery controls. This can be mitigated by management oversight to ensure adequate procedures. Not (c) because validation of the knowledge base will not ensure adequate security and recovery controls in end-user developed systems. Not (d) because testing of controls in development and production will not ensure adequate security and recovery controls in end-user developed systems.
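An added example, not from the answer key, of the compatibility test and device authorization table described in Nov 92 I.3, May 91 I.38 and May 93 I.5, combined with the access log and unsuccessful-attempt monitoring of May 92 III.7 and the least-privilege point of May 93 II.8. The users, terminals, file name and attempt timestamps are constructed; the authorization-matrix layout, the sliding-window threshold and the function names are the example's own assumptions, not a description of any real product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    when: datetime
    user: str
    device: str
    file: str
    mode: str          # "READ" or "UPDATE"


class AccessControl:
    """Compatibility test against an online authorization matrix, plus an access log.

    auth_table : {(user_code, device): {file: {permitted modes}}}
    devices    : device authorization table, the terminals that should logically
                 need access at all (checked even when the password is valid)
    """

    def __init__(self, auth_table, devices):
        self.auth_table = auth_table
        self.devices = devices
        self.log = []   # (attempt, granted) for every attempt, successful or not

    def request(self, attempt, password_ok):
        """Grant only if the password is valid, the device is authorized, and the
        (user, device) pair is permitted that mode on that file."""
        permitted = self.auth_table.get((attempt.user, attempt.device), {})
        granted = (password_ok
                   and attempt.device in self.devices
                   and attempt.mode in permitted.get(attempt.file, set()))
        self.log.append((attempt, granted))   # date/time, codes, mode, data involved
        return granted

    def repeated_failures(self, window, threshold):
        """Users with `threshold` or more unsuccessful attempts inside any span of
        length `window`: the pattern that suggests someone is guessing a password."""
        fails = {}
        for attempt, granted in self.log:
            if not granted:
                fails.setdefault(attempt.user, []).append(attempt.when)
        flagged = []
        for user, times in fails.items():
            times.sort()
            for i in range(len(times) - threshold + 1):
                if times[i + threshold - 1] - times[i] <= window:
                    flagged.append(user)
                    break
        return sorted(flagged)


# Constructed matrix: the clerk may only read CUSTMAST, and only from terminal
# T01; the supervisor may read and update it from T01 or T02. Nothing else.
AUTH_TABLE = {
    ("CLERK01", "T01"): {"CUSTMAST": {"READ"}},
    ("SUPV01", "T01"): {"CUSTMAST": {"READ", "UPDATE"}},
    ("SUPV01", "T02"): {"CUSTMAST": {"READ", "UPDATE"}},
}
DEVICES = {"T01", "T02"}


def run_scenario():
    """Replay a constructed sequence of attempts. Returns the access decisions,
    the users the log monitor flags, and the number of log entries written."""
    ac = AccessControl(AUTH_TABLE, DEVICES)
    t0 = datetime(2001, 5, 1, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    decisions = {
        "clerk_read_t01": ac.request(Attempt(at(0), "CLERK01", "T01", "CUSTMAST", "READ"), True),
        "clerk_update_t01": ac.request(Attempt(at(1), "CLERK01", "T01", "CUSTMAST", "UPDATE"), True),
        "clerk_read_t02": ac.request(Attempt(at(2), "CLERK01", "T02", "CUSTMAST", "READ"), True),
        "supv_update_t02": ac.request(Attempt(at(3), "SUPV01", "T02", "CUSTMAST", "UPDATE"), True),
        "supv_update_t09": ac.request(Attempt(at(4), "SUPV01", "T09", "CUSTMAST", "UPDATE"), True),
    }
    # Five wrong passwords for the supervisor's code within five minutes.
    for k in range(5, 10):
        ac.request(Attempt(at(k), "SUPV01", "T01", "CUSTMAST", "READ"), False)
    return decisions, ac.repeated_failures(timedelta(minutes=10), 3), len(ac.log)


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

The clerk's read from T01 is the only clerk request granted: an update with the same valid password is refused because the mode is incompatible with the authorization, and a read from T02 is refused because the matrix ties the clerk to one terminal. The supervisor's update from an unlisted terminal T09 fails the device table even with a valid password, and the burst of bad passwords against the supervisor's code is the only pattern the monitor flags; the clerk's two refusals fall below the threshold.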
CIA May 93 II.5 Correct Answer is (C) Not (a) because restart and recovery controls mitigate the risk of lost transactions when processing is interrupted. Not (b) because cycle processing controls mitigate the risk of missing or improper transactions. Answer (c) is correct. Programmed balancing controls ensure the accuracy and completeness of file updating by verifying the consistency of opening and closing balances (the opening balance plus the transactions applied must equal the closing balance), and thus ensure that the right file is processed. Not (d) because programmed cutoff controls prevent an improper cutoff and mitigate the risk of transactions being recorded in the wrong period.

CIA May 93 III.43 Correct Answer is (A) Answer (a) is correct. Preventive controls are controls designed to prevent errors from occurring. The error in this case is overspending the budget, and the control prevented it from occurring. Not (b) because detection occurs after the fact; an error is detected after it happens. Not (c) because correction fixes the error and comes after the error is detected (after the fact). Not (d) because (d) relates to automated detection of error conditions and attempts by the software (usually vendor software such as a database) to recover from an error condition.

CIA May 93 III.41 Correct Answer is (D) Not (a) because systematic and rigorous testing of programmed controls does not reduce the risk of misplaced reliance on management oversight, since the supervision of management is an essential element of every control structure in an organization. Not (b) because the proliferation of knowledge-based systems increases the risk of inadequate knowledge bases. Not (c) because closer linkage between organizational strategy and information is a strength, not a weakness. Answer (d) is correct. Systematic and rigorous testing of programmed controls reduces the risk of misplaced reliance on automated controls.
More pervasive use of automated controls increases the need for testing those controls in their development, implementation and functioning, since there are fewer compensating manual controls.

CIA May 93 III.54 Correct Answer is (D) Not (a) because system development standards for the organization are an element of management control; they are not part of a disaster recovery plan. Not (b) because the history of modifications to the operating system is an element of management control through documentation; it is not part of the disaster recovery plan. Not (c) because the applications planned for new development are part of management planning and control; they are not part of a disaster recovery plan. Answer (d) is correct. An essential element of a disaster recovery plan is a statement of the responsibilities of each organizational unit.

CIA May 93 III.56 Correct Answer is (A) Answer (a) is correct. Password control systems are used to prevent unauthorized access to system program and data files. Not (b) because physical locks and other such devices are used to prevent unauthorized physical availability of remote terminals. Not (c) because organizational controls for security and protection are necessary to prevent physical destruction of system program and data files. Not (d) because organizational controls for security and protection are necessary to prevent physical destruction of remote terminals.

CIA May 93 III.58 Correct Answer is (D) Not (a) because policy dissemination is too vague a response in this case. Not (b) because training cannot cover all contingencies. Not (c) because the customer did not wish to effect a change. Answer (d) is correct. Limiting access to the database to authorized users only will prevent inaccurate file changes by unauthorized users, such as an accounts receivable clerk.
CIA May 93 III.49 Correct Answer is (A) Answer (a) is correct. A dependency check would test whether the data elements for a loan application are logically consistent with one another. Not (b) because a reasonableness check tests whether the data contents entered fall within predetermined limits. Not (c) because a format check ensures that all required data are present in the prescribed form. Not (d) because an existence check tests whether the entered data codes are valid codes held on the file or in the program.

CIA May 93 III.61 Correct Answer is (C) Not (a) because both types of data are sensitive and need protection. Not (b) because it would not identify the user. Answer (c) is correct. Limiting access to users with valid passwords prevents unauthorized access to data files and programs. Not (d) because the use of separate passwords for customer data and product data is excessive and burdensome.

CIA Nov 93 I.5 Correct Answer is (A) Answer (a) is correct. Code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is performed by software. Not (b) because code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. Code review can be used as a means of code comparison but is inefficient. Not (c) because test data runs permit the auditor to verify the processing of preselected transactions; they give no evidence about unexercised portions of the program. Not (d) because analytical review is the process of creating and evaluating ratios between numbers, often in the context of financial statements.

CIA Nov 93 I.7 Correct Answer is (B) Not (a) because an existence check is a test of accuracy. Answer (b) is correct.
Application controls relate to specific tasks performed by personnel or programs. Input controls are application controls designed to provide reasonable assurance that data received for processing have been properly authorized and converted to machine-readable form. The completeness of the input process can be determined by accumulating and comparing appropriate control totals. Not (c) because a limit check is a test of accuracy that determines whether a data value falls within certain limits. Not (d) because a reasonableness check is likewise based on limits for the given information.

CIA Nov 93 I.8 Correct Answer is (C) Not (a) because individuals external to the organization may need limited access privileges to participate in inter-organization information systems, e.g., electronic data interchange. Not (b) because a weekly cycle may be too long to wait to cancel privileges for employees with changed job responsibilities or for terminated employees. Answer (c) is correct. Proper addition/deletion of authorizations includes prompt activation of access privileges after they are authorized; too much delay may tempt users to bypass access control procedures. Not (d) because security officers, not systems programmers, are responsible for maintaining records of access changes.

CIA Nov 93 I.9 Correct Answer is (B) Not (a) because having customers specify the name for each item they order would let the company correct erroneous order codes once they had been detected, but would not, in general, detect erroneous codes. Answer (b) is correct. Self-checking digits may be used to detect incorrect codes. The digit is generated by applying an algorithm to the code. During the input process, the check digit is recomputed by applying the same algorithm to the code actually entered, and a mismatch rejects the entry. Not (c) because separating the parts of the order code with hyphens would make the characters easier to read, but would not cure the problem of transposed characters.
Not (d) because using a master file reference for all order codes would verify the existence of items, but would not detect an erroneous order code whose transposed characters happen to match another item.

CIA Nov 93 I.30 Correct Answer is (D) Not (a) because moving the program code that computes sales taxes into a single program is a good system design approach, but it does not guarantee that sales tax processing is complete. Not (b) because changing the operator input screens does not ensure correct application of sales taxes; the operator may not know what the appropriate computation is. Not (c) because customers may not know the proper rates or may deny that their areas impose the taxes. Answer (d) is correct. Sales taxes vary from one jurisdiction to another. Hence, the program must include a code that sorts orders by area. Verification of the accuracy of the tax charges can then be obtained by calculating the total taxes for each area in two ways: applying the tax rate to the aggregate sales, and summing the taxes charged on individual sales.

CIA May 93 III.6 Correct Answer is (D) Not (a) because a firm can control the application risks resulting from bad system design and implementation. It is a class of risk and is very pertinent to an EUC application. Not (b) because a firm can control environmental risks such as the interfaces of an EUC system and its people with others. It is a class of risk and is very pertinent to an EUC application. Not (c) because a firm can control the risks inherent in the application's software and hardware combination; the company's technical support staff and/or the computer vendor's support staff can resolve problems resulting from these risks. It is a class of risk and is very pertinent to an EUC application. Answer (d) is correct.
A single firm cannot control the technological obsolescence risks resulting from advancements in computer hardware and software.

CIA Nov 93 I.31 Correct Answer is (C) Not (a) because placing output in bins does not ensure that unauthorized persons are denied access. Not (b) because output loaded in a file is available to anyone with access to the file. Answer (c) is correct. An independent data control group should receive user input, log it, transfer it to the computer center, monitor processing, review error messages, compare control totals, log and distribute output, and determine whether error corrections have been made. This group is therefore responsible for maintaining lists of authorized recipients in a distribution log and for holding the output in a secure area until it is picked up. Not (d) because making printouts available at specified times does not control access.

CIA Nov 93 I.3 Correct Answer is (B) Not (a) because the practice of not retaining daily transaction data is unsound in that the bank loses a day's transactions for each backup that is unreadable. Answer (b) is correct. Backups should always be made to ensure that any lost information can be restored. However, not retaining each day's transaction files is risky because information received since the last backup file was created will be lost. Not (c) because the practice of not retaining daily transaction data certainly minimizes complexity, but at the expense of losing transaction data if the online file must be restored from the backup. Not (d) because checkpoint/restart information is not needed; the backups are created after all processing is finished for the day.

CIA Nov 93 I.34 Correct Answer is (A) Answer (a) is correct. Validation of the model can be accomplished using historical data if circumstances have not changed.
If they have, the results produced by varying the input should be evaluated to determine that they are consistent with what is known about the behavior of tax revenue given various economic conditions, changes in tax law, etc. Not (b) because there is no forecast technique that would always forecast all the different kinds of revenue this precisely; the overall behavior of the model is more important than the forecasting of individual revenue components. Not (c) because there is no reason to believe that the programs used for this year's forecast should be identical to those used in the previous year, given continually evolving circumstances. Not (d) because there is no reason to require that the model predict the previous year's actual revenue; economic conditions and tax laws change.

CIA Nov 93 I.37 Correct Answer is (A) Answer (a) is correct. System development procedures and controls that are well established in the centralized information systems environment do not exist in user departments. End-user computing may result in elimination of the function of the systems analyst, omission of documentation, inadequate consideration of control procedures, poor integration with existing systems, etc. Not (b) because this is a principal motivation for developing end-user systems. Not (c) because end-user systems can be developed to serve departmental needs without understanding mainframe architecture. Not (d) because the inability to accommodate computer-assisted auditing techniques is not a control weakness.

CIA Nov 93 II.5 Correct Answer is (A) Answer (a) is correct. During each program run in a series, the computer accumulates the totals of the transactions that have been processed. The run-to-run check reconciles them with the totals forwarded from the previous program run. Run-to-run totals thus ensure completeness of update.
Not (b) because computer matching compares transaction data with referenced fields or records. Not (c) because computer sequence checks identify changes or breaks in a numerical sequence. Not (d) because one-for-one checking usually requires manual comparison of input data elements with processing results.

CIA Nov 93 I.35 Correct Answer is (A) Answer (a) is correct. A DBMS is an integrated set of computer programs that create the database, maintain its elements, safeguard the data from loss or destruction, and make the data available to application programs and inquiries. Because the DBMS handles data retrieval and storage, application programs need not specify data locations but can simply ask for data by name; the results are data independence and avoidance of data redundancy. Data journaling procedures require making appropriate copies of any changes to a database to enable recovery from database failures. Not (b) because edit and validation are controls over data integrity. Not (c) because data ownership and accountability policies identify who knows how data are to be used and who is responsible for determining levels of control over access to data. Not (d) because data integrity procedures test the input of data, not the recovery of data.

CIA Nov 93 II.9 Correct Answer is (A) Answer (a) is correct. An online inquiry capability permits the order-taker to retrieve the ZIP code from a master file of ZIP codes. The operator can then verify the state abbreviation while talking with the customer. Not (b) because looking up the state abbreviation is insufficient to permit the operator to verify the ZIP code; each state has more than one ZIP code. Not (c) because permitting operators to enter the ZIP code only makes it impossible to detect incorrect ZIP codes. Not (d) because, in general, it is not feasible to determine ZIP codes from street, city and state addresses that can be entered in multiple ways.
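The five input edit checks distinguished in CIA May 93 III.49 and CIA Nov 93 I.7 above (format, existence, limit, reasonableness and dependency checks) are easiest to tell apart when they sit side by side in one validator. The following is an added example written for this page, not code from the review course or the exam: the loan-application fields, the reference tables, the policy limits and the sample batch are all constructed for illustration.

```python
import re

# Constructed reference tables: the "file or program" an existence check consults.
VALID_LOAN_TYPES = {"AUTO", "HOME", "PERSONAL"}
VALID_STATES = {"CA", "NY", "TX", "WA"}

# Constructed policy parameters for the limit, reasonableness and dependency checks.
MAX_AMOUNT = 2_000_000                                        # absolute ceiling (limit check)
MAX_AMOUNT_TO_INCOME = 5.0                                    # amount relative to income (reasonableness)
MAX_TERM_MONTHS = {"AUTO": 84, "HOME": 360, "PERSONAL": 60}   # term depends on loan type (dependency)

REQUIRED = ("app_id", "ssn", "state", "loan_type", "amount", "annual_income", "term_months", "employment")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def edit_record(rec):
    """Run every edit check on one record; return a list of (check, message) failures."""
    errs = []

    # Format checks: required fields present and in the prescribed form.
    for f in REQUIRED:
        if f not in rec:
            errs.append(("format", f"{f} missing"))
    if not SSN_RE.match(str(rec.get("ssn", ""))):
        errs.append(("format", "ssn must look like 123-45-6789"))
    for f in ("amount", "annual_income", "term_months"):
        if f in rec and not _is_number(rec[f]):
            errs.append(("format", f"{f} must be numeric"))

    # Existence checks: coded values must exist in the reference table.
    if rec.get("loan_type") not in VALID_LOAN_TYPES:
        errs.append(("existence", f"unknown loan_type {rec.get('loan_type')!r}"))
    if rec.get("state") not in VALID_STATES:
        errs.append(("existence", f"unknown state {rec.get('state')!r}"))

    amount_ok = _is_number(rec.get("amount"))
    income_ok = _is_number(rec.get("annual_income"))
    term_ok = _is_number(rec.get("term_months"))

    # Limit check: one field against a fixed bound.
    if amount_ok and not 0 < rec["amount"] <= MAX_AMOUNT:
        errs.append(("limit", f"amount {rec['amount']} outside (0, {MAX_AMOUNT}]"))

    # Reasonableness check: one field judged relative to another.
    if (amount_ok and income_ok and rec["annual_income"] > 0
            and rec["amount"] > MAX_AMOUNT_TO_INCOME * rec["annual_income"]):
        errs.append(("reasonableness", f"amount exceeds {MAX_AMOUNT_TO_INCOME}x annual income"))

    # Dependency checks: logical consistency between fields.
    if rec.get("employment") == "UNEMPLOYED" and income_ok and rec["annual_income"] > 0:
        errs.append(("dependency", "unemployed applicant reports employment income"))
    loan_type = rec.get("loan_type")
    if loan_type in MAX_TERM_MONTHS and term_ok and rec["term_months"] > MAX_TERM_MONTHS[loan_type]:
        errs.append(("dependency", f"term of {rec['term_months']} months not allowed for {loan_type}"))
    return errs


def edit_batch(records):
    """Split a batch into accepted records and (record, failures) pairs for the reject listing."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_record(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: one clean record and one record per kind of edit failure.
SAMPLE_BATCH = [
    {"app_id": "A1", "ssn": "123-45-6789", "state": "CA", "loan_type": "AUTO",
     "amount": 25_000, "annual_income": 80_000, "term_months": 60, "employment": "EMPLOYED"},
    {"app_id": "A2", "ssn": "12345-6789", "state": "CA", "loan_type": "AUTO",        # format
     "amount": 25_000, "annual_income": 80_000, "term_months": 60, "employment": "EMPLOYED"},
    {"app_id": "A3", "ssn": "222-33-4444", "state": "NV", "loan_type": "BOAT",       # existence
     "amount": 25_000, "annual_income": 80_000, "term_months": 60, "employment": "EMPLOYED"},
    {"app_id": "A4", "ssn": "333-44-5555", "state": "NY", "loan_type": "HOME",       # limit
     "amount": 5_000_000, "annual_income": 80_000, "term_months": 360, "employment": "EMPLOYED"},
    {"app_id": "A5", "ssn": "444-55-6666", "state": "TX", "loan_type": "PERSONAL",   # reasonableness
     "amount": 150_000, "annual_income": 20_000, "term_months": 48, "employment": "EMPLOYED"},
    {"app_id": "A6", "ssn": "555-66-7777", "state": "WA", "loan_type": "AUTO",       # dependency
     "amount": 20_000, "annual_income": 60_000, "term_months": 120, "employment": "UNEMPLOYED"},
]

if __name__ == "__main__":
    accepted, rejected = edit_batch(SAMPLE_BATCH)
    print("accepted:", [r["app_id"] for r in accepted])
    for rec, errs in rejected:
        print("rejected", rec["app_id"], errs)
```

Note that record A4 fails the limit check and the reasonableness check at once; a reject listing should report every failed check, not stop at the first, so the user department can correct the record in one pass.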
CIA Nov 93 II.3 Correct Answer is (D) Not (a) because analyzing job activity with a queuing model to determine workload characteristics gives information about resource usage but does not verify that the system actually functioned as intended. Not (b) because a simulation helps management characterize the workload but does not verify that the system actually functioned as intended. Not (c) because using library management software to track changes to successive versions of application programs permits control of production and test versions but does not verify that the system actually functioned as intended. Answer (d) is correct. Job accounting data analysis permits programmatic examination of job initiation and termination, record counts and processing times. Auditing job accounting data for file accesses and job initiation/termination messages will reveal whether the right data files were loaded and dismounted at the right times and whether the right programs were initiated and terminated at the right times.

CIA Nov 93 II.34 Correct Answer is (C) Not (a) because protecting all cells except those specifically intended for data entry guards against data entry mistakes, but it does not ensure that model calculations are correct. Not (b) because inspecting the documentation provides evidence on how usable and maintainable the model is but does not ensure that model calculations are correct. Answer (c) is correct. Performing sensitivity analysis, i.e., varying input values and determining whether the major output results vary accordingly, gives assurance that the calculations are performed correctly. Not (d) because mapping the spreadsheet model with spreadsheet analysis software provides output useful for documenting the structure and surface consistency of the model but does not ensure that model calculations are correct.
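CIA May 93 II.5 (programmed balancing) and CIA Nov 93 II.5 (run-to-run totals) above describe one family of control: totals computed in one run are carried forward and recomputed in the next, and a master-file update must prove that the opening balance plus the transactions applied equals the closing balance. The example below is added here and is not the course's own code; the three-field control record, the master-file layout and the sample batch are assumptions. It goes a little beyond the items by showing which field of the control record catches which fault: a record dropped between runs, an altered amount, a mis-keyed account number, and the wrong master-file generation being mounted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: str   # account number; summed into the hash total
    amount: int    # signed amount in cents (credits positive, debits negative)


@dataclass(frozen=True)
class ControlRecord:
    count: int         # record count
    hash_total: int    # sum of account numbers: a meaningless total that catches dropped or mis-keyed keys
    amount_total: int  # financial total


def control_totals(txns):
    """Accumulate the totals a run forwards to the next run."""
    return ControlRecord(len(txns), sum(int(t.account) for t in txns), sum(t.amount for t in txns))


def run_to_run_check(forwarded, txns):
    """Recompute the totals for this run and reconcile them with those forwarded from the previous run."""
    here = control_totals(txns)
    return [f"{name}: forwarded {getattr(forwarded, name)}, recomputed {getattr(here, name)}"
            for name in ("count", "hash_total", "amount_total")
            if getattr(forwarded, name) != getattr(here, name)]


def update_master(master, txns, forwarded):
    """Update run under programmed balancing controls.

    master = {"header": {"generation": n, "opening_total": cents}, "balances": {account: cents}}.
    Returns (new_master, findings); new_master is None whenever a control fails, so a batch is
    never posted to the wrong file or posted incompletely.
    """
    findings = run_to_run_check(forwarded, txns)
    # Opening-balance proof: the header total must agree with the detail records;
    # if it does not, the wrong file or generation has been mounted.
    opening_total = sum(master["balances"].values())
    if master["header"]["opening_total"] != opening_total:
        findings.append(f"opening balance: header {master['header']['opening_total']} != detail {opening_total}")
    if findings:
        return None, findings
    balances = dict(master["balances"])
    for t in txns:
        balances[t.account] = balances.get(t.account, 0) + t.amount
    closing_total = sum(balances.values())
    # Closing-balance proof: opening total + forwarded amount total == closing total.
    expected = opening_total + forwarded.amount_total
    if closing_total != expected:
        return None, [f"closing balance: expected {expected}, got {closing_total}"]
    new_master = {"header": {"generation": master["header"]["generation"] + 1,
                             "opening_total": closing_total},
                  "balances": balances}
    return new_master, []


# Constructed master file and transaction batch.
MASTER = {"header": {"generation": 41, "opening_total": 150_000},
          "balances": {"1001": 50_000, "1010": 70_000, "2002": 30_000}}
BATCH = [Txn("1001", 12_500), Txn("1010", -4_000), Txn("2002", 800), Txn("1001", -300)]
RUN1_CONTROL = control_totals(BATCH)   # totals produced by the edit run and forwarded


def scenarios():
    """Return {fault: findings} for a clean batch and four faults introduced between runs."""
    wrong_file = {"header": {"generation": 40, "opening_total": 140_000}, "balances": MASTER["balances"]}
    cases = {
        "clean": (MASTER, BATCH),
        "record dropped in sort run": (MASTER, BATCH[:-1]),
        "amount altered": (MASTER, [Txn("1001", 21_500)] + BATCH[1:]),
        "account digits transposed": (MASTER, [Txn("1100", 12_500)] + BATCH[1:]),
        "wrong master generation mounted": (wrong_file, BATCH),
    }
    return {name: update_master(m, b, RUN1_CONTROL)[1] for name, (m, b) in cases.items()}


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(f"{name}: {'posted' if not findings else findings}")
```

The hash total is what makes a mis-keyed account number visible: the record count and the amount total are unchanged by it, so a control record that carries only those two fields would post the batch to the wrong account. Conversely the amount total alone misses a swap of amounts between two accounts; an auditor reading a control record should ask which errors each field can and cannot detect.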
CIA Nov 93 III.6 Correct Answer is (D) Answer (d) is correct, as explained below:

1. Correct: microcomputer users may be unaware of the need to make frequent file backups.
2. Incorrect: reduced application development costs are one of the benefits of microcomputers.
3. Incorrect: batch update is a characteristic of mainframes.
4. Correct: microcomputer software packages typically do not have appropriate access control capabilities.
5. Correct: making unauthorized copies of software is fairly easy and sometimes may be an informally accepted method of reducing software costs for microcomputer systems.

Answers (a), (b) and (c) are incorrect because answer (d) is correct.

CIA Nov 93 III.30 Correct Answer is (D) Not (a) because restricting access on the basis of the type of resource would not permit selective access based on values in a record. Not (b) because restricting access on the basis of statistical summaries would not be helpful in preparing bids. Not (c) because restricting access on the basis of the age of the stored records would not enable the selective access the company wants, because some needed data would be new and some would be old. Answer (d) is correct. Restricting access on the basis of data values within a record, e.g., bid identity, would enable the selective access the company wants.

CIA Nov 94 I.4 Correct Answer is (B) Not (a) because data ownership standards are a direct departmental-level responsibility. Answer (b) is correct. In an end-user computing environment, an individual user is directly responsible for backup and recovery of data and for physical security. Not (c) because most end users do not have the knowledge to read technical manuals. Not (d) because the end user has custody of equipment but should not be responsible for the inventory of equipment.
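CIA May 93 II.8 above (production employees have no need for pricing data; passwords, device authorization tables and access logs) and CIA Nov 93 III.30 (restricting access on the basis of data values within a record) together describe a policy enforced at three granularities: per table, per field, and per row value. The following is an added example, not the course's or any product's code: a small authorization check that combines a user-to-role table, a device authorization table, field-level permissions and a row predicate, and writes every decision, permit or deny, to an access log. All users, roles, devices, tables and records are constructed.

```python
# Constructed user, device and policy tables; in practice these live in the access control software.
USERS = {"pat": "production", "sam": "sales", "bea": "bid_team_a", "cy": "ar_clerk"}
DEVICE_AUTH = {"pat": {"TERM-PLANT-01"}, "sam": {"TERM-SALES-03"},
               "bea": {"TERM-BID-07"}, "cy": {"TERM-AR-02"}}

# (role, table) -> fields readable, fields updatable, and an optional data-value predicate
# a row must satisfy (None means every row in the table).
POLICY = {
    ("production", "products"): {"read": {"sku", "description", "qty_on_hand"}, "update": set(), "rows": None},
    ("sales", "products"):      {"read": {"sku", "description", "qty_on_hand", "unit_price"},
                                 "update": set(), "rows": None},
    ("bid_team_a", "bids"):     {"read": {"bid_id", "customer", "price"}, "update": {"price"},
                                 "rows": lambda r: r["bid_id"].startswith("A-")},
    ("ar_clerk", "customers"):  {"read": {"cust_id", "name", "balance", "credit_limit"},
                                 "update": {"balance"}, "rows": None},
}

ACCESS_LOG = []   # every decision, permit or deny, is recorded here


def authorize(user, device, action, table, fields, row=None):
    """Decide one access: return (True, rule) or (False, reason), and log the decision."""
    fields = set(fields)
    rule = POLICY.get((USERS.get(user), table))
    if user not in USERS:
        reason = "unknown user"
    elif device not in DEVICE_AUTH.get(user, set()):
        reason = "device not authorized for this user"
    elif rule is None:
        reason = f"no privilege on {table}"
    elif fields - rule[action]:
        reason = f"fields not permitted: {sorted(fields - rule[action])}"
    elif row is not None and rule["rows"] is not None and not rule["rows"](row):
        reason = "row outside authorized data values"
    else:
        reason = None
    ACCESS_LOG.append({"user": user, "device": device, "action": action, "table": table,
                       "fields": sorted(fields), "outcome": "permit" if reason is None else f"deny: {reason}"})
    return reason is None, (rule if reason is None else reason)


def read(user, device, table, fields, rows):
    """Return (rows projected to the requested fields, None) or (None, reason)."""
    ok, result = authorize(user, device, "read", table, fields)
    if not ok:
        return None, result
    predicate = result["rows"] or (lambda r: True)
    return [{f: r[f] for f in fields} for r in rows if predicate(r)], None


def update(user, device, table, row, field, value):
    """Change one field of one row; both the field and the row's data values are checked."""
    ok, result = authorize(user, device, "update", table, [field], row)
    if not ok:
        return False, result
    row[field] = value
    return True, None


# Constructed data.
PRODUCTS = [{"sku": "P-100", "description": "Widget", "qty_on_hand": 40, "unit_price": 1_299},
            {"sku": "P-200", "description": "Gadget", "qty_on_hand": 5, "unit_price": 4_950}]
BIDS = [{"bid_id": "A-17", "customer": "Acme", "price": 50_000},
        {"bid_id": "B-03", "customer": "Globex", "price": 72_000}]
CUSTOMERS = [{"cust_id": "C-1", "name": "Acme", "balance": 1_200, "credit_limit": 5_000}]

if __name__ == "__main__":
    print(read("pat", "TERM-PLANT-01", "products", ["sku", "qty_on_hand"], PRODUCTS))
    print(read("pat", "TERM-PLANT-01", "products", ["sku", "unit_price"], PRODUCTS))
    print(read("bea", "TERM-BID-07", "bids", ["bid_id", "price"], BIDS))
    print(update("bea", "TERM-BID-07", "bids", BIDS[1], "price", 1))
    for entry in ACCESS_LOG:
        print(entry)
```

Two points an auditor would test here: the row predicate is applied on reads (team A never sees bid B-03, so it cannot copy it) and on updates (team A cannot alter it either), and the denial reasons land in the log, which is what the comparison of access logs against authorized users in later items depends on.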
CIA Nov 94 I.8 Correct Answer is (C) Not (a) because discussing the password removal process does not determine whether ex-employees are still using, or are still able to use, their passwords to access the databases. Not (b) because the computer logs should be compared with current payroll lists. Answer (c) is correct. To determine whether ex-employees are accessing the company's automated database, the auditor should obtain the log showing database accesses. This log should be compared with current payroll lists to see whether anyone not on the payroll is still accessing, or is still able to access, the databases. Not (d) because reviewing the access control software does not indicate whether ex-employees can access or are accessing the databases.

CIA Nov 93 III.55 Correct Answer is (A) Answer (a) is correct. Restricting updating to one position would protect the libraries from unauthorized updating, and permitting all IS employees read access to source code would let them continue to obtain the efficiencies of being able to read others' code. Not (b) because permitting updating for everyone is the current situation, which is risky; restricting read access to source code to one position creates more inefficiency than existed before. Not (c) because restricting updating and read access to one position protects the libraries but creates the inefficiency of no one else being able to read the source code. Not (d) because permitting updating and read access for everyone in the information systems department is the current situation, which created the risk.

CIA Nov 93 III.75 Correct Answer is (A) Answer (a) is correct. A software agreement usually allows one backup copy to be made. Installing the software on multiple computers and making additional copies are copyright violations.
Not (b) because installing the spreadsheet software on a multi-user network would make it available to multiple users. Not (c) because not all vendors allow use on different machines. Not (d) because some agreements require relicensing when a machine change occurs.

CIA May 95 I.7 Correct Answer is (C) Not (a) because oral verification also would address the problem. Not (b) because assigning a sequential number to the customer's order helps build an audit trail but does not address the product identification issue. Answer (c) is correct. A self-checking digit detects incorrect codes. Applying an algorithm to the code generates the digit. During input, the digit is recomputed by applying the algorithm to the code actually entered, and a mismatch rejects the entry. Oral verification also addresses the problem of incorrectly identifying the product number. Not (d) because assigning a sequential number to the customer's order helps build an audit trail but does not address the product identification issue.

CIA Nov 94 I.7 Correct Answer is (B) Not (a) because the built-in access controls should be retained until replaced with a more comprehensive and cost-effective system. Answer (b) is correct. Access control software provides comprehensive and coordinated security. It permits authorized users to gain access only for the purpose of performing their assigned duties and restricts employees from performing incompatible functions. A comprehensive system is more cost-effective than programming access controls into each application. Not (c) because utility software does not usually perform security functions. Not (d) because a comprehensive system is more cost-effective than programming access controls into each application.

CIA Nov 94 I.37 Correct Answer is (D) Not (a) because the acquisition of hardware and software is an organizational- and departmental-level responsibility.
Not (b) because taking equipment inventories is an organizational-level responsibility. Not (c) because strategic planning is an organizational- and departmental-level responsibility. Answer (d) is correct. End-user computing involves user-created or user-acquired systems that are maintained and operated outside of traditional information systems controls. In this environment, an individual user is ordinarily responsible for the physical security of the equipment he or she uses.

CIA Nov 94 I.39 Correct Answer is (B) Not (a) because backup/restart procedures are relevant to abnormal interruptions of processing; they do not cause bottlenecks. Answer (b) is correct. Scheduling jobs to optimize computer resources is essential. Poor scheduling can result in bottlenecks at peak hours and inadequate usage at other times; the results are increased costs and inefficient operation. Not (c) because console logs provide indications of problems and are not the cause of bottlenecks. Not (d) because program documentation does not show why the bottlenecks are occurring.

CIA Nov 95 I.3 Correct Answer is (C) Not (a) because effective control requires that programmers not be able to make undetected, unrecorded changes in data or programs; thus, programmers should not have access to the production library. Not (b) because programmers should be responsible for making program changes, and users should be responsible for testing the changes. Hence, users should not have access to the test library; accountability for changes would be diminished, and users may lack the competence to make appropriate changes. Answer (c) is correct. The program librarian is accountable for, and has custody of, the programs in the production library. Not (d) because, if the operator has access to both program libraries, he or she may be able to make unauthorized and undetected changes to the computer programs.
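CIA Nov 93 I.9 and CIA May 95 I.7 above describe self-checking digits without fixing an algorithm. The following is an added example, not from the course: a weighted modulus-11 check digit, the scheme ISBN-10 uses, chosen because with positional weights 2 to 10 it rejects every single-digit substitution and every adjacent transposition, the two keying errors the items are concerned with (the Luhn mod-10 scheme misses the 09/90 transposition). The code also proves that property exhaustively for a given code. The product code 73129 is constructed; 0306406152 is a known-valid ISBN-10 included as a check that the arithmetic is right.

```python
MAX_BODY_LEN = 9   # weights run 2..10; a weight of 11 would be 0 (mod 11) and mask that digit


def mod11_check_digit(body):
    """Weighted modulus-11 check digit for a string of decimal digits (the ISBN-10 scheme).

    Weights 2, 3, ... are applied from the rightmost digit leftwards; the check digit is the
    value that makes the whole code (check digit weighted 1) sum to 0 mod 11. A remainder of
    10 has no single-digit form and is written "X".
    """
    if not body.isdigit() or not 1 <= len(body) <= MAX_BODY_LEN:
        raise ValueError("body must be 1 to 9 decimal digits")
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, len(body) + 2)))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def with_check_digit(body):
    return body + mod11_check_digit(body)


def is_valid(code):
    """Recompute the check digit from the body as entered and compare it with the digit entered."""
    if len(code) < 2:
        return False
    body, check = code[:-1], code[-1]
    if not body.isdigit() or len(body) > MAX_BODY_LEN:
        return False
    return mod11_check_digit(body) == check


def _swap(s, i):
    return s[:i] + s[i + 1] + s[i] + s[i + 2:]


def all_adjacent_transpositions_detected(code):
    """True if every swap of two adjacent, differing characters in a valid code is rejected."""
    if not is_valid(code):
        raise ValueError("start from a valid code")
    return all(not is_valid(_swap(code, i))
               for i in range(len(code) - 1) if code[i] != code[i + 1])


def all_single_substitutions_detected(code):
    """True if changing any one digit of the body to any other digit is rejected."""
    if not is_valid(code):
        raise ValueError("start from a valid code")
    body, check = code[:-1], code[-1]
    for i, d in enumerate(body):
        for other in "0123456789":
            if other != d and is_valid(body[:i] + other + body[i + 1:] + check):
                return False
    return True


if __name__ == "__main__":
    for body in ("73129", "030640615"):
        code = with_check_digit(body)
        print(body, "->", code,
              "transpositions caught:", all_adjacent_transpositions_detected(code),
              "substitutions caught:", all_single_substitutions_detected(code))
```

The length limit is the practical caveat: with a tenth body digit the weight would be 11, so any error in that digit would be invisible to the check, and codes longer than nine digits need either a different weight sequence or a different modulus.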
CIA Nov 94 I.38 Correct Answer is (D) Not (a) because copyright violations are a common risk in a stand-alone personal computer environment. Not (b) because unauthorized access is a common risk in a stand-alone microcomputer environment. Not (c) because lack of data availability is a common risk in a stand-alone microcomputer environment. Answer (d) is correct. Environmental control risks more likely in a stand-alone microcomputer environment include copyright violations that occur when unauthorized copies of software are made or software is installed on multiple computers. Access to application programs and related data by unauthorized persons is another concern, because of the lack of physical access controls, application-level controls and other controls found in mainframe environments. Moreover, a stand-alone personal computer environment may be characterized by inadequate backup, recovery and contingency planning, which may result in an inability to re-create the system or its data.

CIA Nov 95 I.33 Correct Answer is (C) Not (a) because self-checking digits detect incorrect product identification numbers. Not (b) because verbally verifying the product and the price helps to ensure that the system captures the transaction accurately. Answer (c) is correct. Batch totals are useful for ensuring that orders are not lost once they have been captured; they do not ensure that orders are recorded correctly or that shipments are accurately priced. Not (d) because the ability to make price changes should be tightly restricted.

CIA May 95 I.3 Correct Answer is (C) Not (a) because generating price tags based on the electronic receiving reports is appropriate, given that one purchase order may generate more than one shipment. The correct number received should be properly recorded, and this reconciliation accomplishes that task.
Not (b) because prenumbered receiving documents are not necessary, given that they are replaced by a required reference to the purchase order. Answer (c) is correct. Goods should be inspected in the receiving department for quantity and quality at the time of receipt, and the receiving information should be documented at that time. Not (d) because not all of the answers are incorrect.

CIA May 95 I.34 Correct Answer is (A) Answer (a) is correct. As organizations move to EDI and other forms of automated processing, a comprehensive data access and security program becomes crucial. Access to hardware, software and data files should be restricted to authorized persons, activities and devices. Not (b) because program changes should always be reviewed and tested by the user; the changes should be implemented only by the program librarian, not the programmer. Not (c) because initiation of changes in the vendor database by the purchasing agent would allow the purchasing agent to establish fictitious vendors. Not (d) because the receiving department needs access to purchase order information to determine whether a shipment of goods ought to be received.

CIA Nov 94 I.43 Correct Answer is (B) Not (a) because input validation for transactions is available in both environments. Answer (b) is correct. In general, mainframe software and procedures for installing programs and maintaining change histories ensure centralized control. In an end-user environment, individual users are held accountable for ensuring that changes follow established procedures, and decentralizing this responsibility may result in inadequate software and hardware facilities. Not (c) because encryption of sensitive data is available in both environments. Not (d) because software for relational database queries is available in both environments.

CIA Nov 95 I.8 Correct Answer is (A) Answer (a) is correct.
Access should be limited to those whose activities necessitate access to the computer system. Moreover, the degree of access allowed should be consistent with an individual's responsibilities. Restricting access to particular individuals rather than to groups or departments clearly establishes specific accountability; not everyone in a group will need access, or the same degree of access. Thus, passwords assigned to individuals should be required for identification of users by the system. Furthermore, data should be restricted at the field level, not the workstation level. It may be possible to limit access to a workstation, but most workstations are connected to larger mainframe databases, so security at the workstation level alone would be insufficient. Not (b), (c) or (d) because access should be restricted to particular individuals on a need-to-know basis, data should be restricted at the field level, and use should be limited to the necessary functions performed by the accountable individual.

CIA Nov 95 I.36 Correct Answer is (C) Not (a) because users often choose passwords that are easily guessed. Not (b) because a program to test passwords is useful but less effective than see-through authentication. Answer (c) is correct. See-through authentication techniques, such as the one described, require the user to present two of the three elements that can authenticate a person to the system, i.e., a possession (the card used to generate the password), knowledge (the new password), or a personal
characteristic (e.g., fingerprints). Not (d) because limiting access to certain times and a location is helpful in certain environments but not when the system allows dial-up access.

CIA May 96 I.10 Correct Answer is (A) Answer (a) is correct. Comparing variances with the related documentation is the only test that samples from the appropriate population (project variances) and verifies that the needed approvals and explanations were given and documented. Not (b) because recomputing variances is not relevant to whether variances were explained and approved. Not (c) or (d) because the direction of testing should be from the variances to both explanations and approvals; testing explanations by tracing them to subsequent approvals and project reports does not determine whether some variances were never explained.

CIA Nov 95 I.37 Correct Answer is (D) Not (a) because physical access to the LAN is relevant; risk exposures exist if the components are not physically protected. Not (b) because data access security is within the audit scope. Not (c) because interviews with users are often effective in identifying potential security breaches or other problems that should be addressed. Answer (d) is correct. The level of computer security at other LANs in the company may be interesting for comparative purposes, but it has no effect on the security at this location or on the scope of the examination needed.

CIA May 96 I.9 Correct Answer is (C) Not (a) because reviewing JCL and report end-of-job indicators concerns processing, not output distribution. Not (b) because verifying that the correct transaction file was used concerns input, not output.
Answer (c) is correct. Someone on the approved distribution list should sign for reports upon delivery. !his procedure is the only one of those listed that will provide information about access to reports. Not (d) because review of end-of-ob indicators would not provide information on report access. ssssssss. CIA May 9! I.11 Correct Answer is (C) Not (a) because error listings relate to application controls. Not (b) because record counts relate to application controls. Answer (c) is correct. Ceneral controls are pervasive because they apply to most applications and facilities. 'or e%ample, proper segregation of duties, systems development methods, access and other security controls, administrative controls, and disaster-recovery planning are e%amples. 3eviewing the fire suppression capabilities located at the production facility is a test of the disaster- recovery plan. 3eviewing position descriptions for production personnel assigned to computer- +, B-1+ . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review related duties is a test of an administrative control. Not (d) because error listings relate to application controls. tttttttt. CIA Nov 95 I.+1 Correct Answer is ()) Not (a) because potential loss, the probability thereof, and the cost and effectiveness of security measures are important elements of the analysis. Not (b) because potential loss, the probability thereof, and the cost and effectiveness of security measures are important elements of the analysis. Not (c) because potential loss, the probability thereof, and the cost and effectiveness of security measures are important elements of the analysis. Answer (d) is correct. 2otential loss is the amount of dollar damages associated with a security problem or loss of assets. 2otential loss times the probability of occurrence is an estimate (e%pected value) of the e%posure associated with lac$ of security. 
#t represents a potential benefit associated with the implementation of security measures. !o perform a cost-benefit analysis, the costs should be considered. !hus, all three items need to be addressed. --------. CIA May 9! I.7 Correct Answer is (B) Not (a) because testing may detect missing or erroneous logic, but it does not address flaws in the conceptual design of the system. Answer (b) is correct. A traditional system employs systems analysts to review all aspects of a problem and to devise a solution given all relevant factors. +owever, 894 applications lac$ such an independent review. Not (c) because proper documentation does not rectify design flaws. Not (d) because lac$ of segregation of duties is a ris$ associated with concealment of errors or fraud, not failure to meet business re&uirements. vvvvvvvv. CIA May 9! I.8 Correct Answer is ()) Not (a) because a standard method for uploading data may not include the controls necessary to detect errors in the uploading process. Not (b) because edit and validation chec$s are typically designed to identify errors in data entry rather than in processing. Not (c) because a record or log of reected items is a control for monitoring the subse&uent correction and processing of the items. Answer (d) is correct. Balancing totals should be used to ensure completeness and accuracy of processing. 'or e%ample, comparing totals of critical fields generated before processing with output totals for those fields tests for missing or improper transactions. . /001 2owers 3esources 4orporation5. All rights reserved +, B-14 Powers CIA Review wwwwwwww. CIA May 9! I.9 Correct Answer is (C) Not (a) because lac$ of documentation may not affect the reliability of the information processed. Not (b) because an appropriate level of management authorized the changes. Answer (c) is correct. <ne of the increased ris$s in an 894 environment is that program change procedures may not be followed. 
9sers may ta$e action without adherence to controls over initiation, authorization, testing, documentation, coordination, and communication of the changes. Not (d) because the consultants may have properly tested the changes. ......... CIA May 9! I.+0 Correct Answer is ()) Not (a) because application controls are dependent on the general controls. Not (b) because, in an 894 environment, responsibility for general controls may be shared by several individuals in different departments or locations. Not (c) because the need for specific general controls varies with the comple%ity and importance of the application. Answer (d) is correct. Ceneral controls concern data and program security, program changes, system development, computer operations, and disaster recovery. Application controls depend on the general controls. !he former will be ineffective if the latter are not functioning properly. 'urthermore, application controls in an 894 environment may be inade&uate, so the general controls may be the auditor"s primary emphasis. yyyyyyyy. CIA May 9! I.+1 Correct Answer is (B) Not (a) because restricting access to @AN wor$stations is a control to prevent unauthorized persons from gaining access to the networ$. Answer (b) is correct. Sophisticated software pac$ages may inadvertently threaten data security by allowing users to bypass e%isting system-level security. 'ourth-generation languages have update, retrieval, and reporting functions that may be used inappropriately in the absence of strong controls. Not (c) because re&uiring a password to log on to the @AN may not prevent authorized users from performing unauthorized functions. Not (d) because a security policy may establish responsibility but will not prevent inappropriate update of information. ////////. CIA May 9! I.+ Correct Answer is (A) Answer (a) is correct. 8dit or validation routines are application controls over data entry. 
For example, they test whether data fields have the appropriate types and numbers of characters, whether fields are complete, whether data are consistent with information in a master file or table, whether transactions balance, and whether amounts fall within a reasonableness interval.
Not (b) because rejected and suspense item controls are relevant only if the data are first subjected to edit and validation checks.
Not (c) because controls over update access to the database are general controls rather than application controls.
Not (d) because control totals are designed to identify errors in the processing of data rather than in the data itself.

CIA May 92 II.0. Correct Answer is (C).
Not (a) because hiring policies can provide assurance of qualified personnel for operation of the system but cannot prevent the introduction of viruses from bulletin boards or other outside sources.
Not (b) because antivirus software can identify and neutralize known viruses but may not recognize and properly neutralize new strains.
Answer (c) is correct. Acceptably safe computing can be achieved by carefully crafted policies and procedures used in conjunction with antivirus and access control software.
Not (d) because physical protection devices can reduce access but cannot prevent the introduction of viruses by errant employees or from outside sources.

CIA Nov 96 I.55. Correct Answer is (C).
Not (a) because continuous audit involvement does not minimize the audit cost; it is in fact the most costly of the alternatives.
Not (b) because, when the audit department is continuously involved in development, there are no clearly defined points for comments.
Answer (c) is correct. The scope of internal auditing work includes recommending standards of control and reviewing procedures before implementation. Continuous involvement of the internal auditing department in systems development should minimize the cost of reworking the system, because it allows adjustments to be made during the course of development.
Not (d) because the potential for lack of audit independence is minimized by audit involvement only after implementation, not by continuous involvement.

CIA May 96 I.44. Correct Answer is (C).
Not (a) because terminal access restrictions limit access to data input sites.
Not (b) because password requirements help restrict input access.
Answer (c) is correct. Hash totals have no defined meaning; examples are totals of employee numbers or invoice numbers. They are used to verify the completeness of data, not to limit access.
Not (d) because validity tests of user identification and product codes help to determine whether input is authorized.

CIA May 96 I.45. Correct Answer is (C).
Not (a) because open purchase orders have not yet been invoiced or paid.
Not (b) or (d) because an EDI system is unlikely to forfeit cash discounts. In addition, the auditor was involved in the design and testing of the EDI system and presumably has knowledge of its procedures.
Answer (c) is correct. Manual input and processing increase the risk of delayed payments and loss of purchase discounts, whereas an EDI system is unlikely to forfeit them. Thus, the proper population from which to sample consists of paid invoices not processed through the EDI system.

CIA May 96 I.46. Correct Answer is (A).
Answer (a) is correct. An exception report (error listing) should be issued so that company personnel can investigate the discrepancy, determine its cause, and take appropriate corrective action.
Not (b) or (d) because the company should not pay for goods not received.
Not (c) because the company should first determine the cause of the discrepancy.

CIA May 96 I.47. Correct Answer is (C).
Not (a) because the number of vendors does not indicate the size of the purchases.
Not (b) because the amount of purchases is equally divided between the EDI and non-EDI systems and so does not provide a basis for prioritizing risks.
Answer (c) is correct. Sound controls mitigate the risks associated with EDI. The question states that the internal auditing department's prior involvement consisted of assessing and testing the EDI system, and that review found no significant problems. Accordingly, the risk of the EDI system is decreased.
Not (d) because failure to examine EDI purchase controls increases risk.

CIA May 96 I.49. Correct Answer is (D).
Not (a) because identifying and authenticating the requestor provides some assurance that transactions are authorized.
Not (b) because information should be authenticated before transfer.
Not (c) because exception processing provides assurance about validity; all error conditions should be logged, reported, and reviewed on a timely basis.
Answer (d) is correct. Encryption protects data from disclosure to an unauthorized interceptor (confidentiality). It does not, by itself, ensure that the underlying transactions are genuine or authorized; that requires authentication and authorization controls over the sender and the transaction.

CIA May 96 I.58. Correct Answer is (B).
Not (a) because reasonableness, limit, and range checks are based upon known limits for the given information; for example, the hours worked per week cannot reasonably exceed a fixed ceiling.
Answer (b) is correct. Validity checks test identification numbers or transaction codes by comparing them with items already known to be correct or authorized. For example, Social Security numbers on payroll input records can be compared with the Social Security numbers authorized by the personnel department.
Not (c) because a record count is a control total of the number of records processed during the operation of a program, and financial totals summarize the dollar amounts in a field across a group of records.
Not (d) because a hash total is the number obtained by totaling the same field for each transaction in a batch. The total has no meaning or value other than as a comparison with another hash total computed over the same records.

CIA Nov 96 I.5. Correct Answer is (D).
Not (a) because information technology allows more data to be reviewed and reduces audit risk.
Not (b) because information technology can expedite the audit.
Not (c) because information technology can be used to implement a new approach to the audit of an application or function.
Answer (d) is correct. Judgment is the fruit of an auditor's formal education, professional experience, and personal qualities. Information technology is merely a tool for achieving audit objectives; it does not improve the auditor's judgment.

CIA Nov 96 I.11. Correct Answer is (A).
Answer (a) is correct. The number of systems personnel employed may reflect differences in operating philosophy (outsourcing vs. in-house development of applications). However, the compatibility of personnel is a less serious concern than the compatibility of hardware and software.
Not (b) because Company A has little EDI experience. Hence, the greater the number of vendors that must be connected with Company A, the greater the risk exposure.
Not (c) because the difficulty and expense of conversion will be increased if the computer systems have significant compatibility problems.
Not (d) because the greater the complexity of the systems to be integrated, the greater the risk exposure.
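The see-through authentication described in CIA Nov 95 I.26 above combines a possession factor (a card that generates a fresh password for each logon) with a knowledge factor. As an added worked example, not part of the original review text, the following Python sketches both sides of such a scheme: the card runs the RFC 4226 HOTP algorithm over a counter and a shared secret, and the server checks the PIN against a salted hash, accepts a one-time password only within a small counter window, and advances the counter so the same password can never be replayed. The user name, PIN, salt and the secret (the RFC 4226 test-vector secret, so the codes can be checked) are constructed for the example.

```python
"""Two-factor logon with an event-based one-time password (RFC 4226 HOTP):
something possessed (a card that generates the password) plus something
known (a PIN).

Added illustration for the see-through authentication question
(CIA Nov 95 I.26); it is not code from the Powers CIA Review. The user
name, PIN, salt and shared secret are constructed; the secret is the
RFC 4226 test-vector secret so the generated codes can be checked.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The possession factor: a card holding the secret and a counter. It never
    discloses the secret; pressing the button yields the next password."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_password(self) -> str:
        pwd = hotp(self._secret, self._counter)
        self._counter += 1
        return pwd


class AuthServer:
    """Holds, per user, the token secret, the next counter it will accept and a
    salted PIN hash (the knowledge factor). Each one-time password is accepted
    at most once, so an observed password is useless to an eavesdropper."""

    LOOK_AHEAD = 3                 # tolerate a few unused button presses on the card
    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def _pin_hash(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PBKDF2_ROUNDS)

    def enroll(self, user: str, secret: bytes, pin: str, salt: bytes) -> None:
        self._users[user] = {"secret": secret, "counter": 0, "salt": salt,
                             "pin_hash": self._pin_hash(pin, salt)}

    def authenticate(self, user: str, pin: str, otp: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        # Knowledge factor: constant-time comparison against the stored hash.
        pin_ok = hmac.compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin_hash"])
        # Possession factor: the password must match one of the next few counters.
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                matched = c
                break
        if not pin_ok or matched is None:
            return False           # failed attempt: the counter is not advanced
        rec["counter"] = matched + 1   # the used password can never be replayed
        return True


def demo() -> dict:
    """Legitimate logon, replay of the same password, each factor alone, then a
    second legitimate logon."""
    secret = b"12345678901234567890"             # RFC 4226 test secret (constructed enrollment)
    card = Token(secret)
    server = AuthServer()
    server.enroll("jdoe", secret, pin="4821", salt=b"constructed-salt")
    first = card.next_password()
    return {
        "first_logon": server.authenticate("jdoe", "4821", first),
        "replay_same_otp": server.authenticate("jdoe", "4821", first),
        "card_without_pin": server.authenticate("jdoe", "0000", card.next_password()),
        "pin_without_card": server.authenticate("jdoe", "4821", "123456"),
        "second_logon": server.authenticate("jdoe", "4821", card.next_password()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The look-ahead window is what keeps the card and the server in step when a user presses the button without logging on; it is kept small because every extra counter value is one more password an attacker could guess. Because the secret never leaves the card or the server, observing one password gives no way to compute the next, which is why the password alone (option (a) of the question) is a weaker control than the two factors together.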
CIA May 97 I.4. Correct Answer is (B).
Not (a) because backup/restart procedures concern the abnormally aborted processing of jobs.
Answer (b) is correct. Job scheduling is an obvious starting point for the investigation. Ineffective controls over scheduling result not only in processing bottlenecks at peak hours but also in inefficient usage at other times and in increased costs. Scheduling problems may arise when, for example, the job mix changes daily, users are allowed to submit unscheduled jobs, or manual overrides of an automated schedule are permitted. Controls include using automated scheduling software, limiting manual overrides, obtaining supervisory approval of manual overrides, maintaining complete and current operations documentation, verifying that all jobs are completed, and submitting unscheduled jobs to a different processor, or a different partition of the processor, from the one used for production processing of scheduled jobs.
Not (c) because console logs would give only indications of problems. They might be examined later in the process, but they would not be the initial focus.
Not (d) because program documentation is not the correct place to start, although it might help later to determine why a given program was delaying processing.

CIA May 97 I.5. Correct Answer is (B).
Not (a) because asynchronous transmission is a method of data transmission, not a means of safeguarding data. It is used for slow, irregular transmissions, such as from a keyboard terminal; each character is marked by a start and a stop code.
Answer (b) is correct. Encryption software applies a fixed algorithm (which need not be secret) to the plaintext under an encryption key (a string of random bits that selects one of many possible transformations). Although tapping the transmission line may capture the data, the key is necessary to recover the plaintext, so the protection rests on keeping the key secret.
Not (c) because, although fiber-optic transmission lines are difficult to tap, their use will not prevent theft of unencrypted data by someone who does gain access to them.
Not (d) because passwords control access at the sending location and at the head-office computer; they do not prevent someone from tapping the transmission line.

CIA May 97 I.19. Correct Answer is (B).
Not (a) because self-checking digits detect inaccurate identification numbers and are an effective control to ensure that the appropriate part has been identified. However, the control objective here is to ensure that the data transfer is complete.
Answer (b) is correct. Batch control totals for the data transferred can be reconciled with the batch control totals of the existing file, and this comparison provides evidence on the completeness of the transfer. Batch totals may include record counts, totals of certain critical amounts, or hash totals. A hash total is a control total without a defined meaning, such as the total of employee numbers or invoice numbers, that is used to verify the completeness of data. Thus, the hash total for the employee listing kept by the personnel department could be compared with the total generated during the payroll run.
Not (c) because passwords help ensure that only authorized personnel make the transfer, not that the transfer is complete.
Not (d) because field checks are effective input controls, but they do not ensure completeness of data transfer.

CIA May 92 I.9. Correct Answer is (D).
Not (a) because access to sensitive output is a security concern.
Not (b) because backup and disaster recovery is an operational integrity issue.
Not (c) because the change environment is a security and independence concern.
Answer (d) is correct. Efficiency is not achieved when facilities are underused, work is nonproductive, or procedures are uneconomical. Efficiency will be improved by freeing media and disk space for other uses, thus reducing data storage costs.

CIA May 97 I.51. Correct Answer is (C).
Not (a) because restricting specific applications to specific files is a job-to-data authorization technique.
Not (b) because restricting specific terminals to specific applications is a terminal-to-data authorization technique.
Answer (c) is correct. In a user-to-data access control system, access controls are based on identification and authentication procedures. Identification is the process of uniquely distinguishing one user from all others, and authentication determines that a user is the person he or she claims to be. Authentication may be by knowledge, possession, or characteristic: knowledge may include passwords and identification numbers, possessions may include a security card or badge, and characteristics may include physiological and behavioral traits.
Not (d) because the use of access control software alone does not address all security risks.

CIA May 97 I.67. Correct Answer is (A).
Answer (a) is correct. A technical feasibility study determines whether the proposed solution can be implemented. It should be conducted in the systems analysis stage.
Not (b) because the involvement of users in the development process should result in better design and greater acceptance of the system.
Not (c) because software quality assurance is crucial to the development process; mistakes may be extremely costly.
Not (d) because, without good documentation, an information system may be difficult, if not impossible, to operate, maintain, or use.

CIA May 90 III.41. Correct Answer is (C).
Answer (c) is correct. Given that the members of the personnel department share one computer, they all have access to that computer. Authorized members need to access the system and retrieve and edit their assigned portion of the personnel files to perform their jobs. If access and file retrieval for all members were restricted by passwords only, members who are authorized to access the system and retrieve files but not authorized to edit them would still be able to edit personnel records. Consequently, password protection must extend at least to the file editing level.
Not (a) or (b) because, for the reason just given, password control at the system-access or file-retrieval level alone would leave members who may retrieve files but not edit them able to edit personnel records.
Not (d) because password control is needed.

CIA Nov 89 I.4. Correct Answer is (C).
Not (a) because the "paper trail" is less extensive in an information system; combining processing and controls within the system reduces documentary evidence.
Not (b) because information assets are more likely to be under the control of the information systems function.
Answer (c) is correct. Using a computer does not change the basic concepts and objectives of control. However, the use of computers may modify the control techniques used: the processing of transactions may be combined with control activities previously performed separately, or control functions may be combined within the information systems activity.
Not (d) because documentation is more important in an information system, since information is more likely to be stored in machine-readable form than in hard copy.

CIA Nov 90 III.2. Correct Answer is (B).
Not (a) because password authorization is a general control over access to terminals.
Answer (b) is correct. Check digit verification is used when an algorithm generates a self-checking digit that is appended to an identification number (e.g., a part number). When the user enters the part number, the digit is regenerated from the entered number using the same algorithm and compared with the digit entered. This is an appropriate input control because it detects transcription errors (mis-keyed or transposed digits) in fields such as account or inventory numbers.
Not (c) because hash totals are appropriate for batch processing, not for validating an individual field.
Not (d) because backup and recovery procedures are general controls, not application controls.

CIA Nov 90 III.22. Correct Answer is (A).
Answer (a) is correct. The callback technique would prevent unauthorized access to the computer over a dial-up facility. It is a two-step control. First, the connection is broken after the caller has identified himself; the system then checks the caller's authorization and, if it is verified, calls back the telephone number of record for that caller and reconnects. If there is no authorization, the computer does not call back. The number dialed back must come from the system's own records, not from the caller, or the control is defeated.
Not (b) because the modem (modulator/demodulator) is a device that allows a connection between a computer and a terminal to be made from a remote location over telephone lines.
Not (c) because the echo check is a control used to verify that information sent by a sender is identical to the information received by the recipient. The information sent is echoed back by the recipient to the sender; if the echo is not identical to what was sent, the transmission is retried.
Not (d) because the console log has nothing to do with controlling access to the computer. The log lists all operating system activity, maintains an equipment utilization record, and identifies operator-initiated actions.

CIA May 91 III.6. Correct Answer is (B).
Not (a) because the bank employee obtained account codes and PINs by observing customers at the ATMs. The bank should encourage its customers to keep their account information secret, but it must take independent steps to detect and prevent the use of fraudulent cards.
Answer (b) is correct. Detecting the fraudulent cards allowed the bank to monitor ATM use and catch the individual. Transaction validation of the cards themselves, in addition to the account numbers and PIN codes, allows fraudulent ATM cards to be detected.
Not (c) because this individual had, at one time, been authorized to know about ATM operations.
Not (d) because, although the bank should restrict access to machines capable of writing magnetic stripes to those employees who need them for their jobs, individuals skilled in electronics can obtain parts and ass emble such machines themselves, so banks cannot fully restrict access to stripe-writing equipment.

CIA May 91 III.82. Correct Answer is (B).
Not (a) because prohibiting departmental staff from programming their own spreadsheet applications defeats the purpose of using personal computers, which is to make users more productive with their own computers.
Answer (b) is correct. To assure control over confidential data and programs, a functional separation of computer-based activities should be established. Custody of the data and programs should be in the hands of a librarian responsible for their secure storage and control.
Access should be formally authorized to assure accountability for use of the data and programs. Not (c) because custom-designed menus are ordinarily used to limit access to other application programs, not necessarily to data files. Also, they are unnecessary for s$illed users and do not impose control on them. Not (d) because dividing the duties of application preparation and e%ecution impedes the intended use of the application models. #t is ineffective as a control measure because all the department"s staff are s$illed spreadsheet users. wwwwwwwww. CIA May 91 III.4 Correct Answer is (C) Not (a) because tagging is the practice of mar$ing specific transactions for subse&uent investigation. Not (b) because, callbac$ is a procedure in which the system disconnects the caller and calls the e%ternal entity"s telephone number of record before letting the terminal session proceed. Answer (c) is correct. 9sing passwords would permit supervisors to authenticate themselves to the system as supervisors. !ellers, not $nowing the supervisors" passwords, could not invo$e supervisor-only functions. Not (d) because, logs of access and attempted functions by employee would detect teller use of unauthorized functions but would not prevent . /001 2owers 3esources 4orporation5. All rights reserved +, B-1+ Powers CIA Review tellers from using them. .......... CIA May 91 III.89 Correct Answer is (A) Answer (a) is correct. (uring processing, the operating system records in the console log the activities of the computer system and the actions ta$en by the computer operator. #t should therefore contain entries for the wor$ performed and provide a control over operator intervention. Not (b) because, the data control log contains entries concerning obs run and output distribution. +owever, recording is not concurrent with computer activity, and no entry may appear for some transactions already processed. 
Not (c) because the ob &ueue is the list of obs waiting to be processed, not those that have been e%ecuted. Not (d) because the master run boo$ provides documentation of the system. yyyyyyyyy. CIA May 9+ III.+9 Correct Answer is (B) Not (a) because growing organizational reliance on information systems increases the ris$ of business interruption. Answer (b) is correct. As competitive pressures for enhanced functions in systems increase, development groups will be under more pressure to implement systems &uic$ly, which increases the ris$ of hastily developed, ineffective systems. Not (c) because greater emphasis on internal control reduces the ris$ of ineffectiveness in the developed system. Not (d) because the use of $nowledge-based systems increases the ris$ of inade&uate $nowledge bases. /////////. CIA May 94 I.!4 Correct Answer is (A) Answer (a) is correct. !he list of authorized users and their passwords would not be included in an audit trail log but in a file within the computer. Not (b) because the type of event or transaction attempted would be included in an audit log and is necessary to investigate unauthorized attempted access to the system. Not (c) because the terminal used to ma$e the attempt would be included in an audit log and is necessary to investigate unauthorized attempted access to the system. Not (d) because the data in the program sought would be included in an audit log and is necessary to investigate unauthorized attempted access to the system. aaaaaaaaaa. CIA May 94 III.+1 Correct Answer is (A) Answer (a) is correct. A preventive control is designed to prevent errors from occurring. #n this case, the computer program will not generate month-end balances to prevent reporting incorrect balances when it notes the missing transactions. Not (b) because detective controls are designed to detect errors that occurred. Not (c) because corrective controls fi% detected and reported errors. 
Not (d) because discretionary control is a distracter since there is no such term. bbbbbbbbbb. CIA Nov 94 III. Correct Answer is ()) Not (a) because review of insurance coverage is an aspect of ris$ analysis, and a much narrower concept than contingency planning. Not (b) because electronic vaulting is a technology which may be used as part of contingency planning. 8lectronic vaulting is +, B-1++ . /001 2owers 3esources 4orporation5. All rights reserved Powers CIA Review bac$ing up data electronically at a remote location to protect against hardware failures and threats such as natural threats, fire etc. Not (c) because change control procedures in the development of information systems do not ensure continuity of operations. Answer (d) is correct. 4ontingency planning is a management activity that is essential to ensure continuity of operations in the event a disaster impairs information systems processing. cccccccccc. CIA Nov 94 III.+ Correct Answer is (A) Answer (a) is correct. 3is$ analysis is necessary to for an organization to assess its e%posure to various factors that may hinder the organization*s operations and effect losses. !he level of e%posure may vary from minimal to disastrous. Not (b) because system bac$-up analysis is a contingency planning strategy to react to a disaster. Not (c) because, vendor supply agreement analysis is a contingency planning strategy to react to a disaster. Not (d) because contingent facility contract analysis is a contingency planning strategy to react to a disaster. dddddddddd. CIA Nov 94 III.+9 Correct Answer is (A) Answer (a) is correct. Automatic dial bac$ re&uires reconnection of authorized contact before processing. Automatic dial bac$ or callbac$ is a control procedure in which the system allows only authorized users to access the system. (ial bac$ procedure disconnects the caller and calls the e%ternal entity"s telephone number of record before letting the terminal session proceed. 
Not (b) because message se&uencing is to detect gaps or duplicate messages. Not (c) because encryption scrambles messages for security transmissions. Not (d) because dedicated lines for a home ban$ing system have a high cost factor. eeeeeeeeee. CIA May 95 III.+9 Correct Answer is ()) Not (a) because. 2#N codes are not physiological or behavioral characteristics of a person. Not (b) because passwords are not physiological or behavioral characteristics of a person. Not (c) because an employee badge is not a physiological or behavioral characteristic of a person. Answer (d) is correct. 8ach person*s voice has different characteristics (sound fre&uency or signature) that distinguish it from others people*s voices. !his personal characteristic is used by biometric systems to authenticate and verify the identity of a person. """""""""". CIA May 95 III.40 Correct Answer is ()) Not (a) because screen savers do not prevent the viewing of data on an unattended data terminal. Not (b) because passwords do not prevent the viewing of data on an unattended data terminal. Not (c) because encryption of data files will not prevent the viewing of data on an unattended data terminal. Answer (d) is correct. Automatic log-off of inactive data terminals may prevent the viewing of sensitive data on an unattended data terminal. . /001 2owers 3esources 4orporation5. All rights reserved +, B-1+4 Powers CIA Review ##########. CIA May 95 III.71 Correct Answer is (C) Not (a) because personnel employed at the site would not be familiar with company operations because they wor$ for the third party, not the company. Not (b) because using a cold site may actually increase travel e%penses because company personnel would have to travel to the site. Answer (c) is correct. #f the company arranged for a third-party cold site to replace a non-functioning regional center, the company would not have to install additional e&uipment at the regional centers. 
Not (d) because typically, cold sites require more than a few hours before being operational in order to permit installation and testing of software and data.

h. CIA May 95 III.7 Correct Answer is (A) Answer (a) is correct. The company has decentralized its information processing since the last revision to the plan. The existing plan is likely to be out of date because of changes in equipment, data, and software when shifting to decentralized data processing. Not (b) because the headquarters has adequate processing capability. Not (c) because if the company were depending on a cold site as a contingent plan for the centralized headquarters, arrangements for cold site backups would be crucial and included in the plan. Not (d) because personnel turnover, by itself, is not a reason for a contingency plan to be outdated because new personnel would be trained for their jobs, which would include recovery procedures for processing.

i. CIA May 95 III.73 Correct Answer is (B) Not (a) because headquarters would be no more unaware of processing than is now the case. Answer (b) is correct. Mirroring the data at another regional center would cause the company to incur the cost and complexity of the greater network traffic that would be required to send and synchronize the replicated data. Not (c) because the mirrored data would most likely be kept in segregated files; there would be no interference with the data originally kept at each regional center. Not (d) because agents would not have to change their procedures because they would continue using the system as before.

j. CIA May 96 I.57 Correct Answer is (D) Not (a) because a record count determines the number of documents entered into a process. Not (b) because an echo check tests the reliability of computer hardware. For example, the CPU sends a signal to a printer that is echoed just prior to printing. The signal verifies that the proper print position has been activated.
Not (c) because a self-checking digit is generated by applying an algorithm to an identification number. Answer (d) is correct. A limit, reasonableness, or range test determines whether an amount is within a predetermined limit for given information. It can only detect certain errors (i.e., those that exceed the acceptable limit).

k. CIA Nov 95 III.38 Correct Answer is (D) Not (a) because a cold site requires significant time to be activated to duplicate regional facilities. The site does not have hardware and equipment ready for use beyond the basic installations required to run an information processing facility (flooring, lighting, air conditioning, etc.). Not (b) because a hot site is a very expensive option for rerouting calls and it would not provide skilled staff to receive the claims. A hot site, however, is a fully configured and equipped location that may be ready to operate within a few hours after getting the required staff, programs, and data files needed. Not (c) because a third-party service center is not the best option for contingency planning. This option would also be very expensive and may not provide skilled staff to handle customers' insurance claims. Answer (d) is correct. Since it is a distributed insurance company and receiving customers' calls is an essential aspect of the operations of the company, the best contingency plan for restoring capacity in the event of a disaster would be to reroute call traffic to regional centers that would not be affected by the disaster. In addition, choosing this contingency plan would minimize recovery costs during recovery periods and would be more effective since the company's trained personnel would be receiving customers' claims.

l. CIA May 96 III.68 Correct Answer is (A) Answer (a) is correct.
The best way to protect a client-server system from unauthorized access is through a combination of application and general access control techniques. Not (b) because authentication systems alone are not enough to protect a client-server system from unauthorized access; those systems are only a part of the solution. Not (c) because this only affects general access control techniques. Not (d) because testing and evaluation of remote procedure calls may be a small part of an overall security review.

m. CIA Nov 96 III.39 Correct Answer is (A) Answer (a) is correct. A crucial aspect of recovery planning for the company is ensuring that organizational and operational changes are incorporated in the plans. If organizational and operational changes were not reflected in the recovery plans, the recovery plans could become inapplicable. Not (b) because it is vital that changes to systems be tested thoroughly before being placed into production, but that is not a part of recovery planning. Not (c) because a good recovery plan would specify how operational staff might be replaced should the need arise, but management personnel would not be used to replace operational staff. Not (d) because being able to predict workload changes accurately permits a company to minimize its information systems facility costs, but that is not a part of recovery planning.

n. CIA Nov 96 III.43 Correct Answer is (C) Not (a) because ensuring that the disaster recovery plans are fully tested would not contribute to avoiding being selected as a terrorist target. Not (b) because hardening the electrical and communications systems so that they could withstand some kinds of attacks would not contribute to avoiding being selected as a terrorist's target. Answer (c) is correct. The best approach to avoid having the data center identified as a
terrorist's target is to establish as low a profile as possible for the data center, e.g., by refraining from (1) identifying the building on the outside as a data center, (2) showcasing the data center through glass windows, or (3) advertising the important role the data center plays in operations. Not (d) because monitoring the locations and activities of known terrorists, even if permitted by law, would not by itself help the company avoid having the data center selected as a terrorist's target.

o. CIA Nov 96 III.48 Correct Answer is (C) Not (a) because the company may or may not maintain the same level of employment after a disaster, e.g., a disaster that destroys productive capacity in one plant may lead to layoffs. Not (b) because thorough planning may or may not minimize the cost of facility repair, i.e., the best approach may be to undergo more expensive repair sooner in order to resume operations sooner. Answer (c) is correct. The more thorough the recovery plans are, the more likely the company would be to resume operations quickly and fulfill its obligations to customers. Not (d) because the maximum benefit from planning is that it prompts action to avoid the most likely or most devastating events with the potential to interrupt business. Management would be delighted if planning ensured that business was never interrupted and thus that the recovery plan was never invoked.

p. CIA Nov 96 III.54 Correct Answer is (C) Not (a) because multiple access to data by data owners, i.e., access by the individuals responsible for creating and maintaining specific data, is a normal occurrence. Not (b) because management authorization of modified access is expected as needs or conditions change and is not an event typically reported. Answer (c) is correct. The security administrator should report access to data or resources by privileged users so that the access can be monitored for appropriate and authorized usage.
Not (d) because data owner specification of access privileges is normal and need not be monitored by the security administrator.

q. CIA Nov 96 III.6 Correct Answer is (D) Not (a) because fingerprints are a biometric measure; they involve measuring part of a person's physiological or behavioral characteristics. Not (b) because a retina pattern is a biometric measure; it involves measuring part of a person's physiological or behavioral characteristics. Not (c) because speech patterns are a biometric measure; they involve measuring part of a person's physiological or behavioral characteristics. Answer (d) is correct. Passwords are not a biometric authentication. Biometric systems use personal characteristics to authenticate and verify the identity of a person, such as fingerprints, retina patterns, and speech patterns.

r. CIA Nov 96 III.66 Correct Answer is (D) Not (a) because password proliferation is a considerable security concern because users will be tempted to write down their passwords or make them overly simplistic. Not (b) because consistent security across varied platforms is often challenging because of the different security features of the various systems and the decentralized nature of those controlling security administration. Not (c) because under centralized control, management can feel more confident that backup file storage is being uniformly controlled. Decentralization of this function leads to a lack of consistency and difficulty in monitoring compliance. Answer (d) is correct. This would not cause a control concern. Having data distributed across many computers throughout the organization actually decreases the risk that a single disaster would destroy large portions of the organization's data. It is a potential advantage of distributed systems of various architectures versus centralized data in a single mainframe computer.

s.
CIA May 97 III.37 Correct Answer is (B) Not (a) because review of the computer processing logs is an output control to ensure that data are accurate and complete. Answer (b) is correct. Matching the input data with information held on master or suspense files is a processing control, not an output control, to ensure that data are complete and accurate during updating. Not (c) because periodic reconciliation of output reports is an output control to ensure that data are accurate and complete. Not (d) because maintaining formal procedures and documentation specifying authorized recipients is an output control to ensure proper distribution.

t. CIA May 97 III.44 Correct Answer is (B) Not (a) because data encryption is an effective security feature for any computer. Answer (b) is correct. A notebook computer is a portable device smaller than a laptop. Because it may be readily transported anywhere, security concerns for such a device are even greater than for desktop personal computers. For example, password protection for a screensaver program can be easily bypassed. Not (c) because a removable hard drive provides obvious protection for data and programs stored thereon. Not (d) because security is promoted by physically locking the notebook computer to an immovable object.

u. CIA May 97 III.6 Correct Answer is (A) Answer (a) is correct. Implementation controls are part of general controls. Implementation controls occur in the system development process at various points to ensure that implementation is properly controlled and managed. Not (b) because hardware controls ensure that computer hardware is physically secure and check for equipment malfunction. Not (c) because computer operations controls apply to the work of the computer department and help ensure that programmed procedures are consistently and correctly applied to the storage and processing of data.
Not (d) because data security controls ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction.

v. CIA May 97 III.64 Correct Answer is (C) Not (a) because this practice is a wise control, but it does not address the issue of upload-data integrity. Backups cannot prevent or detect data-upload problems, but can only help correct data errors that a poor upload caused. Not (b) because this control may be somewhat helpful in preventing fraud in data uploads, but it is of little use in preventing errors. Answer (c) is correct. To prevent data errors when data are uploaded from a microcomputer to the company's mainframe system in batch processing, the mainframe computer should subject the data to the same edits and validation routines that online data entry would require. Not (d) because this control is detective in nature, but the error could have already caused erroneous reports and management decisions. Having users try to find errors in uploaded data would be costly.
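The edit routines a mainframe would apply to a batch upload (answer v.), using the input controls named in answer j. (record count, self-checking digit, limit test), as an added example that is not part of the original review text; the mod-10 (Luhn) check-digit algorithm, the claim amount ceiling and the sample records are assumptions.

```python
"""Batch-upload edit routines: added example, not the review's own code.

Uploaded batch data should pass the same edits that online entry would
apply: a record count against a control total, a self-checking digit on
each identifier, and a limit/range test on each amount. The check-digit
algorithm here is an assumption: a mod-10 weighted sum (Luhn)."""

# Constructed ceiling for a hypothetical claims upload (assumption).
MAX_CLAIM_AMOUNT = 50_000.00

def mod10_check_digit_ok(ident: str) -> bool:
    """Luhn (mod 10) self-checking digit: weighted digit sum must be 0 mod 10."""
    if not ident.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(ident)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9            # keep the doubled value to a single digit
        total += d
    return total % 10 == 0

def within_limit(amount: float) -> bool:
    """Limit/range test: amount must be positive and not above the ceiling."""
    return 0 < amount <= MAX_CLAIM_AMOUNT

def validate_batch(records, expected_count):
    """Apply record count, check digit and limit test; return a list of errors."""
    errors = []
    if len(records) != expected_count:
        errors.append(f"record count {len(records)} != control total {expected_count}")
    for line_no, (ident, amount) in enumerate(records, start=1):
        if not mod10_check_digit_ok(ident):
            errors.append(f"line {line_no}: bad check digit in {ident}")
        if not within_limit(amount):
            errors.append(f"line {line_no}: amount {amount} fails limit test")
    return errors

# Constructed sample batch: (policy id with check digit, claim amount).
SAMPLE_BATCH = [
    ("79927398713", 1200.00),   # valid check digit, amount in range
    ("79927398710", 300.00),    # keying error: check digit fails
    ("49927398716", 75000.00),  # valid id, amount exceeds the limit
]

if __name__ == "__main__":
    for err in validate_batch(SAMPLE_BATCH, expected_count=4):
        print(err)
```

Rejecting the batch when any error is returned is what makes these edits preventive, as opposed to the detective review of reports after the fact described in option (d).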