Abstract image of a woman sitting on books and studying on a laptop

Cisa exam mock test questions-1

Download as DOCX, PDF
H
Hemang Doshi

This document consists of a mock assessment test for Certified Information Systems Auditor (CISA) candidates, containing various questions related to information systems audits, risk assessment, and control measures. Key topics include the audit process, evidence gathering, statistical sampling, and the roles of auditors. Each question is aimed at testing the candidate's knowledge on best practices and methodologies in the field of information systems auditing.

Career
1 of 16
Downloaded 218 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1 Mock Assessment Test-Paper No.1-CISA course (Ref:QB9F50/QB10F50/QB11F50/QB13.130-179) 1. In an audit of an inventory application, which approach would provide the BEST evidence that purchaseorders are valid? A. Testing whether inappropriatepersonnelcan change application parameters B. Tracing purchase orders to a computer listing C. Comparing receiving reports to purchaseorder details D. Reviewing theapplication documentation 2. The extent to which data will be collected during an IS audit should be determined based on the: A. availability of critical and required information. B. auditor's familiarity with the circumstances. C. auditee's ability to find relevant evidence. D. purposeand scopeof the audit being done. 3. The responsibility, authority and accountability of theIS audit function is appropriately documented in an audit charter and MUST be: A. approved by thehighest level of management. B. approved by audit department management. C. approved by user department management. D. changed every year before commencement of IS audits. 4. A key element in a risk analysis is: A. audit planning. B. controls. C. vulnerabilities. D. liabilities. 5. An IS auditor discovers evidence of fraud perpetrated with amanager's user id. The manager had written the password, allocated by the systemadministrator, inside his/her desk drawer. The IS auditor should conclude that the: A. manager's assistant perpetrated thefraud. B. perpetrator cannot be established beyond doubt. C. fraud must have been perpetrated by themanager. D. systemadministrator perpetrated thefraud. 6. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, theIS auditor would use: A. test datato validate data input. B. test data to determine systemsort capabilities. C. generalized audit software to search for address field duplications. D. generalized audit softwareto search for account field duplications. 7. The IS department of an organization wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is a(n): A. control procedure. B. control objective. C. corrective control. D. operational control. 8. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should: A. create the procedures document. B. terminate the audit. C. conduct compliance testing. D. identify and evaluate existing practices. 9. When implementing continuous monitoring systems, an IS auditor's first step is to identify: A. reasonable target thresholds. B. high-risk areas within theorganization. C. the location and format of output files. D. applications that providethe highest potentialpayback.
2 10. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potentialanomalies in user or systembehavior. Which of the following tools is MOST suitable for performing that task? A. CASE tools B. Embedded data collection tools C. Heuristic scanning tools D. Trend/variance detection tools 11. An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when: A. theprobability of error must be objectively quantified. B. the auditor wishes to avoid sampling risk. C. generalized audit software is unavailable. D. thetolerable error rate cannot be determined. 12. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: A. controls needed to mitigate risks are in place. B. vulnerabilities and threats are identified. C. audit risks are considered. D. a gap analysis is appropriate. 13. The vice president of human resources has requested an audit to identify payrolloverpayments for the previous year. Which would be the BEST audit technique to use in this situation? A. Test data B. Generalized audit software C. Integrated test facility D. Embedded audit module 14. Which of the following would be theBEST population to takea sample from when testing program changes? A. Test library listings B. Source program listings C. Program change requests D. Production library listings 15. Which of the following normally would be the MOST reliable evidence for an auditor? A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by theIS auditor from reports supplied by line management 16. During a review of the controls over theprocess of defining IT service levels, an IS auditor would MOST likely interview the: A. systems programmer. B. legal staff. C. business unit manager. D. application programmer. 17. In the course of performing a risk analysis, an IS auditor has identified threats and potentialimpacts. Next, an IS auditor should: A. identify and assess therisk assessment process used by management. B. identify information assets and the underlying systems. C. disclose thethreats and impacts to management. D. identify and evaluate the existing controls. 18. A PRIMARYbenefit derived from an organization employing control self-assessment (CSA) techniques is that it: A can identify high-risk areas that might need a detailed review later. B. allows IS auditors to independently assess risk. C. can be used as a replacement for traditional audits. D. allows management to relinquish responsibility for control. 19. Senior management has requested that an IS auditor assist thedepartmental management in theimplementation of necessary controls. The IS auditor should: A. refuse the assignment since it is not the role of theIS auditor. B. inform management of his/her inability to conduct future audits. C. perform theassignment and futureaudits with due professionalcare. D. obtain theapprovalof user management to perform theimplementation and follow-up.
3 20. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation? A. Multiplecycles of backup files remain available. B. Access controls establish accountability for e-mail activity. C. Data classification regulates what information should be communicated via e-mail. D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available. 21. Which of the following is a benefit of a risk-based approach to audit planning? Audit: A. scheduling may be performed months in advance. B. budgets are more likely to be met by theIS audit staff. C. staff will be exposed to a variety of technologies. D. resources are allocated to the areas of highest concern. 22. An audit charter should: A. be dynamic and change often to coincide with thechanging nature of technology and the audit profession. B. clearly stateaudit objectives for and thedelegation of authority to the maintenance and review of internal controls. C. document the audit procedures designed to achieve the planned audit objectives. D. outline the overall authority, scopeand responsibilities of theaudit function. 23. An IS auditor is evaluating a corporatenetwork for a possiblepenetration by employees. Which of the following findings should give theIS auditor the GREATEST concern? A. There are a number of external modems connected to thenetwork. B. Users can install software on their desktops. C. Network monitoring is very limited. D. Many user ids have identical passwords. 24. While planning an audit, an assessment of risk should be made to provide: A. reasonable assurance that theaudit will cover material items. B. definite assurance that material items will be covered during the audit work. C. reasonable assurance that all items will be covered by the audit. D. sufficient assurance that all items will be covered during the audit work. 25. To identify thevalue of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use: A. test data. B. statisticalsampling. C. an integrated test facility. D. generalized audit software. 26. An integrated test facility is considered a useful audit tool because it: A. is a cost-efficient approach to auditing application controls. B. enables the financial and IS auditors to integrate their audit tests. C. compares processing output with independently calculated data. D. provides the IS auditor with a tool to analyze a large range of information. 27. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? A. Inherent B. Detection C. Control D. Business 28. Data flow diagrams are used by IS auditors to: A. order data hierarchically. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation. 29. Reviewing management's long-term strategic plans helps the IS auditor: A. gain an understanding of an organization's goals and objectives. B. test theenterprise's internal controls. C. assess the organization's reliance on information systems. D. determine thenumber of audit resources needed. 30. When evaluating thecollective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware: A. of thepoint at which controls are exercised as data flow through the system. B. that only preventive and detective controls are relevant. C. that corrective controls can only be regarded as compensating. D. that classification allows an IS auditor to determine which controls are missing.
4 31. The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do is an example of: A. inherent risk. B. control risk. C. detection risk. D. audit risk. 32. The PRIMARYpurposeof an audit charter is to: A. document the audit process used by theenterprise. B. formally document theaudit department's plan of action. C. document a code of professional conduct for the auditor. D. describe theauthority and responsibilities of theaudit department. 33. An IS auditor has evaluated the controls for theintegrity of the data in a financial application. Which of thefollowing findings would be theMOST significant? A. Theapplication owner was unaware of several changes applied to the application by the IT department. B. The application data are backed up only once a week. C. The application development documentation is incomplete. D. Information processing facilities are not protected by appropriatefiredetection systems. 34. Overall business risk for a particular threat can be expressed as: A. a product of theprobability and magnitude of the impact if a threat successfully exploits a vulnerability. B. the magnitude of the impact should a threat source successfully exploit thevulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. thecollective judgment of the risk assessment team. 35. Which one of the following could an IS auditor use to validate theeffectiveness of edit and validation routines? A. Domain integrity test B. Relational integrity test C. Referential integrity test D. Parity checks 36. An IS auditor reviews an organizational chart PRIMARILYfor: A. an understanding of workflows. B. investigating various communication channels. C. understanding the responsibilities and authority of individuals. D. investigating thenetwork connected to different employees. 37. An IS auditor is evaluating management's risk assessment of information systems. TheIS auditor should FIRST review: A. thecontrols already in place. B. the effectiveness of the controls in place. C. the mechanism for monitoring therisks related to the assets. D. thethreats/vulnerabilities affecting the assets. 38. Which of the following is an objective of a control self-assessment (CSA) program? A. Concentration on areas of high risk B. Replacement of audit responsibilities C. Completion of control questionnaires D. Collaborative facilitative workshops 39. Which of the following steps would an IS auditor normally performFIRST in a data center security review? A. Evaluate physicalaccess test results. B. Determine therisks/threats to thedata center site. C. Review business continuity procedures. D. Test for evidence of physicalaccess at suspect locations. 40. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of: A. facilitator. B. manager. C. partner. D. stakeholder. 41. The use of statisticalsampling procedures helps minimize: A. sampling risk. B. detection risk. C. inherent risk. D. control risk.
5 42. An IS auditor evaluates the test results of a modification to a systemthat deals with payment computation. Theauditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit? A. Design further tests of thecalculations that are in error. B. Identify variables that may have caused the test results to be inaccurate. C. Examine some of the test cases to confirm the results. D. Document theresults and preparea report of findings, conclusions and recommendations. 43. An IS auditor is assigned to perform a post implementation review of an application system. Which of the following situations may have impaired the independence of theIS auditor? The IS auditor: A. implemented a specific control during the development of the application system. B. designed an embedded audit module exclusively for auditing the application system. C. participated as a member of the application systemproject team, but did not have operational responsibilities. D. provided consulting advice concerning application systembest practices. 44. The BEST method of proving the accuracy of a systemtax calculation is by: A. detailed visual review and analysis of the source code of thecalculation programs. B. recreating program logic using generalized audit softwareto calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs. 45. Which of the following audit tools is MOST usefulto an IS auditor when an audit trail is required? A. Integrated test facility (ITF) B. Continuous and intermittent simulation (CIS) C. Audit hooks D. Snapshots 46. The PRIMARYadvantage of a continuous audit approach is that it: A. does not require an IS auditor to collect evidence on systemreliability while processing is taking place. B. requires theIS auditor to review and follow up immediately on all information collected. C. can improve systemsecurity when used in time-sharing environments that process a large number of transactions. D. does not depend on thecomplexity of an organization's computer systems. 47. Which of the following sampling methods is MOST useful when testing for compliance? A. Attributesampling B. Variable sampling C. Stratified mean per unit D. Difference estimation 48. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of: A. variable sampling. B. substantivetesting. C. compliance testing. D. stop-or-go sampling. 49. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures: A. information assets are overprotected. B. a basic level of protection is applied regardless of asset value. C. appropriatelevels of protection are applied to information assets. D. an equal proportion of resources are devoted to protecting all information assets. 50. In a risk-based audit approach, an IS auditor should FIRST complete a(n): A. inherent risk assessment. B. control risk assessment. C. test of control assessment. D. substantivetest assessment. 51. The development of an IS security policy is ultimately the responsibility of the: A. IS department. B. security committee. C. security administrator. D. board of directors.
6 52. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses? A. O/S and hardware refresh frequencies B. Gain-sharing performance bonuses C. Penalties for noncompliance D. Charges tied to variable cost metrics 53. Involvement of senior management is MOST important in thedevelopment of: A. strategic plans. B. IS policies. C. IS procedures. D. standards and guidelines. 54. An IS auditor should be concerned when a telecommunication analyst: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of thenetwork load on terminal responsetimes and network data transfer rates. D. recommends network balancing procedures and improvements. 55. The output of therisk management process is an input for making: A. business plans. B. audit charters. C. security policy decisions. D. softwaredesign decisions. 56. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail: A. destruction policy. B. security policy. C. archive policy. D. audit policy. 57. An IT steering committee should review information systems PRIMARILYto assess: A. whether IT processes support business requirements. B. if proposed systemfunctionality is adequate. C. the stability of existing software. D. thecomplexity of installed technology. 58. An IS auditor reviewing an organization's IT strategic plan should FIRST review: A. theexisting IT environment. B. the business plan. C. the present IT budget. D. current technology trends. 59. As an outcome of information security governance, strategic alignment provides: A. security requirements driven by enterpriserequirements. B. baseline security following best practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure. 60. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potentiallosses, theteam should: A. computethe amortization of the related assets. B. calculate a return on investment (ROI). C. apply aqualitative approach. D. spend thetime needed to define exactly theloss amount. 61. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than: A. financial results. B. customer satisfaction. C. internal process efficiency. D. innovation capacity.
7 62. Establishing the level of acceptable risk is the responsibility of: A. quality assurance management. B. senior business management. C. the chief information officer. D. thechief security officer. 63. Which of the following is the MOST critical for thesuccessful implementation and maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approvalfor the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitiveactions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software 64. To ensure an organization is complying with privacy requirements, the IS auditor should FIRST review: A. theIT infrastructure. B. the organization's policies, standards and procedures. C. legal and regulatory requirements. D. theadherence to organizational policies, standards and procedures. 65. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls 66. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced? A. Ensuring that invoices are paid to theprovider B. Participating in systems design with the provider C. Renegotiating the provider's fees D. Monitoringthe outsourcing provider's performance 67. Before implementing an IT balanced scorecard, an organization must: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses. 68. The MOST likely effect of thelack of senior management commitment to IT strategic planning is: A. a lack of investment in technology. B. a lack of a methodology for systems development. C. the technology not aligning with the organization's objectives. D. an absence of control over technology contracts. 69. Which of the following would BEST provideassurance of the integrity of new staff? A. Background screening B. References C. Bonding D. Qualifications listed on a resumé 70. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to originate, modify or delete data. D. Audit recommendations may not be implemented.
8 71. Effective IT governance will ensure that theIT plan is consistent with the organization's: A. business plan. B. audit plan. C. security plan. D. investment plan. 72. Which of the following is a function of an IS steering committee? A. Monitoringvendor-controlled change control and testing B. Ensuring a separation of duties within the information's processing environment C. Approvingand monitoring major projects, thestatus of IS plans and budgets D. Liaising between the IS department and theend users 73. A long-term IS employeewith a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and: A. thelength of service since this will help ensure technical competence. B. age as training in audit techniques may be impractical. C. IS knowledge since this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IS relationships. 74. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions? A. Response B. Correction C. Detection D. Monitoring 75. An organization has outsourced its softwaredevelopment. Which of the following is the responsibility of the organization's IT management? A. Paying for provider services B. Participating in systems design with the provider C. Managing compliance with the contract for theoutsourced services D. Negotiating contractual agreement with the provider 76. When reviewing IS strategies, theIS auditor can BEST assess whether IS strategy supports theorganizations' business objectives by determining if IS: A. has all thepersonnel and equipment it needs. B. plans are consistent with management strategy. C. uses its equipment and personnel efficiently and effectively. D. has sufficient excess capacity to respond to changing directions. 77. Which of the following is the PRIMARYobjective of an IT performance measurement process? A. Minimizeerrors. B. Gather performance data. C. Establish performance baselines. D. Optimizeperformance. 78. Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an applications traffic matrix showing protection methods 79. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: A. ensure the employeemaintains a good quality of life, which will lead to greater productivity. B. reduce the opportunity for an employee to commit an improper or illegal act. C. provide proper cross-training for another employee. D. eliminate the potentialdisruption caused when an employeetakes vacation one day at a time.
9 80. In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether: A. there is an integration of IS and business staffs within projects. B. there is a clear definition of the IS mission and vision. C. there is a strategic information technology planning methodology in place. D. theplan correlates business objectives to IS goals and objectives. 81. An organization acquiring other businesses continues using its legacy EDI systems and uses three separatevalue-added network (VAN) providers. No written VAN agreements exist. TheIS auditor should recommend that management: A. obtains independent assurance of thethird-party service providers. B. sets up a process for monitoring theservice delivery of thethird party. C. ensures that formal contracts are in place. D. considers agreements with third-party serviceproviders in the development of continuity plans. 82. Which of the following goals would you expect to find in an organization's strategic plan? A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning systemwithin thenext 12 months. D. Become the supplier of choice for theproduct offered. 83. Assessing IT risks is BEST achieved by: A. evaluating threats associated with existing IT assets and IT projects. B. using the firm's past actual loss experience to determine current exposure. C. reviewing published loss statistics from comparable organizations. D. reviewing IT control weaknesses identified in audit reports. 84. An IS auditor was hired to review e-business security. TheIS auditor's first task was to examine each existing e-business application looking for vulnerabilities. Which would be the next task? A. Report therisks to the CIO and CEO immediately. B. Examine e-business application in development. C. Identify threats and likelihood of occurrence. D. Check the budget available for risk management. 85. Which of the following IT governance best practices improves strategic alignment? A. Supplier and partner risks are managed. B. A knowledge base on customers, products, markets and processes is in place. C. A structureis provided that facilitates the creation and sharing of business information. D. Top management mediate between the imperatives of business and technology 86. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties? A. Sequence check B. Check digit C. Source documentation retention D. Batch control reconciliations 87. The lack of adequate security controls represents a(n): A. threat. B. asset. C. impact. D. vulnerability. 88. IT control objectives are useful to IS auditors, as they providethe basis for understanding the: A. desired result or purposeof implementing specific control procedures. B. best IT security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.
10 89. To support an organization's goals, the IS department should have: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. planned to acquire new hardware and software. 90. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. this lack of knowledge may lead to unintentional disclosure of sensitive information B. information security is not critical to all functions. C. IS audit should provide security training to the employees. D. theaudit finding will cause management to provide continuous training to staff. 91. The general ledger setup function in an enterpriseresource planning (ERP) system allows for setting accounting periods. Access to this function has been permitted to users in finance, the warehouse and order entry. TheMOST likely reason for such broad access is the: A. need to change accounting periods on a regular basis. B. requirement to post entries for a closed accounting period. C. lack of policies and procedures for the proper segregation of duties. D. need to create/modify the chart of accounts and its allocations. 92. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and: A. recovery. B. retention. C. rebuilding. D. reuse. 93. A top-down approach to thedevelopment of operational policies will help ensure: A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically. 94. When developing a risk management program, the FIRST activity to be performed is a(n): A. threat assessment. B. classification of data. C. inventory of assets. D. criticality analysis. 95. A probable advantage to an organization that has outsourced its data processing services is that: A. needed IS expertise can be obtained from the outside. B. greater control can be exercised over processing. C. processing priorities can be established and enforced internally. D. greater user involvement is required to communicate user needs. 96. When an organization is outsourcing their information security function, which of the following should be kept in the organization? A. Accountability for the corporatesecurity policy B. Defining thecorporate security policy C. Implementing the corporatesecurity policy D. Defining security procedures and guidelines 97. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? A. Restricting physicalaccess to computing equipment B. Reviewing transaction and application logs C. Performing background checks prior to hiring IT staff D. Locking user sessions after a specified period of inactivity 98. Which of the following reduces the potentialimpact of social engineering attacks? A. Compliance with regulatory requirements B. Promoting ethical understanding C. Security awareness programs D. Effective performance incentives
11 99. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations. 100. When performing a review of thestructureof an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructureis based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of thefollowing conclusions should be the main concern of the IS auditor? A. There could be a question with regards to thelegal jurisdiction. B. Having a provider abroad will cause excessive costs in futureaudits. C. The auditing process will be difficult because of thedistances. D. There could be different auditing norms. 101. Which of the following is critical to the selection and acquisition of the correct operating systemsoftware? A. Competitivebids B. User department approval C. Hardware configuration analysis D. Purchasing department approval 102. A single digitally signed instruction was given to a financial institution to credit a customer's account. The financial institution received the instruction three times and credited theaccount three times. Which of thefollowing would be the MOST appropriate control against such multiple credits? A. Encryptingthe hash of thepayment instruction with the public key of the financial institution B. Affixing a time stamp to the instruction and using it to check for duplicate payments C. Encryptingthe hash of the payment instruction with theprivate key of the instructor D. Affixing a time stamp to thehash of the instruction before having it digitally signed by the instructor 103. Assumptions whileplanning an IS project involve a high degree of risk because they are: A. based on known constraints. B. based on objective past data. C. a result of a lack of information. D. often made by unqualified people. 104. An existing systemis being extensively enhanced by extracting and reusing design and program components. This is an example of: A. reverse engineering. B. prototyping. C. softwarereuse. D. reengineering. 105. When implementing an acquired systemin a client-server environment, which of the following tests would confirm that the modifications in the Windows registry do not adversely impact thedesktop environment? A. Sociability testing B. Parallel testing C. White box testing D. Validation testing 106. Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspensefile listing. D. user error report.
12 107. The IS auditor finds that a systemunder development has 12 linked modules and each item of data can carry up to 10 definable attributefields. The systemhandles several million transactions a year. Which of these techniques could theIS auditor use to estimate the sizeof the development effort? A. Program evaluation review technique (PERT) B. Counting source lines of code (SLOC) C. Function point analysis D. White box testing 108. The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing siteafter running theapplication system. B. central processing site during the running of the application system. C. remote processing siteafter transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site. 109. Which of the following is the FIRST thing an IS auditor should do after the discovery of a Trojan horse program in a computer system? A. Investigate the author. B. Remove any underlying threats. C. Establish compensating controls. D. Have the offending code removed. 110. The GREATEST benefit in implementing an expert systemis the: A. capturing of the knowledge and experience of individuals in an organization. B. sharing of knowledge in a central repository. C. enhancement of personnel productivity and performance. D. reduction of employee turnover in key departments. 111. An IS auditor reviewing a proposed application softwareacquisition should ensure that the: A. operating system (OS) being used is compatible with the existing hardware platform. B. planned OS updates have been scheduled to minimize negative impacts on company needs. C. OS has the latest versions and updates. D. products are compatible with the current or planned OS. 112. Which of the following is MOST likely to occur when a systemdevelopment project is in the middle of the programming/coding phase? A. Unit tests B. Stress tests C. Regression tests D. Acceptance tests 113. An organization planning to purchase a softwarepackage asks the IS auditor for a risk assessment. Which of the following is theMAJOR risk? A. Unavailability of the source code B. Lack of a vendor-quality certification C. Absence of vendor/client references D. Little vendor experience with the package 114. An IS auditor assigned to audit a reorganized process should FIRST review which of the following? A. A map of existing controls B. Eliminated controls C. Process charts D. Compensating controls 115. The PRIMARYbenefit of integrating total quality management (TQM) into asoftware development project is: A. comprehensive documentation. B. on-time delivery. C. cost control. D. end-user satisfaction.
13 116. When reviewing thequality of an IS department's development process, theIS auditor finds that he/she does not use any formal, documented methodology and standards. The IS auditor's MOST appropriateaction would be to: A. complete theaudit and report thefinding. B. investigate and recommend appropriateformal standards. C. document the informal standards and test for compliance. D. withdraw and recommend a further audit when standards are implemented. 117. During unit testing, thetest strategy applied is: A. black box. B. white box. C. bottom-up. D. top-down. 118. A decision support system(DSS): A. is aimed at solving highly structured problems. B. combines the use of models with nontraditional data access and retrieval functions. C. emphasizes flexibility in the decision-making approach of users. D. supportsonly structured decision-making tasks. 119. Which of the following phases represents the optimumpoint for softwarebaselining to occur? A. Testing B. Design C. Requirement D. Development 120. A proposed transaction processing application will have many data capturesources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, the IS auditor should recommend the inclusion of: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing. 121. When auditing the conversion of an accounting systeman IS auditor should verify the existence of a: A. control totalcheck. B. validation check. C. completeness check. D. limit check. 122. A debugging tool, which reports on thesequence of steps executed by a program, is called a(n): A. output analyzer. B. memory dump. C. compiler. D. logic path monitor. 123. Which of the following facilitates program maintenance? A. Morecohesive and loosely coupled programs B. Less cohesive and loosely coupled programs C. Morecohesive and strongly coupled programs D. Less cohesive and strongly coupled programs 124. Which of the following ensures completeness and accuracy of accumulated data? A. Processing control procedures B. Data file control procedures C. Output controls D. Application controls 125. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically: A. result in a correct capture of requirements. B. ensure that desirable application controls have been implemented. C. produce ergonomic and user-friendly interfaces. D. generate efficient code.
14 126. The MOST likely explanation for the use of applets in an Internet application is that: A. it is sent over the network from the server. B. the server does not run the program and the output is not sent over the network. C. they improve theperformance of the web server and network. D. it is a JAVA program downloaded through the web browser and executed by the web server of the client machine. 127. Ideally, stress testing should be carried out in a: A. test environment using test data. B. production environment using live workloads. C. test environment using live workloads. D. production environment using test data. 128. Good quality softwareis BEST achieved: A. through thorough testing. B. by finding and quickly correcting programming errors. C. by determining the amount of testing using theavailable time and budget. D. by applyingwell-defined processes and structured reviews throughout theproject. 129. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of thefollowing would be the IS auditor's main concern about the new process? A. Are key controls in place to protect assets and information resources? B. Does it address the corporatecustomer requirements? C. Does thesystemmeet the performance goals (time and resources)? D. Have owners been identified who will be responsible for theprocess? 130. A company has contracted with an external consulting firm to implement a commercial financial systemto replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern? A. Acceptance testing is to be managed by users. B. A quality plan is not part of thecontracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototypingis being used to confirm that the system meets business requirements. 131. The use of a GANTT chart can: A. aid in scheduling project tasks. B. determine project checkpoints. C. ensure documentation standards. D. direct the postimplementation review. 132. Using test dataas part of a comprehensive test of program controls in a continuous online manner is called a(n): A. test data/deck. B. base-case systemevaluation. C. integrated test facility (ITF). D. parallel simulation. . 133. Testing the connection of two or more systemcomponents that pass information from one area to another is: A. pilot testing. B. parallel testing C. interface testing. D. regression testing. 134. Regression testing is the process of testing a program to determine if: A. thenew code contains errors. B. discrepancies exist between functional specifications and performance. C. new requirements have been met. D. changes have introduced any errors in the unchanged code. 135. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of systemdevelopment projects?
15 A. User management B. Project steering committee C. Senior management D. Systems development management 136. The difference between white box testing and black box testing is that white box testing: A. involves the IS auditor. B. is performed by an independent programmer team. C. examines a program's internal logical structure. D. uses the bottom-up approach. 137. An IS auditor reviewing a project, where quality is a major concern, should use the project management triangle to explain that a(n): A. increase in quality can be achieved, even if resource allocation is decreased. B. increase in quality is only achieved, if resource allocation is increased. C. decrease in delivery time can be achieved, even if resource allocation is decreased. D. decrease in delivery time can only be achieved, if quality is decreased. 138. Which of the following integrity tests examines theaccuracy, completeness, consistency and authorization of data? A. Data B. Relational C. Domain D. Referential 139. Which of the following is MOST effective in controlling application maintenance? A. Informing users of the status of changes B. Establishing priorities on program changes C. Obtaining user approvalof program changes D. Requiring documented user specifications for changes 140. Which of the following groups should assume ownership of a systems development project and theresulting system? A. User management B. Senior management C. Project steering committee D. Systems development management 141. To make an electronic funds transfer (EFT), one employee enters the amount field and another employee reenters thesame data again, before themoney is transferred. The control adopted by the organization in this case is: A. sequence check. B. key verification. C. check digit. D. completeness check. 142. An IS auditor is told by IS management that the organization has recently reached the highest level of the softwarecapability maturity model (CMM). Thesoftwarequality process MOST recently added by theorganization is: A. continuous improvement. B. quantitative quality goals. C. a documented process. D. a process tailored to specific projects. 143. The use of fourth-generation languages (4GLs) should be weighed carefully against using traditional languages, because 4GLs: A. can lack the lower-level detail commands necessary to perform data intensive operations. B. cannot be implemented on both the mainframe processors and microcomputers. C. generally contain complex language subsets that must be used by skilled users. D. cannot access database records and produce complex online outputs. 144. During the development of an application, the quality assurance testing and user
16 acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: A. increased maintenance. B. improper documentation of testing. C. inadequate functional testing. D. delays in problem resolution. 145. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system(ETCS). The vendor has provided its proprietary application software as part of thesolution. The contract should require that: A. a backup server be available to run ETCS operations with up-to-datedata. B. a backup server be loaded with all the relevant software and data. C. the systems staff of the organization be trained to handle any event. D. source code of theETCS application be placed in escrow. 146. Which of the following is a dynamic analysis toolfor the purposeof testing software modules? A. Black box test B. Desk checking C. Structured walk-through D. Design and code 147. The impact of EDI on internal controls will be: A. that fewer opportunities for review and authorization will exist. B. an inherent authentication. C. a proper distribution of EDI transactions while in the possession of third parties. D. that IPF management will have increased responsibilities over data center controls. 148. Which of the following tasks occurs during the research stage of the benchmarking process? A. Critical processes are identified. B. Benchmarking partners are visited. C. Findings are translated into core principles. D. Benchmarking partners are identified. 149. Which of the following would be a risk specifically associated with the agile development process? A. Lack of documentation B. Lack of testing C. Poor requirements definition D. Poor project management practices 150. An IS auditor evaluating data integrity in a transaction-driven systemenvironment should review atomicity to determine whether: A. thedatabase survives failures (hardware or software). B. each transaction is separated from other transactions. C. integrity conditions are maintained. D. a transaction is completed or a database is updated. Now evaluate your score – Find Answers at http://datainfosec.blogspot.in/2016/04/answer-to-cisa-mock-test-1.html

More Related Content

PPTX
CISA exam 100 practice question
Arshad A Javed
 
PDF
CISA Domain 3 - Information Systems Acquisition, Development and Implementation
InfosecTrain
 
PPTX
CISA Training - Chapter 3 - 2016
Hafiz Sheikh Adnan Ahmed
 
PDF
Cisa domain 3
ShivamSharma909
 
PDF
CISA DOMAIN 2 Governance & Management of IT
ShivamSharma909
 
PPTX
CISA Training - Chapter 1 - 2016
Hafiz Sheikh Adnan Ahmed
 
PDF
Cisa domain 1
Ismail aboulezz
 
PDF
Risk based internal auditing
Frederick Altum Pokoo-Aikins
 
CISA exam 100 practice question
Arshad A Javed
 
CISA Domain 3 - Information Systems Acquisition, Development and Implementation
InfosecTrain
 
CISA Training - Chapter 3 - 2016
Hafiz Sheikh Adnan Ahmed
 
Cisa domain 3
ShivamSharma909
 
CISA DOMAIN 2 Governance & Management of IT
ShivamSharma909
 
CISA Training - Chapter 1 - 2016
Hafiz Sheikh Adnan Ahmed
 
Cisa domain 1
Ismail aboulezz
 
Risk based internal auditing
Frederick Altum Pokoo-Aikins
 

What's hot (20)

PDF
CISA Domain 4 Information Systems Operation | Infosectrain
InfosecTrain
 
PDF
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ShivamSharma909
 
PPTX
IT Audit For Non-IT Auditors
Ed Tobias
 
PPTX
CISA Training - Chapter 4 - 2016
Hafiz Sheikh Adnan Ahmed
 
PPTX
CISA Training - Chapter 5 - 2016
Hafiz Sheikh Adnan Ahmed
 
PDF
IT Control Objectives for SOX
Mahesh Patwardhan
 
PPTX
CISA Training - Chapter 2 - 2016
Hafiz Sheikh Adnan Ahmed
 
PPTX
Governance risk and compliance
Magdalena Matell
 
PDF
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
PPTX
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
Muhammad Azmy
 
PDF
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Ee Chuan Yoong
 
PPTX
Cobit 2019 framework by ISACA
MDFazlaRabbiAbir
 
PDF
Building an effective Information Security Roadmap
Elliott Franklin
 
PDF
IT Governance - COBIT 5 Capability Assessment
Eryk Budi Pratama
 
PDF
CISA Domain 1 - IS Auditing (day 1)
Cyril Soeri
 
PPT
COBIT® Presentation Package.ppt
Emmacuet
 
PPT
CISA Review Course Slides - Part1
Iyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
PPT
Understanding IT Governance and Risk Management
jiricejka
 
PDF
Cisa domain 4
ShivamSharma909
 
PPT
Cisa Certification Overview
Al Imran, CISA
 
CISA Domain 4 Information Systems Operation | Infosectrain
InfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ShivamSharma909
 
IT Audit For Non-IT Auditors
Ed Tobias
 
CISA Training - Chapter 4 - 2016
Hafiz Sheikh Adnan Ahmed
 
CISA Training - Chapter 5 - 2016
Hafiz Sheikh Adnan Ahmed
 
IT Control Objectives for SOX
Mahesh Patwardhan
 
CISA Training - Chapter 2 - 2016
Hafiz Sheikh Adnan Ahmed
 
Governance risk and compliance
Magdalena Matell
 
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
Muhammad Azmy
 
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Ee Chuan Yoong
 
Cobit 2019 framework by ISACA
MDFazlaRabbiAbir
 
Building an effective Information Security Roadmap
Elliott Franklin
 
IT Governance - COBIT 5 Capability Assessment
Eryk Budi Pratama
 
CISA Domain 1 - IS Auditing (day 1)
Cyril Soeri
 
COBIT® Presentation Package.ppt
Emmacuet
 
CISA Review Course Slides - Part1
Iyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
Understanding IT Governance and Risk Management
jiricejka
 
Cisa domain 4
ShivamSharma909
 
Cisa Certification Overview
Al Imran, CISA
 
Ad

Similar to Cisa exam mock test questions-1 (20)

PDF
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
bekiewmegli
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
fukuguigue
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
zarradbakiza
 
PDF
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
ginovawappi
 
PDF
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
discosufay13
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
natjecasin
 
PDF
Free Access to Accounting Information Systems The Processes and Controls 2nd ...
moumiepegui
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
zuletherjana
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
fochttybiegq
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
xuxfhqf8829
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
yeosabic
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
yeosabic
 
PDF
All chapter download Accounting Information Systems Controls Processes 3rd Ed...
cuylvekene
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
raihwzi589
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
dnfttowsdb9338
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
kustonoden
 
PDF
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
qurshaimae
 
PDF
Download Accounting Information Systems The Processes and Controls 2nd Editio...
sobekbaberwl
 
PDF
Get Accounting Information Systems Controls Processes 3rd Edition Turner Test...
tsiokamildou
 
PDF
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
vajdachase05
 
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
bekiewmegli
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
fukuguigue
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
zarradbakiza
 
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
ginovawappi
 
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
discosufay13
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
natjecasin
 
Free Access to Accounting Information Systems The Processes and Controls 2nd ...
moumiepegui
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
zuletherjana
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
fochttybiegq
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
xuxfhqf8829
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
yeosabic
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
yeosabic
 
All chapter download Accounting Information Systems Controls Processes 3rd Ed...
cuylvekene
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
raihwzi589
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
dnfttowsdb9338
 
Accounting Information Systems Controls Processes 3rd Edition Turner Test Bank
kustonoden
 
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
qurshaimae
 
Download Accounting Information Systems The Processes and Controls 2nd Editio...
sobekbaberwl
 
Get Accounting Information Systems Controls Processes 3rd Edition Turner Test...
tsiokamildou
 
Accounting Information Systems The Processes and Controls 2nd Edition Turner ...
vajdachase05
 
Ad

Recently uploaded (20)

PPTX
Artificial intelligence introduction basic
msukumarbtech
 
PPTX
PERIODONTAL INSTRUMENTS PHOTOS.pptxxxxxx
khushaansh9
 
PPTX
Inventory Control in nursing management in wards
SheetalSharma980589
 
PPTX
Gender Sensitizations and females learning
TanyaSharma271691
 
PDF
Lesson 1-IOM-Introduction to Management and Organizations.pdf
MALLARIMicoAngeloS
 
PPTX
Nature and Scope of Political Science and its evolution
RiyaSingh481180
 
PPTX
7. ANTI-FUNGAL DRUGS-PMY430123456789123.
samuelchirwanyirongo
 
PPTX
Q1 Review Spoke Centre _ Project समर्थ (1) (1).pptx
DeepakMohanty45
 
PPTX
Teaching Presentation on web Technology.
educationonlyukiyo
 
PDF
Kiyovu_OHMS_Manual_Extract.pdf important information to include in a manual e...
nkugwaharrison
 
DOCX
ANECDOTAL RECORD 12.docx to access the children
AnjuGupta674700
 
PPTX
1.-NSTP-Orientation-Introductio of life a
loceye80
 
PPT
Machine Translation in Natural Language Processing
paramveersinghcr7
 
PPTX
SYNOPSIS OBG PPT.pptx cvhfdhfdhdgfdgfdgfdg
anahitabanerjee27
 
PPTX
FUTURE_VISIONS of me and my friends and dreams
IdrexSaEd
 
PPTX
Departments in a Thermal Power Plant.pptx
Er.Raman Kumar
 
PPTX
MATERIALS IN ORTHODONTICS PART 1.pptxxxx
khushaansh9
 
PPTX
MTVED - Trends in Food and Innovation.pptx
RizaQuiderBedayo
 
PDF
VIT Accelerating Growth - September 2023.pdf
Aparna488777
 
PDF
Surgical instruments for final year mbbs students
VanshikaMehta28
 
Artificial intelligence introduction basic
msukumarbtech
 
PERIODONTAL INSTRUMENTS PHOTOS.pptxxxxxx
khushaansh9
 
Inventory Control in nursing management in wards
SheetalSharma980589
 
Gender Sensitizations and females learning
TanyaSharma271691
 
Lesson 1-IOM-Introduction to Management and Organizations.pdf
MALLARIMicoAngeloS
 
Nature and Scope of Political Science and its evolution
RiyaSingh481180
 
7. ANTI-FUNGAL DRUGS-PMY430123456789123.
samuelchirwanyirongo
 
Q1 Review Spoke Centre _ Project समर्थ (1) (1).pptx
DeepakMohanty45
 
Teaching Presentation on web Technology.
educationonlyukiyo
 
Kiyovu_OHMS_Manual_Extract.pdf important information to include in a manual e...
nkugwaharrison
 
ANECDOTAL RECORD 12.docx to access the children
AnjuGupta674700
 
1.-NSTP-Orientation-Introductio of life a
loceye80
 
Machine Translation in Natural Language Processing
paramveersinghcr7
 
SYNOPSIS OBG PPT.pptx cvhfdhfdhdgfdgfdgfdg
anahitabanerjee27
 
FUTURE_VISIONS of me and my friends and dreams
IdrexSaEd
 
Departments in a Thermal Power Plant.pptx
Er.Raman Kumar
 
MATERIALS IN ORTHODONTICS PART 1.pptxxxx
khushaansh9
 
MTVED - Trends in Food and Innovation.pptx
RizaQuiderBedayo
 
VIT Accelerating Growth - September 2023.pdf
Aparna488777
 
Surgical instruments for final year mbbs students
VanshikaMehta28
 

Cisa exam mock test questions-1

  • 1. 1 Mock Assessment Test-Paper No.1-CISA course (Ref:QB9F50/QB10F50/QB11F50/QB13.130-179) 1. In an audit of an inventory application, which approach would provide the BEST evidence that purchaseorders are valid? A. Testing whether inappropriatepersonnelcan change application parameters B. Tracing purchase orders to a computer listing C. Comparing receiving reports to purchaseorder details D. Reviewing theapplication documentation 2. The extent to which data will be collected during an IS audit should be determined based on the: A. availability of critical and required information. B. auditor's familiarity with the circumstances. C. auditee's ability to find relevant evidence. D. purposeand scopeof the audit being done. 3. The responsibility, authority and accountability of theIS audit function is appropriately documented in an audit charter and MUST be: A. approved by thehighest level of management. B. approved by audit department management. C. approved by user department management. D. changed every year before commencement of IS audits. 4. A key element in a risk analysis is: A. audit planning. B. controls. C. vulnerabilities. D. liabilities. 5. An IS auditor discovers evidence of fraud perpetrated with amanager's user id. The manager had written the password, allocated by the systemadministrator, inside his/her desk drawer. The IS auditor should conclude that the: A. manager's assistant perpetrated thefraud. B. perpetrator cannot be established beyond doubt. C. fraud must have been perpetrated by themanager. D. systemadministrator perpetrated thefraud. 6. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, theIS auditor would use: A. test datato validate data input. B. test data to determine systemsort capabilities. C. generalized audit software to search for address field duplications. D. generalized audit softwareto search for account field duplications. 7. The IS department of an organization wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is a(n): A. control procedure. B. control objective. C. corrective control. D. operational control. 8. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should: A. create the procedures document. B. terminate the audit. C. conduct compliance testing. D. identify and evaluate existing practices. 9. When implementing continuous monitoring systems, an IS auditor's first step is to identify: A. reasonable target thresholds. B. high-risk areas within theorganization. C. the location and format of output files. D. applications that providethe highest potentialpayback.
  • 2. 2 10. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potentialanomalies in user or systembehavior. Which of the following tools is MOST suitable for performing that task? A. CASE tools B. Embedded data collection tools C. Heuristic scanning tools D. Trend/variance detection tools 11. An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when: A. theprobability of error must be objectively quantified. B. the auditor wishes to avoid sampling risk. C. generalized audit software is unavailable. D. thetolerable error rate cannot be determined. 12. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: A. controls needed to mitigate risks are in place. B. vulnerabilities and threats are identified. C. audit risks are considered. D. a gap analysis is appropriate. 13. The vice president of human resources has requested an audit to identify payrolloverpayments for the previous year. Which would be the BEST audit technique to use in this situation? A. Test data B. Generalized audit software C. Integrated test facility D. Embedded audit module 14. Which of the following would be theBEST population to takea sample from when testing program changes? A. Test library listings B. Source program listings C. Program change requests D. Production library listings 15. Which of the following normally would be the MOST reliable evidence for an auditor? A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by theIS auditor from reports supplied by line management 16. During a review of the controls over theprocess of defining IT service levels, an IS auditor would MOST likely interview the: A. systems programmer. B. legal staff. C. business unit manager. D. application programmer. 17. In the course of performing a risk analysis, an IS auditor has identified threats and potentialimpacts. Next, an IS auditor should: A. identify and assess therisk assessment process used by management. B. identify information assets and the underlying systems. C. disclose thethreats and impacts to management. D. identify and evaluate the existing controls. 18. A PRIMARYbenefit derived from an organization employing control self-assessment (CSA) techniques is that it: A can identify high-risk areas that might need a detailed review later. B. allows IS auditors to independently assess risk. C. can be used as a replacement for traditional audits. D. allows management to relinquish responsibility for control. 19. Senior management has requested that an IS auditor assist thedepartmental management in theimplementation of necessary controls. The IS auditor should: A. refuse the assignment since it is not the role of theIS auditor. B. inform management of his/her inability to conduct future audits. C. perform theassignment and futureaudits with due professionalcare. D. obtain theapprovalof user management to perform theimplementation and follow-up.
  • 3. 3 20. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation? A. Multiplecycles of backup files remain available. B. Access controls establish accountability for e-mail activity. C. Data classification regulates what information should be communicated via e-mail. D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available. 21. Which of the following is a benefit of a risk-based approach to audit planning? Audit: A. scheduling may be performed months in advance. B. budgets are more likely to be met by theIS audit staff. C. staff will be exposed to a variety of technologies. D. resources are allocated to the areas of highest concern. 22. An audit charter should: A. be dynamic and change often to coincide with thechanging nature of technology and the audit profession. B. clearly stateaudit objectives for and thedelegation of authority to the maintenance and review of internal controls. C. document the audit procedures designed to achieve the planned audit objectives. D. outline the overall authority, scopeand responsibilities of theaudit function. 23. An IS auditor is evaluating a corporatenetwork for a possiblepenetration by employees. Which of the following findings should give theIS auditor the GREATEST concern? A. There are a number of external modems connected to thenetwork. B. Users can install software on their desktops. C. Network monitoring is very limited. D. Many user ids have identical passwords. 24. While planning an audit, an assessment of risk should be made to provide: A. reasonable assurance that theaudit will cover material items. B. definite assurance that material items will be covered during the audit work. C. reasonable assurance that all items will be covered by the audit. D. sufficient assurance that all items will be covered during the audit work. 25. To identify thevalue of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use: A. test data. B. statisticalsampling. C. an integrated test facility. D. generalized audit software. 26. An integrated test facility is considered a useful audit tool because it: A. is a cost-efficient approach to auditing application controls. B. enables the financial and IS auditors to integrate their audit tests. C. compares processing output with independently calculated data. D. provides the IS auditor with a tool to analyze a large range of information. 27. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? A. Inherent B. Detection C. Control D. Business 28. Data flow diagrams are used by IS auditors to: A. order data hierarchically. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation. 29. Reviewing management's long-term strategic plans helps the IS auditor: A. gain an understanding of an organization's goals and objectives. B. test theenterprise's internal controls. C. assess the organization's reliance on information systems. D. determine thenumber of audit resources needed. 30. When evaluating thecollective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware: A. of thepoint at which controls are exercised as data flow through the system. B. that only preventive and detective controls are relevant. C. that corrective controls can only be regarded as compensating. D. that classification allows an IS auditor to determine which controls are missing.
  • 4. 4 31. The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do is an example of: A. inherent risk. B. control risk. C. detection risk. D. audit risk. 32. The PRIMARYpurposeof an audit charter is to: A. document the audit process used by theenterprise. B. formally document theaudit department's plan of action. C. document a code of professional conduct for the auditor. D. describe theauthority and responsibilities of theaudit department. 33. An IS auditor has evaluated the controls for theintegrity of the data in a financial application. Which of thefollowing findings would be theMOST significant? A. Theapplication owner was unaware of several changes applied to the application by the IT department. B. The application data are backed up only once a week. C. The application development documentation is incomplete. D. Information processing facilities are not protected by appropriatefiredetection systems. 34. Overall business risk for a particular threat can be expressed as: A. a product of theprobability and magnitude of the impact if a threat successfully exploits a vulnerability. B. the magnitude of the impact should a threat source successfully exploit thevulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. thecollective judgment of the risk assessment team. 35. Which one of the following could an IS auditor use to validate theeffectiveness of edit and validation routines? A. Domain integrity test B. Relational integrity test C. Referential integrity test D. Parity checks 36. An IS auditor reviews an organizational chart PRIMARILYfor: A. an understanding of workflows. B. investigating various communication channels. C. understanding the responsibilities and authority of individuals. D. investigating thenetwork connected to different employees. 37. An IS auditor is evaluating management's risk assessment of information systems. TheIS auditor should FIRST review: A. thecontrols already in place. B. the effectiveness of the controls in place. C. the mechanism for monitoring therisks related to the assets. D. thethreats/vulnerabilities affecting the assets. 38. Which of the following is an objective of a control self-assessment (CSA) program? A. Concentration on areas of high risk B. Replacement of audit responsibilities C. Completion of control questionnaires D. Collaborative facilitative workshops 39. Which of the following steps would an IS auditor normally performFIRST in a data center security review? A. Evaluate physicalaccess test results. B. Determine therisks/threats to thedata center site. C. Review business continuity procedures. D. Test for evidence of physicalaccess at suspect locations. 40. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of: A. facilitator. B. manager. C. partner. D. stakeholder. 41. The use of statisticalsampling procedures helps minimize: A. sampling risk. B. detection risk. C. inherent risk. D. control risk.
  • 5. 5 42. An IS auditor evaluates the test results of a modification to a systemthat deals with payment computation. Theauditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit? A. Design further tests of thecalculations that are in error. B. Identify variables that may have caused the test results to be inaccurate. C. Examine some of the test cases to confirm the results. D. Document theresults and preparea report of findings, conclusions and recommendations. 43. An IS auditor is assigned to perform a post implementation review of an application system. Which of the following situations may have impaired the independence of theIS auditor? The IS auditor: A. implemented a specific control during the development of the application system. B. designed an embedded audit module exclusively for auditing the application system. C. participated as a member of the application systemproject team, but did not have operational responsibilities. D. provided consulting advice concerning application systembest practices. 44. The BEST method of proving the accuracy of a systemtax calculation is by: A. detailed visual review and analysis of the source code of thecalculation programs. B. recreating program logic using generalized audit softwareto calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs. 45. Which of the following audit tools is MOST usefulto an IS auditor when an audit trail is required? A. Integrated test facility (ITF) B. Continuous and intermittent simulation (CIS) C. Audit hooks D. Snapshots 46. The PRIMARYadvantage of a continuous audit approach is that it: A. does not require an IS auditor to collect evidence on systemreliability while processing is taking place. B. requires theIS auditor to review and follow up immediately on all information collected. C. can improve systemsecurity when used in time-sharing environments that process a large number of transactions. D. does not depend on thecomplexity of an organization's computer systems. 47. Which of the following sampling methods is MOST useful when testing for compliance? A. Attributesampling B. Variable sampling C. Stratified mean per unit D. Difference estimation 48. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of: A. variable sampling. B. substantivetesting. C. compliance testing. D. stop-or-go sampling. 49. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures: A. information assets are overprotected. B. a basic level of protection is applied regardless of asset value. C. appropriatelevels of protection are applied to information assets. D. an equal proportion of resources are devoted to protecting all information assets. 50. In a risk-based audit approach, an IS auditor should FIRST complete a(n): A. inherent risk assessment. B. control risk assessment. C. test of control assessment. D. substantivetest assessment. 51. The development of an IS security policy is ultimately the responsibility of the: A. IS department. B. security committee. C. security administrator. D. board of directors.
  • 6. 6 52. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses? A. O/S and hardware refresh frequencies B. Gain-sharing performance bonuses C. Penalties for noncompliance D. Charges tied to variable cost metrics 53. Involvement of senior management is MOST important in thedevelopment of: A. strategic plans. B. IS policies. C. IS procedures. D. standards and guidelines. 54. An IS auditor should be concerned when a telecommunication analyst: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of thenetwork load on terminal responsetimes and network data transfer rates. D. recommends network balancing procedures and improvements. 55. The output of therisk management process is an input for making: A. business plans. B. audit charters. C. security policy decisions. D. softwaredesign decisions. 56. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail: A. destruction policy. B. security policy. C. archive policy. D. audit policy. 57. An IT steering committee should review information systems PRIMARILYto assess: A. whether IT processes support business requirements. B. if proposed systemfunctionality is adequate. C. the stability of existing software. D. thecomplexity of installed technology. 58. An IS auditor reviewing an organization's IT strategic plan should FIRST review: A. theexisting IT environment. B. the business plan. C. the present IT budget. D. current technology trends. 59. As an outcome of information security governance, strategic alignment provides: A. security requirements driven by enterpriserequirements. B. baseline security following best practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure. 60. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potentiallosses, theteam should: A. computethe amortization of the related assets. B. calculate a return on investment (ROI). C. apply aqualitative approach. D. spend thetime needed to define exactly theloss amount. 61. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than: A. financial results. B. customer satisfaction. C. internal process efficiency. D. innovation capacity.
  • 7. 7 62. Establishing the level of acceptable risk is the responsibility of: A. quality assurance management. B. senior business management. C. the chief information officer. D. thechief security officer. 63. Which of the following is the MOST critical for thesuccessful implementation and maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approvalfor the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitiveactions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software 64. To ensure an organization is complying with privacy requirements, the IS auditor should FIRST review: A. theIT infrastructure. B. the organization's policies, standards and procedures. C. legal and regulatory requirements. D. theadherence to organizational policies, standards and procedures. 65. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls 66. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced? A. Ensuring that invoices are paid to theprovider B. Participating in systems design with the provider C. Renegotiating the provider's fees D. Monitoringthe outsourcing provider's performance 67. Before implementing an IT balanced scorecard, an organization must: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses. 68. The MOST likely effect of thelack of senior management commitment to IT strategic planning is: A. a lack of investment in technology. B. a lack of a methodology for systems development. C. the technology not aligning with the organization's objectives. D. an absence of control over technology contracts. 69. Which of the following would BEST provideassurance of the integrity of new staff? A. Background screening B. References C. Bonding D. Qualifications listed on a resumé 70. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to originate, modify or delete data. D. Audit recommendations may not be implemented.
  • 8. 8 71. Effective IT governance will ensure that theIT plan is consistent with the organization's: A. business plan. B. audit plan. C. security plan. D. investment plan. 72. Which of the following is a function of an IS steering committee? A. Monitoringvendor-controlled change control and testing B. Ensuring a separation of duties within the information's processing environment C. Approvingand monitoring major projects, thestatus of IS plans and budgets D. Liaising between the IS department and theend users 73. A long-term IS employeewith a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and: A. thelength of service since this will help ensure technical competence. B. age as training in audit techniques may be impractical. C. IS knowledge since this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IS relationships. 74. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions? A. Response B. Correction C. Detection D. Monitoring 75. An organization has outsourced its softwaredevelopment. Which of the following is the responsibility of the organization's IT management? A. Paying for provider services B. Participating in systems design with the provider C. Managing compliance with the contract for theoutsourced services D. Negotiating contractual agreement with the provider 76. When reviewing IS strategies, theIS auditor can BEST assess whether IS strategy supports theorganizations' business objectives by determining if IS: A. has all thepersonnel and equipment it needs. B. plans are consistent with management strategy. C. uses its equipment and personnel efficiently and effectively. D. has sufficient excess capacity to respond to changing directions. 77. Which of the following is the PRIMARYobjective of an IT performance measurement process? A. Minimizeerrors. B. Gather performance data. C. Establish performance baselines. D. Optimizeperformance. 78. Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an applications traffic matrix showing protection methods 79. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: A. ensure the employeemaintains a good quality of life, which will lead to greater productivity. B. reduce the opportunity for an employee to commit an improper or illegal act. C. provide proper cross-training for another employee. D. eliminate the potentialdisruption caused when an employeetakes vacation one day at a time.
  • 9. 9 80. In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether: A. there is an integration of IS and business staffs within projects. B. there is a clear definition of the IS mission and vision. C. there is a strategic information technology planning methodology in place. D. theplan correlates business objectives to IS goals and objectives. 81. An organization acquiring other businesses continues using its legacy EDI systems and uses three separatevalue-added network (VAN) providers. No written VAN agreements exist. TheIS auditor should recommend that management: A. obtains independent assurance of thethird-party service providers. B. sets up a process for monitoring theservice delivery of thethird party. C. ensures that formal contracts are in place. D. considers agreements with third-party serviceproviders in the development of continuity plans. 82. Which of the following goals would you expect to find in an organization's strategic plan? A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning systemwithin thenext 12 months. D. Become the supplier of choice for theproduct offered. 83. Assessing IT risks is BEST achieved by: A. evaluating threats associated with existing IT assets and IT projects. B. using the firm's past actual loss experience to determine current exposure. C. reviewing published loss statistics from comparable organizations. D. reviewing IT control weaknesses identified in audit reports. 84. An IS auditor was hired to review e-business security. TheIS auditor's first task was to examine each existing e-business application looking for vulnerabilities. Which would be the next task? A. Report therisks to the CIO and CEO immediately. B. Examine e-business application in development. C. Identify threats and likelihood of occurrence. D. Check the budget available for risk management. 85. Which of the following IT governance best practices improves strategic alignment? A. Supplier and partner risks are managed. B. A knowledge base on customers, products, markets and processes is in place. C. A structureis provided that facilitates the creation and sharing of business information. D. Top management mediate between the imperatives of business and technology 86. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties? A. Sequence check B. Check digit C. Source documentation retention D. Batch control reconciliations 87. The lack of adequate security controls represents a(n): A. threat. B. asset. C. impact. D. vulnerability. 88. IT control objectives are useful to IS auditors, as they providethe basis for understanding the: A. desired result or purposeof implementing specific control procedures. B. best IT security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.
  • 10. 10 89. To support an organization's goals, the IS department should have: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. planned to acquire new hardware and software. 90. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. this lack of knowledge may lead to unintentional disclosure of sensitive information B. information security is not critical to all functions. C. IS audit should provide security training to the employees. D. theaudit finding will cause management to provide continuous training to staff. 91. The general ledger setup function in an enterpriseresource planning (ERP) system allows for setting accounting periods. Access to this function has been permitted to users in finance, the warehouse and order entry. TheMOST likely reason for such broad access is the: A. need to change accounting periods on a regular basis. B. requirement to post entries for a closed accounting period. C. lack of policies and procedures for the proper segregation of duties. D. need to create/modify the chart of accounts and its allocations. 92. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and: A. recovery. B. retention. C. rebuilding. D. reuse. 93. A top-down approach to thedevelopment of operational policies will help ensure: A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically. 94. When developing a risk management program, the FIRST activity to be performed is a(n): A. threat assessment. B. classification of data. C. inventory of assets. D. criticality analysis. 95. A probable advantage to an organization that has outsourced its data processing services is that: A. needed IS expertise can be obtained from the outside. B. greater control can be exercised over processing. C. processing priorities can be established and enforced internally. D. greater user involvement is required to communicate user needs. 96. When an organization is outsourcing their information security function, which of the following should be kept in the organization? A. Accountability for the corporatesecurity policy B. Defining thecorporate security policy C. Implementing the corporatesecurity policy D. Defining security procedures and guidelines 97. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? A. Restricting physicalaccess to computing equipment B. Reviewing transaction and application logs C. Performing background checks prior to hiring IT staff D. Locking user sessions after a specified period of inactivity 98. Which of the following reduces the potentialimpact of social engineering attacks? A. Compliance with regulatory requirements B. Promoting ethical understanding C. Security awareness programs D. Effective performance incentives
  • 11. 11 99. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations. 100. When performing a review of thestructureof an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructureis based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of thefollowing conclusions should be the main concern of the IS auditor? A. There could be a question with regards to thelegal jurisdiction. B. Having a provider abroad will cause excessive costs in futureaudits. C. The auditing process will be difficult because of thedistances. D. There could be different auditing norms. 101. Which of the following is critical to the selection and acquisition of the correct operating systemsoftware? A. Competitivebids B. User department approval C. Hardware configuration analysis D. Purchasing department approval 102. A single digitally signed instruction was given to a financial institution to credit a customer's account. The financial institution received the instruction three times and credited theaccount three times. Which of thefollowing would be the MOST appropriate control against such multiple credits? A. Encryptingthe hash of thepayment instruction with the public key of the financial institution B. Affixing a time stamp to the instruction and using it to check for duplicate payments C. Encryptingthe hash of the payment instruction with theprivate key of the instructor D. Affixing a time stamp to thehash of the instruction before having it digitally signed by the instructor 103. Assumptions whileplanning an IS project involve a high degree of risk because they are: A. based on known constraints. B. based on objective past data. C. a result of a lack of information. D. often made by unqualified people. 104. An existing systemis being extensively enhanced by extracting and reusing design and program components. This is an example of: A. reverse engineering. B. prototyping. C. softwarereuse. D. reengineering. 105. When implementing an acquired systemin a client-server environment, which of the following tests would confirm that the modifications in the Windows registry do not adversely impact thedesktop environment? A. Sociability testing B. Parallel testing C. White box testing D. Validation testing 106. Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspensefile listing. D. user error report.
  • 12. 12 107. The IS auditor finds that a systemunder development has 12 linked modules and each item of data can carry up to 10 definable attributefields. The systemhandles several million transactions a year. Which of these techniques could theIS auditor use to estimate the sizeof the development effort? A. Program evaluation review technique (PERT) B. Counting source lines of code (SLOC) C. Function point analysis D. White box testing 108. The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing siteafter running theapplication system. B. central processing site during the running of the application system. C. remote processing siteafter transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site. 109. Which of the following is the FIRST thing an IS auditor should do after the discovery of a Trojan horse program in a computer system? A. Investigate the author. B. Remove any underlying threats. C. Establish compensating controls. D. Have the offending code removed. 110. The GREATEST benefit in implementing an expert systemis the: A. capturing of the knowledge and experience of individuals in an organization. B. sharing of knowledge in a central repository. C. enhancement of personnel productivity and performance. D. reduction of employee turnover in key departments. 111. An IS auditor reviewing a proposed application softwareacquisition should ensure that the: A. operating system (OS) being used is compatible with the existing hardware platform. B. planned OS updates have been scheduled to minimize negative impacts on company needs. C. OS has the latest versions and updates. D. products are compatible with the current or planned OS. 112. Which of the following is MOST likely to occur when a systemdevelopment project is in the middle of the programming/coding phase? A. Unit tests B. Stress tests C. Regression tests D. Acceptance tests 113. An organization planning to purchase a softwarepackage asks the IS auditor for a risk assessment. Which of the following is theMAJOR risk? A. Unavailability of the source code B. Lack of a vendor-quality certification C. Absence of vendor/client references D. Little vendor experience with the package 114. An IS auditor assigned to audit a reorganized process should FIRST review which of the following? A. A map of existing controls B. Eliminated controls C. Process charts D. Compensating controls 115. The PRIMARYbenefit of integrating total quality management (TQM) into asoftware development project is: A. comprehensive documentation. B. on-time delivery. C. cost control. D. end-user satisfaction.
  • 13. 13 116. When reviewing thequality of an IS department's development process, theIS auditor finds that he/she does not use any formal, documented methodology and standards. The IS auditor's MOST appropriateaction would be to: A. complete theaudit and report thefinding. B. investigate and recommend appropriateformal standards. C. document the informal standards and test for compliance. D. withdraw and recommend a further audit when standards are implemented. 117. During unit testing, thetest strategy applied is: A. black box. B. white box. C. bottom-up. D. top-down. 118. A decision support system(DSS): A. is aimed at solving highly structured problems. B. combines the use of models with nontraditional data access and retrieval functions. C. emphasizes flexibility in the decision-making approach of users. D. supportsonly structured decision-making tasks. 119. Which of the following phases represents the optimumpoint for softwarebaselining to occur? A. Testing B. Design C. Requirement D. Development 120. A proposed transaction processing application will have many data capturesources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, the IS auditor should recommend the inclusion of: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing. 121. When auditing the conversion of an accounting systeman IS auditor should verify the existence of a: A. control totalcheck. B. validation check. C. completeness check. D. limit check. 122. A debugging tool, which reports on thesequence of steps executed by a program, is called a(n): A. output analyzer. B. memory dump. C. compiler. D. logic path monitor. 123. Which of the following facilitates program maintenance? A. Morecohesive and loosely coupled programs B. Less cohesive and loosely coupled programs C. Morecohesive and strongly coupled programs D. Less cohesive and strongly coupled programs 124. Which of the following ensures completeness and accuracy of accumulated data? A. Processing control procedures B. Data file control procedures C. Output controls D. Application controls 125. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically: A. result in a correct capture of requirements. B. ensure that desirable application controls have been implemented. C. produce ergonomic and user-friendly interfaces. D. generate efficient code.
  • 14. 14 126. The MOST likely explanation for the use of applets in an Internet application is that: A. it is sent over the network from the server. B. the server does not run the program and the output is not sent over the network. C. they improve theperformance of the web server and network. D. it is a JAVA program downloaded through the web browser and executed by the web server of the client machine. 127. Ideally, stress testing should be carried out in a: A. test environment using test data. B. production environment using live workloads. C. test environment using live workloads. D. production environment using test data. 128. Good quality softwareis BEST achieved: A. through thorough testing. B. by finding and quickly correcting programming errors. C. by determining the amount of testing using theavailable time and budget. D. by applyingwell-defined processes and structured reviews throughout theproject. 129. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of thefollowing would be the IS auditor's main concern about the new process? A. Are key controls in place to protect assets and information resources? B. Does it address the corporatecustomer requirements? C. Does thesystemmeet the performance goals (time and resources)? D. Have owners been identified who will be responsible for theprocess? 130. A company has contracted with an external consulting firm to implement a commercial financial systemto replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern? A. Acceptance testing is to be managed by users. B. A quality plan is not part of thecontracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototypingis being used to confirm that the system meets business requirements. 131. The use of a GANTT chart can: A. aid in scheduling project tasks. B. determine project checkpoints. C. ensure documentation standards. D. direct the postimplementation review. 132. Using test dataas part of a comprehensive test of program controls in a continuous online manner is called a(n): A. test data/deck. B. base-case systemevaluation. C. integrated test facility (ITF). D. parallel simulation. . 133. Testing the connection of two or more systemcomponents that pass information from one area to another is: A. pilot testing. B. parallel testing C. interface testing. D. regression testing. 134. Regression testing is the process of testing a program to determine if: A. thenew code contains errors. B. discrepancies exist between functional specifications and performance. C. new requirements have been met. D. changes have introduced any errors in the unchanged code. 135. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of systemdevelopment projects?
  • 15. 15 A. User management B. Project steering committee C. Senior management D. Systems development management 136. The difference between white box testing and black box testing is that white box testing: A. involves the IS auditor. B. is performed by an independent programmer team. C. examines a program's internal logical structure. D. uses the bottom-up approach. 137. An IS auditor reviewing a project, where quality is a major concern, should use the project management triangle to explain that a(n): A. increase in quality can be achieved, even if resource allocation is decreased. B. increase in quality is only achieved, if resource allocation is increased. C. decrease in delivery time can be achieved, even if resource allocation is decreased. D. decrease in delivery time can only be achieved, if quality is decreased. 138. Which of the following integrity tests examines theaccuracy, completeness, consistency and authorization of data? A. Data B. Relational C. Domain D. Referential 139. Which of the following is MOST effective in controlling application maintenance? A. Informing users of the status of changes B. Establishing priorities on program changes C. Obtaining user approvalof program changes D. Requiring documented user specifications for changes 140. Which of the following groups should assume ownership of a systems development project and theresulting system? A. User management B. Senior management C. Project steering committee D. Systems development management 141. To make an electronic funds transfer (EFT), one employee enters the amount field and another employee reenters thesame data again, before themoney is transferred. The control adopted by the organization in this case is: A. sequence check. B. key verification. C. check digit. D. completeness check. 142. An IS auditor is told by IS management that the organization has recently reached the highest level of the softwarecapability maturity model (CMM). Thesoftwarequality process MOST recently added by theorganization is: A. continuous improvement. B. quantitative quality goals. C. a documented process. D. a process tailored to specific projects. 143. The use of fourth-generation languages (4GLs) should be weighed carefully against using traditional languages, because 4GLs: A. can lack the lower-level detail commands necessary to perform data intensive operations. B. cannot be implemented on both the mainframe processors and microcomputers. C. generally contain complex language subsets that must be used by skilled users. D. cannot access database records and produce complex online outputs. 144. During the development of an application, the quality assurance testing and user
  • 16. 16 acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: A. increased maintenance. B. improper documentation of testing. C. inadequate functional testing. D. delays in problem resolution. 145. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system(ETCS). The vendor has provided its proprietary application software as part of thesolution. The contract should require that: A. a backup server be available to run ETCS operations with up-to-datedata. B. a backup server be loaded with all the relevant software and data. C. the systems staff of the organization be trained to handle any event. D. source code of theETCS application be placed in escrow. 146. Which of the following is a dynamic analysis toolfor the purposeof testing software modules? A. Black box test B. Desk checking C. Structured walk-through D. Design and code 147. The impact of EDI on internal controls will be: A. that fewer opportunities for review and authorization will exist. B. an inherent authentication. C. a proper distribution of EDI transactions while in the possession of third parties. D. that IPF management will have increased responsibilities over data center controls. 148. Which of the following tasks occurs during the research stage of the benchmarking process? A. Critical processes are identified. B. Benchmarking partners are visited. C. Findings are translated into core principles. D. Benchmarking partners are identified. 149. Which of the following would be a risk specifically associated with the agile development process? A. Lack of documentation B. Lack of testing C. Poor requirements definition D. Poor project management practices 150. An IS auditor evaluating data integrity in a transaction-driven systemenvironment should review atomicity to determine whether: A. thedatabase survives failures (hardware or software). B. each transaction is separated from other transactions. C. integrity conditions are maintained. D. a transaction is completed or a database is updated. Now evaluate your score – Find Answers at http://datainfosec.blogspot.in/2016/04/answer-to-cisa-mock-test-1.html