Full QA CISA With Answer
1. Which of the following is the MOST important skill an IS auditor should develop to understand
the constraints of conducting an audit?
A. Contingency planning
C. Project management
Justification:
C. Audits often involve resource management, deliverables, scheduling and deadlines similar
to project management best practices.
2. During an audit, an IS auditor notices that the IT department of a medium-sized organization has
no separate risk management function, and the organization’s operational risk documentation
only contains a few broadly described types of IT risk. What is the MOST appropriate
recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of
external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several
individual types of risk which will be easier to handle.
D. Establish regular IT risk management meetings to identify and assess risk, and create a
mitigation plan as input to the organization’s risk management.
Justification:
C. The auditor should recommend a formal IT risk management effort because the failure to
demonstrate responsible IT risk management may be a liability for the organization.
D. Establishing regular IT risk management meetings is the best way to identify and assess IT-
related risk in a medium-sized organization, to address responsibilities to the respective
management and to keep the risk register and mitigation plans up to date.
C. System administrators are trained to use the virtual machine (VM) architecture.
Justification:
A. The most important control to test in this configuration is the server configuration
hardening. It is important to patch known vulnerabilities and to disable all non-required
functions before production, especially when production architecture is different from
development and testing architecture.
B. The greatest risk is associated with the difference between the testing and production
environments. Ensuring that physical resources are available is a relatively low risk and easily
addressed.
C. Virtual machines (VMs) are often used for optimizing programming and testing
infrastructure. In this scenario, the development environment (VM architecture) is different
from the production infrastructure (physical three-tier). Because the VMs are not related to
the web application in production, there is no real requirement for the system
administrators to be familiar with a virtual environment.
D. Because the VMs are only used in a development environment and not in production, it may
not be necessary to include VMs in the disaster recovery plan (DRP).
4. A database administrator has detected a performance problem with some tables, which could be
solved through denormalization. This situation will increase the risk of:
A. concurrent access.
B. deadlocks.
Justification:
C. Access to data is controlled by defining user rights to information and is not affected by
denormalization.
D. Normalization is the removal of redundant data elements from the database structure.
Disabling normalization in relational databases will create redundancy and a risk of not
maintaining consistency of data, with the consequent loss of data integrity.
5. Which of the following user profiles should be of MOST concern to an IS auditor when performing
an audit of an electronic funds transfer (EFT) system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send
their own messages
Justification:
A. The ability of one individual to capture and verify their own messages represents an
inadequate segregation because messages can be taken as correct and as if they had
already been verified. The verification of messages should not be allowed by the person
who sent the message.
B. Users may have the ability to send messages but should not be able to verify their own
messages.
C. This is an example of separation of duties. A person can send their own message but only
verify the messages of other users.
D. The ability to capture and verify the messages of others but only send their own messages is
acceptable.
DOMAIN 1
1. Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be
completed. Assuming that the situation is communicated in the audit report, which course of
action is MOST acceptable?
Justification:
A. Testing the adequacy of control design is not the best course of action because this does not
ensure that controls operate effectively as designed.
B. Testing control operating effectiveness will not ensure that the audit plan is focused on
areas of greatest risk.
C. Reducing the scope and focusing on auditing high-risk areas is the best course of action.
D. The reliance on management testing of controls will not provide an objective verification of
the control environment.
3. Although management has stated otherwise, an IS auditor has reasons to believe that the
organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
D. discuss the issue with senior management because it could have a negative impact
on the organization.
Justification:
A. The statement from management may be included in the audit report, but the auditor
should independently validate the statements made by management to ensure
completeness and accuracy.
B. When there is an indication that an organization might be using unlicensed software, the
IS auditor should obtain sufficient evidence before including it in the report.
D. If the organization is using software that is not licensed, the IS auditor, to maintain
objectivity and independence, must include this in the report, but the IS auditor should
verify that this is in fact the case before presenting it to senior management.
4. The internal IS audit team is auditing controls over sales returns and is concerned about fraud.
Which of the following sampling methods would BEST assist the IS auditors?
A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proportional-to-size
Justification:
A. Stop-or-go is a sampling method that helps limit the size of a sample and allows the test to
be stopped at the earliest possible moment.
B. Classical variable sampling is associated with dollar amounts and has a sample based on a
representative sample of the population but is not focused on fraud.
5. An IS auditor is determining the appropriate sample size for testing the existence of program
change approvals. Previous audits did not indicate any exceptions, and management has
confirmed that no exceptions have been reported for the review period. In this context, the IS
auditor can adopt a:
Justification:
A. When internal controls are strong, a lower confidence coefficient can be adopted, which
will enable the use of a smaller sample size.
B. A higher confidence coefficient will result in the use of a larger sample size.
C. A higher confidence coefficient need not be adopted in this situation because internal
controls are strong.
D. A lower confidence coefficient will result in the use of a smaller sample size.
6. Which of the following is the BEST factor for determining the required extent of data collection
during the planning phase of an IS compliance audit?
Justification:
A. The complexity of the organization’s operation is a factor in the planning of an audit, but
does not directly affect the determination of how much data to collect. Extent of data
collection is subject to the intensity, scope and purpose of the audit.
B. Prior findings and issues are factors in the planning of an audit, but do not directly affect the
determination of how much data to collect. Data must be collected outside of areas of
previous findings.
C. The extent to which data will be collected during an IS audit is related directly to the
purpose, objective and scope of the audit. An audit with a narrow purpose and limited
objective and scope is most likely to result in less data collection than an audit with a
wider purpose and scope. Statistical analysis may also determine the extent of data
collection such as sample size or means of data collection.
D. An auditor’s familiarity with the organization is a factor in the planning of an audit, but does
not directly affect the determination of how much data to collect. The audit must be based
on sufficient evidence of the monitoring of controls and not unduly influenced by the
auditor’s familiarity with the organization.
A. An impact
B. A vulnerability
C. An asset
D. A threat
Justification:
A. Impact is the measure of the consequence (including financial loss, reputational damage,
loss of customer confidence) that a threat event may have.
7. Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report
is:
Justification:
A. Preparation of the IS audit report according to a predefined and standard template may be
useful in ensuring that all key aspects are provided in a uniform structure, but this does not
demonstrate that audit findings are based on evidence that can be proven, if required.
B. ISACA IS audit standards require that reports should be backed by sufficient and
appropriate audit evidence so that they demonstrate the application of the minimum
standard of performance and the findings and recommendations can be validated, if
required.
C. The scope and coverage of IS audit is defined by a risk assessment process, which may not
always provide comprehensive coverage of processes of the enterprise.
D. While from an operational standpoint an audit report should be reviewed and approved by
audit management, the more critical consideration is that all conclusions are backed by
sufficient and appropriate audit evidence.
8. The MOST appropriate action for an IS auditor to take when shared user accounts are discovered
is to:
C. document the finding and explain the risk of using shared IDs.
Justification:
A. It is not appropriate for an IS auditor to report findings to the audit committee before
conducting a more detailed review and presenting them to management for a response.
B. Review of audit logs would not be useful because shared IDs do not provide for individual
accountability.
C. An IS auditor’s role is to detect and document findings and control deficiencies. Part of the
audit report is to explain the reasoning behind the findings. The use of shared IDs is not
recommended because it does not allow for accountability of transactions. An IS auditor
would defer to management to decide how to respond to the findings presented.
D. It is not the role of an IS auditor to request the removal of IDs from the system.
B. Publish a report omitting the areas where the evidence obtained from testing was
inconclusive.
C. Request a delay of the implementation date until additional security testing can be
completed and evidence of appropriate controls can be obtained.
Justification:
A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on
time frame, this fact should be highlighted in the audit report and follow-up testing should
be scheduled for a later date. Management could then determine whether any of the
potential weaknesses identified were significant enough to delay the go-live date for the
system.
B. It is not acceptable for the IS auditor to ignore areas of potential weakness because
conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS
Audit and Assurance Standards would be violated if these areas were omitted from the audit
report.
C. Extending the time frame for the audit and delaying the go-live date is unlikely to be
acceptable in this scenario where the system involved is business-critical. In any case, a
delay to the go-live date must be the decision of business management, not the IS auditor.
In this scenario, the IS auditor should present business management with all available
information by the agreed-on date.
D. Failure to obtain sufficient evidence in one part of an audit engagement does not justify
cancelling or postponing the audit; this would violate the audit guideline concerning due
professional care.
10. The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
Justification:
A. A postincident review examines both the cause and response to an incident. The lessons
learned from the review can be used to improve internal controls. Understanding the
purpose and structure of postincident reviews and follow-up procedures enables the
information security manager to continuously improve the security program. Improving
the incident response plan based on the incident review is an internal (corrective) control.
B. A postincident review may result in improvements to controls, but its primary purpose is not
to harden a network.
C. The purpose of postincident review is to ensure that the opportunity is presented to learn
lessons from the incident. It is not intended as a forum to educate management.
D. An incident may be used to emphasize the importance of incident response, but that is not
the intention of the postincident review.
11. An internal IS audit function is planning a general IS audit. Which of the following activities takes
place during the FIRST step of the planning phase?
Justification:
A. The results of the risk assessment are used for the input for the audit program.
B. The audit charter is prepared when the audit department is established or as updates are
needed. Creation of the audit charter is not related to the audit planning phase because it is
part of the internal audit governance structure that provides independence for the function.
C. A risk assessment must be performed prior to identifying key information owners. Key
information owners are generally not directly involved during the planning process of an
audit.
D. A risk assessment should be performed to determine how internal audit resources should
be allocated in order to ensure that all material items will be addressed.
12. Which of the following should an IS auditor use to detect duplicate invoice records within an
invoice master file?
A. Attribute sampling
C. Compliance testing
Justification:
A. Attribute sampling would aid in identifying records meeting specific conditions but would
not compare one record to another to identify duplicates. To detect duplicate invoice
records, the IS auditor should check all of the items that meet the criteria and not just a
sample of the items.
B. Computer-assisted audit techniques (CAATs) would enable the IS auditor to review the
entire invoice file to look for those items that meet the selection criteria.
C. Compliance testing determines whether control procedures are adhered to; using CAATs is
the better option because it would most likely be more efficient for searching for duplicates.
D. An integrated test facility (ITF) allows the IS auditor to test transactions through the
production system but would not compare records to identify duplicates.
DOMAIN 2
1. Which of the following choices is the PRIMARY benefit of requiring a steering committee to
oversee IT investment?
Justification:
A. A steering committee may use a feasibility study in its reviews; however, it is not responsible
for performing/conducting the study.
B. A steering committee consists of representatives from the business and IT and ensures
that IT investment is based on business objectives rather than on IT priorities.
Justification:
A. Information security governance, when properly implemented, should provide four basic
outcomes: strategic alignment, value delivery, risk management and performance
measurement. Strategic alignment provides input for security requirements driven by
enterprise requirements.
B. Strategic alignment ensures that security aligns with business goals. Providing a standard set
of security practices (i.e., baseline security following good practices or institutionalized and
commoditized solutions) is a part of value delivery.
C. Value delivery addresses the effectiveness and efficiency of solutions, but is not a result of
strategic alignment.
D. Risk management is a primary goal of IT governance, but strategic alignment is not focused
on understanding risk exposure.
3. An IS auditor is evaluating the IT governance framework of an organization. Which of the
following would be the GREATEST concern?
Justification:
D. Estimation of risk appetite is important; however, at the same time, management should
ensure that controls are in place. Therefore, checking only on risk appetite does not verify
soundness of IT governance.
C. A structure is provided that facilitates the creation and sharing of business information.
Justification:
A. Supplier and partner risk being managed is a risk management good practice but not a
strategic function.
D. a disruption of operations.
Justification:
C. Cross-training is a process of training more than one individual to perform a specific job or
procedure. However, in using this approach, it is prudent to have first assessed the risk of
any person knowing all parts of a system and the related potential exposures related to
abuse of privilege.
D. Cross-training provides for the backup of personnel in the event of an absence and, thereby,
provides for the continuity of operations.
6. Which of the following controls would an IS auditor look for in an environment where duties
cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
Justification:
A. Overlapping controls are two controls addressing the same control objective or exposure.
Because primary controls cannot be achieved when duties cannot or are not appropriately
segregated, it is difficult to install overlapping controls.
B. Boundary controls establish the interface between the would-be user of a computer system
and the computer system itself and are individual-based, not role-based, controls.
C. Access controls for resources are based on individuals and not on roles. A lack of segregation
of duties would mean that the IS auditor would expect to find that a person has higher levels
of access than would be ideal. This would mean the IS auditor wants to find compensating
controls to address this risk.
D. Compensating controls are internal controls that are intended to reduce the risk of an
existing or potential control weakness that may arise when duties cannot be appropriately
segregated.
7. When auditing the IT governance framework and IT risk management practices that exist within
an organization, the IS auditor identified some undefined responsibilities regarding IT
management and governance roles. Which of the following recommendations is the MOST
appropriate?
Justification:
A. While the strategic alignment of IT with the business is important, it is not directly related to
the gap identified in this scenario.
B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should
recommend the implementation of accountability rules to ensure that all responsibilities
are defined within the organization. Note that this question asks for the best
recommendation—not about the finding itself.
C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly
defined and implemented.
D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are
not clearly defined and implemented.
8. When auditing the archiving of the company’s email communications, the IS auditor should pay
the MOST attention to:
Justification:
A. Without a data retention policy that is aligned to the company’s business and compliance
requirements, the email archive may not preserve and reproduce the correct information
when required.
B. The storage capacity of the archiving solution would be irrelevant if the proper email
messages have not been properly preserved and others have been deleted.
C. The level of user awareness concerning email use would not directly affect the completeness
and accuracy of the archived email.
D. The support and stability of the archiving solution manufacturer is secondary to the need to
ensure a retention policy. Vendor support would not directly affect the completeness and
accuracy of the archived email.
Justification:
B. Providing the user with a backup copy of software is not escrow. Escrow requires that a copy
be kept with a trusted third party.
D. Software escrow is used to protect the intellectual property of software developed by one
organization and sold to another organization. This is not used for software being reviewed
by an auditor of the organization that wrote the software.
10. Which of the following is the MOST important IS audit consideration when an organization
outsources a customer credit review system to a third-party service provider? The provider:
Justification:
A. Compliance with security standards is important, but there is no way to verify or prove that
is the case without an independent review.
D. Compliance with organizational security policies is important, but there is no way to verify or
prove that this is the case without an independent review.
11. After the merger of two organizations, multiple self-developed legacy applications from both
organizations are to be replaced by a new common platform. Which of the following would be
the GREATEST risk?
B. The replacement effort consists of several independent projects without integrating the
resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being
familiarized with the other company’s legacy systems.
D. The new platform will force the business areas of both organizations to change their work
processes, which will result in extensive training needs.
Justification:
B. The efforts should be consolidated to ensure alignment with the overall strategy of the
postmerger organization. If resource allocation is not centralized, the separate projects are
at risk of overestimating the availability of key knowledge resources for the in-house
developed legacy applications.
C. The development of new integrated systems can require some knowledge of the legacy
systems to gain an understanding of each business process.
D. In most cases, mergers result in application changes and thus in training needs as
organizations and processes change to leverage the intended synergy effects of the merger.
C. IT organizational structure.
Justification:
A. An enterprise data model is a document defining the data structure of an organization and
how data interrelate. It is useful, but it does not provide information on investments in IT
assets.
B. The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives
and business objectives by supplementing the traditional financial evaluation with
measures to evaluate customer satisfaction, internal processes and the ability to innovate.
In this way the auditor can measure the success of the IT investment and strategy.
D. Historical financial statements do not provide information about planning and lack sufficient
detail to enable one to fully understand management’s activities regarding IT assets. Past
costs do not necessarily reflect value, and assets such as data are not represented on the
books of accounts.
13. Which of the following factors should an IS auditor PRIMARILY focus on when determining the
appropriate level of protection for an information asset?
Justification:
A. The appropriate level of protection for an asset is determined based on the risk associated
with the asset. The results of the risk assessment are, therefore, the primary information
that the IS auditor should review.
B. The relative value of an asset to the business is one element considered in the risk
assessment; this alone does not determine the level of protection required.
C. The results of a vulnerability assessment would be useful when creating the risk assessment;
however, this would not be the primary focus.
D. The cost of security controls is not a primary factor to consider because the expenditures on
these controls are determined by the value of the information assets being protected.
14. When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the
following risk treatment approaches is being applied?
A. Transfer
B. Mitigation
C. Avoidance
D. Acceptance
Justification:
A. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities
that pose a risk).
C. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For
example, a company may stop accepting credit card payments to avoid the risk of credit card
information disclosure.
D. Risk acceptance occurs when an organization decides to accept the risk as it is and to do
nothing to mitigate or transfer it.
Justification:
A. The auditor needs to know what standards the organization has adopted and then measure
compliance with those standards. Determining how the organization follows the standards is
secondary to knowing what the standards are. The other items listed—verifying how well
standards are being followed, identifying relevant controls and reviewing the quality
metrics—are secondary to the identification of standards.
B. The first step is to know the standards and what policies and procedures are mandated for
the organization, then to document the controls and measure compliance.
C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe
or require the metrics.
D. Because an audit measures compliance with the standards of the organization, the first
step of the review of the software quality management process should be to determine
the evaluation criteria in the form of standards adopted by the organization. The
evaluation of how well the organization follows its own standards cannot be performed
until the IS auditor has determined what standards exist.
16. When developing a formal enterprise security program, the MOST critical success factor (CSF)
would be the:
Justification:
B. The creation of a security unit is not effective without visible sponsorship of top
management.
D. The selection of a security process owner is not effective without visible sponsorship of top
management.
17. While reviewing a quality management system (QMS), the IS auditor should PRIMARILY focus on
collecting evidence to show that:
Justification:
A. Generally, good practices are adopted according to business requirements, and therefore,
conforming to good practices may or may not be a requirement of the business.
C. Updating operating procedures is part of implementing the QMS; however, it must be part
of change management and not an annual activity.
D. Key performance indicators (KPIs) may be defined in a QMS, but they are of little value if
they are not being monitored.
18. Before implementing an IT balanced scorecard (BSC), an organization must:
D. control IT expenses.
Justification:
C. A BSC will measure the value of IT to business, not the other way around.
D. A BSC will measure the performance of IT, but the control over IT expenses is not a key
requirement for implementing a BSC.
19. During a review of a business continuity plan, an IS auditor noticed that the point at which a
situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is
that:
Justification:
B. Execution of the business continuity and disaster recovery plans would be impacted if the
organization does not know when to declare a crisis.
C. After a potential crisis is recognized, the teams responsible for crisis management need to
be notified. Delaying the declaration of a disaster would impact or negate the effect of
having response teams, but this is only one part of the larger impact.
D. Potential crisis recognition is the first step in recognizing or responding to a disaster and
would occur prior to the declaration of a disaster.
20. An IS auditor is reviewing an organization’s recovery from a disaster in which not all the critical
data needed to resume business operations were retained. Which of the following was
incorrectly defined?
Justification:
A. The interruption window is defined as the amount of time during which the organization is
unable to maintain operations from the point of failure to the time that the critical
services/applications are restored.
B. The recovery time objective (RTO) is determined based on the acceptable downtime in the
case of a disruption of operations.
C. The service delivery objective (SDO) is directly related to the business needs. SDO is the level
of services to be reached during the alternate process mode until the normal situation is
restored.
D. The recovery point objective (RPO) is determined based on the acceptable data loss in the
case of a disruption of operations. RPO defines the point in time from which it is necessary
to recover the data and quantifies, in terms of time, the permissible amount of data loss in
the case of interruption.
A. the business processes that generate the most financial value for the organization
and, therefore, must be recovered first
B. the priorities and order for recovery to ensure alignment with the organization’s
business strategy
C. the business processes that must be recovered following a disaster to ensure the
organization’s survival
D. the priorities and order of recovery, which will recover the greatest number of
systems in the shortest time frame
Justification:
A. It is a common mistake to overemphasize financial value rather than urgency. For example,
while the processing of incoming mortgage loan payments is important from a financial
perspective, it could be delayed for a few days in the event of a disaster. On the other hand,
wiring funds to close on a loan, while not generating direct revenue, is far more critical
because of the possibility of regulatory problems, customer complaints and reputation
issues.
B. The business strategy (which is often a long-term view) does not have a direct impact at this
point in time.
D. The mere number of recovered systems does not have a direct impact at this point in time.
The importance is to recover systems that would impact business survival.
DOMAIN 3
1. Normally, it would be essential to involve which of the following stakeholders in the initiation
stage of a project?
A. System owners
B. System users
C. System designers
D. System builders
Justification:
A. System owners are the information systems (project) sponsors or chief advocates. They
normally are responsible for initiating and funding projects to develop, operate and
maintain information systems.
B. System users are the individuals who use or are affected by the information system. Their
requirements are crucial in the requirements definition, design and testing stages of a
project.
C. System designers translate business requirements and constraints into technical solutions.
D. System builders construct the system based on the specifications from the systems
designers. In most cases, the designers and builders are one and the same.
2. When reviewing an active project, an IS auditor observed that the business case was no longer
valid because of a reduction in anticipated benefits and increased costs. The IS auditor should
recommend that the:
A. project be discontinued.
Justification:
B. The IS auditor should recommend that the business case be kept current throughout the
project because it is a key input to decisions made throughout the life of any project.
C. The project cannot be returned to the sponsor until the business case has been updated.
D. An IS auditor should not recommend completing the project before reviewing an updated
business case and ensuring approval from the project sponsor.
3. During the audit of an acquired software package, an IS auditor finds that the software purchase
was based on information obtained through the Internet, rather than from responses to a
request for proposal (RFP). The IS auditor should FIRST:
Justification:
A. Because the software package has already been acquired, it is most likely that it is in use and
therefore compatible with existing hardware. Further, the first responsibility of the IS
auditor is to ensure that the purchasing procedures have been approved.
B. Because there was no request for proposal (RFP), there may be no documentation of the
expectations of the product and nothing to measure a gap against. The first task for the IS
auditor is to ensure that the purchasing procedures were approved.
C. The licensing policy should be reviewed to ensure proper licensing but only after the
purchasing procedures are checked.
D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure
that the procedure followed for acquiring the software is consistent with the business
objectives and has been approved by the appropriate authorities.
4. A company has contracted with an external consulting firm to implement a commercial financial
system to replace its existing system developed in-house. In reviewing the proposed
development approach, which of the following would be of GREATEST concern?
D. Prototyping is being used to confirm that the system meets business requirements.
Justification:
A. Acceptance is normally managed by the user area because users must be satisfied that the
new system will meet their requirements.
B. A quality plan is an essential element of all projects. It is critical that the contracted
supplier be required to produce such a plan. The quality plan for the proposed
development contract should be comprehensive and encompass all phases of the
development and include which business functions will be included and when.
A. Project sponsor
Justification:
A. A project sponsor is typically the senior manager in charge of the primary business unit that
the application will support. The sponsor provides funding for the project and works closely
with the project manager to define the critical success factors or metrics for the project. The
project sponsor is not responsible for reviewing the progress of the project.
B. A system development project team (SDPT) completes the assigned tasks, works according
to the instructions of the project manager and communicates with the user project team.
The SDPT is not responsible for overseeing the progress of the project.
C. A project steering committee that provides an overall direction for the enterprise resource
planning (ERP) implementation project is responsible for reviewing the project’s progress
to ensure that it will deliver the expected results.
D. A user project team (UPT) completes the assigned tasks, communicates effectively with the
system development team and works according to the advice of the project manager. A UPT
is not responsible for reviewing the progress of the project.
6. While evaluating software development practices in an organization, an IS auditor notes that the
quality assurance (QA) function reports to project management. The MOST important concern
for an IS auditor is the:
C. effectiveness of the project manager because the project manager should interact
with the QA function.
Justification:
B. The efficiency of the QA function would not be impacted by interacting with the project
implementation team. The QA team would not release a product for implementation until it
had met QA requirements.
C. The project manager will respond to the issues raised by the QA team. This will not impact
the effectiveness of the project manager.
D. The QA function’s interaction with the project implementation team should not impact the
efficiency of the project manager.
7. Which of the following would BEST help to prioritize project activities and determine the time
line for a project?
A. A Gantt chart
8. An IS auditor has found time constraints and expanded needs to be the root causes for recent
violations of corporate data definition standards in a new business intelligence project. Which of
the following is the MOST appropriate suggestion for an auditor to make?
Justification:
A. Provided that data architecture, technical and operational requirements are sufficiently
documented, the alignment to standards could be treated as a specific work package
assigned to new project resources.
B. The usage of nonstandard data definitions would lower the efficiency of the new
development, and increase the risk of errors in critical business decisions. To change data
definition standards after project conclusion is risky and is not a viable solution.
D. Punishing the violators would be outside the authority of the auditor and inappropriate until
the reason for the violations has been determined.
9. Which of the following would be the BEST approach to ensure that sufficient test coverage will be
achieved for a project with a strict end date and a fixed time to perform testing?
D. The number of required test runs should be reduced by retesting only defect fixes.
Justification:
A. The idea is to maximize the usefulness of testing by concentrating on the most important
aspects of the system and on the areas where defects represent the greatest risk to user
acceptance. A further extension of this approach is to also consider the technical
complexity of requirements because complexity tends to increase the likelihood of
defects.
B. The problem with testing only functional requirements is that nonfunctional requirement
areas, such as usability and security, which are important to the overall quality of the
system, are ignored.
C. Increasing the efficiency of testing by automating test execution is a good idea. However, by
itself, this approach does not ensure the appropriate targeting of test coverage and so is not
as effective an alternative.
D. Retesting only defect fixes has a considerable risk that it will not detect instances in which
defect fixes may have caused the system to regress (i.e., introduced errors in parts of the
system that were previously working correctly). For this reason, it is a good practice to
undertake formal regression testing after defect fixes have been implemented.
10. Who should review and approve system deliverables as they are defined and accomplished to
ensure the successful completion and implementation of a new business system application?
A. User management
C. Senior management
Justification:
A. User management assumes ownership of the project and resulting system, allocates
qualified representatives to the team and actively participates in system requirements
definition, acceptance testing and user training. User management should review and
approve system deliverables as they are defined and accomplished or implemented.
C. Senior management demonstrates commitment to the project and approves the necessary
resources to complete the project. This commitment from senior management helps ensure
involvement by those who are needed to complete the project.
D. Quality assurance staff review results and deliverables within each phase, and at the end of
each phase confirm compliance with standards and requirements. The timing of reviews
depends on the system development life cycle methodology used, the structure and
magnitude of the system and the impact of potential deviation.
11. An IS auditor is reviewing the software development process for an organization. Which of the
following functions would be appropriate for the end users to perform?
B. System configuration
D. Performance tuning
Justification:
A. A user can test program output by checking the program input and comparing it with the
system output. This task, although usually done by the programmer, can also be done
effectively by the user.
B. System configuration is usually too technical to be accomplished by a user and this situation
could create security issues. This could introduce a segregation of duties issue.
C. Program logic specification is a very technical task that is normally performed by a
programmer. This could introduce a segregation of duties issue.
D. Performance tuning also requires high levels of technical skill and will not be effectively
accomplished by a user. This could introduce a segregation of duties issue.
12. From a risk management point of view, the BEST approach when implementing a large and
complex IT infrastructure is:
Justification:
B. Prototyping may reduce development failure, but a large environment will usually require a
phased approach.
C. When developing a large and complex IT infrastructure, a good practice is to use a phased
approach to fit the entire system together. This will provide greater assurance of quality
results.
Justification:
A. User acceptance testing (UAT) should be performed prior to the implementation (perhaps
during the development phase), not after the implementation.
C. The audit trail should be activated during the implementation of the application.
D. While updating the enterprise architecture (EA) diagrams is a best practice, it would not
normally be part of a postimplementation review.
14. The PRIMARY objective of conducting a postimplementation review for a business process
automation project is to:
Justification:
A. Ensuring that the project meets the intended business requirements is the primary
objective of a postimplementation review.
B. Evaluating the adequacy of controls may be part of the review but is not the primary
objective.
15. A legacy payroll application is migrated to a new application. Which of the following stakeholders
should be PRIMARILY responsible for reviewing and signing-off on the accuracy and
completeness of the data before going live?
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner
Justification:
A. An IS auditor should ensure that there is a review and sign-off by the data owner during the
data conversion stage of the project.
C. A project manager provides day-to-day management and leadership of the project but is not
responsible for the accuracy and integrity of the data.
D. During the data conversion stage of a project, the data owner is primarily responsible for
reviewing and signing-off that the data are migrated completely and accurately and are
valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the
converted data.
16. An IS auditor should ensure that the review of online electronic funds transfer (EFT) reconciliation
procedures includes:
A. vouching.
B. authorizations.
C. corrections.
D. tracing.
Justification:
A. Vouching is usually performed during the funds transfer, not during the reconciliation effort.
B. In online processing, authorizations are normally done automatically by the system, not
during the reconciliation.
C. Correction entries should be reviewed during a reconciliation; however, they are normally
done by an individual other than the person entrusted to do reconciliations and are not as
important as tracing.
D. Tracing is a transaction reconciliation effort that involves following the transaction from
the original source to its final destination. In electronic funds transfer (EFT) transactions,
the direction on tracing may start from the customer-printed copy of the receipt, checking
the system audit trails and logs, and finally checking the master file records for daily
transactions.
DOMAIN 4
1. Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a
service level agreement (SLA)?
B. The complexity of application logs used for service monitoring made the review
difficult.
Justification:
B. The complexity of application logs is an operational issue, which is not related to the SLA.
C. Lack of performance measures will make it difficult to gauge the efficiency and
effectiveness of the IT services being provided.
D. While it is important that the document be current, depending on the term of the
agreement, it may not be necessary to change the document more frequently than annually.
2. During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement
between the IT and HR departments as to the level of IT services expected. In this situation, what
should the IS auditor do FIRST?
Justification:
B. Reporting to senior management is not necessary at this stage of the audit because this is
not a serious immediate vulnerability.
C. An IS auditor should first confirm and understand the current practice before making any
recommendations. Part of this will be to ensure that both parties are in agreement with
the terms of the agreement.
D. Drafting a service level agreement (SLA) is not the IS auditor’s responsibility.
3. Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to
meet service level agreement (SLA) requirements for a critical IT security service?
Justification:
A. The master agreement typically includes terms, conditions and costs but does not typically
include service levels.
B. Metrics allow for a means to measure performance. Service level agreements (SLAs) are
statements related to expected service levels. For example, an Internet service provider
(ISP) may guarantee that their service will be available 99.99 percent of the time.
C. If applicable to the service, results of business continuity tests are typically included as part
of the due diligence review.
4. When reviewing the configuration of network devices, an IS auditor should FIRST identify:
Justification:
A. After understanding the devices in the network, a good practice for using the device should
be reviewed to ensure that there are no anomalies within the configuration.
B. Identification of which component is missing can only be known upon reviewing and
understanding the topology and a good practice for deployment of the device in the
network.
C. The first step is to understand the importance and role of the network device within the
organization’s network topology.
D. Identification of which subcomponent is being used inappropriately can only be known upon
reviewing and understanding the topology and a good practice for deployment of the device
in the network.
5. Which of the following processes should an IS auditor recommend to assist in the recording of
baselines for software releases?
A. Change management
C. Incident management
D. Configuration management
Justification:
A. Change management is important to control changes to the configuration, but the baseline
itself refers to a standard configuration.
B. Backup and recovery of the configuration are important, but not used to create the baseline.
C. Incident management will determine how to respond to an adverse event, but is not related
to recording baseline configurations.
D. The configuration management process may include automated tools that will provide an
automated recording of software release baselines. Should the new release fail, the
baseline will provide a point to which to return.
A. Malware on servers
B. Firewall misconfiguration
Justification:
B. Firewall misconfiguration could contribute to network performance issues, but the degraded
performance would not likely be restricted to business hours.
C. The existence of spam on the organization’s email server could contribute to network
performance issues, but the degraded performance would not likely be restricted to
business hours.
7. During fieldwork, an IS auditor experienced a system crash caused by a security patch installation.
To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
Justification:
A. While system administrators would normally install patches, it is more important that
changes be made according to a formal procedure that includes testing and implementing
the change during nonproduction times.
C. While patches would normally undergo testing, it is often impossible to test all patches
thoroughly. It is more important that changes be made during nonproduction times, and
that a backout plan is in place in case of problems.
D. An approval process alone could not directly prevent this type of incident from happening.
There should be a complete change management process that includes testing, scheduling
and approval.
8. Which of the following ways is the BEST for an IS auditor to verify that critical production servers
are running the latest security updates released by the vendor?
B. Verify manually that the patches are applied on a sample of production servers.
Justification:
A. Ensuring that automatic updates are enabled on production servers may be a valid way to
manage the patching process; however, this would not provide assurance that all servers are
being patched appropriately.
B. Verifying patches manually on a sample of production servers will be less effective than
automated testing and introduces a significant audit risk. Manual testing is also difficult and
time consuming.
C. The change management log may not be updated on time and may not accurately reflect
the patch update status on servers. A better testing strategy is to test the server for patches,
rather than examining the change management log.
D. An automated tool can immediately provide a report on which patches have been applied
and which are missing.
9. The database administrator (DBA) suggests that database efficiency can be improved by
denormalizing some tables. This would result in:
A. loss of confidentiality.
B. increased redundancy.
C. unauthorized accesses.
D. application malfunctions.
Justification:
A. Denormalization should not cause loss of confidentiality even though confidential data may
be involved. The database administrator (DBA) should ensure that access controls to the
databases remain effective.
C. Denormalization pertains to the structure of the database, not the access controls. It should
not result in unauthorized access.
D. Denormalization may require some changes to the calls between databases and
applications, but should not cause application malfunctions.
A. reduced exposure.
B. reduced threat.
C. less criticality.
D. less sensitivity.
Justification:
A. Segmenting data reduces the quantity of data exposed as a result of a particular event.
B. The threat may remain constant, but each segment may represent a different vector against
which it must be directed.
C. Criticality (availability) of data is not affected by the manner in which it is segmented.
11. An IS auditor observed that users are occasionally granted the authority to change system data.
This elevated system access is not consistent with company policy yet is required for smooth
functioning of business operations. Which of the following controls would the IS auditor MOST
likely recommend for long-term resolution?
Justification:
A. Data authorization controls should be driven by the policy. While there may be some
technical controls that could be adjusted, if the data changes happen infrequently, then an
exception process would be the better choice.
B. While adequate segregation of duties is important, it is simpler to fix the policy versus
adding additional controls to enforce segregation of duties.
C. If the users are granted access to change data in support of the business requirements, but
the policy forbids this, then perhaps the policy needs some adjustment to allow for policy
exceptions to occur.
D. Audit trails are needed, but this is not the best long-term solution to address this issue.
Additional resources would be required to review logs.
12. Which of the following choices BEST ensures accountability when updating data directly in a
production database?
Justification:
A. Creating before and after images is the best way to ensure that the appropriate data have
been updated in a direct data change. The screen shots would include the data prior to
and after the change.
B. Having approved implementation plans would verify that the change was approved to be
implemented but will not ensure that the appropriate change was made.
C. Having an approved validation plan will ensure that the data change had a validation plan
designed prior to the data change but will not ensure that the data change was appropriate
and correct.
D. Data file security would only ensure that the user making the data change was appropriate.
It would not ensure that the data change was correct.
13. Which of the following specifically addresses how to detect cyberattacks against an organization’s
IT systems and how to recover from an attack?
B. An IT contingency plan
Justification:
A. The incident response plan (IRP) determines the information security responses to
incidents such as cyberattacks on systems and/or networks. This plan establishes
procedures to enable security personnel to identify, mitigate and recover from malicious
computer incidents such as unauthorized access to a system or data, denial-of-service
(DoS) or unauthorized changes to system hardware or software.
B. The IT contingency plan addresses IT system disruptions and establishes procedures for
recovering from a major application or general support system failure. The contingency plan
deals with ways to recover from an unexpected failure, but it does not address the
identification or prevention of cyberattacks.
C. The business continuity plan (BCP) addresses business processes and provides procedures
for sustaining essential business operations while recovering from a significant disruption.
While a cyberattack could be severe enough to require use of the BCP, the IRP would be
used to determine which actions should be taken—both to stop the attack as well as to
resume normal operations after the attack.
D. The continuity of operations plan (COOP) addresses the subset of an organization’s missions
that are deemed most critical and contains procedures to sustain these functions at an
alternate site for a short time period.
14. The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
Justification:
A. A postincident review examines both the cause and response to an incident. The lessons
learned from the review can be used to improve internal controls. Understanding the
purpose and structure of postincident reviews and follow-up procedures enables the
information security manager to continuously improve the security program. Improving
the incident response plan based on the incident review is an internal (corrective) control.
B. A postincident review may result in improvements to controls, but its primary purpose is not
to harden a network.
C. The purpose of postincident review is to ensure that the opportunity is presented to learn
lessons from the incident. It is not intended as a forum to educate management.
D. An incident may be used to emphasize the importance of incident response, but that is not
the intention of the postincident review.
15. In a small organization, developers may release emergency changes directly to production. Which
of the following will BEST control the risk in this situation?
Justification:
B. Restricting release time frame may help somewhat; however, it would not apply to
emergency changes and cannot prevent unauthorized release of the programs.
D. Disabling the compiler option in the production machine is not relevant in an emergency
situation.
16. During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-
privilege access that allows the director to process requests for changes to the application access
roles (access types). Which of the following should the IS auditor recommend?
B. Hire additional staff to provide a segregation of duties (SoD) for application role
changes.
Justification:
B. While it is preferred that a strict segregation of duties (SoD) be adhered to and that
additional staff be recruited, this practice is not always possible in small enterprises. The IS
auditor must look at recommended alternative processes.
C. An automated process for managing application roles may not be practical to prevent
improper changes being made by the IS director, who also has the most privileged access to
the application.
D. Making the existing process available on the enterprise intranet would not provide any value
to protect the system.
17. An IS auditor discovers that some users have installed personal software on their PCs. This is not
explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is
to recommend that the:
Justification:
B. Lack of specific language addressing unauthorized software in the acceptable use policy is
a weakness in administrative controls. The policy should be reviewed and updated to
address the issue—and provide authority for the IT department to implement technical
controls.
18. Which of the following is a prevalent risk in the development of end-user computing (EUC)
applications?
Justification:
A. End-user computing (EUC) is defined as the ability of end users to design and implement
their own information system utilizing computer software products. End-user developed
applications may not be subjected to an independent outside review by systems analysts
and frequently are not created in the context of a formal development methodology.
These applications may lack appropriate standards, controls, quality assurance
procedures, and documentation. A risk of end-user applications is that management may
rely on them as much as traditional applications.
B. EUC systems typically result in reduced application development and maintenance costs.
19. During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the IS auditor
observes that some remote offices have very limited local IT resources. Which of the following
observations would be the MOST critical for the IS auditor?
A. A test has not been made to ensure that local resources could maintain security and
service standards when recovering from a disaster or incident.
B. The corporate business continuity plan (BCP) does not accurately document the
systems that exist at remote offices.
C. Corporate security measures have not been incorporated into the test plan.
D. A test has not been made to ensure that tape backups from the remote offices are
usable.
A is the correct answer.
Justification:
A. Regardless of the capability of local IT resources, the most critical risk would be the lack of
testing, which would identify quality issues in the recovery process.
B. The corporate business continuity plan (BCP) may not include disaster recovery plan (DRP)
details for remote offices. It is important to ensure that the local plans have been tested.
C. Security is an important issue because many controls may be missing during a disaster.
However, not having a tested plan is more important.
D. The backups cannot be trusted until they have been tested. However, this should be done as
part of the overall tests of the DRP.
20. Which of the following is the BEST indicator of the effectiveness of backup and restore
procedures while restoring data after a disaster?
Justification:
A. The availability of key personnel does not ensure that backup and restore procedures will
work effectively.
B. The effectiveness of backup and restore procedures is best ensured by recovery time
objectives (RTOs) being met because these are the requirements that are critically defined
during the business impact analysis stage, with the inputs and involvement of all business
process owners.
C. The inventory of the backup tapes is only one element of the successful recovery.
D. The restoration of backup tapes is a critical success, but only if they were able to be restored
within the time frames set by the RTO.
21. An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which
approval is the MOST important when determining the availability of system resources required
for the plan?
A. Executive management
B. IT management
C. Board of directors
D. Steering committee
B is the correct answer.
Justification:
B. Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT
services, IT management’s approval would be most important to verify that the system
resources will be available in the event that a disaster event is triggered.
C. The board of directors may review and approve the DRP, but the IT department is
responsible for managing system resources and their availability as related to DR.
D. The steering committee would determine the requirements for disaster recovery (recovery
time objective [RTO] and recovery point objective [RPO]); however, the IT department is
responsible for managing system resources and their availability as related to DR.
22. Which of the following is the MOST efficient way to test the design effectiveness of a change
control process?
Justification:
B. Testing changes that have been authorized may not provide sufficient assurance of the
entire process because it does not test the elements of the process related to authorization
or detect changes that bypassed the controls.
C. Interviewing personnel in charge of the change control process is not as effective as a walk-
through of the change controls process because people may know the process but not
follow it.
D. Observation is the best and most effective method to test changes to ensure that the
process is effectively designed.
23. Which of the following is the GREATEST risk of an organization using reciprocal agreements for
disaster recovery between two business units?
Justification:
A. Inadequate agreements between two business units are a risk, but generally a lesser one than
the risk that both organizations will suffer a disaster at the same time.
B. The use of reciprocal disaster recovery is based on the probability that both organizations
will not suffer a disaster at the same time.
C. While incompatible IT systems could create problems, it is a less significant risk than both
organizations suffering from the same disaster at the same time.
D. While one party may utilize the other’s resources more frequently, this can be addressed by
contractual provisions and is not a major risk.
DOMAIN 5
1. An information security policy stating that “the display of passwords must be masked or
suppressed” addresses which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
Justification:
B. This policy only refers to “the display of passwords,” not dumpster diving (looking through
an organization’s trash for valuable information).
C. If a password is displayed on a monitor, any person or camera nearby could look over the
shoulder of the user to obtain the password.
2. With the help of a security officer, granting access to data is the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.
Justification:
A. Data owners are responsible for the access to and use of data. Written authorization for
users to gain access to computerized information should be provided by the data owners.
Security administration with the owners’ approval sets up access rules stipulating which
users or group of users are authorized to access data or files and the level of authorized
access (e.g., read or update).
B. Programmers will develop the access control software that will regulate the ways that users
can access the data (update, read, delete, etc.), but the programmers do not have
responsibility for determining who gets access to data.
C. Systems analysts work with the owners and programmers to design access controls
according to the rules set by the owners.
D. The librarians enforce the access control procedures they have been given but do not
determine who gets access.
Justification:
A. Power line conditioners are used to compensate for peaks and valleys in the power supply
and reduce peaks in the power flow to what is needed by the machine. Any valleys are
removed by power stored in the equipment.
C. Alternative power supplies are intended for power failures that last for longer periods and
are normally coupled with other devices such as an uninterruptible power supply (UPS) to
compensate for the power loss until the alternate power supply becomes available.
D. An interruptible power supply would cause the equipment to come down whenever there
was a power failure.
4. An IS auditor is reviewing the physical security measures of an organization. Regarding the access
card system, the IS auditor should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet
but show no proof of identity.
B. access cards are not labeled with the organization’s name and address to facilitate
easy return of a lost card.
C. card issuance and rights administration for the cards are done by different
departments, causing unnecessary lead time for new cards.
D. the computer system used for programming the cards can only be replaced after
three weeks in the event of a system failure.
Justification:
A. Physical security is meant to control who is entering a secured area, so identification of all
individuals is of utmost importance. It is not adequate to trust unknown external people
by allowing them to write down their alleged name without proof, e.g., identity card,
driver’s license.
B. Having the name and address of the organization on the card may be a concern because a
malicious finder could use a lost or stolen card to enter the organization’s premises.
C. Separating card issuance from technical rights management is a method to ensure the
proper segregation of duties so that no single person can produce a functioning card for a
restricted area within the organization’s premises. The long lead time is an inconvenience
but not a serious audit risk.
D. System failure of the card programming device would normally not mean that the readers
do not function anymore. It simply means that no new cards can be issued, so this option is
minor compared to the threat of improper identification.
5. The PRIMARY purpose of installing data leak prevention (DLP) software is to control which of the
following choices?
Justification:
A. Access privileges to confidential files stored on the server will be controlled through digital
rights management (DRM) software.
B. Potential attacks to systems on the internal network would normally be controlled through
an intrusion detection system (IDS) and intrusion prevention system (IPS) as well as by
security controls of the systems themselves. Data leak prevention (DLP) systems focus on
data leaving the enterprise.
C. Controlling what external systems can access internal resources is the function of a firewall
rather than a DLP system.
D. A server running a DLP software application uses predefined criteria to check whether any
confidential documents or data are leaving the internal network.
B. solve problems where large and general sets of training data are not obtainable.
D. make assumptions about the shape of any curve relating variables to the output.
Justification:
B. Neural networks will not work well at solving problems for which sufficiently large and
general sets of training data are not obtainable.
C. Neural networks can be used to attack problems that require consideration of numerous
input variables. They are capable of capturing relationships and patterns often missed by
other statistical methods, but they will not discover new trends.
D. Neural networks make no assumption about the shape of any curve relating variables to the
output.
A. establish ownership.
Justification:
A. Data classification is necessary to define access rules based on a need-to-do and
need-to-know basis. The data owner is responsible for defining the access rules; therefore,
establishing ownership is the first step in data classification.
D. Input for a data dictionary is prepared from the results of the data classification process.
8. From a control perspective, the PRIMARY objective of classifying information assets is to:
A. establish guidelines for the level of access controls that should be assigned.
Justification:
B. Not all information needs to be protected through access controls. Overprotecting data
would be expensive.
C. The classification of information is usually based on the risk assessment, not the other way
around.
D. Insuring assets is valid; however, this is not the primary objective of information
classification.
9. When reviewing the procedures for the disposal of computers, which of the following should be
the GREATEST concern for the IS auditor?
A. Hard disks are overwritten several times at the sector level but are not reformatted
before leaving the organization.
B. All files and folders on hard disks are separately deleted, and the hard disks are
formatted before leaving the organization.
D. The transport of hard disks is escorted by internal security staff to a nearby metal
recycling company, where the hard disks are registered and then shredded.
Justification:
A. Overwriting a hard disk at the sector level would completely erase data, directories, indices
and master file tables. Reformatting is not necessary because all contents are destroyed.
Overwriting several times defeats some forensic techniques that can reconstruct the former
contents of newly overwritten sectors by analyzing special magnetic features of the
platter’s surface.
B. Deleting and formatting does not completely erase the data but only marks the sectors
that contained files as being free. There are tools available over the Internet which allow
one to reconstruct most of a hard disk’s contents.
C. While hole-punching does not delete file contents, the hard disk cannot be used anymore,
especially when head parking zones and track zero information are impacted.
Reconstructing data would be extremely expensive because all analysis must be performed
under a clean room atmosphere and is only possible within a short time frame or until the
surface is corroded.
D. Data reconstruction from shredded hard disks is virtually impossible, especially when the
scrap is mixed with other metal parts. If the transport can be secured and the destruction
proved as described in the option, this is a valid method of disposal.
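The difference between options A and B above comes down to what a directory-level delete or quick format actually touches. The following toy disk model is an added illustration, not part of the CISA material: the sector layout, the file table and the confidential record are constructed, and the model only shows the logical layer (a freed sector still holds its bytes), not the magnetic residue the justification mentions for single overwrites.

```python
"""Added example (not from the CISA material): why delete/format leaves data
recoverable while a sector-level overwrite does not. Toy disk, not real
file-system code; all sizes and contents are constructed."""

SECTOR = 16      # bytes per sector (constructed)
N_SECTORS = 8    # tiny disk for illustration


class ToyDisk:
    def __init__(self):
        self.media = bytearray(SECTOR * N_SECTORS)   # the raw platter contents
        self.table = {}   # file name -> list of sector numbers (the 'directory')

    def write_file(self, name: str, data: bytes) -> None:
        """Place the file in the first free sectors and register it in the table."""
        needed = -(-len(data) // SECTOR)              # ceiling division
        used = {s for sectors in self.table.values() for s in sectors}
        free = [s for s in range(N_SECTORS) if s not in used]
        if len(free) < needed:
            raise OSError("disk full")
        chosen = free[:needed]
        for i, s in enumerate(chosen):
            chunk = data[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
            self.media[s * SECTOR:(s + 1) * SECTOR] = chunk
        self.table[name] = chosen

    def delete_file(self, name: str) -> None:
        del self.table[name]          # only the directory entry disappears

    def quick_format(self) -> None:
        self.table.clear()            # sectors are marked free, never wiped

    def overwrite_all(self, passes: int = 3) -> None:
        """Sector-level overwrite with alternating patterns, then clear the table."""
        for p in range(passes):
            pattern = bytes([(0x00, 0xFF, 0xAA)[p % 3]])
            self.media[:] = pattern * len(self.media)
        self.table.clear()


def carve(disk: ToyDisk, marker: bytes):
    """Forensic-style scan of the raw media, ignoring the directory entirely."""
    idx = disk.media.find(marker)
    if idx < 0:
        return None
    return bytes(disk.media[idx:idx + 40]).rstrip(b"\0")


# Constructed confidential record (50 bytes, spans four toy sectors).
CONFIDENTIAL = b"CONFIDENTIAL payroll export: emp 0042 salary 85000"


def compare_disposal_methods() -> dict:
    """Apply option B (delete + format) and option A (sector overwrite) to two
    identical disks and report what a raw scan can still find on each."""
    d1 = ToyDisk()
    d1.write_file("payroll.csv", CONFIDENTIAL)
    d1.delete_file("payroll.csv")
    d1.quick_format()

    d2 = ToyDisk()
    d2.write_file("payroll.csv", CONFIDENTIAL)
    d2.overwrite_all()

    return {
        "delete_and_format": carve(d1, b"CONFIDENTIAL"),
        "sector_overwrite": carve(d2, b"CONFIDENTIAL"),
    }


if __name__ == "__main__":
    for method, found in compare_disposal_methods().items():
        print(f"{method:18s}: {'RECOVERABLE ' + repr(found) if found else 'nothing found'}")
```

The same scan that recovers the record after a delete and quick format finds nothing after the overwrite, which is the point the auditor is making when rating option B as the greater concern.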
Justification:
A. Dumpster diving is used to steal documents or computer media that were not properly
discarded. Users should be educated to know the risk of carelessly discarding sensitive
documents and other items.
B. The shred bins may not be properly used if users are not aware of proper security
techniques.
C. A media disposal policy is a good idea; however, if users are not aware of the policy it may
not be effective.
D. The shredders may not be properly used if users are not aware of proper security
techniques.
11. Which of the following is the BEST way for an IS auditor to determine the effectiveness of a
security awareness and training program?
Justification:
A. A security training program may be well designed, but the results of the program will be
determined by employee awareness.
B. Asking the security administrator would not show the effectiveness of a security awareness
and training program because such a program should target more than just the
administrator.
D. Reviewing the security reminders sent to employees is not the best way to determine the
effectiveness of the awareness training because sending reminders may result in little actual
awareness.
12. Which of the following is the MAIN reason an organization should have an incident response
plan? The plan helps to:
C. ensure that customers are promptly notified of issues such as security breaches.
D. minimize the impact of an adverse event.
Justification:
A. Incident response plans generally deal with a wide range of possible issues, but are not a
replacement for a DRP or business continuity plan (BCP). The primary focus of a DRP, not the
incident response plan, is to restore IT systems to a working state.
B. An effective incident response plan could minimize damage to the organization, which
minimizes costs, but the main purpose of the incident response plan is to minimize damage.
Possible damage could include nonfinancial metrics, such as damage to a company’s
reputation.
C. While an incident response plan includes elements such as when and how to contact
customers about a significant incident, the primary purpose of the plan is to minimize the
impact.
D. An incident response plan helps minimize the impact of an incident because it provides a
controlled response to incidents. The phases of the plan include planning, detection,
evaluation, containment, eradication, escalation, response, recovery, reporting,
postincident review and a review of lessons learned.
Justification:
C. Implementing individual solutions is unlikely and inefficient, but not a serious risk.
Justification:
A. Continuous monitoring is detective in nature and, therefore, does not necessarily assist the
IS auditor in monitoring for preventive controls. The approach will detect and monitor for
errors that have already occurred. In addition, continuous monitoring will benefit the
internal audit function in reducing the use of auditing resources and in the timely reporting
of errors or inconsistencies.
B. System integrity is typically associated with preventive controls such as input controls and
quality assurance reviews. These controls do not typically benefit an internal auditing
function implementing continuous monitoring. Continuous monitoring benefits the internal
audit function because it reduces the use of auditing resources.
C. Continuous audit will detect errors but not correct them. Correcting errors is the function of
the organization's management and not the internal audit function. Continuous auditing
benefits the internal audit function because it reduces the use of auditing resources to
create a more efficient auditing function.
D. Continuous auditing techniques assist the auditing function in reducing the use of auditing
resources through continuous collection of evidence. This approach assists the IS auditors
in identifying fraud in a timely fashion and allows the auditors to focus on relevant data.
15. The internal audit department has written some scripts that are used for continuous auditing of
some information systems. The IT department has asked for copies of the scripts so that they can
use them for setting up a continuous monitoring process on key systems. Would sharing these
scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT
function?
A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit
systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all
programs and software that runs on IS systems regardless of audit independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits may still be
conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS auditors who
wrote the scripts would not be permitted to audit any IS systems where the scripts
are being used for monitoring.
C is the correct answer.
Justification:
A. The ability of IT to continuously monitor and address any issues on IT systems would not
affect the ability of IS audit to perform a comprehensive audit.
B. Sharing the scripts may be required by policy for the sake of quality assurance and
configuration management, but that would not impair the ability to audit.
C. IS audit can still review all aspects of the systems. They may not be able to review the
effectiveness of the scripts themselves, but they can still audit the systems.
D. An audit of an IS system would encompass more than just the controls covered in the
scripts.
A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
Justification:
C. The implementation of stringent controls will not ensure that the controls are working
correctly.
D. Better supervision is a compensating and detective control and may assist in ensuring
control effectiveness, but would work best when used in a formal process such as CSA.
17. When conducting an IT security risk assessment, the IS auditor asked the IT security officer to
participate in a risk identification workshop with users and business unit representatives. What is
the MOST important recommendation that the IS auditor should make to obtain successful
results and avoid future conflicts?
A. Ensure that the IT security risk assessment has a clearly defined scope.
B. Require the IT security officer to approve each risk rating during the workshop.
C. Suggest that the IT security officer accept the business unit risk and rating.
D. Select only commonly accepted risk with the highest submitted rating.
A is the correct answer.
Justification:
A. The IT risk assessment should have a clearly defined scope to be efficient and meet the
objectives of risk identification. The IT risk assessment should include relationships with
risk assessments in other areas, if appropriate.
B. It is most likely that the IT security officer is not in a position to approve risk ratings, and the
results of the workshop may need to be compiled and analyzed following the workshop,
making approval during the workshop improbable.
C. The facilitator of the workshop should encourage input from all parties without causing
embarrassment or intimidation. However, the IT security officer is not expected to accept
risk—that is a senior management function.
D. The purpose of a workshop is to brainstorm and draw out the input of all participants, not
just to address commonly accepted risk.
18. An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The
audit scope includes disaster recovery, so the auditor observes the data center staff response to
the alarm. Which of the following is the MOST important action for the data center staff to
complete in this scenario?
Justification:
A. Life safety is always the first priority, and notifying the fire department of the alarm is not
typically necessary because most data center alarms are configured to automatically report
to the local authorities.
B. Fire suppression systems are designed to operate automatically, and activating the system
when staff are not yet evacuated could create confusion and panic, leading to injuries or
even fatalities. Manual triggering of the system could be necessary under certain conditions,
but only after all other data center personnel are safely evacuated.
C. In an emergency, safety of life is always the first priority; therefore, the complete and
orderly evacuation of the facility staff would be the most important activity.
D. Removal of backup tapes from the data center is not an appropriate action because it could
delay the evacuation of personnel. Most companies would have copies of backup tapes in
offsite storage to mitigate the risk of data loss for this type of disaster.
19. When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor
should PRIMARILY be concerned with the risk of:
Justification:
B. The failure of the application interface is a risk, but not the most serious issue. Usually such a
problem is temporary and easily fixed.
C. Foremost among the risks associated with electronic data interchange (EDI) is improper
transaction authorization. Because the interaction with the parties is electronic, there is
no inherent authentication. Improper authentication would pose a serious risk of financial
loss.
D. The integrity of EDI transactions is important, but not as significant as the risk of
unauthorized transactions.
20. An organization is replacing a payroll program that it developed in-house, with the relevant
subsystem of a commercial enterprise resource planning (ERP) system. Which of the following
would represent the HIGHEST potential risk?
B. Faulty migration of historical data from the old system to the new system
Justification:
A. Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of
data integrity when migrating data from the old system to the new system.
B. The most significant risk after a payroll system conversion is loss of data integrity and not
being able to pay employees in a timely and accurate manner or have records of past
payments. As a result, maintaining data integrity and accuracy during migration is
paramount.
C. A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem
of an existing commercially available (and therefore probably well-tested) system.
D. Setting up the new system, including access permissions and payroll data, always presents
some level of risk; however, the greatest risk is related to the migration of data from the old
system to the new system.
21. An IS auditor reviewing a series of completed projects finds that the implemented functionality
often exceeded requirements and most of the projects ran significantly over budget. Which of
these areas of the organization’s project management process is the MOST likely cause of this
issue?
Justification:
A. Because the implemented functionality is greater than what was required, the most likely
cause of the budget issue is failure to effectively manage project scope. Project scope
management is defined as the processes required to ensure that the project includes all of
the required work, and only the required work, to complete the project.
B. Project time management is defined as the processes required to ensure timely completion
of the project. The issue noted in the question does not mention whether projects were
completed on time, so this is not the most likely cause.
C. Project risk management is defined as the processes concerned with identifying, analyzing
and responding to project risk. Although the budget overruns mentioned above represent
one form of project risk, they appear to be caused by implementing too much functionality,
which relates more directly to project scope.
D. Project procurement management is defined as the processes required to acquire goods and
services from outside the performing organization. Although purchasing goods and services
that are too expensive can cause budget overruns, in this case the key to the question is that
implemented functionality is greater than what was required, which is more likely related to
project scope.
22. Which of the following techniques would BEST help an IS auditor gain reasonable assurance that
a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time
to complete, taken from status reports
B. Confirmation of the target date based on interviews with experienced managers and staff
involved in the completion of the project deliverables
C. Extrapolation of the overall end date based on completed work packages and current
resources
D. Calculation of the expected end date based on current resources and remaining available
project budget
C is the correct answer.
Justification:
A. The IS auditor cannot count on the accuracy of data in status reports for reasonable
assurance.
B. Interviews are a valuable source of information, but will not necessarily identify any project
challenges because the people being interviewed are involved in the project.
C. Direct observation of results is better than estimations and qualitative information gained
from interviews or status reports. Project managers and involved staff tend to
underestimate the time needed for completion and the necessary time buffers for
dependencies between tasks, while overestimating the completion percentage for tasks
underway (i.e., 80:20 rule).
D. The calculation based on remaining budget does not take into account the speed at which
the project has been progressing.
23. An IS auditor has been asked to participate in project initiation meetings for a critical project. The
IS auditor’s MAIN concern should be that the:
A. complexity and risk associated with the project have been analyzed.
D. contract for external parties involved in the project has been completed.
Justification:
A. Understanding complexity and risk, and actively managing these throughout a project are
critical to a successful outcome.
A. define, agree on, record and manage the required levels of service.
B. ensure that services are managed to deliver the highest achievable level of
availability.
Justification:
B. SLM does not necessarily ensure that services are delivered at the highest achievable level of
availability (e.g., redundancy and clustering). Although maximizing availability might be
necessary for some critical services, it cannot be applied as a general rule of thumb.
C. SLM cannot ensure that costs for all services will be kept at a low or minimum level because
costs associated with a service will directly reflect the customer’s requirements.
25. The BEST audit procedure to determine if unauthorized changes have been made to production
code is to:
A. examine the change control system records and trace them forward to object code
files.
C. examine object code to find instances of changes and trace them back to change
control records.
D. review change approved designations established within the change control system.
Justification:
A. Checking the change control system will not detect changes that were not recorded in the
control system.
B. Reviewing access control permissions will not identify unauthorized changes made
previously.
C. The procedure of examining object code files to establish instances of code changes and
tracing these back to change control system records is a substantive test that directly
addresses the risk of unauthorized code changes.
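Options A and C describe the two directions an auditor can trace. The script below is an added illustration, not part of the CISA material or of any real change control product: the object file names, contents and the change ticket are constructed. It hashes what is actually deployed and tries to explain every difference from the last approved release with a change record (option C), and shows why starting from the change records (option A) cannot see an unrecorded change.

```python
"""Added example (not from the CISA material): substantive test for
unauthorized production code changes.  File names, contents, hashes and the
change ticket below are constructed for illustration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """One approved entry from the change control system (constructed)."""
    ticket: str
    path: str
    approved_hash: str   # hash of the object file the change was meant to produce


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def trace_back(baseline: dict, production: dict, records: list) -> dict:
    """Option C: examine object code, trace each change back to a record.

    baseline   - path -> hash of the last approved release
    production - path -> bytes actually deployed now
    Returns three buckets: changed files explained by an approved record,
    changed or new files with no record, and baseline files that vanished.
    """
    approved = {(r.path, r.approved_hash) for r in records}
    report = {"authorized": [], "unauthorized": [], "missing": []}
    for path, content in production.items():
        digest = sha256(content)
        if baseline.get(path) == digest:
            continue                      # unchanged since the approved release
        bucket = "authorized" if (path, digest) in approved else "unauthorized"
        report[bucket].append(path)
    for path in baseline:
        if path not in production:
            report["missing"].append(path)
    return report


def trace_forward(production: dict, records: list) -> list:
    """Option A: start from change records and trace forward to object code.

    Reports tickets whose expected output is not what is deployed, but it can
    never surface a change that was never recorded in the first place.
    """
    problems = []
    for r in records:
        deployed = production.get(r.path)
        if deployed is None or sha256(deployed) != r.approved_hash:
            problems.append(r.ticket)
    return problems


# --- constructed sample data -------------------------------------------
PAYROLL_V2 = b"payroll-calc v2 (approved build)"
BASELINE = {
    "bin/payroll.o": sha256(b"payroll-calc v1"),
    "bin/report.o": sha256(b"report-gen v1"),
    "bin/ledger.o": sha256(b"ledger v1"),
}
PRODUCTION = {
    "bin/payroll.o": PAYROLL_V2,                   # upgrade covered by a ticket
    "bin/report.o": b"report-gen v1 + extra code",  # no change ticket exists
    "bin/ledger.o": b"ledger v1",                  # untouched
}
RECORDS = [ChangeRecord("CHG-1042", "bin/payroll.o", sha256(PAYROLL_V2))]


def demo():
    """Run both procedures over the constructed data."""
    return trace_back(BASELINE, PRODUCTION, RECORDS), trace_forward(PRODUCTION, RECORDS)


if __name__ == "__main__":
    back, forward = demo()
    print("trace back (option C):", back)
    print("trace forward (option A):", forward)
```

On this data the forward trace reports nothing, because the only ticket matches what is deployed, while the backward trace flags `bin/report.o` as changed without any record. The baseline hashes would in practice come from the previous release's signed manifest rather than from literals.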
26. Which of the following is the BEST method for determining the criticality of each application
system in the production environment?
Justification:
A. Interviews with the application programmers will provide limited information related to the
criticality of the systems.
B. A gap analysis is relevant to system development and project management but does not
determine application criticality.
C. The audits may not contain the required information about application criticality or may not
have been done recently.
D. A business impact analysis (BIA) will give the impact of the loss of each application. A BIA
is conducted with representatives of the business that can accurately describe the
criticality of a system and its importance to the business.
27. Which of the following issues should be the GREATEST concern to the IS auditor when reviewing
an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested.
The other systems were tested separately during the rest of the year.
B. During the test, some of the backup systems were defective or not working, causing
the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting
the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are
not used because every step is well known by all participants.
Justification:
A. This is not a concern because over the course of the year, all the systems were tested.
B. The purpose of the test is to test the backup plan. When the backup systems are not
working then the plan cannot be counted on in a real disaster. This is the most serious
problem.
C. In a real disaster, there is no need for a clean shutdown of the original production
environment because the first priority is to bring the backup site up.
D. A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if
the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should
not rely on key staff because a disaster can occur when they are not available. However, a
test that succeeds without the plan documents is a less serious finding than the failure of
the systems and infrastructure that the recovery plan counts on. Good practice would rotate
different people through the test and ensure that the plan itself is followed and tested.
28. Which of the following groups is the BEST source of information for determining the criticality of
application systems as part of a business impact analysis (BIA)?
B. IT management
D. Industry experts
Justification:
A. Business process owners have the most relevant information to contribute because the
business impact analysis (BIA) is designed to evaluate criticality and recovery time lines,
based on business needs.
B. While IT management must be involved, they may not be fully aware of the business
processes that need to be protected.
C. While senior management must be involved, they may not be fully aware of the criticality of
applications that need to be protected.
D. The BIA is dependent on the unique business needs of the organization and the advice of
industry experts is of limited value.
29. While designing the business continuity plan (BCP) for an airline reservation system, the MOST
appropriate method of data transfer/backup at an offsite location would be:
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.
Justification:
A. In shadow file processing, exact duplicates of the files are maintained at the same site or
at a remote site. The two files are processed concurrently. This is used for critical data files
such as airline booking systems.
B. Electronic vaulting electronically transmits data either to direct access storage, an optical
disc or another storage medium; this is a method used by banks. It is usually not as close to
real time as shadow file processing.
C. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions
and operations occur on two hard disks in the same server.
D. A hot site is an alternate site ready to take over business operations within a few hours of
any business interruption and is not a method for backing up data.
30. The information security policy that states “each individual must have his/her badge read at
every controlled door” addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Justification:
B. Shoulder surfing (looking over the shoulder of a person to view sensitive information on a
screen or desk) would not be prevented by the implementation of this policy.
C. Dumpster diving, looking through an organization’s trash for valuable information, could be
done outside the company’s physical perimeter; therefore, this policy would not address this
attack method.
31. An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment
questionnaires are sent using URL shortening services. The use of URL shortening services would
MOST likely increase the risk of which of the following attacks?
B. Phishing
D. Denial-of-service (DoS)
Justification:
A. The URL is based on Hypertext Transfer Protocol (HTTP); IP spoofing is used to change
the source IP address in a transmission control protocol/Internet protocol (TCP/IP) packet,
not in the HTTP protocol.
B. URL shortening services have been adopted by hackers to fool users and spread malware,
i.e., phishing.
C. Although URL shortening services can be used to perform structured query language (SQL)
injections, their primary risk is being used for phishing.
D. Denial-of-service (DoS) attacks are not affected by URL shortening services.
32. A company is planning to install a network-based intrusion detection system (IDS) to protect the
web site that it hosts. Where should the device be installed?
Justification:
A. While an intrusion detection system (IDS) can be installed on the local network to ensure
that systems are not subject to internal attacks, a company’s public web server would not
normally be installed on the local network, but rather in the demilitarized zone (DMZ).
B. It is not unusual to place a network IDS outside of the firewall just to watch the traffic that is
reaching the firewall, but this would not be used to specifically protect the web application.
C. Network-based IDSs detect attack attempts by monitoring network traffic. A public web
server is typically placed on the protected network segment known as the demilitarized
zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity
originating from the Internet as well as the internal network, thus allowing the
administrator to take action.
D. A host-based IDS would be installed on the web server, but a network-based IDS would not.
33. What would be the MOST effective control for enforcing accountability among database users
accessing sensitive information?
Justification:
A. Accountability means knowing what is being done by whom. The best way to enforce the
principle is to implement a log management process that would create and store logs with
pertinent information such as user name, type of transaction and hour.
C. Using table views would restrict users from seeing data that they should not be able to see,
but would not record what users did with data they were allowed to see.
D. Separating database and application servers may help in better administration or even in
implementing access controls, but does not address the accountability issues.
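Option A says accountability rests on logs that record user name, type of transaction and time. The class below is an added example, not part of the CISA material or any database product: it keeps such records for database accesses, refuses shared accounts (which would break the link between an action and a person), and chains each entry to the previous one so that later edits or deletions of the log are detectable. The users, tables and timestamps are constructed.

```python
"""Added example (not from the CISA material): a tamper-evident access log
for database accountability.  Users, tables and timestamps are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64                      # chain anchor for the first entry
SHARED_ACCOUNTS = {"app", "shared", "dba", "sa"}   # constructed deny-list


def _digest(prev_hash: str, record: dict) -> str:
    """Hash of the previous entry's hash plus this entry's canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AccessLog:
    def __init__(self):
        self.entries = []

    def record(self, user: str, action: str, table: str, rows: int,
               when: datetime = None) -> str:
        """Append one access event and return its chain hash."""
        if not user or user.lower() in SHARED_ACCOUNTS:
            raise ValueError(f"shared or empty account {user!r} defeats accountability")
        when = when or datetime.now(timezone.utc)
        rec = {"user": user, "action": action, "table": table,
               "rows": rows, "ts": when.isoformat()}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec["hash"] = _digest(prev, rec)
        self.entries.append(rec)
        return rec["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for rec in self.entries:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if _digest(prev, body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def who_touched(self, table: str, action: str = None) -> list:
        """Answer the accountability question: who did what to this table?"""
        return sorted({e["user"] for e in self.entries
                       if e["table"] == table
                       and (action is None or e["action"] == action)})


def build_sample_log() -> AccessLog:
    """Constructed sample events."""
    log = AccessLog()
    t0 = datetime(2024, 3, 1, 9, 15, tzinfo=timezone.utc)
    log.record("jsmith", "SELECT", "salary", 42, t0)
    log.record("akhan", "UPDATE", "salary", 1, t0.replace(hour=10))
    log.record("jsmith", "SELECT", "employee", 300, t0.replace(hour=11))
    return log


def rejects_shared_account(log: AccessLog) -> bool:
    """True if the log refuses an entry under a shared account."""
    try:
        log.record("shared", "SELECT", "salary", 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("who updated salary:", log.who_touched("salary", "UPDATE"))
    log.entries[1]["rows"] = 5000          # simulate an after-the-fact edit
    print("chain intact after edit:", log.verify())
```

In practice the entries would be shipped to a separate log management system so that the database administrators being held accountable cannot also administer the log; the hash chain lets an auditor check on arrival that nothing was dropped or altered in transit.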
C. Strong authentication
D. User education
Justification:
A. Intrusion detection systems (IDSs) will capture network or host traffic for analysis and may
detect malicious activity but are not effective against phishing attacks.
B. Assessing web site security does not mitigate the risk. Phishing is based on social
engineering and often distributed through email. Web site security is only a small part of the
problem.
C. Phishing attacks can be mounted in various ways, often through email; strong two-factor
authentication cannot mitigate most types of phishing attacks.
D. The best way to mitigate the risk of phishing is to educate users to take caution with
suspicious Internet communications and not to trust them until verified. Users require
adequate training to recognize suspicious web pages and email.
Justification:
A. Elliptic curve cryptography (ECC) requires limited bandwidth resources and is suitable for
encrypting mobile devices.
B. Data encryption standard (DES) uses less processing power when compared with advanced
encryption standard (AES), but ECC is more suitable for encrypting data on mobile devices.
C. AES is a symmetric algorithm and has the problem of key management and distribution. ECC
is an asymmetric algorithm and is better suited for a mobile environment.
D. The use of the Blowfish algorithm consumes too much processing power.
36. When protecting an organization’s IT systems, which of the following is normally the next line of
defense after the network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
Justification:
A. Personal firewalls would be later in the defensive strategy, being located on the endpoints.
B. Antivirus programs would be installed on endpoints as well as on the network, but the next
layer of defense after a firewall is an intrusion detection system (IDS)/intrusion prevention
system (IPS).
C. An IDS would be the next line of defense after the firewall. It would detect anomalies in
the network/server activity and try to detect the perpetrator.
D. Virtual local area network (VLAN) configurations are not intended to compensate for a
compromise of the firewall. They are an architectural best practice.
37. Which of the following would MOST effectively enhance the security of a challenge-response
based authentication system?
Justification:
A. Selecting a more robust algorithm will enhance the security; however, this may not be as
important in terms of risk mitigation when compared to man-in-the-middle attacks.
C. Frequently changing passwords is a good security practice; however, the exposures lurking
in communication pathways may pose a greater risk.
D. Increasing the length of authentication strings will not prevent man-in-the-middle or session
hijacking attacks.
38. An IS auditor is reviewing a software-based firewall configuration. Which of the following
represents the GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule in the rule base.
C. has been configured with rules permitting or denying access to systems or networks.
Justification:
C. A firewall configuration should have rules allowing or denying access according to policy.
D. A firewall is often set up as the endpoint for a virtual private network (VPN).