The IS auditor is reviewing an organization's human resources (HR) database implementation.
The IS auditor discovers that the database servers are clustered for high availability, all default database
accounts have been removed and database audit logs are kept and reviewed on a weekly basis.
What other area should the IS auditor check to ensure that the databases are appropriately
secured?
A. Database digital signatures
B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters
An IS auditor finds that the data warehouse query performance decreases significantly at certain
times of the day. Which of the following controls would be MOST relevant for the IS auditor to
review?
A. Permanent table-space allocation
B. Commitment and rollback controls
C. User spool and database limit controls
D. Read/write access log controls
A characteristic of a data warehouse is:
A. object orientation.
B. subject orientation.
C. departmental specific.
D. volatile databases.
Following a recent reorganization of the company's
legacy database, it was discovered that certain records
were accidentally deleted. Which of the following
controls would have MOST effectively detected this
occurrence?
A. Range check
B. Table look-ups
C. Run-to-run totals
D. One-for-one checking
An effective way of protecting applications against Structured Query Language (SQL) injection
vulnerability is to:
A. validate and sanitize client side inputs.
B. harden the database listener component.
C. normalize the database schema to the third normal form.
D. ensure that the security patches are updated on operating systems.
A database management system (DBMS) is:
A. Collection of interrelated data
B. Collection of programs to access data
C. Collection of data describing one particular enterprise
D. All of the above
Which of the following is the LEAST effective transaction redundancy implementation?
A. On-site mirroring
B. Electronic vaulting
C. Remote journaling
D. Database shadowing
A business application system accesses a corporate database using a single ID and password
embedded in a program. Which of the following would provide efficient access control over the
organization's data?
A. Introduce a secondary authentication method such as card swipe.
B. Apply role-based permissions within the application system.
C. Have users input the ID and password for each database transaction.
D. Set an expiration period for the database password embedded in the program.
Which of the following should an IS auditor review to gain an understanding of the effectiveness of
controls over the management of multiple projects?
A. Project database
B. Policy documents
C. Project portfolio database
D. Program organization
Which of the following should concern an IS auditor when reviewing security in a client-server
environment?
A. Protecting data using an encryption technique
B. Disabling floppy drives on the users' machines
C. Preventing unauthorized access using a diskless workstation
D. The ability of users to access and modify the database directly
An IS auditor reviewing the application change management process for a large multinational
company should be MOST concerned when:
A. test systems run different configurations than do production systems.
B. change management records are paper based.
C. the configuration management database is not maintained.
D. the test environment is installed on the production server.
A financial services enterprise has a small IT department, and individuals perform more than one
role. Which of the following practices represents the GREATEST risk?
A. The developers promote code into the production environment.
B. The business analyst writes the requirements and performs functional testing.
C. The IT manager also performs systems administration.
D. The database administrator (DBA) also performs data backups.
A database administrator (DBA) who needs to make emergency changes to a database after normal
working hours should log in:
A. with their named account to make the changes.
B. with the shared DBA account to make the changes.
C. to the server administrative account to make the changes.
D. to the user's account to make the changes.
In a relational database with referential integrity, the use of which of the following keys would prevent
deletion of a row from a customer table as long as the customer number of that row is stored with
live orders on the orders table?
a. Foreign key
b. Primary key
c. Secondary key
d. Public key
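To show the referential-integrity behaviour the question describes, here is an added Python example (not from the original question bank) using SQLite with a constructed customers/orders schema. The table names, columns and rows are assumptions for the demonstration. Note the `PRAGMA foreign_keys = ON`: SQLite ships with foreign-key enforcement off, so an auditor checking a SQLite-backed system should confirm the setting, not just the schema.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows; not taken from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when this is on
    conn.execute("CREATE TABLE customers (customer_no INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE orders ("
        " order_no INTEGER PRIMARY KEY,"
        " customer_no INTEGER NOT NULL REFERENCES customers(customer_no),"
        " status TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (100, 1, "open"))
    return conn


def try_delete_customer(conn, customer_no):
    """Attempt the parent-row delete; the foreign key decides whether it is allowed."""
    try:
        conn.execute("DELETE FROM customers WHERE customer_no = ?", (customer_no,))
        return "deleted"
    except sqlite3.IntegrityError as exc:
        return "blocked: " + str(exc)


def demo():
    conn = make_db()
    result = {
        # Customer 1 still has a live order referencing it: the delete is refused.
        "customer_with_live_order": try_delete_customer(conn, 1),
        # Customer 2 has no dependent rows: the delete goes through.
        "customer_without_orders": try_delete_customer(conn, 2),
    }
    # Once the dependent order row is gone, the parent row may be deleted.
    conn.execute("DELETE FROM orders WHERE customer_no = ?", (1,))
    result["customer_after_orders_removed"] = try_delete_customer(conn, 1)
    return result
```

The default referential action (NO ACTION) refuses the delete; an `ON DELETE CASCADE` clause would instead silently remove the orders, which is usually the wrong choice for financial records.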
Which one of the following combinations of roles should be
of GREATEST concern for the IS auditor?
A. Network administrators are responsible for quality assurance.
B. System administrators are application programmers.
C. End users are security administrators for critical applications.
D. Systems analysts are database administrators.
An IS auditor discovers that programmers have update
access to the live environment. In this situation the IS
auditor is LEAST likely to be concerned that
programmers can:
A. authorize transactions.
B. add transactions directly to the database.
C. make modifications to programs directly.
D. access data from live environment and provide faster
maintenance.
An IS auditor reviewing operating system access
discovers that the system is not properly secured. In this
situation the IS auditor is LEAST likely to be concerned
that the user might:
A. create new users.
B. delete database and log files.
C. access the system utility tools.
D. access the system writeable directories.
Which of the following access control functions is
LEAST likely to be performed by a database
management system (DBMS) software package?
A. User access to field data
B. User sign-on at the network level
C. User authentication at the program level
D. User authentication at the transaction level
A database administrator is responsible for:
A. defining data ownership.
B. establishing operational standards for the data dictionary.
C. creating the logical and physical database.
D. establishing ground rules for ensuring data integrity and security.
Which of the following data validation edits is effective
in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
Which of the following is a compensating control to a
programmer having access to accounts payable
production data?
A. Processing controls such as range checks and logic
edits
B. Reviewing accounts payable output reports by data
entry
C. Reviewing system-produced reports for checks
(cheques) over a stated amount
D. Having the accounts payable supervisor match all
checks (cheques) to approved invoices
Which of the following controls helps prevent duplication of vouchers during data entry?
A. A range check
B. Transposition and substitution
C. A sequence check
D. A cyclic redundancy check (CRC)
You have been asked to recommend a control that can detect the following: An order is normally
for no more than 20 items, yet this order is for 2,000. Which control works best to detect this?
A. Validity check
B. Range check
C. Reasonableness check
D. Limit check
The most effective defense against a buffer overflow attack is
A. Disallow dynamic construction of queries
B. Bounds checking
C. Encode the output
D. Forced garbage collection
Which two of the following techniques are most likely to detect a data entry error for a
transaction?
I. Hash total
II. Check digit
III. Keystroke verification
IV. Reasonableness test
a. I and II
b. II and III
c. II and IV
d. III and IV
An application package for workmen's wages had an option for entering additional hours worked.
The additional time option merely accepted the number of additional hours for a worker without any
validation or range checks, and did not log such entries. When the IS auditor pointed out the risks of
such an option, the user claimed that this option was necessary during some emergencies when
workmen worked far beyond normal hours. The BEST recommendation that the auditor can make in
this case is:
a. remove such an option as it may allow unauthorized manipulation of hours worked for wage
calculation and is a grave risk for the company.
b. have the system calculate additional hours worked from the basic transaction record of start and
end time of work reported
c. restrict access to this option through authorizing only two passwords held by two officers of the
company
d. revise company procedures to no longer allow workers to work beyond normal hours
You have been asked to design a control. The organization would like to limit what check numbers
are used. Specifically, they would like to be able to flag a check numbered 318 if the day's first
check had the number 120 and the day's last check was number 144. What type of validation check
does the department require?
A. Limit check
B. Range check
C. Validity check
D. Sequence check
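The edit checks named in the questions above on duplicate vouchers, the 2,000-item order and the out-of-sequence check number differ only in what they compare a field against. As an added worked example (not from the original question bank), the Python below implements each check as a small function and runs them over constructed inputs: the 2,000-item order against a typical quantity of 20, and a day's batch of check numbers that contains a duplicate, a gap and the stray 318. The typical quantity, limit and check numbers are assumed for the demonstration.

```python
def limit_check(value, limit):
    """Limit check: the value may not exceed a single upper bound."""
    return value <= limit


def range_check(value, low, high):
    """Range check: the value must lie within a predetermined interval."""
    return low <= value <= high


def reasonableness_check(value, typical, factor=3):
    """Reasonableness check: flag values far outside what is normal for the field."""
    return value <= typical * factor


def existence_check(value):
    """Existence/completeness check: the field holds data, not zeros or blanks."""
    return value not in (None, "", 0) and str(value).strip() != ""


def sequence_check(numbers, first, last):
    """Sequence check over a batch of pre-numbered documents.
    Returns numbers outside the issued series, numbers seen twice, and numbers missing."""
    seen = set()
    out_of_series, duplicates = [], []
    for n in numbers:
        if not range_check(n, first, last):
            out_of_series.append(n)
        elif n in seen:
            duplicates.append(n)
        else:
            seen.add(n)
    missing = [n for n in range(first, last + 1) if n not in seen]
    return {"out_of_series": out_of_series, "duplicates": duplicates, "missing": missing}


def demo():
    # Constructed day's batch: 120 to 144 issued, 121 keyed twice, 122 never keyed, 318 stray.
    cheques = [120, 121, 121, 123, 318] + list(range(124, 145))
    return {
        "order_of_2000_reasonable": reasonableness_check(2000, typical=20),
        "order_of_2000_within_limit": limit_check(2000, limit=100),
        "blank_field_present": existence_check("   "),
        "cheques": sequence_check(cheques, first=120, last=144),
    }
```

The sequence check is the one that reports all three conditions at once (stray number, duplicate, gap); a range check alone would catch 318 but would pass the duplicated 121.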
An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For
what purpose would the auditor be interested in using a check digit?
A. To detect data transposition errors
B. To ensure that transactions do not exceed predetermined amounts
C. To ensure that data entered are within reasonable limits
D. To ensure that data entered are within a predetermined range of values
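For the two check-digit questions above (the data validation edit that detects transposition and transcription errors, and the auditor's use of a check digit on an accounts payable register), here is an added Python example (not from the original question bank) of a weighted modulus-11 check digit, the scheme used by ISBN-10. Because adjacent positions carry weights that differ by exactly 1 and no weight is a multiple of 11, it detects every single-digit transcription error and every adjacent transposition; the `detection_rate` function enumerates all of them for a sample body and confirms this. The body `030640615` is an ISBN-10 body used as sample input.

```python
def mod11_check_digit(body):
    """Weighted modulus-11 check digit (the ISBN-10 scheme), leftmost digit weighted highest.
    Weights run from len(body)+1 down to 2, so the body must be at most 9 digits: a longer
    body would use weight 11, which is invisible modulo 11 and would hide errors."""
    assert body.isdigit() and 1 <= len(body) <= 9
    n = len(body)
    total = sum((n + 1 - i) * int(d) for i, d in enumerate(body))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def validates(number):
    """Recompute the check digit from the body and compare with the one supplied."""
    body, check = number[:-1], number[-1]
    return mod11_check_digit(body) == check


def detection_rate(body):
    """Try every single-digit substitution and every adjacent transposition of body,
    keeping the original check digit; return (errors caught, errors tried)."""
    check = mod11_check_digit(body)
    tried = caught = 0
    for i, d in enumerate(body):                      # transcription errors
        for r in "0123456789":
            if r != d:
                tried += 1
                caught += not validates(body[:i] + r + body[i + 1:] + check)
    for i in range(len(body) - 1):                    # transposition errors
        if body[i] != body[i + 1]:
            tried += 1
            swapped = body[:i] + body[i + 1] + body[i] + body[i + 2:]
            caught += not validates(swapped + check)
    return caught, tried


def demo():
    body = "030640615"                     # sample body; check digit works out to 2
    return {
        "check_digit": mod11_check_digit(body),
        "correct_number_valid": validates(body + "2"),
        "transposed_64_to_46_valid": validates("030460615" + "2"),
        "miskeyed_5_as_6_valid": validates("030640616" + "2"),
        "caught_over_tried": detection_rate(body),
    }
```

A plain sum of digits modulo 10 would miss every transposition, since swapping two digits leaves the sum unchanged; that is why the weighting matters.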
Which one of the following input controls or edit checks would catch certain types of errors within the
payment amount field of a transaction?
A. Record count.
B. Check digit.
C. Echo check.
D. Limit check.
A control that detects transmission errors by appending
calculated bits onto the end of each segment of data is
known as a:
A. reasonableness check.
B. parity check.
C. redundancy check.
D. check digits.
Which of the following data entry controls provides the
GREATEST assurance that data entered does not contain
errors?
A. Key verification
B. Segregation of the data entry function from data entry
verification
C. Maintaining a log/record detailing the time, date,
employee's initials/user-id and progress of various
data preparation and verification tasks
D. Check digits
Which of the following data validation techniques involves the LEAST number of bits to be added to
a transmission?
A) Cyclic Redundancy Check
B) Check digit
C) One-for-one checking
D) Parity Check
Which of the following types of data validation editing checks is used to determine if a field contains
data, and not zeros or blanks?
A. Check digit
B. Existence check
C. Completeness check
D. Reasonableness check
Which of the following would be a compensating control to mitigate risks resulting from an
inadequate segregation of duties?
A. Sequence check
B. Check digit
C. Source documentation retention
D. Batch control reconciliations
Which of the following is a check (control) for completeness?
A. Check digits
B. Parity bits
C. One for one checking
D. Prerecorded input
An example of an individual point of verification in a computerized application is
A. An inference check.
B. A boundary protection.
C. A sensitive transaction.
D. A check digit.
A hardware control that helps to detect errors when data are communicated from one computer to
another is known as a:
A. duplicate check.
B. table lookup.
C. validity check.
D. parity check.
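The three questions above on appended check bits, on the technique that adds the fewest bits, and on the hardware parity check are all about the same trade-off: how much redundancy is appended to a segment versus which errors it can catch. As an added example (not from the original question bank), the Python below implements even parity (one bit per byte) and CRC-16/CCITT-FALSE (sixteen bits per segment), then injects errors into a constructed sample segment. The sample bytes `123456789` are the conventional CRC check string, for which this CRC variant is published as 0x29B1; the bit positions flipped are chosen for the demonstration.

```python
def even_parity_bit(byte):
    """Parity bit that makes the total number of 1 bits in byte+parity even."""
    return bin(byte).count("1") & 1


def parity_encode(data):
    """One parity bit per byte: 8 data bits carry 1 redundant bit."""
    return [(b, even_parity_bit(b)) for b in data]


def parity_ok(frames):
    return all((bin(b).count("1") + p) % 2 == 0 for b, p in frames)


def crc16_ccitt(data, poly=0x1021, init=0xFFFF):
    """CRC-16/CCITT-FALSE: polynomial division of the message by poly, MSB first."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def crc_encode(data):
    """Append the 16 calculated bits to the end of the segment."""
    return data + crc16_ccitt(data).to_bytes(2, "big")


def crc_ok(frame):
    return crc16_ccitt(frame[:-2]) == int.from_bytes(frame[-2:], "big")


def flip_bits(data, positions):
    out = bytearray(data)
    for byte_index, bit_index in positions:
        out[byte_index] ^= 1 << bit_index
    return bytes(out)


def demo():
    msg = b"123456789"          # constructed sample segment (the standard CRC check string)
    frames = parity_encode(msg)
    crc_frame = crc_encode(msg)

    def corrupt(positions):
        # Bits flip "on the wire": the data changes, the appended check bits do not.
        bad = flip_bits(msg, positions)
        bad_frames = [(b, p) for b, (_, p) in zip(bad, frames)]
        bad_crc_frame = bad + crc_frame[-2:]
        return {"parity_detects": not parity_ok(bad_frames),
                "crc_detects": not crc_ok(bad_crc_frame)}

    return {
        "crc16": crc16_ccitt(msg),               # published check value 0x29B1
        "parity_bits_added": len(frames),        # one per byte
        "crc_bits_added": 16,                    # one 16-bit remainder per segment
        "single_bit_error": corrupt([(0, 0)]),
        "double_bit_error_same_byte": corrupt([(0, 0), (0, 1)]),
    }
```

Parity is the cheapest in added bits but any even number of flipped bits within one byte cancels out; the CRC detects every error burst up to 16 bits long, at the cost of 16 appended bits per segment.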
The input/output control function is responsible for:
A. pulling and returning all tape files.
B. entering and key verifying data.
C. logging batches and reconciling hash totals.
D. executing both production and test jobs.
When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor
should PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
There are two main forms of batch controls:
a. sequence control and control total
b. sequence control and parallel control
c. sequence total and control total
d. sequence control and parallel total
Verification that the total number of documents in the batch equals the total number of documents
processed is a:
a. Total monetary amount
b. Total items
c. Total documents
d. Hash totals
Data input validation routines include
A. Terminal logs.
B. Passwords.
C. Hash totals.
D. Backup controls.
Answer: C
Which of the following can be used to verify output results and control totals by matching them
against the input data and control totals?
A. Batch header forms
B. Batch balancing
C. Data conversion error corrections
D. Access controls over print spools
Answer: B
Which of the following is the MOST effective when determining the correctness of individual account
balances migrated from one database to another?
A. Compare the hash total before and after the migration.
B. Verify that the number of records is the same for both databases.
C. Perform sample testing of the migrated account balances.
D. Compare the control totals of all of the transactions.
Answer: C
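The batch-control questions above (the two forms of batch control, document counts, batch balancing, and the migrated account balances), together with the earlier run-to-run totals question about records lost during a database reorganization, all turn on what a control total can and cannot prove. As an added Python example (not from the original question bank), the block below computes a record count, a monetary total and a hash total over a constructed batch of account records, then balances two "after" runs against it: one with a record silently dropped, one where every total still agrees but two balances have landed on the wrong accounts. Account numbers and balances are assumed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    account_no: int
    balance_cents: int


# Constructed sample batch; not from the original page.
SOURCE = [
    Record(1001, 50_000),
    Record(1002, 125_000),
    Record(1003, 0),
    Record(1004, 73_125),
]


def batch_totals(records):
    """Three control totals over one batch or run of records."""
    return {
        "record_count": len(records),
        "amount_total": sum(r.balance_cents for r in records),
        # A hash total sums a field with no financial meaning (here the account
        # number) purely so that a dropped or altered record changes the sum.
        "hash_total": sum(r.account_no for r in records),
    }


def balance_batch(input_records, output_records):
    """Batch balancing: compare output control totals against the input totals."""
    before, after = batch_totals(input_records), batch_totals(output_records)
    return {name: before[name] == after[name] for name in before}


def one_for_one(input_records, output_records):
    """Return account numbers whose balance differs between source and target."""
    src = {r.account_no: r.balance_cents for r in input_records}
    dst = {r.account_no: r.balance_cents for r in output_records}
    return sorted(k for k in src if dst.get(k) != src[k])


def demo():
    # Run-to-run: a zero-balance record was lost between the previous run and this one.
    deleted = [r for r in SOURCE if r.account_no != 1003]
    # Migration: every total matches, but two balances sit on the wrong accounts.
    swapped = [Record(1001, 125_000), Record(1002, 50_000),
               Record(1003, 0), Record(1004, 73_125)]
    return {
        "deleted_record": balance_batch(SOURCE, deleted),
        "swapped_balances": balance_batch(SOURCE, swapped),
        "swapped_mismatches": one_for_one(SOURCE, swapped),
    }
```

The dropped record has a zero balance, so the monetary total alone would not notice it; the record count and the hash total do. Conversely the swapped balances leave all three totals intact, which is why control totals establish completeness of a migration but not the correctness of individual balances, and a record-level test (sampling or one-for-one comparison) is still needed.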
IS general controls, as opposed to IS application controls, would not normally include:
A. Batch or hash totals.
B. The plan of organisation and operation of the IS activity.
C. Controls over access to equipment and data files.
D. Hardware controls.