Test 2 PDF

Uploaded by Jeeju

Attempt 1

All knowledge areas

All questions
Question 1: Incorrect
An IS auditor wants to determine the effectiveness of managing user access to a
server room.
Which of the following is the BEST evidence of effectiveness?

Interview with security personnel

Interview with management

Review of the procedure manual

(Incorrect)

Observation of a logged event

(Correct)

Explanation

Observation of a logged event is correct. Observation of the process to reset an
employee’s security access to the server room and the subsequent logging of this
event provide the best evidence of the adequacy of the physical security control.

A review of the procedure manual is incorrect. Although reviewing the procedure manual
can be helpful in gaining an overall understanding of a process, it is not evidence of the
effectiveness of the execution of a control.

The interview with management is incorrect. Although interviewing management can be
helpful in gaining an overall understanding of a process, it is not evidence of the
effectiveness of the execution of a control.

Interview with security personnel is incorrect. Although interviewing security personnel can
be helpful in gaining an overall understanding of a process, it is not evidence of the
effectiveness of the execution of a control.

Question 2: Skipped
When developing a security architecture, which of the following steps should be
executed FIRST?

Developing security procedures

Specifying an access control methodology

Defining a security policy

(Correct)

Defining roles and responsibilities

Explanation

Defining a security policy is correct. Defining a security policy for information and related
technology is the first step toward building a security architecture. A security policy
communicates a coherent security standard to users, management and technical staff.
Security policies often set the stage in terms of the tools and procedures that are needed
for an organization.

Developing security procedures is incorrect. Policy is used to provide direction for
procedures, standards and baselines. Therefore, developing security procedures should be
executed only after defining a security policy.

Specifying an access control methodology is incorrect. This is an implementation concern
and should be executed only after defining a security policy.

Defining roles and responsibilities is incorrect. This should be executed only after defining
a security policy.
Question 3: Skipped
Many IT projects experience problems because the development time and/or resource
requirements are underestimated. Which of the following techniques provides the
GREATEST assistance in developing an estimate of project duration?


Program evaluation review technique chart

(Correct)

Object-oriented system development

Rapid application development

Function point analysis

Explanation

A program evaluation review technique chart is correct. This will help determine
project duration once all the activities and the work involved with those activities are
known.

Function point analysis is incorrect. This is a technique for determining the size of a
development task based on the number of function points. Function points are factors such
as inputs, outputs, inquiries and logical internal files. While this will help determine the size
of individual activities, it will not assist in determining project duration because there are
many overlapping tasks.

Rapid application development is incorrect. This is a methodology that enables
organizations to develop strategically important systems faster while reducing development
costs and maintaining quality.

Object-oriented system development is incorrect. This is the process of solution
specification and modeling but will not assist in calculating project duration.

Question 4: Skipped
Suppose the development of an application has been outsourced to an offshore
vendor.

Which of the following should be of GREATEST concern to an IS auditor?

The contract does not cover change management procedures.

The right to audit clause was not included in the contract.

The business case was not established.

(Correct)

There was no source code escrow agreement.

Explanation
The business case was not established is correct. Because the business case was not
established, it is likely that the business rationale, risk and risk mitigation strategies
for outsourcing the application development were not fully evaluated and the
appropriate information was not provided to senior management for formal approval.
This situation presents the biggest risk to the organization.

The right to audit clause was not included in the contract is incorrect. The lack of the right
to audit clause presents a risk to the organization; however, the risk is not as consequential
as the lack of a business case.

There was no source code escrow agreement is incorrect. If the source code is held by the
provider and not provided to the organization, the lack of source code escrow presents a
risk to the organization; however, the risk is not as consequential as the lack of a business
case.

The contract does not cover change management procedures is incorrect. The lack of
change management procedures presents a risk to the organization, especially with the
possibility of extraordinary charges for any required changes; however, the risk is not as
consequential as the lack of a business case.

Question 5: Skipped
The PRIMARY purpose of the IS audit charter is to -

detail the resource requirements needed for the audit function.

outline the responsibility and authority of the IS audit function.

(Correct)

illustrate the reporting responsibilities of the IS audit function.

establish the organizational structure of the audit department.

Explanation

Outline the responsibility and authority of the IS audit function is correct. The primary
purpose of the IS audit charter is to set forth the purpose, responsibility, authority,
and accountability of the IS audit function. The charter document grants authority to
the audit function on behalf of the board of directors and organization stakeholders.

Establish the organizational structure of the audit department is incorrect. The IS audit
charter does not set forth the organizational structure of the IS audit department. The
charter serves as a directive to create the IS audit function.

Illustrate the reporting responsibilities of the IS audit function is incorrect. The IS audit
charter does not dictate the reporting requirements of the IS audit department. The charter
sets forth the purpose, responsibility, authority, and accountability of the information
systems audit function.
Detail the resource requirements needed for the audit function is incorrect. Resources are
determined by the audit and not the charter.

Question 6: Skipped
Which of the following assures an enterprise of the existence and effectiveness of
internal controls relative to the service provided by a third party?

The current service level agreement

The current business continuity plan procedures

A recent disaster recovery plan test report

A recent independent third-party external audit report

(Correct)

Explanation
A recent independent third-party external audit report is correct. An independent
third-party audit report, such as a Statement on Standards for Attestation Engagements
(SSAE) 16 report, would provide assurance of the existence and effectiveness of internal
controls at the third party.
The current service level agreement is incorrect. A service level agreement defines the
contracted level of service; however, it would not provide assurance related to internal
controls.

The current business continuity plan procedures is incorrect. While a business continuity
plan is essential, it would not provide assurance related to internal controls.
A recent disaster recovery plan test report is incorrect. While a disaster recovery plan is
essential, it would not provide assurance related to internal controls.

Question 7: Skipped
An IS auditor performing an audit of the risk assessment process should FIRST confirm
that -

assets have been identified and ranked.

(Correct)

reasonable threats to the information assets are identified.

the effects of potential security breaches have been evaluated.

technical and organizational vulnerabilities have been analyzed.

Explanation

Assets have been identified and ranked is correct. Identification and ranking of
information assets (e.g., data criticality, sensitivity, locations of assets) will set the
tone or scope of how to assess risk in relation to the organizational value of the asset.
Reasonable threats to the information assets are identified is incorrect. The threats facing
each of the organization’s assets should be analyzed according to their value to the
organization. This occurs after identifying and ranking assets.

Technical and organizational vulnerabilities have been analyzed is incorrect. Analyzing how
these weaknesses, in the absence of mitigating controls, will impact the organization’s
information assets occurs after the assets and weaknesses have been identified.
The effects of potential security breaches have been evaluated is incorrect. The effect of
security breaches is dependent on the value of the assets and the threats, vulnerabilities,
and effectiveness of mitigating controls. The impact of an attack against a weakness should
be identified so that controls can be evaluated to determine if they effectively mitigate the
weaknesses.

Question 8: Skipped
An IS auditor has found that employees are emailing sensitive company information
to public web-based email domains.

Which of the following is the BEST remediation option for the IS auditor to
recommend?

Encrypted mail accounts

Data loss prevention

(Correct)

Activity monitoring

Training and awareness

Explanation

Data loss prevention is correct. This is an automated preventive tool that can block
sensitive information from leaving the network, while at the same time logging the
offenders. This is a better choice than relying on training and awareness because it
works equally well when there is intent to steal data.
Encrypted email accounts is incorrect. These will secure the information being sent but will
not prevent an employee from sending the information to an unauthorized person.
Training and awareness is incorrect. These may influence employee behavior but are not
effective as preventative controls when dealing with intentional exfiltration.
Activity monitoring is incorrect. This is a detective control and will not prevent data from
leaving the network.

Question 9: Skipped
During an exit interview, in cases where there is disagreement regarding the impact of
a finding, an IS auditor should -

accept the auditee's position because they are the process owners.

ask the auditee to sign a release form accepting full legal responsibility.

report the disagreement to the audit committee for resolution.

elaborate on the significance of the finding and the risk of not correcting it.

(Correct)

Explanation

Elaborate on the significance of the finding and the risk of not correcting it is correct.
If the auditee disagrees with the impact of a finding, it is important for an IS auditor
to elaborate and clarify the risk and exposures because the auditee may not fully
appreciate the magnitude of the exposure. The goal should be to enlighten the
auditee or uncover new information of which an IS auditor may not have been aware.
Anything that appears to threaten the auditee lessens effective communications
and sets up an adversarial relationship, but an IS auditor should not automatically
agree just because the auditee expresses an alternate point of view.

Ask the auditee to sign a release form accepting full legal responsibility is incorrect.
Management is always responsible and liable for risk. The role of the IS auditor is to inform
management of the findings and associated risk discovered in an audit.
Report the disagreement to the audit committee for resolution is incorrect. The audit report
contains the finding from the IS auditor and the response from management. It is the
responsibility of management to accept the risk or mitigate it appropriately. The role of the
auditor is to inform management clearly and thoroughly so that the best decision can be
made.
Accept the auditee’s position because they are the process owners is incorrect. The IS
auditor must be professional, competent and independent. They must not just accept an
explanation or argument from management unless the process used to generate the finding
was flawed.

Question 10: Skipped


Which of the following BEST helps to prioritize project activities and determine the
time line for a project?

Earned value analysis

A Gantt chart

Function point analysis

Program evaluation review technique

(Correct)

Explanation
Program evaluation review technique (PERT) is correct. The PERT method works on
the principle of obtaining project timelines based on project events for three likely
scenarios—worst, best and normal. The timeline is calculated by a predefined formula
and identifies the critical path, which identifies the key activities that must be
prioritized.

A Gantt chart is incorrect. This is a simple project management tool and would help with the
prioritization requirement, but it is not as effective as PERT.
Earned value analysis is incorrect. This is a technique to track project cost versus project
deliverables but does not assist in prioritizing tasks.
Function point analysis is incorrect. This measures the complexity of input and output and
does not help to prioritize project activities.
Question 11: Skipped
Which of the following is MOST critical for the successful implementation and
maintenance of a security policy?

Stringent implementation, monitoring and enforcing of rules by the security officer through
access control software

Assimilation of the framework and intent of a written security policy by all appropriate
parties

(Correct)

Enforcement of security rules by providing punitive actions for any violation of security rules

Management support and approval for the implementation and maintenance of a security
policy

Explanation

Assimilation of the framework and intent of a written security policy by all appropriate
parties is correct. This is critical to the successful implementation and maintenance of the
security policy. If a policy is not assimilated into daily actions, it will not be effective.

Management support and approval for the implementation and maintenance of a security
policy is incorrect. Management support and commitment is, no doubt, important, but for
successful implementation and maintenance of a security policy, educating the users on the
importance of security is paramount.

Enforcement of security rules by providing punitive actions for any violation of security
rules is incorrect. Punitive actions are needed to enforce the policy but are not the key to
successful implementation.

Stringent implementation, monitoring and enforcing of rules by the security officer through
access control software is incorrect. The stringent implementation, monitoring and enforcing
of rules by the security officer through access control software, and provision for punitive
actions for violation of security rules is important, but it is dependent on the support and
education of management and users on the importance of security.
Question 12: Skipped
By evaluating application development projects against the capability maturity model
(CMM), an IS auditor should be able to verify that -

reliable products are guaranteed.

security requirements are designed.

programmers' efficiency is improved.

predictable software processes are followed.

(Correct)

Explanation

Predictable software processes are followed is correct. By evaluating the
organization’s development projects against the capability maturity model, an IS
auditor determines whether the development organization follows a stable,
predictable software development process.

Reliable products are guaranteed is incorrect. Although the likelihood of success should
increase as the software processes mature toward the optimizing level, mature processes do
not guarantee a reliable product.
Programmers’ efficiency is improved is incorrect. The capability maturity model does not
evaluate technical processes such as programming efficiency.

Security requirements are designed is incorrect. The capability maturity model does not
evaluate security requirements or other application controls.

Question 13: Skipped


Organizations that require employees to take a mandatory vacation each year
PRIMARILY want to ensure that -

adequate cross-training exists between functions.

an effective internal control environment is in place by increasing morale.

potential irregularities in processing are identified by a temporary replacement.

(Correct)

the risk of processing errors is reduced.

Explanation

Potential irregularities in processing are identified by a temporary replacement is
correct. Employees who perform critical and sensitive functions within an organization
should be required to take some time off to help ensure that irregularities and fraud
are detected.

Adequate cross-training exists between functions is incorrect. Cross-training is a good
practice to follow but can be achieved without the requirement for mandatory vacation.

An effective internal control environment is in place by increasing morale is incorrect. Good
employee morale and high levels of employee satisfaction are worthwhile objectives, but
they should not be considered a means to achieve an effective internal control system.

The risk of processing errors is reduced is incorrect. Although rotating employees could
contribute to fewer processing errors, this is not typically a reason to require a mandatory
vacation policy.

Question 14: Skipped


The information security policy that states “each individual must have his/her badge
read at every controlled door” addresses which of the following attack methods?

Impersonation

Dumpster diving

Shoulder surfing

Piggybacking

(Correct)

Explanation

Piggybacking is correct. This refers to unauthorized persons following authorized
persons, either physically or virtually, into restricted areas. This policy addresses the
polite behavior problem of holding doors open for a stranger. If every employee must
have their badge read at every controlled door, no unauthorized person could enter
the sensitive area.

Shoulder surfing is incorrect. This, which is looking over the shoulder of a person to view
sensitive information on a screen or desk, would not be prevented by the implementation of
this policy.

Dumpster diving is incorrect. This is looking through an organization’s trash for valuable
information and could be done outside the company’s physical perimeter; therefore, this
policy would not address this attack method.

Impersonation is incorrect. This refers to a social engineer acting as an employee, trying to
retrieve the desired information. Some forms of social engineering attacks could join an
impersonation attack and piggybacking, but this information security policy does not
address the impersonation attack.

Question 15: Skipped


A perpetrator looking to gain access to and gather information about encrypted data
being transmitted over a network would MOST likely use -

masquerading.

eavesdropping.

traffic analysis.

(Correct)

spoofing.

Explanation
Traffic analysis is correct. In traffic analysis, which is a passive attack, an intruder
determines the nature of the traffic flow between defined hosts and through an
analysis of session length, frequency and message length, the intruder is able to guess
the type of communication taking place. This typically is used when messages are
encrypted, and eavesdropping would not yield any meaningful results.

Eavesdropping is incorrect. In eavesdropping, which is a passive attack, the intruder gathers
the information flowing through the network with the intent of acquiring message contents
for personal analysis or for third parties. Encrypted traffic is generally protected against
eavesdropping.

Spoofing is incorrect. This is an active attack. In spoofing, a user receives an email that
appears to have originated from one source when it actually was sent from another source.

Masquerading is incorrect. In masquerading, the intruder presents an identity other than the
original identity. This is an active attack.

Question 16: Skipped


Which of the following is the PRIMARY purpose of a risk-based audit?

Material areas are addressed first.

(Correct)

High-impact areas are addressed first.

Audit resources are allocated efficiently.

Management concerns are prioritized.

Explanation

Material areas are addressed first is correct. Material risk is audited according to the
risk ranking, thus enabling the audit team to concentrate on high-risk areas first.

High-impact areas are addressed first is incorrect. High-impact does not necessarily indicate
high risk. Risk also takes into consideration probability.

Audit resources are allocated efficiently is incorrect. Although a risk-based audit approach
does address the allocation of resources, that is not the primary function of a risk-based
audit approach.

Management concerns are prioritized is incorrect. Management concerns may not be
aligned with high-risk areas.
Question 17: Skipped
During an IS audit of a bank, the IS auditor is assessing whether the enterprise
properly manages staff member access to the operating system.

The IS auditor should determine whether the enterprise performs -

periodic review of user activity logs.

(Correct)

periodic review of changing data files.

review of data communication access activity logs.

verification of user authorization at the field level.

Explanation
Periodic review of user activity logs is correct. General operating system access
control functions include logging user activities, events, etc. Reviewing these logs may
identify users performing activities that should not have been permitted.

Verification of user authorization at the field level is incorrect. This is a database- and/or an
application-level access control function and not applicable to an operating system.

Review of data communication access activity logs is incorrect. This is a network control
feature.

Periodic review of changing data files is incorrect. This is related to a change control
process.
Question 18: Skipped
What is the GREATEST advantage of using web services for the exchange of
information between two systems?

improved performance.

enhanced documentation.

secure communication.

efficient interfacing.

(Correct)

Explanation

Efficient interfacing is correct. Web services facilitate the interoperable exchange of
information between two systems regardless of the operating system or programming
language used.
Secure communication is incorrect. Communication is not necessarily more secure using
web services.

Improved performance is incorrect. The use of web services will not necessarily increase
performance.
Enhanced documentation is incorrect. There is no documentation benefit in using web
services.
Question 19: Skipped
In auditing a database environment, an IS auditor will be MOST concerned if the
database administrator is performing which of the following functions?

Performing database changes according to change management procedures

Performing backup and recovery procedures

Installing patches or upgrades to the operating system

(Correct)

Sizing table space and consulting on table join limitations

Explanation
Installing patches or upgrades to the operating system is correct. This is a function
that should be performed by a systems administrator, not by a database administrator
(DBA). If a DBA were performing this function, there would be a risk based on
inappropriate segregation of duties.

Performing database changes according to change management procedures is incorrect.
This would be a normal function of the DBA and would be compliant with the procedures of
the organization.

Sizing table space and consulting on table join limitations is incorrect. A DBA is expected to
support the business through helping design, create and maintain databases and the
interfaces to the databases.

Performing backup and recovery procedures is incorrect. The DBA often performs or
supports database backup and recovery procedures.

Question 20: Skipped


During a post-implementation review of an enterprise resource management system,
an IS auditor would MOST likely -

evaluate system testing.

review access control configuration.

(Correct)

review detailed design documentation.

evaluate interface testing.

Explanation

Review access control configuration is correct. Reviewing access control configuration
would be the first task performed to determine whether security has been
appropriately mapped in the system.
Evaluate interface testing is incorrect. Because a post-implementation review is done after
user acceptance testing and actual implementation, one would not engage in interface
testing or detailed design documentation. Evaluating interface testing would be part of the
implementation process.

Review detailed design documentation is incorrect. The issue of reviewing detailed design
documentation is not generally relevant to an enterprise resource management system
because these are usually vendor packages with user manuals. System testing should be
performed before the final user signoff. Further, because the system has been implemented,
the IS auditor would only check the detailed design if there appeared to be a gap between
design and functionality.

Evaluate system testing is incorrect. System testing should be performed before the final
user signoff. The IS auditor should not need to review the system tests post-
implementation.

Question 21: Skipped


What would be the NEXT step in the business continuity planning process after
completing the business impact analysis?

Implement the plan.

Develop a specific plan.

Test and maintain the plan.

Develop recovery strategies.

(Correct)

Explanation

Develop recovery strategies is correct. Once the business impact analysis (BIA) is
completed, the next phase in the business continuity plan (BCP) development is to
identify the various recovery strategies and select the most appropriate strategy for
recovering from a disaster that will meet the timelines and priorities defined through
the BIA.

Test and maintain the plan is incorrect. After selecting a strategy, a specific BCP can be
developed, tested and implemented.

Develop a specific plan is incorrect. After selecting a strategy, a specific BCP can be
developed, tested and implemented.
Implement the plan is incorrect. After selecting a strategy, a specific BCP can be developed,
tested and implemented.

Question 22: Skipped


During a logical access controls review, an IS auditor observes that user accounts are
shared. The GREATEST risk resulting from this situation is that -

user accountability may not be established.

(Correct)

passwords are easily guessed.

an unauthorized user may use the ID to gain access.

user access management is time consuming.

Explanation

User accountability may not be established is correct. The use of a user ID by more
than one individual precludes knowing who, in fact, used that ID to access a system;
therefore, it is impossible to hold anyone accountable.

An unauthorized user may use the ID to gain access is incorrect. Unauthorized use of a
shared ID is more likely than unauthorized use of an individual ID, but the misuse of
another person’s ID is always a risk.

User access management is time consuming is incorrect. Using shared IDs would not pose
an increased risk due to work effort required for managing access.

Passwords are easily guessed is incorrect. Shared user IDs do not necessarily have easily
guessed passwords.

Question 23: Skipped


Which of the following is MOST important to ensure that effective application
controls are maintained?

Control self-assessment

(Correct)

Peer reviews

Manager involvement

Exception reporting

Explanation

Control self-assessment (CSA) is correct. CSA is the review of business objectives and
internal controls in a formal and documented collaborative process. It includes testing
the design of automated application controls.

Exception reporting is incorrect. This only looks at errors or problems but will not ensure
controls are still working.

Manager involvement is incorrect. This is important but may not be a consistent or well-
defined process compared to CSA.

Peer reviews is incorrect. These lack the direct involvement of audit specialists and
management.

Question 24: Skipped


Which of the following choices BEST helps information owners to properly classify
data?

Understanding of technical controls that protect data

Training on organizational policies and standards

(Correct)

Use of an automated data leak prevention tool

Understanding which people need to access the data

Explanation

Training on organizational policies and standards is correct. While implementing data
classification, it is most essential that organizational policies and standards, including
the data classification schema, are understood by the owner or custodian of the data
so they can be properly classified.

Understanding of technical controls that protect data is incorrect. While this is important,
these controls might not be applied properly if the data classification schema is not well
understood.
Use of an automated data leak prevention tool is incorrect. While an automated data leak
prevention (DLP) tool may enhance productivity, the users of the application would still
need to understand what classification schema was in place.

Understanding which people need to access the data is incorrect. In terms of protecting the
data, the data requirements of end users are critical, but if the data owner does not
understand what data classification schema is in place, it would be likely that inappropriate
access to sensitive data might be granted by the data owner.

Question 25: Skipped


An IS auditor wants to analyze audit trails on critical servers to discover potential
anomalies in user or system behavior.

Which of the following is the MOST suitable for performing that task?

Computer-aided software engineering tools

Trend/variance detection tools

(Correct)

Heuristic scanning tools

Embedded data collection tools

Explanation

Trend/variance detection tools are correct. They look for anomalies in user or system
behavior, such as invoices with increasing invoice numbers.

Computer-aided software engineering tools is incorrect. These are used to assist in software
development.

Embedded data collection tools is incorrect. Embedded (audit) data collection software,
such as systems control audit review file or systems audit review file, is used to provide
sampling and production statistics, but not to conduct an audit log analysis.

Heuristic scanning tools is incorrect. These are a type of virus scanning used to indicate
possible infected traffic.
Question 26: Skipped
An enterprise's risk appetite is BEST established by -

the steering committee.

(Correct)

security management.

the chief legal officer.

the audit committee.

Explanation

The steering committee is correct. This group is best suited to determine the
enterprise’s risk appetite because the committee draws its representation from senior
management.
The chief legal officer is incorrect. Although chief legal officers can give guidance regarding
legal issues on the policy, they cannot determine the risk appetite.
Security management is incorrect. The security management team is concerned with
managing the security posture but not with determining the posture.

The audit committee is incorrect. This group is not responsible for setting the risk tolerance
or appetite of the enterprise.

Question 27: Skipped


When selecting audit procedures, an IS auditor should use professional judgment to
ensure that-

significant deficiencies will be corrected within a reasonable period.


all material weaknesses will be identified.

sufficient evidence will be collected.

(Correct)

audit costs will be kept at a minimum level.

Explanation
Sufficient evidence will be collected is correct. Procedures are processes that an IS
auditor may follow in an audit engagement. In determining the appropriateness of
any specific procedure, an IS auditor should use professional judgment that is
appropriate to the specific circumstances. Professional judgment involves subjective
and often qualitative evaluation of conditions arising during an audit. The judgment
addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS
auditor’s past experience plays a key role in making a judgment. The IS auditor should
use judgment in assessing the sufficiency of the evidence to be collected. ISACA’s
guidelines provide information on how to meet the standards when performing IS
audit work.

Significant deficiencies will be corrected within a reasonable period is incorrect. The
correction of deficiencies is the responsibility of management and is not a part of the audit
procedure selection process.

All material weaknesses will be identified is incorrect. Identifying material weaknesses is the
result of appropriate competence, experience and thoroughness in planning and executing
the audit, and not of professional judgment. Professional judgment is not a primary input to
the financial aspects of the audit. Audit procedures and the use of professional judgment
cannot ensure that all deficiencies/weaknesses will be identified and corrected.
Audit costs will be kept at a minimum level is incorrect. Professional judgment ensures that
audit resources and costs are used wisely, but this is not the primary objective of the auditor
when selecting audit procedures.

Question 28: Skipped


At the completion of a system development project, a post-project review should
include which of the following?


Assessing risk that may lead to downtime after the production release

Identifying lessons learned that may be applicable to future projects

(Correct)

Verifying that the controls in the delivered system are working

Ensuring that test data are deleted

Explanation

Identifying lessons learned that may be applicable to future projects is correct. A
project team has something to learn from each and every project. As risk assessment
is a key issue for project management, it is important for the organization to
accumulate lessons learned and integrate them into future projects.

Assessing risk that may lead to downtime after the production release is incorrect. An
assessment of potential downtime should be made with the operations group and other
specialists before implementing a system.

Verifying that the controls in the delivered system are working is incorrect. Verifying that
controls are working should be covered during the acceptance test phase and possibly,
again in the post-implementation review. The post-project review will focus on project-
related issues.

Ensuring that test data are deleted is incorrect. Test data should be retained for future
regression testing.

Question 29: Skipped


An IS auditor of a health care organization is reviewing contractual terms and
conditions of a third-party cloud provider being considered to host patient health
information.

Which of the follow contractual terms would be the GREATEST risk to the customer
organization?

Data ownership is retained by the customer organization.


The third-party provider reserves the right to access data to perform certain operations.

(Correct)

The customer organization is responsible for backup, archive and restore.

Bulk data withdrawal mechanisms are undefined.

Explanation

The third-party provider reserves the right to access data to perform certain
operations is correct. Some service providers reserve the right to access customer
information (third-party access) to perform certain transactions and provide certain
services. In the case of protected health information, regulations may restrict certain
access. Organizations must review the regulatory environment in which the cloud
provider operates because it may have requirements or restrictions of its own.
Organizations must then determine whether the cloud provider provides appropriate
controls to ensure that data are appropriately secure.

Data ownership is retained by the customer organization is incorrect. The customer
organization would want to retain data ownership and, therefore, this would not be a risk.

Bulk data withdrawal mechanisms are undefined is incorrect. An organization may
eventually wish to discontinue its service with a third-party cloud-based provider. The
organization would then want to remove its data from the system and ensure that the
service provider clears the system (including any backups) of its data. Some providers do
not offer automated or bulk data withdrawal mechanisms, which the organization needs to
migrate its data. These aspects should be clarified prior to using a third-party provider.

The customer organization is responsible for backup, archive and restore is incorrect. An
organization may need to plan its own data recovery processes and procedures if the
service provider does not make this available or the organization has doubts about the
service provider’s processes. This would only be a risk if the customer organization was
unable to perform these activities itself.

Question 30: Skipped


To support an organization's goals, an IT department should have -


long- and short-term plans.

(Correct)

plans to acquire new hardware and software.

leading-edge technology.

a low-cost philosophy.

Explanation

Long- and short-term plans is correct. To ensure its contribution to the realization of an
organization’s overall goals, the IT department should have long- and short-range plans
that are consistent with the organization’s broader and strategic plans for attaining its goals.

A low-cost philosophy is incorrect. This is one objective, but more important is the cost-
benefit and the relation of IT investment cost to business strategy.

Leading-edge technology is incorrect. This is an objective, but IT plans would be needed to
ensure that those plans are aligned with organizational goals.

Plans to acquire new hardware and software is incorrect. This could be a part of the overall
plan but would be required only if hardware or software is needed to achieve the
organizational goals.
Question 31: Skipped
With the help of a security officer, granting access to data is the responsibility of -

librarians

data owners

(Correct)

system analysts

programmers

Explanation

Data owners is correct. These individuals are responsible for the access to and use of
data. Written authorization for users to gain access to computerized information
should be provided by the data owners. Security administration with the owners’
approval sets up access rules stipulating which users or group of users are authorized
to access data or files and the level of authorized access (e.g., read or update).
Programmers is incorrect. These individuals will develop the access control software that will
regulate the ways that users can access the data (update, read, delete, etc.), but the
programmers do not have responsibility for determining who gets access to data.

Systems analysts is incorrect. These individuals work with the owners and programmers to
design access controls according to the rules set by the owners.

Librarians is incorrect. These individuals enforce the access control procedures they have
been given but do not determine who gets access.

Question 32: Skipped


Which of the following audit techniques is the MOST appropriate for addressing the
emerging risk of a retail business with a large volume of transactions?

Continuous auditing

(Correct)

Use of computer-assisted audit techniques

Quarterly risk assessments

Sampling of transaction logs

Explanation
Continuous auditing is correct. The implementation of continuous auditing enables a
real-time feed of information to management through automated reporting processes
so that management may implement corrective actions more quickly.

The use of computer-assisted audit techniques is incorrect. Using software tools such as
computer-assisted audit techniques to analyze transaction data can provide a detailed
analysis of trends and potential risk, but it is not as effective as continuous auditing, because
there may be a time differential between executing the software and analyzing the results.

Quarterly risk assessment is incorrect. This may be a good technique, but it is not as
responsive as continuous auditing.

The sampling of transaction logs is incorrect. This is a valid audit technique; however, the
risk may exist that is not captured in the transaction log, and there may be a potential time
lag in the analysis.

Question 33: Skipped


An IS auditor should use statistical sampling rather than judgmental (nonstatistical)
sampling when -

the probability of error must be objectively quantified.

(Correct)

the tolerable error rate cannot be determined.

generalized audit software is unavailable.

the auditor wants to avoid sampling risk.

Explanation

The probability of error must be objectively quantified is correct. Given an expected
error rate and confidence level, statistical sampling is an objective method of
sampling, which helps an IS auditor determine the sample size and quantify the
probability of error (confidence coefficient).
The auditor wants to avoid sampling risk is incorrect. Sampling risk is the risk of a sample
not being representative of the population. This risk exists for judgment and statistical
samples.

Generalized audit software is unavailable is incorrect. Statistical sampling can use
generalized audit software, but it is not required.

The tolerable error rate cannot be determined is incorrect. The tolerable error rate must be
predetermined for both judgment and statistical sampling.
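An added worked example (written for this page, not part of the original question bank) of what "objectively quantified" means in practice: given a confidence level, a tolerable deviation rate and the number of deviations the auditor expects to find, the block computes the attribute sample size from the binomial distribution, and after the sample has been tested it computes the upper deviation limit the auditor can report. The function names and the search step are assumptions; the method is the standard attribute-sampling calculation, which for zero expected deviations reduces to n = ln(1 - CL) / ln(1 - p).

```python
import math


def binomial_cdf(k, n, p):
    """P[X <= k] for X ~ Binomial(n, p): probability of seeing at most k
    deviations in n sampled items when the true deviation rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_deviations=0, max_n=100_000):
    """Smallest sample size n such that, if the population deviation rate were as
    high as the tolerable rate, observing expected_deviations or fewer deviations
    would happen with probability at most (1 - confidence). That residual
    probability is the quantified risk of wrongly accepting the control."""
    risk = 1 - confidence
    for n in range(expected_deviations + 1, max_n + 1):
        if binomial_cdf(expected_deviations, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size found within max_n")


def upper_deviation_limit(confidence, n, observed_deviations, step=0.0001):
    """Computed upper limit after testing: the smallest population rate p at which
    observing observed_deviations or fewer in n items is no more likely than
    (1 - confidence). If this exceeds the tolerable rate, the control is not
    supported by the sample. step is an assumed search resolution."""
    risk = 1 - confidence
    p = step
    while p < 1:
        if binomial_cdf(observed_deviations, n, p) <= risk:
            return round(p, 4)
        p += step
    return 1.0


if __name__ == "__main__":
    # 95% confidence, 5% tolerable deviation rate, no deviations expected.
    n = attribute_sample_size(0.95, 0.05, 0)
    print(f"sample size: {n}")
    print(f"upper limit with 0 deviations found: {upper_deviation_limit(0.95, n, 0):.2%}")
    print(f"upper limit with 2 deviations found: {upper_deviation_limit(0.95, n, 2):.2%}")
```

With no deviations expected the sample size comes out at 59 and, if none are found, the upper limit sits just under the 5% tolerable rate; finding two deviations in those 59 items pushes the upper limit well above 5%, which is the objective basis for rejecting the control rather than a judgment call. This is also the reason judgmental sampling cannot quantify the error: without a defined population model there is no probability to compute.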

Question 34: Skipped


In which of the following situations is it MOST appropriate to implement data
mirroring as the recovery strategy?

Disaster tolerance is high.

The recovery point objective is low.

(Correct)

The recovery time objective is high.

The recovery point objective is high.

Explanation

The recovery point objective (RPO) is low is correct. The RPO indicates the latest point
in time at which it is possible to recover the data. This determines how often the data
must be backed up to minimize data loss. If the RPO is low, then the organization
does not want to lose much data and must use a process such as data mirroring to
prevent data loss.

Disaster tolerance is high is incorrect. Data mirroring is a data recovery technique, and
disaster tolerance addresses the allowable time for an outage of the business.

The recovery time objective (RTO) is high is incorrect. RTO is an indicator of the disaster
tolerance. Data mirroring addresses data loss, not the RTO.
The recovery point objective is high is incorrect. If the RPO is high, then a less expensive
backup strategy can be used; data mirroring should not be implemented as the data
recovery strategy.

Question 35: Skipped


An organization can ensure that the recipients of emails from its employees can
authenticate the identity of the sender by -

password protecting all email messages.

encrypting all email messages.

digitally signing all email messages.

(Correct)

compressing all email messages.

Explanation

Digitally signing all email messages is correct. By digitally signing all email messages,
the receiver will be able to validate the authenticity of the sender.

Encrypting all email messages is incorrect. This would ensure that only the intended
recipient will be able to open the message; however, it would not ensure the authenticity of
the sender.

Compressing all email messages is incorrect. This would reduce the size of the message but
would not ensure authenticity.

Password protecting all email messages is incorrect. This would ensure that only those who
have the password would be able to open the message; however, it would not ensure
authenticity of the sender.

Question 36: Skipped


In an online banking application, which of the following would BEST protect against
identity theft?

Restricting the user to a specific terminal

Encryption of personal password

Two-factor authentication

(Correct)

Periodic review of access logs

Explanation

Two-factor authentication is correct. This requires two independent methods for
establishing identity and privileges. Factors include something you know, such as a
password; something you have, such as a token; and something you are, which is a
biometric. Requiring two of these factors makes identity theft more difficult.

Encryption of personal password is incorrect. A password alone is only single-factor
authentication and could be guessed or broken.

Restricting the user to a specific terminal is incorrect. This is not a practical alternative for an
online application because the users may need to log in from multiple devices.

Periodic review of access logs is incorrect. This is a detective control and does not protect
against identity theft.
Question 37: Skipped
An enterprise selected a vendor to develop and implement a new software system. To
ensure that the enterprise’s investment in software is protected, which of the
following security clauses is MOST important to include in the master services
agreement?

Service level requirements


Software escrow

(Correct)

Limitation of liability

Version control

Explanation
Software escrow is correct. These clauses in a contract ensure that the software source
code will still be available to the organization in the event of a vendor issue, such as
insolvency and copyright issues.
The limitation of liability is incorrect. A limitation of liability clause protects the financial
exposure of the organization but not its software investment.

Service level requirements is incorrect. These specify financial penalties for not meeting
standards, but these do not address issues of vendor insolvency.

Version control is incorrect. This is related to the software development life cycle and not
the software investment.

Question 38: Skipped


What is the PRIMARY advantage of a continuous audit approach? It-

simplifies the extraction and correlation of data from multiple and complex systems.

allows the IS auditor to review and follow up on audit issues in a timely manner.

(Correct)

does not require an IS auditor to collect evidence on system reliability while processing is
taking place.


places the responsibility for enforcement and monitoring of controls on the security
department instead of audit.

Explanation

Allows the IS auditor to review and follow up on audit issues in a timely manner is
correct. The continuous audit allows audit and response to audit issues in a timely
manner because audit findings are gathered in near real-time.

It does not require an IS auditor to collect evidence on system reliability while processing is
taking place is incorrect. The continuous audit approach often requires an IS auditor to
collect evidence on system reliability while processing is taking place.
Places the responsibility for enforcement and monitoring of controls on the security
department instead of audit is incorrect. Responsibility for enforcement and monitoring of
controls is primarily the responsibility of management.

Simplifies the extraction and correlation of data from multiple and complex systems is
incorrect. The use of continuous audit is not based on the complexity or number of systems
being monitored.

Question 39: Skipped


Consider a financial organization where wire transfer is one of the primary business
functions. As an IS auditor, which technique would you use to test the existence of dual
control?

Re-performance

Observation

(Correct)

Interviewing personnel

Analysis of transaction logs

Explanation
Observation is correct. Dual control requires that two people carry out an operation.
The observation technique helps to ascertain whether two individuals do get involved
in execution of the operation and an element of oversight exists. It is obvious if one
individual is masquerading and filling in the role of the second person.

Analysis of transaction logs is incorrect. This would help to show that dual control is in place
but does not necessarily guarantee that this process is being followed consistently.
Therefore, observation is the better test technique.

Re-performance is incorrect. Although re-performance could provide assurance that dual
control was in effect, re-performing wire transfers at a bank would not be an option for an
IS auditor.

Interviewing personnel is incorrect. This is useful to determine the level of awareness and
understanding of the personnel carrying out the operations. However, it does not provide
direct evidence confirming the existence of dual control, because the information provided
may not accurately reflect the process being performed.

Question 40: Skipped


An organization discovers that the computer of the chief financial officer has been
infected with malware that includes a keystroke logger and a rootkit.

The FIRST action to take would be to -

immediately ensure that no additional data are compromised.

update the antivirus signature on the PC to ensure that the malware or virus is detected and
removed.

contact the appropriate law enforcement authorities to begin an investigation.

disconnect the PC from the network.

(Correct)

Explanation
Disconnect the PC from the network is correct. The most important task is to prevent
further data compromise and preserve evidence by disconnecting the computer from
the network.

Contact the appropriate law enforcement authorities to begin an investigation is incorrect.
Although contacting law enforcement may be needed, the first step would be to halt data
flow by disconnecting the computer from the network.

Immediately ensure that no additional data are compromised is incorrect. The first step is to
disconnect the computer from the network, thus ensuring that no additional data are
compromised, and then, using proper forensic techniques, capture the information stored in
temporary files, network connection information, programs loaded into memory and other
information on the machine.

Update the antivirus signature on the pc to ensure that the malware or virus is detected and
removed is incorrect. Preserve the machine in a forensically sound condition and do not
make any changes to it except to disconnect it from the network. Otherwise evidence would
be destroyed by powering off the PC or updating the software on the PC. Information
stored in temporary files, network connection information, programs loaded into memory,
and other information may be lost.

Question 41: Skipped


To aid management in achieving IT and business alignment, an IS auditor should
recommend the use of -

a business impact analysis.

business process reengineering.

control self-assessments.

an IT balanced scorecard.

(Correct)

Explanation
An IT balanced scorecard is correct. This provides the bridge between IT objectives
and business objectives by supplementing the traditional financial evaluation with
measures to evaluate customer satisfaction, internal processes and the ability to
innovate.

Control self-assessments is incorrect. These are used to improve the monitoring of security
controls but are not used to align IT with organizational objectives.
A business impact analysis is incorrect. This is used to calculate the impact on the business
in the event of an incident that affects business operations, but it is not used to align IT with
organizational objectives.

Business process reengineering is incorrect. This is an excellent tool to review and improve
business processes but is not focused on aligning IT with organizational objectives.
Question 42: Skipped
During an audit of an enterprise that is dedicated to e-commerce, the IS manager
states that digital signatures are used when receiving communications from
customers. To substantiate this, an IS auditor must prove which of the following is
used?

The customer's scanned signature encrypted with the customer's public key

A biometric, digitalized and encrypted parameter with the customer's public key

A hash of the data that is transmitted and encrypted with the customer's public key

A hash of the data that is transmitted and encrypted with the customer's private key

(Correct)

Explanation

A hash of the data that is transmitted and encrypted with the customer’s private key is
correct. The calculation of a hash, or digest, of the data that are transmitted, and its
encryption require the private key of the client (sender) and is called a signature of
the message, or digital signature. The receiver hashes the received message and
compares the hash they compute with the received hash, after the digital signature
has been decrypted with the sender’s public key. If the hash values are the same, the
conclusion would be that there is integrity in the data that have arrived, and the
origin is authenticated. The concept of encrypting the hash with the private key of the
originator provides nonrepudiation because it can only be decrypted with their public
key, and the private key would not be known to the recipient. Simply put, in a key-
pair situation, anything that can be decrypted by a sender’s public key must have
been encrypted with their private key, so they must have been the sender (i.e.,
nonrepudiation).
A biometric, digitalized and encrypted parameter with the customer’s public key is incorrect.
Biometrics are not used in digital signatures or public key encryption.

A hash of the data that is transmitted and encrypted with the customer’s public key is
incorrect. It would not be correct to encrypt the hash with the customer’s public key
because then the recipient would need access to the customer’s private key to decrypt the
digital signature.

The customer’s scanned signature encrypted with the customer’s public key is incorrect. A
scan of the customer’s signature would be known as a digitized signature, not a digital
signature, and would be of little or no value in this scenario.

Question 43: Skipped


Which of the following public key infrastructure (PKI) elements describes the procedure
for disabling a compromised private key?

Certificate policy

Certification practice statement

(Correct)

PKI disclosure statement

Certificate revocation list

Explanation
Certification practice statement is correct. The CPS is the how-to document in a policy-
based public key infrastructure (PKI): it describes the practices the certification authority
follows when issuing, managing, renewing and revoking certificates, including how a
compromised private key is reported and its certificate revoked.

Certificate revocation list is incorrect. The CRL is the output of that revocation procedure, a
list of certificates that have been revoked before their scheduled expiration date; it does not
describe the procedure itself.
Certificate policy is incorrect. This sets the requirements that are subsequently implemented
by the CPS.

PKI disclosure statement is incorrect. This covers critical items such as the warranties,
limitations and obligations that legally bind each party.
Question 44: Skipped
The technique used to ensure security in virtual private networks is called -

data encapsulation.

(Correct)

data wrapping.

data hashing.

data transformation.

Explanation

Data encapsulation is correct. Encapsulation, or tunneling, wraps the original packet inside
a new outer packet, and in a virtual private network the encapsulated payload is encrypted
(and normally integrity-protected as well) so that it can be securely transmitted over an
insecure network; IPsec ESP is the usual example.

Data wrapping is incorrect. This term describes the original packet being wrapped in
another packet but is not directly related to security.

Data transformation is incorrect. To transform or change the state of the communication
would not be used for security.

Data hashing is incorrect. This is used in virtual private networks to ensure message
integrity.
Question 45: Skipped
Which of the following is the MOST critical to the quality of data in a data warehouse?

Accuracy of the data transformation

Accuracy of the extraction process

Credibility of the data source

Accuracy of the source data

(Correct)

Explanation

Accuracy of the source data is correct. Accuracy of source data is a prerequisite for the
quality of the data in a data warehouse. Inaccurate source data will corrupt the
integrity of the data in the data warehouse.
Credibility of the data source is incorrect. The credibility of the data source is important but
would not change inaccurate data into quality (accurate) data.
Accuracy of the extraction process is incorrect. Accurate extraction processes are important
but would not change inaccurate data into quality (accurate) data.

Accuracy of the data transformation is incorrect. Accurate transformation routines are
important but would not change inaccurate data into quality (accurate) data.

Question 46: Skipped


An IS auditor discovers that some hard drives disposed of by an enterprise were not
sanitized in a manner that would reasonably ensure the data could not be recovered.
In addition, the enterprise does not have a written policy on data disposal.
The IS auditor should FIRST -

determine the sensitivity of the information on the hard drives.


(Correct)

discuss with the IT manager the good practices in data disposal.

draft an audit finding and discuss it with the auditor in charge.

develop an appropriate data disposal policy for the enterprise.

Explanation

Determine the sensitivity of the information on the hard drives is correct. Even though
a policy is not available, the IS auditor should determine the nature of the information
on the hard drives to quantify, as much as possible, the risk.

Draft an audit finding and discuss it with the auditor in charge is incorrect. Drafting a finding
without a quantified risk would be premature.

Discuss with the IT manager good practices in data disposal is incorrect. It would be
premature to discuss good practices with the IT manager until the extent of the incident has
been quantified.

Develop an appropriate data disposal policy for the enterprise is incorrect. An IS auditor
should not develop policies.

Question 47: Skipped


While reviewing sensitive electronic work papers, the IS auditor noticed that they
were not encrypted. This could compromise the -

approval of the audit phases.

access rights to the work papers.

audit trail of the versioning of the work papers.


confidentiality of the work papers.

(Correct)

Explanation

The confidentiality of the work papers is correct. Encryption provides confidentiality
for the electronic work papers.

The audit trail of the versioning of the work papers is incorrect. Audit trails do not, by
themselves, affect the confidentiality, but are part of the reason for requiring encryption.
Approval of the audit phases is incorrect. Audit phase approvals do not, by themselves,
affect the confidentiality of the work papers, but are part of the reason for requiring
encryption.

Access rights to the work papers is incorrect. Access to the work papers should be limited by
the need to know; however, a lack of encryption breaches the confidentiality of the work
papers, not the access rights to the papers.

Question 48: Skipped


An organization is considering using a new IT service provider. From an audit
perspective, which of the following would be the MOST important item to review?

References from other clients for the service provider

The physical security of the service provider site

Background checks of the service provider's employees

The proposed service level agreement with the service provider

(Correct)

Explanation
The proposed service level agreement with the service provider is correct. When
contracting with a service provider, it is a good practice to enter into an SLA with the
provider. An SLA is a guarantee that the provider will deliver the services according to
the contract. The IS auditor will want to ensure that performance and security
requirements are clearly stated in the SLA.
References from other clients for the service provider is incorrect. A due diligence activity
such as reviewing references from other clients is a good practice, but the service level
agreement (SLA) would be most critical because it would define what specific levels of
performance would be required and make the provider contractually obligated to deliver
what was promised.

The physical security of the service provider site is incorrect. A due diligence activity such as
reviewing physical security controls is a good practice, but the SLA would be most critical
because it would define what specific levels of security would be required and make the
provider contractually obligated to deliver what was promised.

Background checks of the service provider’s employees is incorrect. A due diligence activity
such as the use of background checks for the service provider’s employees is a good
practice, but the SLA would be most critical because it would define what specific levels of
security and labor practices would be required and make the provider contractually
obligated to deliver what was promised.

Question 49: Skipped


The MOST likely effect of the lack of senior management commitment to IT strategic
planning is -

an absence of control over technology contracts.

technology not aligning with organization objectives.

(Correct)

a lack of a methodology for systems development.

a lack of investment in technology.


Explanation
Technology not aligning with organization objectives is correct. A steering committee
should exist to ensure that the IT strategies support the organization’s goals. The absence of
an IT steering committee, or a committee not composed of senior managers, is an
indication of a lack of top-level management commitment. This condition increases the
risk that IT is not aligned with organization strategy.

Lack of investment in technology is incorrect. Lack of management commitment will almost
certainly affect investment, but the primary loss will be the lack of alignment of IT strategy
with the strategy of the business.

Lack of a methodology for systems development is incorrect. Systems development
methodology is a process-related function and not a key concern of senior management.

Absence of control over technology contracts is incorrect. Approval for contracts is a
business process and would be controlled through financial process controls. This is not
applicable here.
Question 50: Skipped
A local area network (LAN) administrator should normally be restricted from -

having programming responsibilities.

(Correct)

reporting to the end-user manager.

having end-user responsibilities.

being responsible for LAN security administration.

Explanation

Having programming responsibilities is correct. A local area network (LAN)
administrator should not have programming responsibilities because that could allow
modification of production programs without proper separation of duties, but the
LAN administrator may have end-user responsibilities.

Having end-user responsibilities is incorrect. Although not ideal, a LAN administrator may
have end-user responsibilities.
Reporting to the end-user manager is incorrect. The LAN administrator may report to the
director of the information processing facility (IPF) or, in a decentralized operation, to the
end-user manager.

Being responsible for LAN security administration is incorrect. In small organizations, the
LAN administrator may also be responsible for security administration over the LAN.

Question 51: Skipped


The MOST important element for the effective design of an information security
policy is the:

enterprise risk appetite.

(Correct)

emerging technologies.

prior security incidents.

threat landscape.

Explanation

Enterprise risk appetite is correct. The risk appetite is the amount of risk on a broad
level that an entity is willing to accept in pursuit of its mission to meet its strategic
objectives. The purpose of the information security policy is to manage information
risk to an acceptable level, so that the policy is principally aligned with the risk
appetite.

Threat landscape is incorrect. The threat landscape is dynamic. It should be considered
when developing policy, but it is not the primary factor as policy is not meant to change as
often as the threat landscape.

Prior security incidents is incorrect. These may provide insight into the risk appetite statement;
however, they are more likely to affect security standards and procedures.

Emerging technologies is incorrect. These are continually evolving. They should be
considered when developing policy, but they are not the primary factor as policy is not
meant to change as often as technology.

Question 52: Skipped


When auditing the proposed acquisition of a new computer system, an IS auditor
should FIRST ensure that -

a clear business case has been approved by management.

(Correct)

users will be involved in the implementation plan.

the new system will meet all required user functionality.

corporate security standards will be met.

Explanation

A clear business case has been approved by management is correct. The first concern
of an IS auditor is to ensure that the proposal meets the needs of the business. This
should be established by a clear business case.

Corporate security standards will be met is incorrect. Compliance with security standards is
essential, but it is too early in the procurement process for this to be an IS auditor’s first
concern.

Users will be involved in the implementation plan is incorrect. Having users involved in the
implementation process is essential, but it is too early in the procurement process for this to
be an IS auditor’s first concern.

The new system will meet all required user functionality is incorrect. Meeting the needs of
the users is essential, and this should be included in the business case presented to
management for approval.
Question 53: Skipped
Which of the following is the BEST method for determining the criticality of each
application system in the production environment?

Interview the application programmers.

Perform a gap analysis.

Perform a business impact analysis.

(Correct)

Review the most recent application audits.

Explanation

Perform a business impact analysis (BIA) is correct. A BIA will give the impact of the
loss of each application. A BIA is conducted with representatives of the business that
can accurately describe the criticality of a system and its importance to the business.

Interview the application programmers is incorrect. This will provide limited information
related to the criticality of the systems.

Perform a gap analysis is incorrect. A gap analysis is relevant to system development and
project management but does not determine application criticality.

Review the most recent application audits is incorrect. The audits may not contain the
required information about application criticality or may not have been done recently.

Question 54: Skipped


While conducting an audit of a service provider, an IS auditor observes that the
service provider has outsourced a part of the work to another provider. Because the
work involves confidential information, the IS auditor's PRIMARY concern should be
that the -

contract may be terminated because prior permission from the outsourcer was not
obtained.

outsourcer will approach the other service provider directly for further work.

other service provider to whom work has been outsourced is not subject to audit.

requirement for protecting confidentiality of information can be compromised.

(Correct)

Explanation

Requirement for protecting confidentiality of information can be compromised is
correct. Many countries have enacted regulations to protect the confidentiality of
information maintained in their countries and/or exchanged with other countries.
When a service provider outsources part of its services to another service provider,
there is a potential risk that the confidentiality of the information will be
compromised.

Contract may be terminated because prior permission from the outsourcer was not
obtained is incorrect. Terminating the contract for a violation of the terms of the contract
could be a concern but is not related to ensuring the security of information.

Other service provider to whom work has been outsourced is not subject to audit is
incorrect. The outsourcer not being subject to an audit could be a concern but is not related
to ensuring the security of information.

Outsourcer will approach the other service provider directly for further work is incorrect.
There is no reason why an IS auditor should be concerned with the outsourcer approaching
the other service providers directly for further work.

Question 55: Skipped


As part of audit planning, an IS auditor is designing various data validation tests to
effectively detect transposition and transcription errors. Which of the following
will BEST help in detecting these errors?

Validity check


Range check

Check digit

(Correct)

Duplicate check

Explanation
Check digit is correct. A check digit is a numeric value that has been calculated
mathematically and is added to data to ensure that the original data have not been
altered or that an incorrect, but valid, match has occurred. The check digit control is
effective in detecting transposition and transcription errors.

Range check is incorrect. Range checks can only ensure that data falls within a
predetermined range but cannot detect transposition errors.

Validity check is incorrect. Validity checks are generally programmed checking of data
validity in accordance with predetermined criteria.

Duplicate check is incorrect. Duplicate check analysis is used to test defined or selected
primary keys for duplicate primary key values.
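To make the check-digit control concrete, the following is an added example (not part of the exam page or its explanations). It implements two standard schemes, the Luhn mod-10 digit and the ISBN-10 style weighted mod-11 digit, and then mutates a valid number every way a transcription error (one digit miskeyed) or an adjacent transposition error (two neighbouring digits swapped) could occur, counting how many of those mutations the check rejects. The sample numbers are constructed for illustration. It goes slightly beyond the explanation above by showing that the two schemes differ: Luhn catches every single-digit substitution but misses the 09/90 swap, while the weighted mod-11 scheme (weights coprime to the prime modulus 11) catches every single substitution and every adjacent transposition.

```python
"""Check digits as a detective control for transcription and transposition
errors. Added example, not code from the exam page: the Luhn (mod 10) and
ISBN-10 style weighted mod-11 schemes are standard algorithms; the sample
numbers below are constructed for illustration."""


def luhn_check_digit(payload: str) -> str:
    """Luhn (mod 10) check digit for a string of decimal digits."""
    total = 0
    # Walk from the rightmost payload digit; double every second digit and
    # fold two-digit products back into one digit (16 -> 7).
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return number[-1] == luhn_check_digit(number[:-1])


def mod11_check_digit(payload: str) -> str:
    """ISBN-10 style check digit: nine digits weighted 10 down to 2, so that
    the full ten-character value sums to 0 mod 11; a remainder of 10 is 'X'."""
    total = sum(int(ch) * w for ch, w in zip(payload, range(10, 1, -1)))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def mod11_valid(number: str) -> bool:
    """True if a ten-character value carries the correct weighted mod-11 digit."""
    if len(number) != 10 or not number[:-1].isdigit():
        return False
    return number[-1] == mod11_check_digit(number[:-1])


def error_detection_rate(validator, number: str) -> dict:
    """Mutate a valid number every way one transcription error (a single digit
    miskeyed) or one transposition error (two adjacent characters swapped)
    could occur, and count how many mutations the validator rejects.
    Returns {"transcription": (detected, attempted),
             "transposition": (detected, attempted)}."""
    detected = {"transcription": 0, "transposition": 0}
    attempted = {"transcription": 0, "transposition": 0}

    for pos, original in enumerate(number):
        for digit in "0123456789":
            if digit == original:
                continue
            mutated = number[:pos] + digit + number[pos + 1:]
            attempted["transcription"] += 1
            if not validator(mutated):
                detected["transcription"] += 1

    for pos in range(len(number) - 1):
        if number[pos] == number[pos + 1]:
            continue  # swapping identical neighbours is not an error
        mutated = (number[:pos] + number[pos + 1] + number[pos]
                   + number[pos + 2:])
        attempted["transposition"] += 1
        if not validator(mutated):
            detected["transposition"] += 1

    return {k: (detected[k], attempted[k]) for k in detected}


if __name__ == "__main__":
    # Constructed samples: Luhn protects "79927398713" and "4093" (which
    # contains the adjacent pair 09), weighted mod 11 protects "0306406152".
    for name, validator, sample in [
        ("Luhn", luhn_valid, "79927398713"),
        ("Luhn (contains 09)", luhn_valid, "4093"),
        ("Weighted mod 11", mod11_valid, "0306406152"),
    ]:
        print(name, sample, error_detection_rate(validator, sample))
```

Running the block shows the Luhn sample "4093" detecting only 2 of its 3 possible adjacent swaps (the 09 to 90 swap passes), while the weighted mod-11 sample detects all 90 substitutions and all 9 swaps; an auditor choosing or assessing a check-digit control should know which class of error the chosen scheme leaves undetected.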
Question 56: Skipped
During a review of a business continuity plan, an IS auditor noticed that the point at
which a situation is declared to be a crisis has not been defined. The MAJOR risk
associated with this is that -

execution of the disaster recovery plan could be impacted.

(Correct)

assessment of the situation may be delayed.

potential crisis recognition might be delayed.

notification of the teams might not occur.

Explanation

Execution of the disaster recovery plan could be impacted is correct. Execution of the
business continuity and disaster recovery plans would be impacted if the organization
does not know when to declare a crisis.

Assessment of the situation may be delayed is incorrect. Problem and severity assessment
would provide information necessary in declaring a disaster, but the lack of a crisis
declaration point would not delay the assessment.

Notification of the teams might not occur is incorrect. After a potential crisis is recognized,
the teams responsible for crisis management need to be notified. Delaying the declaration
of a disaster would impact or negate the effect of having response teams, but this is only
one part of the larger impact.

Potential crisis recognition might be delayed is incorrect. Potential crisis recognition is the
first step in recognizing or responding to a disaster and would occur prior to the declaration
of a disaster.
Question 57: Skipped
Which of the following would be MOST useful for an IS auditor for accessing and
analyzing digital data to collect relevant audit evidence from diverse software
environments?

Structured Query Language

Application software reports

Data analytics controls

Computer-assisted auditing techniques

(Correct)
Explanation
Computer-assisted auditing techniques is correct. Computer-assisted auditing techniques
(CAATs) are tools used for accessing data in an electronic form from diverse software
environments, record formats, etc. CAATs serve as useful tools for collecting and evaluating
audit evidence according to audit objectives and can create efficiencies for collecting this
evidence.

Structured Query Language is incorrect. This provides options for auditors to query specific
tables of a database according to audit objectives. However, skills are required to query
specific databases, and a user must be able to understand the record structure to access the
data.

Application software reports is incorrect. Reports from application software may be useful,
but they are not as beneficial as CAATs.

Data analytics controls is incorrect. These might be a good technique to use for control
testing, but they are not as comprehensive as CAATs.

Question 58: Skipped


Which of the following is an advantage of an integrated test facility (ITF)?

It validates application systems and ensures the correct operation of the system.

Periodic testing does not require separate test processes.

(Correct)

It uses actual master files or dummies and the IS auditor does not have to review the source
of the transaction.

The need to prepare test data is eliminated.

Explanation

Periodic testing does not require separate test processes is correct. An integrated test
facility (ITF) creates a fictitious entity in the database to process test transactions
simultaneously with live input. Its advantage is that periodic testing does not require
separate test processes. Careful planning is necessary, and test data must be isolated
from production data.

It uses actual master files or dummies, and the IS auditor does not have to review the source
of the transaction is incorrect. The ITF tests a test transaction as if it were a real transaction
and validates that transaction processing is being done correctly. It is not related to
reviewing the source of a transaction.

It validates application systems and ensures the correct operation of the system is incorrect.
An ITF does validate the correct operation of a transaction in an application, but it does not
ensure that a system is being operated correctly.

The need to prepare test data is eliminated is incorrect. The ITF is based on the integration
of test data into the normal process flow, so test data is still required.
Question 59: Skipped
Which of the following sampling methods is the MOST appropriate for testing
automated invoice authorization controls to ensure that exceptions are not made for
specific users?

Variable sampling

Stratified random sampling

(Correct)

Judgmental sampling

Systematic sampling

Explanation

Stratified random sampling is correct. Stratification is the process of dividing a
population into subpopulations with similar characteristics explicitly defined so that
each sampling unit can belong to only one stratum. This method of sampling ensures
that all sampling units in each subgroup have a known, nonzero chance of selection. It
is the most appropriate in this case.

Variable sampling is incorrect. This is used for substantive testing to determine the
monetary or volumetric impact of characteristics of a population. This is not the most
appropriate in this case.

Judgmental sampling is incorrect. In judgmental sampling, professionals place a bias on the
sample (e.g., all sampling units over a certain value, all for a specific type of exception or all
negatives). It should be noted that a judgmental sample is not statistically based, and results
should not be extrapolated over the population because the sample is unlikely to be
representative of the population.

Systematic sampling is incorrect. This involves selecting sampling units using a fixed interval
between selections with the first interval having a random start. This is not the most
appropriate in this case.

Question 60: Skipped


An IS auditor is involved in the re-engineering process that aims to optimize IT
infrastructure.

Which of the following will BEST identify the issues to be resolved?

Self-assessment

Gap analysis

(Correct)

Prototyping

Reverse engineering

Explanation

Gap analysis is correct. This would be the best method to identify issues that need to
be addressed in the reengineering process. Gap analysis indicates which parts of
current processes conform to good practices (desired state) and which do not.

Self-assessment is incorrect. This may be one of the viable options with which to start;
however, the results only indicate current conditions, not desired state, and tend to become
subjective.

Reverse engineering is incorrect. This is a technique applied to analyze how a device or
program works and is not appropriate here.

Prototyping is incorrect. This is applied to ensure that user requirements are met prior to
being engaged in a full-blown development process.

Question 61: Skipped


The decisions and actions of an IS auditor are MOST likely to affect which of the
following types of risk?

Inherent

Business

Detection

(Correct)

Control

Explanation

Detection risk is correct. This is directly affected by the IS auditor’s selection of audit
procedures and techniques. Detection risk is the risk that a review will not detect or
notice a material issue.

Inherent risk is incorrect. This is the risk that a material error could occur if there are no
related internal controls to prevent or detect the error. Inherent risk is not usually affected
by an IS auditor.

Control risk is incorrect. This is the risk that a material error exists that would not be
prevented or detected on a timely basis by the system of internal controls. Control risk can
be mitigated by the actions of the organization’s management.

Business risk is incorrect. This is a probable situation with uncertain frequency and
magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.
Question 62: Skipped
Although management has stated otherwise, an IS auditor has reasons to believe that
the organization is using software that is not licensed. In this situation, the IS auditor
should FIRST -

discuss the issue with senior management because it could have a negative impact on the
organization.

include the item in the audit report.

verify the software is in use through testing.

(Correct)

include the statement from management in the audit report.

Explanation

Verify the software is in use through testing is correct. When there is an indication
that an organization might be using unlicensed software, the IS auditor should obtain
sufficient evidence before including it in the report.

Include the statement from management in the audit report is incorrect. The statement from
management may be included in the audit report, but the auditor should independently
validate the statements made by management to ensure completeness and accuracy.

Include the item in the audit report is incorrect. With respect to this matter, representations
obtained from management cannot be independently verified.

Discuss the issue with senior management because it could have a negative impact on the
organization is incorrect. If the organization is using software that is not licensed, the IS
auditor, to maintain objectivity and independence, must include this in the report, but the IS
auditor should verify that this is, in fact, the case before presenting it to senior management.

Question 63: Skipped


An IS auditor is reviewing an organization's disaster recovery plan (DRP)
implementation. The project was completed on time and on budget. During the
review, the auditor uncovers several areas of concern.

Which of the following presents the GREATEST risk?

The business impact analysis was conducted, but the results were not used.

(Correct)

Testing of the DRP has not been performed.

The disaster recovery project manager for the implementation has recently left the
organization.

The disaster recovery strategy does not specify use of a hot site.

Explanation
The business impact analysis (BIA) was conducted, but the results were not used is
correct. The risk of not using the results of the BIA for disaster recovery planning
means that the disaster recovery plan (DRP) may not be designed to recover the most
critical assets in the correct order. As a result, the plan may not be adequate to allow
the organization to recover from a disaster.

Testing of the DRP has not been performed is incorrect. Although testing a DRP is a critical
component of a successful disaster recovery strategy, this is not the biggest risk; the biggest
risk comes from a plan that is not properly designed.

The disaster recovery strategy does not specify use of a hot site is incorrect. The use of a hot
site is a strategic determination based on tolerable downtime, cost, and other factors.
Although using a hot site may be considered a good practice, this is a very costly solution
that may not be required for the organization.

The disaster recovery project manager for the implementation has recently left the
organization is incorrect. If the DRP is designed and documented properly, the loss of an
experienced project manager should have minimal impact. The risk of a poorly designed
plan that may not meet the requirements of the business is much more significant than the
risk posed by loss of the project manager.
Question 64: Skipped
Which of the following controls would be MOST effective in ensuring that production
source code and object code are synchronized?

Library control software restricting changes to source code

Date and time-stamp reviews of source and object code

(Correct)

Restricted access to source code and object code

Release-to-release source and object comparison reports

Explanation
Date and time-stamp reviews of source and object code is correct. This would ensure
that source code, which has been compiled, matches the production object code. This
is the most effective way to ensure that the approved production source code is
compiled and is the one being used.

Release-to-release source and object comparison reports is incorrect. Using version control
software and comparing source and object code is a good practice but may not detect a
problem where the source code is a different version than the object code.

Library control software restricting changes to source code is incorrect. All production
libraries should be protected with access controls, and this may protect source code from
tampering. However, this will not ensure that source and object codes are based on the
same version.

Restricted access to source code and object code is incorrect. It is a good practice to protect
all source and object code—even in development. However, this will not ensure the
synchronization of source and object code.

Question 65: Skipped


What would be the PRIMARY concern of an IS Auditor when reviewing system
parameters?

Critical business processes for ascertaining the priority for recovery

(Correct)

Risk such as single point-of-failure and infrastructure risk

Threats to critical business processes

Resources required for resumption of business

Explanation

Critical business processes for ascertaining the priority for recovery is correct. The
identification of critical business processes should be addressed first so that the
priorities and timelines for recovery can be documented.

Risk such as single-point-of-failure and infrastructure risk is incorrect. Risk should be
identified after the critical business processes have been identified.

Threats to critical business processes is incorrect. The identification of threats to critical
business processes can only be determined after the critical business processes have been
identified.

Resources required for resumption of business is incorrect. Identification of resources
required for business resumption will occur after the identification of critical business
processes.

Question 66: Skipped


Which of the following is an implementation risk within the process of decision
support systems?

Changes in decision processes

Inability to specify purpose and usage patterns

(Correct)

Semistructured dimensions

Management control

Explanation

The inability to specify purpose and usage patterns is correct. This is a risk that
developers need to anticipate while implementing a decision support system (DSS).

Management control is incorrect. This is not a type of risk, but a characteristic of a DSS.

Semistructured dimensions is incorrect. This is not a type of risk, but a characteristic of a
DSS.

Changes in decision processes is incorrect. These are not a type of risk, but a characteristic
of a DSS.

Question 67: Skipped


A PRIMARY benefit derived for an organization employing control self-assessment
techniques is that it -

allows management to relinquish responsibility for control.

can identify high-risk areas that might need a detailed review later.

(Correct)

allows IS auditors to independently assess risk.

can be used as a replacement for traditional audits.

Explanation

Can identify high-risk areas that might need a detailed review later is correct. Control
self-assessment (CSA) is predicated on the review of high-risk areas that either need
immediate attention or may require a more thorough review later.

Allows IS auditors to independently assess risk is incorrect. CSA requires the involvement of
IS auditors and line management. The internal audit function shifts some of the control
monitoring responsibilities to the functional areas.

Can be used as a replacement for traditional audits is incorrect. CSA is not a replacement
for traditional audits. CSA is not intended to replace the audit’s responsibilities, but to
enhance them.

Allows management to relinquish responsibility for control is incorrect. CSA does not allow
management to relinquish its responsibility for control.

Question 68: Skipped


Which of the following is the MOST critical element to effectively execute a disaster
recovery plan?

Offsite storage of backup data

(Correct)

Availability of a replacement data center

Clearly defined recovery time objective (RTO)

Up-to-date list of key disaster recovery contacts

Explanation
Offsite storage of backup data is correct. Remote storage of backups is the most
critical disaster recovery plan (DRP) element of the items listed because access to
backup data is required to restore systems.

Up-to-date list of key disaster recovery contacts is incorrect. Having a list of key contacts is
important but not as important as having adequate data backup.

Availability of a replacement data center is incorrect. A DRP may use a replacement data
center or some other solution such as a mobile site, reciprocal agreement or outsourcing
agreement.

Clearly defined recovery time objective is incorrect. Having a clearly defined recovery time
objective is especially important for business continuity planning, but the core element of
disaster recovery (the recovery of IT infrastructure and capability) is data backup.
Question 69: Skipped
Which of the following cryptography options would increase overhead/cost?

The hash is encrypted rather than the message.

A secret key is used.

The encryption is symmetric rather than asymmetric.

A long asymmetric encryption key is used.

(Correct)

Explanation

A long asymmetric encryption key is used is correct. Computer processing time
increases for longer asymmetric encryption keys, and the increase may be
disproportionate. For example, one benchmark showed that doubling the length of an
RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold.

The encryption is symmetric rather than asymmetric is incorrect. An asymmetric algorithm
requires more processing time than a symmetric algorithm, so choosing symmetric
encryption reduces overhead rather than increasing it.

The hash is encrypted rather than the message is incorrect. A hash is usually shorter than
the original message; therefore, a smaller overhead is required if the hash is encrypted
rather than the message.

A secret key is used is incorrect. A secret key, used as a symmetric encryption key, is
generally small and is used for the purpose of encrypting user data.

Question 70: Skipped


Assume you are performing a review of the software quality management process in
an organization. Your FIRST step should be to -

verify how the organization complies with the standards.

identify and report the existing controls.

review the metrics for quality evaluation.

request all standards adopted by the organization.

(Correct)

Explanation
Request all standards adopted by the organization is correct. Because an audit
measures compliance with the standards of the organization, the first step of the
review of the software quality management process should be to determine the
evaluation criteria in the form of standards adopted by the organization. The
evaluation of how well the organization follows their own standards cannot be
performed until the IS auditor has determined what standards exist.

Verify how the organization complies with the standards is incorrect. The auditor needs to
know what standards the organization has adopted and then measure compliance with those
standards. Determining how the organization follows the standards is secondary to knowing
what the standards are. The other items listed—verifying how well standards are being
followed, identifying relevant controls and reviewing the quality metrics—are secondary to
the identification of standards.

Identify and report the existing controls is incorrect. The first step is to know the standards
and what policies and procedures are mandated for the organization, then to document the
controls and measure compliance.

Review the metrics for quality evaluation is incorrect. The metrics cannot be reviewed until
the auditor has a copy of the standards that describe or require the metrics.

Question 71: Skipped


When reviewing the implementation of a local area network, an IS auditor should FIRST
review the -

acceptance test report.

network diagram.

(Correct)

users list.

node list.

Explanation

Network diagram is correct. To properly review a local area network implementation,
an IS auditor should first verify the network diagram to identify risk or single points
of failure.

Node list is incorrect. Verification of nodes from the node list would follow the review of the
network diagram.

Acceptance test report is incorrect. The review of the acceptance test report would follow
the verification of nodes from the node list.

Users list is incorrect. The users' list would be reviewed after the acceptance test report.

Question 72: Skipped


Two-factor authentication can be circumvented through which of the following
attacks?

Man-in-the-middle

(Correct)

Denial-of-service

Brute force

Key logging

Explanation

Man-in-the-middle is correct. This attack is similar to piggybacking in that the
attacker pretends to be the legitimate destination, and then merely retransmits
whatever is sent by the authorized user along with additional transactions after
authentication has been accepted. This is done in many instances of bank fraud.

Denial-of-service is incorrect. This attack does not have a relationship to authentication.

Key logging is incorrect. This could circumvent single-factor authentication but not
two-factor authentication.

Brute force is incorrect. This could circumvent single-factor authentication but not
two-factor authentication.
Question 73: Skipped
Which of the following is an example of a passive cybersecurity attack?

Traffic analysis

(Correct)

Denial-of-service

Email spoofing

Masquerading

Explanation

Traffic analysis is correct. Cybersecurity threats/vulnerabilities are divided into passive
and active attacks. A passive attack is one that monitors or captures network traffic
but does not in any way modify, insert or delete the traffic. Examples of passive
attacks include network analysis, eavesdropping and traffic analysis.

Masquerading is incorrect. Because masquerading alters the data by modifying the origin, it
is an active attack.

Denial-of-service is incorrect. Because a denial-of-service attack floods the network with
traffic or sends malformed packets over the network, it is an active attack.

Email spoofing is incorrect. Because email spoofing alters the email header, it is an active
attack.

Question 74: Skipped


The role of a certificate authority (CA) as a third party is to -

confirm the identity of the entity owning a certificate issued by that CA.

(Correct)

provide secured communication and networking services based on certificates.

act as a trusted intermediary between two communication partners.

host a repository of certificates with the corresponding public and secret keys issued by that
CA.
Explanation
Confirm the identity of the entity owning a certificate issued by that certificate
authority (CA) is correct. The primary activity of a CA is to issue certificates. The
primary role of the CA is to check the identity of the entity owning a certificate and to
confirm the integrity of any certificate it issued.

Provide secured communication and networking services based on certificates is incorrect.
Providing a communication infrastructure is not a CA activity.

Host a repository of certificates with the corresponding public and secret keys issued by
that CA is incorrect. The secret keys belonging to the certificates would not be archived at
the CA.

Act as a trusted intermediary between two communication partners is incorrect. The CA can
contribute to authenticating the communicating partners to each other, but the CA is not
involved in the communication stream itself.

Question 75: Skipped


While evaluating software development practices in an organization, an IS auditor
notes that the quality assurance (QA) function reports to project management. The MOST
important concern for an IS auditor is the:

efficiency of the project manager because the QA function needs to communicate with the
project implementation team.

effectiveness of the project manager because the project manager should interact with the
QA function.

efficiency of the QA function because it should interact with the project implementation
team.

effectiveness of the QA function because it should interact between project management
and user management.

(Correct)
Explanation
Effectiveness of the QA function because it should interact between project
management and user management is correct. To be effective, the quality assurance
(QA) function should be independent of project management. If it is not, project
management may put pressure on the QA function to approve an inadequate product.

Efficiency of the QA function because it should interact with the project implementation
team is incorrect. The efficiency of the QA function is not impacted by interacting with the
project implementation team. The QA team does not release a product for implementation
until it meets QA requirements.

Effectiveness of the project manager because the project manager should interact with the
QA function is incorrect. The project manager responds to the issues raised by the QA team.
This does not impact the effectiveness of the project manager.

Efficiency of the project manager because the QA function needs to communicate with the
project implementation team is incorrect. The QA function’s interaction with the project
implementation team should not impact the efficiency of the project manager.

Question 76: Skipped


An IS auditor examining the security configuration of an operating system should
review the -

authorization tables.

parameter settings.

(Correct)

transaction logs.

routing tables.

Explanation
Parameter settings is correct. Configuration parameters allow a standard piece of
software to be customized for diverse environments and are important in determining
how a system runs. The parameter settings should be appropriate to an organization’s
workload and control environment. Improper implementation and/or monitoring of
operating systems can result in undetected errors and corruption of the data being
processed, as well as lead to unauthorized access and inaccurate logging of system
usage.

Transaction logs is incorrect. These are used to track and analyze transactions related to an
application or system interface, but that is not the primary source of audit evidence in an
operating system audit.

Authorization tables is incorrect. These are used to verify implementation of logical access
controls and will not be of much help when reviewing control features of an operating
system.

Routing tables is incorrect. These do not contain information about the operating system
and, therefore, provide no information to aid in the evaluation of controls.

Question 77: Skipped


Which of the following is a characteristic of timebox management?

Prevents cost overruns and delivery delays

(Correct)

Separates system and user acceptance testing

Not suitable for prototyping or rapid application development

Eliminates the need for a quality process

Explanation

Prevents cost overruns and delivery delays is correct. Timebox management, by its
nature, sets specific time and cost boundaries. It is effective in controlling costs and
delivery time lines by ensuring that each segment of the project is divided into small
controllable time frames.
Not suitable for prototyping or rapid application development is incorrect. Timebox
management is very suitable for prototyping and rapid application development.
Eliminates the need for a quality process is incorrect. Timebox management does not
eliminate the need for a quality process.
Separates system and user acceptance testing is incorrect. Timebox management integrates
system and user acceptance testing.

Question 78: Skipped


Which of the following controls would be the MOST comprehensive in a remote
access network with multiple and diverse subsystems?

Firewall installation

Virtual private network

(Correct)

Demilitarized zone

Proxy server

Explanation

Virtual private network (VPN) is correct. The best way to secure remote access is
through the use of encrypted VPNs. This would allow remote users a secure
connection to the main systems.

Proxy server is incorrect. This is a type of firewall installation used as an intermediary to filter
and control traffic between internal and external parties.

Firewall installation is incorrect. While firewall installations are the primary line of defense,
they would need to have encryption and a VPN to secure remote access traffic.

Demilitarized zone (DMZ) is incorrect. This is an isolated network used to permit outsiders to
access certain corporate information in a semi-trusted environment. The DMZ may host a
web server or other external-facing services. Traffic to a DMZ is not usually encrypted unless
it is terminating on a VPN located in the DMZ.
Question 79: Skipped
Which of the following is the BEST way to ensure that incident response activities are
consistent with the requirements of business continuity?

Develop a project plan for end-to-end testing of disaster recovery.

Establish a cross-departmental working group to share perspectives.

Develop a scenario and perform a structured walk-through.

(Correct)

Draft and publish a clear practice for enterprise-level incident response.

Explanation

Develop a scenario and perform a structured walk-through is correct. A structured
walk-through including both incident response and business continuity personnel
provides the best opportunity to identify gaps or misalignments between the plans.

Draft and publish a clear practice for enterprise-level incident response is incorrect.
Publishing an enterprise-level incident response plan is effective only if business continuity
aligned itself to incident response. Incident response supports business continuity, not the
other way around.

Establish a cross-departmental working group to share perspectives is incorrect. Sharing
perspectives is valuable, but a working group does not necessarily lead to ensuring that the
interface between plans is workable.

Develop a project plan for end-to-end testing of disaster recovery is incorrect. A project
plan developed for disaster recovery will not necessarily address deficiencies in business
continuity or incident response.

Question 80: Skipped


An IS auditor inspected a windowless room containing phone switching and
networking equipment and documentation binders. The room was equipped with two
handheld fire extinguishers—one filled with carbon dioxide (CO2), the other filled
with halon.
Which of the following should be given the HIGHEST priority in the IS auditor's
report?

The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires
involving solid combustibles (paper).

The documentation binders should be removed from the equipment room to reduce
potential risk.

The halon extinguisher should be removed because halon has a negative impact on the
atmospheric ozone layer.

Both fire suppression systems present a risk of suffocation when used in a closed room.

(Correct)

Explanation

Both fire suppression systems present a risk of suffocation when used in a closed
room is correct. Protecting people’s lives should always be of highest priority in fire
suppression activities. Carbon dioxide (CO2) and halon both reduce the oxygen ratio
in the atmosphere, which can induce serious personal hazards. In many countries,
installing or refilling halon fire suppression systems is not allowed.

The halon extinguisher should be removed because halon has a negative impact on the
atmospheric ozone layer is incorrect. The Montreal Protocol allows existing halon
installations to remain, although some countries may have laws that require its removal.

The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires
involving solid combustibles (paper) is incorrect. CO2 extinguishers can be used on most
types of fires, and their use in a server room would be appropriate.

The documentation binders should be removed from the equipment room to reduce
potential risk is incorrect. Although not of highest priority, removal of the documentation
would probably reduce some of the risk.

Question 81: Skipped


In auditing the archiving process of emails, the IS auditor should pay the MOST
attention to -

the support and stability of the archiving solution manufacturer.

the storage capacity of the archiving solution.

the existence of a data retention policy.

(Correct)

the level of user awareness concerning email use.

Explanation

The existence of a data retention policy is correct. Without a data retention policy that
is aligned with the company’s business and compliance requirements, the email
archive may not preserve and reproduce the correct information when required.
The storage capacity of the archiving solution is incorrect. This would be irrelevant if the
proper email messages have not been properly preserved and others have been deleted.
The level of user awareness concerning email use is incorrect. This would not directly affect
the completeness and accuracy of the archived email.

The support and stability of the archiving solution manufacturer is incorrect. This is
secondary to the need to ensure a retention policy. Vendor support would not directly affect
the completeness and accuracy of the archived email.

Question 82: Skipped


Which of the following is the MOST likely benefit of implementing a standardized
infrastructure?

Reduced level of investment in the IT infrastructure


Increased security of the IT service delivery center

Reduced need for testing future application changes

Improved cost-effectiveness of IT service delivery and operational support

(Correct)

Explanation

Improved cost-effectiveness of IT service delivery and operational support is correct.
A standardized IT infrastructure provides a consistent set of platforms and operating
systems across the organization. This standardization reduces the time and effort
required to manage a set of disparate platforms and operating systems. In addition,
the implementation of enhanced operational support tools (e.g., password
management tools, patch management tools and auto provisioning of user access) is
simplified. These tools can help the organization reduce the cost of IT service delivery
and operational support.
Increased security of the IT service delivery center is incorrect. A standardized infrastructure
results in a more homogeneous environment, which is more prone to attacks.

Reduced level of investment in the IT infrastructure is incorrect. While standardization can
reduce support costs, the transition to a standardized kit can be expensive; therefore, the
overall level of IT infrastructure investment is not likely to be reduced.

Reduced need for testing future application changes is incorrect. A standardized
infrastructure may simplify testing of changes, but it does not reduce the need for such
testing.

Question 83: Skipped


What is the PRIMARY purpose of a business impact analysis? To -

improve recovery testing.

define recovery strategies.

(Correct)

identify the alternate site.

calculate the annual loss expectancy.

Explanation
Define recovery strategies is correct. One of the primary outcomes of a business
impact analysis (BIA) is the recovery time objective and the recovery point objective,
which help in defining the recovery strategies.

Identify the alternate site is incorrect. A BIA, itself, will not help in identifying the alternate
site. That is determined during the recovery strategy phase of the project.

Improve recovery testing is incorrect. A BIA, itself, will not help improve recovery testing.
That is done during the implementation and testing phase of the project.

Calculate the annual loss expectancy is incorrect. The annual loss expectancy of critical
business assets and processes is determined during the risk assessment and will be
reviewed in the BIA, but this is not the primary advantage.

Question 84: Skipped


Which of the following reports should an IS auditor use to check compliance with a
service level agreement's requirement for uptime?

Hardware error reports

Utilization reports

Availability reports

(Correct)


System logs

Explanation

Availability reports is correct. IS inactivity, such as downtime, is addressed by
availability reports. These reports provide the time periods during which the
computer was available for utilization by users or other processes.

Utilization reports is incorrect. These document the use of computer equipment, and can be
used by management to predict how, where and/or when resources are required.

Hardware error reports is incorrect. These provide information to aid in detecting hardware
failures and initiating corrective action. These error reports may not indicate actual system
uptime.

System logs is incorrect. These are used for recording the system’s activities. They may not
indicate availability.
Question 85: Skipped
You are reviewing IT projects for a large company and want to determine whether the
IT projects undertaken in a given year are those which have been assigned the highest
priority by the business and which will generate the greatest business value.

Which of the following is MOST relevant?

Portfolio management

(Correct)

A capability maturity model (CMM)

Configuration management

Project management body of knowledge (PMBOK)

Explanation

Portfolio management is correct. This is designed to assist in the definition,
prioritization, approval and running of a set of projects within a given organization.
These tools offer data capture, workflow and scenario planning functionality, which
can help identify the optimum set of projects (from the full set of ideas) to take
forward within a given budget.

A capability maturity model is incorrect. This would not help determine the optimal portfolio
of capital projects because it is a means of assessing the relative maturity of the IT processes
within an organization: running from Level 0 (Incomplete—Processes are not implemented
or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured,
and continuous improvement techniques are in place).
Configuration management is incorrect. A configuration management database (which
stores the configuration details for an organization’s IT systems) is an important tool for IT
service delivery and, in particular, change management. It may provide information that
would influence the prioritization of projects but is not designed for that purpose.
The project management body of knowledge is incorrect. This is a methodology for the
management and delivery of projects. It offers no specific guidance or assistance in
optimizing a project portfolio.
Question 86: Skipped
Suppose a new database is being set up in an overseas location to provide information
to the general public and to increase the speed at which the information is made
available. The overseas database is to be housed at a data center and will be updated
in real-time to mirror the information stored locally.

Which of the following areas of operations should be considered as having the
HIGHEST risk?

The hardware being used to run the database application

(Correct)

Remote access to the backup database

Confidentiality of the information stored in the database

Backups of the information in the overseas database


Explanation
The hardware being used to run the database application is correct. The business
objective is to make the information available to the public in a timely manner.
Because the database is physically located overseas, hardware failures that are left
unfixed can reduce the availability of the system to users.

Confidentiality of the information stored in the database is incorrect. This is not a major
concern, because the information is intended for public use.

Backups of the information in the overseas database is incorrect. These are not a major
concern, because the overseas database is a mirror of the local database; thus, a backup
copy exists locally.

Remote access to the backup database is incorrect. This does not impact availability.

Question 87: Skipped


An IS auditor discovers that the chief information officer (CIO) of an organization is
using a wireless broadband modem using a global system for mobile communications
(GSM) technology. This modem is being used to connect the CIO's laptop to the
corporate virtual private network when the CIO travels outside of the office.

The IS auditor should -

recommend that the CIO stop using the laptop computer until encryption is enabled.

ensure that media access control address filtering is enabled on the network so
unauthorized wireless users cannot connect.

do nothing because the inherent security features of GSM technology are appropriate.

(Correct)

suggest that two-factor authentication be used over the wireless link to prevent
unauthorized communications.

Explanation
Do nothing because the inherent security features of GSM technology are appropriate
is correct. The inherent security features of the global system for mobile
communications (GSM) technology combined with the use of a virtual private
network (VPN) is appropriate. The confidentiality of the communication on the GSM
radio link is ensured by the use of encryption and the use of a VPN signifies that an
encrypted session is established between the laptop and the corporate network. GSM
is a global standard for cellular telecommunications that can be used for both voice
and data. Currently deployed commercial GSM technology has multiple overlapping
security features that prevent eavesdropping, session hijacking or unauthorized use of
the GSM carrier network. While other wireless technologies such as 802.11 wireless
local area network (LAN) technologies have been designed to allow the user to adjust
or even disable security settings, GSM does not allow any devices to connect to the
system unless all relevant security features are active and enabled.
Recommend that the chief information officer (CIO) stop using the laptop computer until
encryption is enabled is incorrect. Because the CIO is using a VPN, it can be assumed that
encryption is enabled in addition to the security features in GSM. In addition, VPNs will not
allow the transfer of data for storage on the remote device (such as the CIO’s laptop).

Ensure that media access control (MAC) address filtering is enabled on the network so
unauthorized wireless users cannot connect is incorrect. MAC filtering can be used on a
wireless LAN but does not apply to a GSM network device.

Suggest that two-factor authentication be used over the wireless link to prevent
unauthorized communications is incorrect. Because the GSM network is being used rather
than a wireless LAN, it is not possible to configure settings for two-factor authentication
over the wireless link. However, two-factor authentication is recommended as it will better
protect against unauthorized access than single-factor authentication.

Question 88: Skipped


An IS auditor determined that the IT manager recently changed the vendor that is
responsible for performing maintenance on critical computer systems to cut costs.
While the new vendor is less expensive, the new maintenance contract specifies a
change in incident resolution time specified by the original vendor.

Which of the following should be the GREATEST concern to the IS auditor?

Transactional business data may be lost in the event of system failure.

The new maintenance vendor is not familiar with the organization's policies.

Application owners were not informed of the change.

(Correct)

Disaster recovery plans may be invalid and need to be revised.

Explanation
Application owners were not informed of the change is correct. The greatest risk of
making a change to the maintenance of critical systems is that the change could have
an adverse impact on a critical business process. While there is a benefit in selecting a
less expensive maintenance vendor, the resolution time must be aligned with the
needs of the business.

Disaster recovery plans may be invalid and need to be revised is incorrect. Disaster recovery
plans (DRPs) must support the needs of the business, but the greater risk is that application
owners are not aware of the change in resolution time.

Transactional business data may be lost in the event of system failure is incorrect.
Transactional business data loss is determined by data backup frequency and, consequently,
the backup schedule.

The new maintenance vendor is not familiar with the organization's policies is incorrect. The
vendor must abide by the terms of the contract, and those should include compliance with
the privacy policies of the organization, but the lack of application owner involvement is the
most important concern.

Question 89: Skipped


When testing program change requests for a remote system, an IS auditor finds that
the number of changes available for sampling would not provide a reasonable level of
assurance.

What is the MOST appropriate action for the IS auditor to take?

Create additional sample data to test additional changes.

Develop an alternate testing procedure.

(Correct)


Report the finding to management.

Perform a walk-through of the change management process.

Explanation

Develop an alternate testing procedure is correct. If a sample-size objective cannot be
met with the given data, the IS auditor cannot provide assurance regarding the testing
objective. In this instance, the IS auditor should develop (with audit management
approval) an alternate testing procedure.

Report the finding to management is incorrect. There is not enough evidence to report the
finding as a deficiency.

Perform a walk-through of the change management process is incorrect. A walk-through
should not be initiated until an analysis is performed to confirm that this could provide the
required assurance.
Create additional sample data to test additional changes is incorrect. It is not appropriate
for an IS auditor to create sample data for the purpose of the audit.

Question 90: Skipped


Which of the following situations is addressed by a software escrow agreement?

The system administrator requires access to software to recover from a disaster.

An IT auditor requires access to software code written by the organization.

A user requests to have software reloaded onto a replacement hard drive.

The vendor of custom-written software goes out of business.

(Correct)

Explanation
The vendor of custom-written software goes out of business is correct. A software escrow is
a legal agreement between a software vendor and a customer to guarantee access to source
code. The application source code is held by a trusted third party, according to the contract.
This agreement is necessary in the event that the software vendor goes out of business,
there is a contractual dispute with the customer or the software vendor fails to maintain an
update of the software as promised in the software license agreement.

The system administrator requires access to software to recover from a disaster is incorrect.
Access to software should be managed by an internally managed software library. Escrow
refers to the storage of software with a third party—not the internal libraries.

A user requests to have software reloaded onto a replacement hard drive is incorrect.
Providing the user with a backup copy of software is not escrow. Escrow requires that a copy
be kept with a trusted third party.

An IS auditor requires access to software code written by the organization is incorrect.
Software escrow is used to protect the intellectual property of software developed by one
organization and sold to another organization. This is not used for software being reviewed
by an auditor of the organization that wrote the software.
Question 91: Skipped
Disaster recovery planning addresses the -

functional aspect of BCP.

operational part of BCP.

overall coordination of BCP.

technological aspect of business continuity planning (BCP).

(Correct)

Explanation

Technological aspect of business continuity planning (BCP) is correct. Disaster
recovery planning (DRP) is the technological aspect of BCP that focuses on IT systems
and operations.

Operational part of BCP is incorrect. Business resumption planning addresses the
operational part of BCP.

Functional aspect of BCP is incorrect. Disaster recovery addresses the technical components
of business recovery.

Overall coordination of BCP is incorrect. The overall coordination of BCP is accomplished
through business continuity management and strategic plans. DRP addresses the technical
aspects of BCP.

Question 92: Skipped


Assume a clerk changed the interest rate for a loan on a master file. The rate entered
is outside the normal range for such a loan.

Which of the following controls is MOST effective in providing reasonable assurance
that the change was authorized?

The system will not process the change until the clerk's manager confirms the change by
entering an approval code.

(Correct)

The system displays a warning message to the clerk.

The system generates a weekly report listing all rate exceptions and the report is reviewed
by the clerk's manager.

The system requires the clerk to enter an approval code.

Explanation

The system will not process the change until the clerk’s manager confirms the change
by entering an approval code is correct. Requiring an approval code by a manager
would prevent or detect the use of an unauthorized interest rate.

The system generates a weekly report listing all rate exceptions and the report is reviewed
by the clerk’s manager is incorrect. A weekly report would inform the manager after the fact
that a change was made, thereby making it possible for transactions to use an unauthorized
rate prior to management review.
The system requires the clerk to enter an approval code is incorrect. Having a clerk enter an
approval code would not provide separation of duties and would not prevent the clerk from
entering an unauthorized rate change.

The system displays a warning message to the clerk is incorrect. A warning message would
alert the clerk in case the change was being made in error but would not prevent the clerk
from entering an unauthorized rate change.
Question 93: Skipped
Consider an organization that has just completed its annual risk assessment.
Regarding the business continuity plan, what should an IS auditor recommend as the
next step for the organization?

Review and evaluate the business continuity plan for adequacy

(Correct)

Train and educate employees regarding the business continuity plan

Notify critical contacts in the business continuity plan

Perform a full simulation of the business continuity plan

Explanation

Review and evaluate the business continuity plan for adequacy is correct. The business
continuity plan should be reviewed every time a risk assessment is completed for the
organization.

Perform a full simulation of the business continuity plan is incorrect. Performing a
simulation should be completed after the business continuity plan has been deemed
adequate for the organization.

Train and educate employees regarding the business continuity plan is incorrect. Training of
the employees should be performed after the business continuity plan has been deemed
adequate for the organization.
Notify critical contacts in the business continuity plan is incorrect. There is no reason to
notify the business continuity plan contacts at this time.
Question 94: Skipped
An IS auditor is reviewing a new web-based order entry system the week before it
goes live. The IS auditor has identified that the application, as designed, may be
missing several critical controls regarding how the system stores customer credit card
information.

The IS auditor should FIRST -

verify that security requirements have been properly specified in the project plan.

(Correct)

determine whether system administrators have disabled security controls for any reason.

validate whether security controls are based on requirements which are no longer valid.

determine whether system developers have proper training on adequate security measures.

Explanation

Verify that security requirements have been properly specified in the project plan is
correct. If there are significant security issues identified by an IS auditor, the first
question is whether the security requirements were correct in the project plan.
Whether the requirements were included in the plan would affect the
recommendations the auditor would make.

Determine whether system developers have proper training on adequate security measures
is incorrect. While it is important for programmers to understand security, it is more
important that the security requirements were properly stated in the project plan.

Determine whether system administrators have disabled security controls for any reason is
incorrect. System administrators may have made changes to the controls, but it is assumed
that the auditor is reviewing the system as designed a week prior to implementation so the
administrators have not yet configured the system.
Validate whether security controls are based on requirements which are no longer valid is
incorrect. It is possible that security requirements will change over time based on new
threats or vulnerabilities, but if critical controls are missing, this points toward a faulty
design that was based on incomplete requirements.

Question 95: Skipped


The waterfall life cycle model of software development is most appropriately used
when -

requirements are well understood and the project is subject to time pressures.

the project intends to apply an object-oriented design and programming approach.

the project will involve the use of new technology.

requirements are well understood and are expected to remain stable, as is the business
environment in which the system will operate.

(Correct)

Explanation

Requirements are well understood and are expected to remain stable, as is the
business environment in which the system will operate is correct. Historically, the
waterfall model has been best suited to stable conditions and well-defined
requirements.
Requirements are well understood and the project is subject to time pressures is incorrect.
When the degree of uncertainty of the system to be delivered and the conditions in which it
will be used rises, the waterfall model has not been successful. In these circumstances, the
various forms of iterative development life cycle give the advantage of breaking down the
scope of the overall system to be delivered, making the requirements gathering and design
activities more manageable. The ability to deliver working software earlier also acts to
alleviate uncertainty and may allow an earlier realization of benefits.
The project intends to apply an object-oriented design and programming approach is
incorrect. The choice of a design and programming approach is not, itself, a determining
factor of the type of software development life cycle that is appropriate.

The project will involve the use of new technology is incorrect. The use of new technology in
a project introduces a significant element of risk. An iterative form of development,
particularly one of the agile or exploratory methods that focuses on the early development
of actual working software, is likely to be the better option to manage this uncertainty.

Question 96: Skipped


Which of the following BEST ensures the integrity of a server's operating system?

Setting a boot password

Hardening the server configuration

(Correct)

Protecting the server in a secure location

Implementing activity logging

Explanation

Hardening the server configuration is correct. This means to configure it in the most
secure manner (install latest security patches, properly define access authorization for
users and administrators, disable insecure options and uninstall unused services) to
prevent nonprivileged users from gaining the right to execute privileged instructions
and, thus, take control of the entire machine, jeopardizing the integrity of the OS.

Protecting the server in a secure location is incorrect. This is a good practice, but it does not
ensure that a user will not try to exploit logical vulnerabilities and compromise the
operating system (OS).

Setting a boot password is incorrect. This is a good practice but does not ensure that a user
will not try to exploit logical vulnerabilities and compromise the OS.
Implementing activity logging is incorrect. This has two weaknesses in this scenario—it is a
detective control (not a preventive one), and the attacker who already gained privileged
access can modify logs or disable them.

Question 97: Skipped


A programmer maliciously modified a production program to change data and then
restored it back to the original code. Which of the following would MOST effectively
detect malicious activity?

Comparing source code

Reviewing executable and source code integrity

Reviewing system log files

(Correct)

Comparing object code

Explanation

Reviewing system log files is correct. This is the only trail that may provide
information about the unauthorized activities in the production library.

Comparing source code is incorrect. Source code comparisons are ineffective because the
original programs were restored, and the changed program does not exist.

Comparing object code is incorrect. Object code comparisons are ineffective because the
original programs were restored, and the changed program does not exist.

Reviewing executable and source code integrity is incorrect. This is an ineffective control,
because the source code was changed back to the original and will agree with the current
executable.
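Why log review succeeds where source and object comparison fail in the scenario above, as an added example that is not part of the original test; the log format, program names, user IDs and hashes are constructed, and the detection only holds if the log itself cannot be altered by the programmer:

```python
import re

# Constructed sample entries from a production library's system log (hypothetical
# format): a developer overwrites PAYROLL, a batch job runs the modified code, then
# the developer puts the released version back. LEDGER shows a normal, ticketed change.
LOG_LINES = """\
2024-03-04T01:58:10Z WRITE prog=PAYROLL user=dev42 sha256=b1f0 chg=-
2024-03-04T02:05:31Z EXEC  prog=PAYROLL user=batch sha256=b1f0 chg=-
2024-03-04T02:41:07Z WRITE prog=PAYROLL user=dev42 sha256=a7c3 chg=-
2024-03-04T09:00:00Z WRITE prog=LEDGER user=cmtool sha256=9e2d chg=CHG-0417
2024-03-05T03:00:00Z EXEC  prog=PAYROLL user=batch sha256=a7c3 chg=-
""".splitlines()

# Hashes of the released versions and of what sits in the library today (constructed).
# This is all a source or object code comparison ever sees.
RELEASED = {"PAYROLL": "a7c3", "LEDGER": "9e2d"}
CURRENT_LIBRARY = {"PAYROLL": "a7c3", "LEDGER": "9e2d"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>WRITE|EXEC)\s+prog=(?P<prog>\S+)\s+user=(?P<user>\S+)"
    r"\s+sha256=(?P<hash>\S+)\s+chg=(?P<chg>\S+)$")


def parse_log(lines):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def compare_code(released, current):
    """Code comparison: programs whose current hash differs from the release.
    Returns an empty list here because the tampered program was restored."""
    return sorted(p for p, h in current.items() if released.get(p) != h)


def find_unauthorized_writes(events):
    """WRITEs to the production library that carry no change ticket."""
    return [e for e in events if e["event"] == "WRITE" and e["chg"] == "-"]


def find_modify_restore(events, released):
    """Programs overwritten with a non-released hash and later restored to the released
    hash, together with how many times the modified code was executed in between."""
    findings = []
    open_tamper = {}  # prog -> (first tampering WRITE event, list of EXEC events since)
    for e in events:
        prog = e["prog"]
        if e["event"] == "WRITE":
            if e["hash"] != released.get(prog):
                open_tamper.setdefault(prog, (e, []))   # keep the first tampering write
            elif prog in open_tamper:
                start, runs = open_tamper.pop(prog)
                findings.append({
                    "prog": prog,
                    "user": start["user"],
                    "modified_at": start["ts"],
                    "restored_at": e["ts"],
                    "runs_while_modified": len(runs),
                })
        elif e["event"] == "EXEC" and prog in open_tamper:
            open_tamper[prog][1].append(e)
    return findings


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("code comparison differences:", compare_code(RELEASED, CURRENT_LIBRARY))
    print("unticketed writes:", [(e["ts"], e["prog"], e["user"]) for e in find_unauthorized_writes(evs)])
    print("modify/restore findings:", find_modify_restore(evs, RELEASED))
```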

Question 98: Skipped


The reliability of an application system's audit trail may be questionable if -


the security administrator has read-only rights to the audit file.

user IDs are recorded in the audit trail.

date and time stamps are recorded when an action occurs.

users can amend audit trail records when correcting system errors.

(Correct)

Explanation

Users can amend audit trail records when correcting system errors is correct. An audit
trail is not effective if the details in it can be amended.

User IDs are recorded in the audit trail is incorrect. An audit trail must record the identity of
the person or process involved in the logged activity to establish accountability.

The security administrator has read-only rights to the audit file is incorrect. Restricting the
administrator to read-only access will protect the audit file from alteration.

Date and time stamps are recorded when an action occurs is incorrect. Date and time
stamps should be recorded when an action occurs. These should be recorded in the logs to
enable the reconstruction and correlation of events on multiple systems.

Question 99: Skipped


An IS auditor finds out-of-range data in some tables of a database. Which of the
following controls should the IS auditor recommend to avoid this situation?

Log all table update transactions.

Implement before-and-after image reporting.


Use tracing and tagging.

Implement integrity constraints in the database.

(Correct)

Explanation

Implement integrity constraints in the database is correct. This is a preventive control
because data are checked against predefined tables or rules, preventing any
undefined data from being entered.

Log all table update transactions is incorrect. This is a detective control that would not help
avoid invalid data entry.
Implement before-and-after image reporting is incorrect. This is a detective control that
would not help avoid the situation.

Use tracing and tagging is incorrect. These are used to test application systems and controls
and could not prevent out-of-range data.
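An added example (not part of the test material) contrasting the preventive and detective options above in SQLite: a table whose CHECK constraints reject out-of-range rows at write time, an unconstrained table where the same data is accepted and only found afterwards by a query, and an update log that records changes without stopping them. Table names, columns and values are constructed.

```python
"""Added example: integrity constraints (preventive) beside update logging and
after-the-fact queries (detective). Schema and values are constructed."""
import sqlite3

VALID_STATUS = ("new", "paid", "shipped")


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        -- Preventive control: rules enforced by the database itself.
        CREATE TABLE orders (
            id       INTEGER PRIMARY KEY,
            quantity INTEGER NOT NULL CHECK (quantity BETWEEN 1 AND 1000),
            discount REAL    NOT NULL DEFAULT 0 CHECK (discount >= 0 AND discount <= 0.5),
            status   TEXT    NOT NULL CHECK (status IN ('new', 'paid', 'shipped'))
        );
        -- The situation the auditor found: no constraints, anything is stored.
        CREATE TABLE orders_legacy (
            id INTEGER PRIMARY KEY, quantity INTEGER, discount REAL, status TEXT
        );
        -- Detective control: every successful quantity change is logged, nothing is blocked.
        CREATE TABLE order_update_log (
            order_id INTEGER, column_name TEXT, old_value TEXT, new_value TEXT
        );
        CREATE TRIGGER log_quantity AFTER UPDATE OF quantity ON orders
        BEGIN
            INSERT INTO order_update_log VALUES (OLD.id, 'quantity', OLD.quantity, NEW.quantity);
        END;
    """)
    return con


def insert_order(con, table, quantity, discount, status) -> bool:
    """Insert one row; True if accepted, False if a constraint rejected it."""
    assert table in ("orders", "orders_legacy")  # table names cannot be bound parameters
    try:
        with con:  # commits on success, rolls back on error
            con.execute(f"INSERT INTO {table} (quantity, discount, status) VALUES (?, ?, ?)",
                        (quantity, discount, status))
        return True
    except sqlite3.IntegrityError:
        return False


def update_quantity(con, order_id, quantity) -> bool:
    """CHECK constraints also guard updates; the trigger fires only when the update succeeds."""
    try:
        with con:
            con.execute("UPDATE orders SET quantity = ? WHERE id = ?", (quantity, order_id))
        return True
    except sqlite3.IntegrityError:
        return False


def out_of_range_ids(con, table):
    """The detective query: rows already stored that break the business rules."""
    assert table in ("orders", "orders_legacy")
    rows = con.execute(
        f"SELECT id FROM {table} WHERE quantity NOT BETWEEN 1 AND 1000 "
        "OR discount < 0 OR discount > 0.5 OR status NOT IN (?, ?, ?)", VALID_STATUS
    ).fetchall()
    return [r[0] for r in rows]


def update_log_entries(con):
    return con.execute("SELECT COUNT(*) FROM order_update_log").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("constrained table accepts 0 qty:", insert_order(db, "orders", 0, 0.1, "new"))
    print("legacy table accepts 0 qty:", insert_order(db, "orders_legacy", 0, 0.1, "new"))
    print("legacy rows found only afterwards:", out_of_range_ids(db, "orders_legacy"))
```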

Question 100: Skipped


An IS auditor reviewing digital rights management applications should expect to find
extensive use for which of the following technologies?

Steganography

(Correct)

Digitalized signatures

Parsing

Hashing

Explanation
Steganography is correct. This is a technique for concealing the existence of messages
or information within another message. An increasingly important steganographical
technique is digital watermarking, which hides data within data (e.g., by encoding
rights information in a picture or music file without altering the picture or music’s
perceivable aesthetic qualities).
Digitalized signatures is incorrect. These are the scans of a signature (not the same as a
digital signature) and not related to digital rights management.

Hashing is incorrect. This creates a message hash or digest, which is used to ensure the
integrity of the message; it is usually considered a part of cryptography.

Parsing is incorrect. This is the process of splitting up a continuous stream of characters for
analytical purposes and is widely applied in the design of programming languages or in
data entry editing.

Question 101: Skipped


Sharing risk is a key factor in which of the following methods of managing risk?

Terminating risk

Transferring risk

(Correct)

Treating risk

Tolerating risk

Explanation

Transferring risk is correct. Transferring risk (e.g., by taking out an insurance policy) is a
way to share risk.

Tolerating risk is incorrect. This means that the risk is accepted, but not shared.

Terminating risk is incorrect. This would not involve sharing the risk because the
organization has chosen to terminate the process associated with the risk.
Treating risk is incorrect. There are several ways of treating or controlling the risk, which may
involve reducing or sharing the risk, but this is not as precise an answer as transferring the
risk.

Question 102: Skipped


Which of the following controls would BEST detect intrusion?

Automatic logoff of the system occurs after a specified number of unsuccessful attempts.

User IDs and user privileges are granted through authorized procedures.

Automatic logoff is used when a workstation is inactive for a particular period of time.

Unsuccessful logon attempts are monitored by the security administrator.

(Correct)

Explanation
Unsuccessful logon attempts are monitored by the security administrator is correct.
Intrusion is detected by the active monitoring and review of unsuccessful logon
attempts.
User IDs and user privileges are granted through authorized procedures is incorrect. This
defines a policy. This is a type of administrative or managerial control that may prevent
intrusion but would not detect it.

Automatic logoff is used when a workstation is inactive for a particular period of time is
incorrect. Automatic logoff is a method of preventing access through unattended or inactive
terminals but is not a detective control.

Automatic logoff of the system occurs after a specified number of unsuccessful attempts is
incorrect. Unsuccessful attempts to log on are a method for preventing intrusion, not
detecting it.

Question 103: Skipped


The PRIMARY objective of implementing corporate governance is to -

align IT with business.

control business operations.

implement good practices.

provide strategic direction.

(Correct)

Explanation

Provide strategic direction is correct. Corporate governance is a set of management
practices to provide strategic direction to the organization as a whole, thereby
ensuring that goals are achievable, the risk is properly addressed and organizational
resources are properly used. Hence, the primary objective of corporate governance is
to provide strategic direction.

Control business operations is incorrect. Business operations are directed and controlled
based on the strategic direction.

Align IT with the business is incorrect. Corporate governance applies strategic planning,
monitoring, and accountability to the entire organization, not just to IT.
Implement good practices is incorrect. Governance is applied through the use of good
practices, but this is not the objective of corporate governance.

Question 104: Skipped


During a security audit of IT processes, an IS auditor found that documented security
procedures did not exist. The IS auditor should -

issue an opinion of the current state and end the audit.


identify and evaluate existing practices.

(Correct)

conduct compliance testing on available data.

create the procedures document based on the practices.

Explanation
Identify and evaluate existing practices is correct. One of the main objectives of an
audit is to identify potential risk; therefore, the most proactive approach is to identify
and evaluate the existing security practices being followed by the organization and
submit the findings and risk to management, with recommendations to document the
current controls or enforce the documented procedures.

Create the procedures document based on the practices is incorrect. IS auditors should not
prepare documentation because the process may not be compliant with management
objectives and doing so could jeopardize their independence.

Issue an opinion of the current state and end the audit is incorrect. Ending the audit and
issuing an opinion will not address the identification of potential risks. The auditor should
evaluate the practices in place. The recommendation may still be for the organization to
develop written procedures. Terminating the audit may prevent achieving one of the basic
audit objectives—identification of potential risk.

Conduct compliance testing on available data is incorrect. Because there are no
documented procedures, there is no basis against which to test compliance.

Question 105: Skipped


An organization is developing a strategy to upgrade to a newer version of its database
software.

Which of the following tasks can an IS auditor perform without compromising the
objectivity of the IS audit function?

Recommend to the project manager how to improve the efficiency of the migration.


Review the acceptance test case documentation before the tests are carried out.

(Correct)

Advise on the adoption of application controls to the new database software.

Provide future estimates of the licensing expenses to the project team.

Explanation
Review the acceptance test case documentation before the tests are carried out is
correct. The review of the test cases will facilitate the objective of successful migration
and ensure that proper testing is conducted. An IS auditor can advise as to the
completeness of the test cases.
Advise on the adoption of application controls to the new database software is incorrect.
Independence can be compromised if the IS auditor advises on the adoption of specific
application controls.

Provide future estimates of the licensing expenses to the project team is incorrect.
Independence can be compromised if the IS auditor were to audit the estimate of future
expenses used to support a business case for management approval of the project.
Recommend to the project manager how to improve the efficiency of the migration is
incorrect. Advising the project manager on how to increase the efficiency of the migration
may compromise the IS auditor’s independence.

Question 106: Skipped


Which of the following line media would provide the BEST security for a
telecommunication network?

Dedicated lines

(Correct)

Broadband network digital transmission


Baseband network

Dial-up

Explanation

Dedicated lines is correct. These are set apart for a particular user or organization.
Because there is no sharing of lines or intermediate entry points, the risk of
interception or disruption of telecommunications messages is lower.
Broadband network digital transmission is incorrect. The secure use of broadband
communications is subject to whether the network is shared with other users, the data are
encrypted and the risk of a network interruption.

Baseband network is incorrect. A baseband network is one that is usually shared with many
other users and requires encryption of traffic but still may allow some traffic analysis by an
attacker.
Dial-up is incorrect. A dial-up line is fairly secure because it is a private connection, but it is
too slow to be considered for most commercial applications today.

Question 107: Skipped


A digital signature contains a message digest to -

show if the message has been altered after transmission.

(Correct)

define the encryption algorithm.

confirm the identity of the originator.

enable message transmission in a digital format.

Explanation
Show if the message has been altered after transmission is correct. The message
digest is calculated and included in a digital signature to prove that the message has
not been altered. The message digest sent with the message should have the same
value as the recalculation of the digest of the received message.

Define the encryption algorithm is incorrect. The message digest does not define the
algorithm; it is there to ensure integrity.
Confirm the identity of the originator is incorrect. The message digest does not confirm the
identity of the user; it is there to ensure integrity.

Enable message transmission in a digital format is incorrect. The message digest does not
enable the transmission in digital format; it is there to ensure integrity.

Question 108: Skipped


Change control for business application systems being developed using prototyping
could be complicated by the -

iterative nature of prototyping.

lack of integrated tools.

emphasis on reports and screens.

rapid pace of modifications in requirements and design.

(Correct)

Explanation

Rapid pace of modifications in requirements and design is correct. Changes in
requirements and design happen so quickly that they are seldom documented or
approved.

Iterative nature of prototyping is incorrect. A characteristic of prototyping is its iterative
nature, but it does not have an adverse effect on change control.

Emphasis on reports and screens is incorrect. A characteristic of prototyping is its emphasis
on reports and screens, but it does not have an adverse effect on change control.

Lack of integrated tools is incorrect. This is a characteristic of prototyping, but it does not
have an adverse effect on change control.

Question 109: Skipped
The PRIMARY goal of a web site certificate is -

authentication of the web site that will be surfed.

(Correct)

authentication of the user who surfs through that site.

preventing surfing of the web site by hackers.

the same purpose as that of a digital certificate.

Explanation

Authentication of the web site that will be surfed is correct. This is the primary goal of
a web certificate.
Authentication of the user who surfs through that site is incorrect. This is achieved through
passwords and not by a web site certificate.

Preventing surfing of the web site by hackers is incorrect. The site certificate does not
prevent hacking, nor does it authenticate a person.

The same purpose as that of a digital certificate is incorrect. Web site certificates may serve
the same purpose as a digital certificate, but the goal of certificates is authentication.

Question 110: Skipped


Consider that you are performing an audit in the data center when the fire alarm
begins sounding. The audit scope includes disaster recovery, so the auditor observes
the data center staff's response to the alarm.
Which of the following is the MOST important action for the data center staff to
complete in this scenario?

Ensure all persons in the data center are evacuated.

(Correct)

Remove all backups from the data center.

Notify the local fire department of the alarm condition.

Prepare to activate the fire suppression system.

Explanation

Ensure all persons in the data center are evacuated is correct. In an emergency, the
safety of life is always the first priority; therefore, the complete and orderly
evacuation of the facility staff would be the most important activity.
Notify the local fire department of the alarm condition is incorrect. Life safety is always the
first priority, and notifying the fire department of the alarm is not typically necessary
because most data center alarms are configured to automatically report to the local
authorities.

Prepare to activate the fire suppression system is incorrect. Fire suppression systems are
designed to operate automatically, and activating the system when staff is not yet
evacuated could create confusion and panic, leading to injuries or even fatalities. Manual
triggering of the system could be necessary under certain conditions, but only after all other
data center personnel are safely evacuated.

Remove all backups from the data center is incorrect. Removal of backups from the data
center is not an appropriate action because it could delay the evacuation of personnel. Most
companies would have copies of backups in offsite storage to mitigate the risk of data loss
for this type of disaster.

Question 111: Skipped


When segregation of duties concerns exist between IT support staff and end users,
what would be a suitable compensating control?

Restricting physical access to computing equipment

Locking user sessions after a specified period of inactivity

Reviewing transaction and application logs

(Correct)

Performing background checks prior to hiring IT staff

Explanation

Reviewing transaction and application logs is correct. This directly addresses the
threat posed by poor segregation of duties. The review is a means of detecting
inappropriate behavior and also discourages abuse, because people who may
otherwise be tempted to exploit the situation are aware of the likelihood of being
caught.

Restricting physical access to computing equipment is incorrect. IT support staff usually
require physical access to computing equipment to perform their job functions. It would not
be reasonable to take this away.

Performing background checks prior to hiring IT staff is incorrect. Performing background
checks is a useful control to ensure IT staff are trustworthy and competent but does not
directly address the lack of an optimal segregation of duties.

Locking user sessions after a specified period of inactivity is incorrect. This acts to prevent
unauthorized users from gaining system access, but the issue of a lack of segregation of
duties is more the misuse (deliberately or inadvertently) of access privileges that have
officially been granted.

Question 112: Skipped


A comprehensive and effective email policy should address the issues of email
structure, policy enforcement, monitoring and -

rebuilding.

reuse.

retention.

(Correct)

recovery.

Explanation

Retention is correct. Besides being a good practice, laws and regulations may require an
organization to keep information that has an impact on the financial statements. The
prevalence of lawsuits in which email communication is held in the same regard as the
official form of classic paper makes the retention policy of corporate email a necessity. All
email generated on an organization’s hardware is the property of the organization, and an
email policy should address the retention of messages, considering both known and
unforeseen litigation. The policy should also address the destruction of emails after a
specified time to protect the nature and confidentiality of the messages themselves.
Recovery is incorrect. Email policy should address the business and legal requirements of
email retention. Addressing the retention issue in the email policy would facilitate recovery.

Rebuilding is incorrect. Email policy should address the business and legal requirements of
email retention. Addressing the retention issue in the email policy would facilitate
rebuilding.

Reuse is incorrect. Email policy should address the business and legal requirements of
email retention. Reuse of email is not a policy matter.

Question 113: Skipped
The purpose of a checksum on an amount field in an electronic data interchange
communication of financial transactions is to ensure -

nonrepudiation.

authenticity.


integrity.

(Correct)

authorization.

Explanation

Integrity is correct. A checksum that is calculated on an amount field and included in
the electronic data interchange communication can be used to identify unauthorized
modifications.

Authenticity is incorrect. This cannot be established by a checksum alone and needs other
controls.
Authorization is incorrect. This cannot be established by a checksum alone and needs other
controls.

Nonrepudiation is incorrect. This can be ensured by using digital signatures.

Question 114: Skipped


To ensure compliance with a security policy requiring that passwords be a
combination of letters and numbers, an IS auditor should recommend that -

an automated password management tool be used.

(Correct)

passwords are periodically changed.

the company policy be changed.

security awareness training is delivered.

Explanation
An automated password management tool be used is correct. The use of an
automated password management tool is a preventive control measure. The software
would prevent repetition (semantic) and would enforce syntactic rules, thus making
the passwords robust. It would also provide a method for ensuring frequent changes
and would prevent the same user from reusing his/her old password for a designated
period of time.

The company policy be changed is incorrect. The policy is appropriate and does not require
change. Changing the policy would not ensure compliance.
Passwords are periodically changed is incorrect. Having a requirement to periodically
change passwords is good practice and should be in the password policy.

Security awareness training is delivered is incorrect. Security awareness training would not
enforce compliance.

Question 115: Skipped


During the planning phase of an IS compliance audit, which of the following is
the BEST factor for determining the required extent of data collection?

Auditor's familiarity with the organization

Complexity of the organization's operation

Purpose, objective and scope of the audit

(Correct)

Findings and issues noted from the prior year

Explanation

Purpose, objective and scope of the audit is the correct answer. The extent to which
data will be collected during an IS audit is related directly to the purpose, objective
and scope of the audit. An audit with a narrow purpose and limited objective and
scope is most likely to result in less data collection than an audit with a wider purpose
and scope. Statistical analysis may also determine the extent of data collection, such
as sample size or means of data collection.
Complexity of the organization’s operation is incorrect. The complexity of the organization’s
operation is a factor in the planning of an audit but does not directly affect the
determination of how much data to collect. The extent of data collection is subject to the
intensity, scope, and purpose of the audit.

Findings and issues noted from the prior year is incorrect. Prior findings and issues are
factors in the planning of an audit but do not directly affect the determination of how much
data to collect. Data must be collected outside of areas of previous findings.

Auditor’s familiarity with the organization is incorrect. An auditor’s familiarity with the
organization is a factor in the planning of an audit but does not directly affect the
determination of how much data to collect. The audit must be based on sufficient evidence
of the monitoring of controls and not unduly influenced by the auditor’s familiarity with the
organization.
Question 116: Skipped
When shared user accounts are discovered, which of the following is
the MOST appropriate action for an IS auditor to take? To -

request that the IDs be removed from the system.

inform the audit committee of the potential issue.

document the finding and explain the risk of using shared IDs.

(Correct)

review audit logs for the IDs in question.

Explanation
Document the finding and explain the risk of using shared IDs is correct. An IS
auditor’s role is to detect and document findings and control deficiencies. Part of the
audit report is to explain the reasoning behind the findings. The use of shared IDs is
not recommended because it does not allow for the accountability of transactions. An
IS auditor defers to management to decide how to respond to the findings presented.
Inform the audit committee of the potential issue is incorrect. It is not appropriate for an IS
auditor to report findings to the audit committee before conducting a more detailed review
and presenting them to management for a response.

Review audit logs for the IDs in question is incorrect. This would not be useful because
shared IDs do not provide for individual accountability.

Request that the IDs be removed from the system is incorrect. Deciding on and applying the
corrective action is not the role of an IS auditor.

Question 117: Skipped


The application systems of an organization using open-source software have no single
recognized developer producing patches.

Which of the following would be the MOST secure way of updating open-source
software?

Rewrite the patches and apply them.

Develop in-house patches.

Review the code and application of available patches.

Identify and test suitable patches before applying them.

(Correct)

Explanation

Identify and test suitable patches before applying them is correct. Suitable patches
from the existing developers should be selected and tested before applying them.

Rewrite the patches and apply them is incorrect. This would require skilled resources and
time to rewrite the patches.

Review the code and application of available patches is incorrect. Code review could be
possible, but tests need to be performed before applying the patches.
Develop in-house patches is incorrect. Because the system was developed outside the
organization, the IT department may not have the necessary skills and resources to develop
patches.

Question 118: Skipped


There are several methods of providing telecommunication continuity. The method of
routing traffic through split cable or duplicate cable facilities is called -

long-haul network diversity.

diverse routing.

(Correct)

last-mile circuit protection.

alternative routing.

Explanation

Diverse routing is correct. This routes traffic through split-cable facilities or
duplicate-cable facilities. This can be accomplished with different and/or duplicate cable
sheaths. If different cable sheaths are used, the cable may be in the same conduit and,
therefore, subject to the same interruptions as the cable it is backing up. The
communication service subscriber can duplicate the facilities by having alternate
routes, although the entrance to and from the customer premises may be in the same
conduit. The subscriber can obtain diverse routing and alternate routing from the
local carrier, including dual-entrance facilities. This type of access is time consuming
and costly.

Alternative routing is incorrect. This is a method of routing information via an alternate
medium such as copper cable or fiber optics. This involves the use of different networks,
circuits or end points should the normal network be unavailable.

Long-haul network diversity is incorrect. This is a diverse, long-distance network using
different packet switching circuits among the major long-distance carriers. It ensures long-
distance access should any carrier experience a network failure.

Last-mile circuit protection is incorrect. This is a redundant combination of local carrier T-1s
(E-1s in Europe), microwave and/or coaxial cable access to the local communications loop.
This enables the facility to have access during a local carrier communication disaster.
Alternate local-carrier routing is also used.

Question 119: Skipped


An IS auditor evaluating the resilience of a high-availability network should be MOST
concerned if -

diverse routing is implemented for the network.

a hot site is ready for activation.

the setup is geographically dispersed.

the servers are clustered in one site.

(Correct)

Explanation

The servers are clustered in one site is correct. A clustered setup in one site makes the
entire network vulnerable to natural disasters or other disruptive events.
The setup is geographically dispersed is incorrect. Dispersed geographic locations provide
backup if a site has been destroyed.

A hot site is ready for activation is incorrect. A hot site would also be a good alternative for
a single-point-of-failure site.

Diverse routing is implemented for the network is incorrect. Diverse routing provides
telecommunications backup if a network is not available.
Question 120: Skipped
Which of the following is the BEST indicator of the effectiveness of backup and
restore procedures while restoring data after a disaster?


Members of the recovery team were available.

Recovery time objectives were met.

(Correct)

Inventory of backup tapes was properly maintained.

Backup tapes were completely restored at an alternate site.

Explanation

Recovery time objectives (RTOs) were met is correct. The effectiveness of backup and
restore procedures is best demonstrated by the RTOs being met, because these are the
requirements that are critically defined during the business impact analysis stage, with
the inputs and involvement of all business process owners.

Members of the recovery team were available is incorrect. The availability of key personnel
does not ensure that backup and restore procedures will work effectively.
Inventory of backup tapes was properly maintained is incorrect. The inventory of the backup
tapes is only one element of the successful recovery.
Backup tapes were completely restored at an alternate site is incorrect. The restoration of
backup tapes is a critical success, but only if they were able to be restored within the time
frames set by the RTO.

Question 121: Skipped


Which of the following will MOST successfully identify overlapping key controls in
business application systems?

Submitting test transactions through an integrated test facility

Reviewing system functionalities that are attached to complex business processes


Testing controls to validate that they are effective

Replacing manual monitoring with an automated auditing solution

(Correct)

Explanation

Replacing manual monitoring with an automated auditing solution is correct. As part
of the effort to realize continuous audit management, there are cases for introducing
an automated monitoring and auditing solution. All key controls need to be clearly
aligned for systematic implementation; thus, analysts can discover unnecessary or
overlapping key controls in existing systems.

Reviewing system functionalities that are attached to complex business processes is
incorrect. In general, highly complex business processes may have more key controls than
business areas with less complexity; however, finding, with certainty, unnecessary controls in
complex areas is not always possible. If a well-thought-out key control structure was
established from the beginning, finding any overlap in key controls will not be possible.

Submitting test transactions through an integrated test facility is incorrect. An integrated
test facility is an audit technique to test the accuracy of the processes in the application
system. It may find control flaws in the application system, but it would be difficult to find
the overlap in key controls.

Testing controls to validate that they are effective is incorrect. By testing controls to validate
whether they are effective, the IS auditor can identify whether there are overlapping
controls; however, the process of implementing an automated auditing solution would
better identify overlapping controls.

Question 122: Skipped


An IS auditor should ensure that review of online electronic funds transfer
reconciliation procedures should include -

vouching.

tracing.

(Correct)

corrections.

authorizations.

Explanation

Tracing is correct. This is a transaction reconciliation effort that involves following the
transaction from the original source to its final destination. In electronic funds
transfer transactions, the direction on tracing may start from the customer-printed
copy of the receipt, proceed to check the system audit trails and logs, and end with
checking the master file records for daily transactions.
Vouching is incorrect. This is usually performed during the fund transfer, not during the
reconciliation effort.

Authorizations is incorrect. In online processing, authorizations are normally done
automatically by the system, not during the reconciliation.

Corrections are incorrect. These entries should be reviewed during a reconciliation; however,
they are normally done by an individual other than the person entrusted to do
reconciliations and are not as important as tracing.

Question 123: Skipped


An organization is reviewing its contract with a cloud computing provider. For which
of the following reasons would the organization want to remove a lock-in clause from
the cloud service contract?

Agility

Portability

(Correct)

Scalability


Availability

Explanation

Portability is correct. When drawing up a contract with a cloud service provider, the
ideal practice is to remove the customer lock-in clause. It may be important for the
client to secure portability of their system assets (i.e., the right to transfer from one
vendor to another).

Availability is incorrect. Removing the customer lock-in clause will not secure availability of
the systems resources stored in a cloud computing environment.

Agility is incorrect. This refers to efficiency of solutions enabling organizations to respond to
business needs faster. This is a desirable quality of cloud computing.

Scalability is incorrect. This is the strength of cloud computing through the ability to adjust
service levels according to changing business circumstances. Therefore, this is not the best
option.

Question 124: Skipped


What is a risk associated with attempting to control physical access to sensitive areas
such as computer rooms using card keys or locks?

The contingency plan for the organization cannot effectively test controlled access practices.

Unauthorized individuals wait for controlled doors to open and walk in behind those
authorized.

(Correct)

Access cards, keys and pads can be easily duplicated allowing easy compromise of the
control.

Removing access for those who are no longer authorized is complex.

Explanation
Unauthorized individuals wait for controlled doors to open and walk in behind those
authorized is correct. Piggybacking or tailgating can compromise the physical access
controls.

The contingency plan for the organization cannot effectively test controlled access practices
is incorrect. The testing of controlled access would be of minimal concern in a disaster
recovery environment.

Access cards, keys and pads can be easily duplicated allowing easy compromise of the
control is incorrect. Duplicating modern access control cards or keys is technically challenging
(older low-frequency proximity cards with no cryptographic protection are a known exception),
so this is not the primary risk.

Removing access for those who are no longer authorized is complex is incorrect. An access
control system should have easily followed procedures for managing user access
throughout the access life cycle.
Question 125: Skipped
Documentation of a business case used in an IT development project should be
retained until -

the project is approved.

the end of the system's life cycle.

(Correct)

the system is in production.

user acceptance of the system.

Explanation

The end of the system’s life cycle is correct. A business case can and should be used
throughout the life cycle of the product. It serves as an anchor for new (management)
personnel, helps to maintain focus and provides valuable information on estimates
versus actuals. Questions such as “Why do we do that?”, “What was the original
intent?” and “How did we perform against the plan?” can be answered, and lessons
for developing future business cases can be learned.
The project is approved is incorrect. The business case should be retained even after project
approval to provide the ability to review and validate the business case once the project is
implemented.

User acceptance of the system is incorrect. The business case will be retained throughout
the system development life cycle for later reference and validation.

The system is in production is incorrect. Once the system is in production, the business case
can be validated to ensure that the promised costs and benefits were correct.

Question 126: Skipped


Assume that an IS auditor is reviewing security controls for a critical web-based
system prior to implementation. The results of the penetration test are inconclusive,
and the results will not be finalized prior to implementation.

Which of the following is the BEST option for the IS auditor?

Publish a report omitting the areas where the evidence obtained from testing was
inconclusive.

Publish a report based on the available information, highlighting the potential security
weaknesses and the requirement for follow-up audit testing.

(Correct)

Inform management that audit work cannot be completed prior to implementation and
recommend that the audit be postponed.

Request a delay of the implementation date until additional security testing can be
completed and evidence of appropriate controls can be obtained.

Explanation

Publish a report based on the available information, highlighting the potential
security weaknesses and the requirement for follow-up audit testing is correct. If the
IS auditor cannot gain sufficient assurance for a critical system within the agreed-on
time frame, this fact should be highlighted in the audit report and follow-up testing
should be scheduled for a later date. Management can then determine whether any of
the potential weaknesses identified were significant enough to delay the go-live date
for the system.
Publish a report omitting the areas where the evidence obtained from testing was
inconclusive is incorrect. It is not acceptable for the IS auditor to ignore areas of potential
weakness because conclusive evidence could not be obtained within the agreed-on audit
time frame. ISACA IS Audit and Assurance Standards are violated if these areas are omitted
from the audit report.

Request a delay of the implementation date until additional security testing can be
completed and evidence of appropriate controls can be obtained is incorrect. Extending the
time frame for the audit and delaying the go-live date is unlikely to be acceptable in this
scenario where the system involved is business-critical. In any case, a delay to the go-live
date must be the decision of business management, not the IS auditor. In this scenario, the
IS auditor should present business management with all available information by the
agreed-on date.

Inform management that audit work cannot be completed prior to implementation and
recommend that the audit be postponed is incorrect. Failure to obtain sufficient evidence in
one part of an audit engagement does not justify canceling or postponing the audit; this
violates the audit guideline concerning due professional care.

Question 127: Skipped


Value delivery from IT to the business is MOST effectively achieved by -

providing a positive return on investment.

embedding accountability in the enterprise.

aligning the IT strategy with the enterprise strategy.

(Correct)

establishing an enterprisewide risk management process.

Explanation
Aligning the IT strategy with the enterprise strategy is correct. IT’s value delivery to
the business is driven by aligning IT with the enterprise’s strategy.
Embedding accountability in the enterprise is incorrect. Embedding accountability in the
enterprise promotes risk management (another element of corporate governance).
Providing a positive return on investment is incorrect. While the return on investment is
important, it is not the only criterion by which the value of IT is assessed.

Establishing an enterprise-wide risk management process is incorrect. Enterprise-wide risk
management is critical to IT governance; however, by itself, it will not guarantee that IT
delivers value to the business unless the IT strategy is aligned with the enterprise strategy.
Question 128: Skipped
IS control objectives are useful to IS auditors because they provide the basis for
understanding the -

desired result or purpose of implementing specific control procedures.

(Correct)

best IS security control practices relevant to a specific entity.

security policy.

techniques for securing information.

Explanation

Desired result or purpose of implementing specific control procedures is correct. An IS
control objective is defined as the statement of the desired result or purpose to be achieved
by implementing control procedures in a particular IS activity.

Best IS security control practices relevant to a specific entity is incorrect. Control objectives
provide the actual objectives for implementing controls and may or may not be based on good
practices.

Techniques for securing information is incorrect. Techniques are the means of achieving an
objective, but it is more important to know the reason and objective for the control than to
understand the technique itself.

A security policy is incorrect. This mandates the use of IS controls, but the controls are not
used to understand policy.
Question 129: Skipped
Which of the following IT governance good practices improves strategic alignment?

Top management mediates between the imperatives of business and technology.

(Correct)

Supplier and partner risk is managed.

A knowledge base on customers, products, markets and processes is in place.

A structure is provided that facilitates the creation and sharing of business information.

Explanation

Top management mediates between the imperatives of business and technology is correct.
This is an IT strategic alignment good practice.

Supplier and partner risk is managed is incorrect. This is a risk management good practice
but not a strategic function.

A knowledge base on customers, products, markets and processes is in place is incorrect.
This is an IT value delivery good practice but does not ensure strategic alignment.

A structure is provided that facilitates the creation and sharing of business information is
incorrect. This is an IT value delivery and risk management good practice but is not as
effective as top management involvement in business and technology alignment.

Question 130: Skipped


Who should review and approve system deliverables as they are defined and
accomplished to ensure the successful completion and implementation of a new
business system application?

Senior management

Quality assurance staff

User management

(Correct)

Project steering committee

Explanation
User management is correct. This group assumes ownership of the project and
resulting system, allocates qualified representatives to the team and actively
participates in system requirements definition, acceptance testing and user training.
User management should review and approve system deliverables as they are defined
and accomplished, or implemented.

A project steering committee is incorrect. This group provides overall direction, ensures
appropriate representation of the major stakeholders in the project’s outcome, reviews
project progress regularly and holds emergency meetings when required. A project steering
committee is ultimately responsible for all deliverables, project costs, and schedules.

Senior management is incorrect. This group demonstrates a commitment to the project and
approves the necessary resources to complete the project. This commitment from senior
management helps ensure involvement by those who are needed to complete the project.

Quality assurance staff is incorrect. This group reviews results and deliverables within each
phase, and at the end of each phase confirms compliance with standards and requirements.
The timing of reviews depends on the system development life cycle methodology used, the
structure and magnitude of the system, and the impact of potential deviation.

Question 131: Skipped


Which of the following has the MOST significant impact on the success of an
application systems implementation?

The software reengineering technique

The overall organizational environment

(Correct)

The prototyping application development methodology

Compliance with applicable external requirements

Explanation
The overall organizational environment is correct. This has the most significant impact
on the success of applications systems implemented. This includes the alignment
between IT and the business, the maturity of the development processes and the use
of change control and other project management tools.
The prototyping application development methodology is incorrect. This reduces the time
to deploy systems primarily by using faster development tools that allow a user to see a
high-level view of the workings of the proposed system within a short period of time. The
use of any one development methodology will have a limited impact on the success of the
project.

Compliance with applicable external requirements is incorrect. This has an impact on the
implementation success, but the impact is not as significant as the impact of the overall
organizational environment.

The software reengineering technique is incorrect. This is a process of updating an existing
system by extracting and reusing design and program components. It is used to support
major changes in the way an organization operates. Its impact on the success of the
application systems that are implemented is small compared with the impact of the overall
organizational environment.
Question 132: Skipped
Which of the following audit techniques provides the BEST evidence of the segregation
of duties in an IT department?

Discussion with management

Testing of user access rights

Review of the organization chart

Observation and interviews

(Correct)

Explanation

Observation and interviews is correct. Based on the observations and interviews, the
IS auditor can evaluate the segregation of duties. By observing the IT staff performing
their tasks, an IS auditor can identify whether they are performing any incompatible
operations. By interviewing the IT staff, the auditor can get an overview of the tasks
performed.

Discussion with management is incorrect. Management may not be aware of the detailed
functions of each employee in the IT department and whether the controls are being
followed. Therefore, discussion with the management provides only limited information
regarding the segregation of duties.

A review of the organization chart is incorrect. An organization chart does not provide
details of the functions of the employees or whether the controls are working correctly.

The testing of user access rights is incorrect. This provides information about the rights
users have within the IS systems but does not provide complete information about the
functions they perform. Observation is a better option because user rights can be changed
between audits.
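An added example (written for this page, not from the exam material) of what testing user access rights can and cannot show: the script detects users holding conflicting entitlement pairs in an access extract, and reports how rights drifted between two extracts, which is the gap the explanation above points to when rights change between audits. The conflict matrix, the entitlement names and the extract format are assumptions made for the example.

```python
"""Segregation-of-duties test over user entitlement extracts.

The entitlement snapshots and the conflict matrix below are constructed for
this example; the entitlement names and extract layout are assumptions, not a
real IAM system's export format.
"""

# Constructed entitlement extract from the previous audit (user -> rights).
ENTITLEMENTS_JAN = {
    "alice": {"develop_code", "run_unit_tests"},
    "bob": {"deploy_to_production", "manage_change_tickets"},
    "carol": {"create_vendor", "approve_payment"},
    "dave": {"database_admin"},
}

# Constructed extract taken at the current audit; alice has since been granted
# production deployment rights and dave has picked up security administration.
ENTITLEMENTS_MAR = {
    "alice": {"develop_code", "run_unit_tests", "deploy_to_production"},
    "bob": {"deploy_to_production", "manage_change_tickets"},
    "carol": {"create_vendor", "approve_payment"},
    "dave": {"database_admin", "security_admin"},
}

# Pairs of rights one person should not hold together (assumed conflict matrix).
SOD_CONFLICTS = [
    ("develop_code", "deploy_to_production"),
    ("create_vendor", "approve_payment"),
    ("database_admin", "security_admin"),
]


def find_sod_conflicts(entitlements, conflicts=SOD_CONFLICTS):
    """Return sorted (user, right_a, right_b) triples for every conflicting pair held."""
    hits = []
    for user, rights in entitlements.items():
        for a, b in conflicts:
            if a in rights and b in rights:
                hits.append((user, a, b))
    return sorted(hits)


def rights_drift(before, after):
    """Return {user: (added, removed)} for users whose rights changed between extracts.

    Users present in only one extract are reported with all their rights as
    added or removed, so joiners and leavers show up as well.
    """
    drift = {}
    for user in sorted(set(before) | set(after)):
        old, new = before.get(user, set()), after.get(user, set())
        if old != new:
            drift[user] = (frozenset(new - old), frozenset(old - new))
    return drift


if __name__ == "__main__":
    print("Conflicts now:", find_sod_conflicts(ENTITLEMENTS_MAR))
    for user, (added, removed) in rights_drift(ENTITLEMENTS_JAN, ENTITLEMENTS_MAR).items():
        print(f"{user}: +{sorted(added)} -{sorted(removed)}")
```

The point the explanation makes still stands: the extract shows what rights exist in the system, but only observation shows whether, say, bob actually performs alice's deployments on request or whether someone works under a shared account the extract attributes to another person.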

Question 133: Skipped


Suppose as an IS auditor you are developing an audit plan for an environment that
includes new systems. The organization’s management wants you to focus on recently
implemented systems. How should you respond as an IS auditor?

Audit systems not included in last year’s scope.

Determine the highest-risk systems and plan accordingly.

(Correct)


Audit the new systems as requested by management.

Audit both the systems not in last year’s scope and the new systems

Explanation

Determine the highest-risk systems and plan accordingly is the correct answer. The
best action is to conduct a risk assessment and design the audit plan to cover the
areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in
Planning), statement 1202.1: “The IS audit and assurance function shall use an
appropriate risk assessment approach and supporting methodology to develop the
overall IS audit plan and determine priorities for the effective allocation of IS audit
resources.”

Audit the new systems as requested by management is incorrect and does not reflect a risk-
based approach. Although the new system may contain sensitive data and may present a risk of
data loss or disclosure to the organization, without a risk assessment the decision to solely
audit the newly implemented system is not a risk-based decision.

Audit systems not included in last year’s scope is incorrect and does not reflect a risk-based
approach. In addition, management may know about problems with the new system and
may be intentionally trying to steer the audit away from that vulnerable area. Although at
first the new system may seem to be the riskiest area, an assessment must be conducted
rather than relying on the judgment of the IS auditor or IT manager.

Audit both the systems not in last year’s scope and the new systems is incorrect. The
creation of the audit plan should be performed in cooperation with management and based
on risk. The IS auditor should not arbitrarily decide on what needs to be audited.

Question 134: Skipped


The IS auditor is reviewing an organization's human resources (HR) database
implementation. The IS auditor discovers that the database servers are clustered for
high availability, all default database accounts have been removed and database audit
logs are kept and reviewed on a weekly basis.

What other areas should the IS auditor check to ensure that the databases are
appropriately secured?

Database administrators are restricted from access to HR data.

Database stored procedures are encrypted.

Database logs are encrypted.

Database initialization parameters are appropriate.

(Correct)

Explanation

Database initialization parameters are appropriate is correct. When a database is
opened, many of its configuration options are governed by initialization parameters.
These parameters are usually held in a file (“init.ora” in the case of the Oracle
Database Management System) that contains many settings. The initialization
parameters address many “global” database settings, including authentication,
remote access and other critical security areas. To effectively audit a database
implementation, the IS auditor must examine the database initialization parameters.

Database administrators are restricted from access to HR data is incorrect. Database
administrators normally have access to all data on the server, and there is rarely a practical
technical control to prevent that; their activity is instead covered by the audit logs that are
already kept and reviewed. Therefore, this would not be the next area to check.

Database logs are encrypted is incorrect. Database audit logs normally would not contain
the confidential HR records themselves; therefore, encrypting the log files is not required.

Database stored procedures are encrypted is incorrect. If a stored procedure contains a
security sensitive function such as encrypting data, it can be a requirement to encrypt the
stored procedure. However, this is less critical than ensuring initialization parameters are
correct.
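An added example (written for this page, not taken from Oracle documentation or from the exam material) of how an auditor might check initialization parameters mechanically rather than by eye: it parses init.ora-style text and compares a handful of security-relevant parameters against expected values. The baseline is an assumed, illustrative subset rather than a complete hardening standard, the parameter file is constructed, and a parameter the file does not set is flagged for confirmation against the running instance instead of being assumed safe.

```python
"""Check Oracle-style initialization parameters against a security baseline.

The parameter file text is constructed for this example, and the baseline is an
illustrative subset of settings an auditor would look at (assumed expected
values); it is not a complete or vendor-endorsed hardening standard.
"""
import re

# Constructed init.ora-style content. Both "name=value" and spfile-style
# "*.name=value" lines occur in practice, as do quoted values and comments.
INIT_ORA = """\
# HR production database
db_name='HRPROD'
*.remote_os_authent=TRUE
remote_os_roles=FALSE
o7_dictionary_accessibility=FALSE
remote_login_passwordfile='EXCLUSIVE'
audit_trail=NONE
sec_case_sensitive_logon=TRUE
processes=300
"""

# Assumed baseline: parameter -> set of acceptable values (lower-cased).
BASELINE = {
    "remote_os_authent": {"false"},
    "remote_os_roles": {"false"},
    "o7_dictionary_accessibility": {"false"},
    "remote_login_passwordfile": {"exclusive", "none"},
    "sec_case_sensitive_logon": {"true"},
    "sql92_security": {"true"},
    "audit_trail": {"db", "db,extended", "os", "xml", "xml,extended"},
}

PARAM_RE = re.compile(r"^(?:\*\.)?(?P<name>[A-Za-z0-9_]+)\s*=\s*(?P<value>.+?)\s*$")


def parse_init_parameters(text):
    """Return {parameter_name_lower: value} from init.ora-style text."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = PARAM_RE.match(line)
        if m is None:
            continue
        value = m["value"].strip().strip("'\"")
        params[m["name"].lower()] = value
    return params


def check_parameters(params, baseline=BASELINE):
    """Compare parameters to the baseline and return (name, value, message) findings.

    A parameter that is not set explicitly is flagged too: its effective value
    then comes from the release default and must be confirmed in V$PARAMETER
    on the running instance.
    """
    findings = []
    for name, allowed in baseline.items():
        if name not in params:
            findings.append((name, None, "not set explicitly; confirm effective value"))
        elif params[name].lower().replace(" ", "") not in allowed:
            findings.append((name, params[name], f"value not in allowed set {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    for name, value, msg in check_parameters(parse_init_parameters(INIT_ORA)):
        print(f"{name}={value!r}: {msg}")
```

On the constructed file this flags remote_os_authent=TRUE (operating-system-trusted remote logons), audit_trail=NONE (no database audit trail, which would contradict the weekly log review in the scenario) and the absence of sql92_security; the remaining parameters match the baseline.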

Question 135: Skipped


An IS auditor is evaluating management's risk assessment of information systems.

The IS auditor should FIRST review -

effectiveness of the controls.

controls in place.

threats/vulnerabilities affecting the assets.

(Correct)

mechanism for monitoring the risk.

Explanation
Threats/vulnerabilities affecting the assets is correct. One of the key factors to be
considered while assessing the information systems risk is the value of the systems
(the assets) and the threats and vulnerabilities affecting the assets. The risk related to
the use of information assets should be evaluated in isolation from the installed
controls.

Controls in place is incorrect. The controls are irrelevant until the IS auditor knows the
threats and risks that the controls are intended to address.

The effectiveness of the controls is incorrect. The effectiveness of the controls must be
measured in relation to the risk (based on assets, threats, and vulnerabilities) that the
controls are intended to address.
The mechanism for monitoring the risk is incorrect. The first step must be to determine the
risk that is being managed before reviewing the mechanism of monitoring risk.

Question 136: Skipped


Which of the following would be expected to approve the audit charter?

Chief executive officer

Audit committee

(Correct)

Chief financial officer

Audit steering committee

Explanation

Audit committee is correct. One of the primary functions of the audit committee is to
create and approve the audit charter.

The chief financial officer (CFO) is incorrect. The CFO does not approve the audit charter but may
be responsible for allocating funds in support of the audit charter. The CFO may also be a
part of the audit committee or audit steering committee but would not approve the charter
alone.

The chief executive officer (CEO) is incorrect. The CEO does not approve the audit charter. The
CEO may be informed, but the audit committee is independent of the CEO.

Audit steering committee is incorrect. The steering committee would most likely be
composed of various members of senior management whose purpose is to work under the
framework of the audit charter and would not approve the charter itself.

Question 137: Skipped


Which of the following is MOST important when an operating system patch is to be
applied to a production environment?

Patch installation at alternate sites

Approval from the security officer

Successful regression testing by the developer

Approval from the information asset owner

(Correct)

Explanation
Approval from the information asset owner is correct. It is most important that
information owners approve any changes to production systems to ensure that no
serious business disruption takes place as the result of the patch release.

Successful regression testing by the developer is incorrect. While testing is important for
any patch, in this case it should be assumed that the operating system (OS) vendor tested
the patch before releasing it. Before this OS patch is put into production, the organization
should do system testing to ensure that no issues will occur.

Approval from the security officer is incorrect. The security officer does not normally need to
approve every OS patch.

Patch installation at alternate sites is incorrect. Security patches need to be deployed
consistently across the organization, including alternate sites. However, approval from the
information asset owner is still the most important consideration.

Question 138: Skipped


As an IS auditor, you are reviewing the third-party agreement for a new cloud-based
accounting service provider.

Which of the following would be your MOST important consideration with regard to
the privacy of the accounting data?

Data retention, backup and recovery

Return or destruction of information

(Correct)

A patch management process

Network and intrusion detection

Explanation

Return or destruction of information is correct. When reviewing a third-party
agreement, the most important consideration with regard to the privacy of the data is
the clause concerning the return or secure destruction of information at the end of
the contract.

Data retention, backup and recovery is incorrect. These are important controls; however,
they do not guarantee data privacy.

Network and intrusion detection is incorrect. These are helpful when securing the data, but
on their own, they do not guarantee the privacy of data stored at a third-party provider.

A patch management process is incorrect. This helps secure servers and may prevent
unauthorized disclosure of data; however, it does not by itself address the privacy of the data.
Question 139: Skipped
A human resources company offers wireless Internet access to its guests, after
authenticating with a generic user ID and password. The generic ID and password are
requested from the reception desk.

Which of the following controls BEST addresses the situation?

A stateful inspection firewall is used between the public wireless and company networks.

The password for the wireless network is changed on a weekly basis.

The public wireless network is physically segregated from the company network.

(Correct)

An intrusion detection system is deployed within the wireless network.

Explanation

The public wireless network is physically segregated from the company network is
correct. Keeping the wireless network physically separate from the company network
is the best way to secure the company network from intrusion.

The password for the wireless network is changed on a weekly basis is incorrect. Changing
the password for the wireless network does not secure against unauthorized access to the
company network, especially because a guest could gain access to the wireless local area
network at any time prior to the weekly password change.

A stateful inspection firewall is used between the public wireless and company networks is
incorrect. A stateful inspection firewall will screen all packets from the wireless network into
the company network; however, the configuration of the firewall would need to be audited,
and a firewall compromise or misconfiguration, although unlikely, is possible.

An intrusion detection system is deployed within the wireless network is incorrect. An
intrusion detection system will detect intrusions but will not prevent unauthorized
individuals from accessing the network.

Question 140: Skipped


The PRIMARY objective of the audit initiation meeting with an IS audit client is to -

collect audit evidence.

identify resource requirements of the audit.

select the methodology of the audit.

discuss the scope of the audit.

(Correct)

Explanation
Discuss the scope of the audit is correct. The primary objective of the initial meeting
with an audit client is to help define the scope of the audit.

Identify resource requirements of the audit is incorrect. Determining the resource
requirements of the IS audit is typically done by IS audit management during the early
planning phase of the project rather than at the initiation meeting.

Select the methodology of the audit is incorrect. Selecting the methodology of the audit is
not normally an objective of the initiation meeting.

Collect audit evidence is incorrect. For most audits, collecting audit evidence is performed
during the course of the engagement and is not normally collected during the initiation
meeting.
Question 141: Skipped
When implementing an IT governance framework in an organization the MOST
important objective is -

IT alignment with the business.

(Correct)

enhancing the return on IT investments.

value realization with IT.

accountability.

Explanation

IT alignment with the business is correct. The goals of IT governance are to improve IT
performance, deliver optimum business value and ensure regulatory compliance. The key
practice in support of these goals is the strategic alignment of IT with the business. To
achieve alignment, all other choices need to be tied to business practices and strategies.

Accountability is incorrect. This is important, but the most important objective of IT
governance is to ensure that IT investment and oversight is aligned with business
requirements.

Value realization with IT is incorrect. IT must demonstrate value to the organization, but this
value is dependent on the ability of IT to align with, and support, business requirements.

Enhancing the return on IT investments is incorrect. Enhancing return is a requirement of
the IT governance framework, but this requirement is only demonstrated through aligning
IT with business requirements.

Question 142: Skipped


Which of the following is the GREATEST risk when storage growth in a critical file
server is not managed properly?

Storage operational costs would significantly increase.

Backup operational costs would significantly increase.

Backup time would steadily increase.

Server recovery work may not meet the recovery time objective.

(Correct)

Explanation

Server recovery work may not meet the recovery time objective (RTO) is correct. In
case of a crash, recovering a server holding an extensive amount of data could require a
significant amount of time. If the recovery cannot meet the RTO, the restoration will fall
short of what the business continuity strategy assumes. It is important to ensure that
server restoration can meet the RTO.

Backup time would steadily increase is incorrect. Backup time may increase, but that can be
managed. The most important issue is the time taken to recover the data.

Backup operational costs would significantly increase is incorrect. The backup cost issues are
not as significant as not meeting the RTO.
Storage operational costs would significantly increase is incorrect. The storage cost issues
are not as significant as not meeting the RTO.

Question 143: Skipped


The MOST important factor in planning a black box penetration test is -

knowledge by the management staff of the client organization.

(Correct)

the documentation of the planned testing procedure.


scheduling and deciding on the timed length of the test.

a realistic evaluation of the environment architecture to determine scope.

Explanation

Knowledge by the management staff of the client organization is correct. Black box
penetration testing assumes no prior knowledge of the infrastructure to be tested.
Testers simulate an attack from someone who is unfamiliar with the system. It is
important that management know of and have approved the test, so that if the test is
identified by the monitoring systems, the legality of the actions can be established
quickly.

The documentation of the planned testing procedure is incorrect. A penetration test should
be carefully planned and executed, but the most important factor is proper approval.

A realistic evaluation of the environment architecture to determine scope is incorrect. In a
black box penetration test, the environment is not known to the testing organization.

Scheduling and deciding on the timed length of the test is incorrect. A test must be
scheduled so as to minimize the risk of affecting critical operations; however, this is part of
working with the management of the organization.

Question 144: Skipped


Which of the following antivirus software implementation strategies would be the
MOST effective in an interconnected corporate network?

Perimeter-based antivirus software

Server-based antivirus software

Enterprise-based antivirus software

(Correct)


Workstation-based antivirus software

Explanation

Enterprise-based antivirus software is correct. An important means of controlling the
spread of viruses is to deploy an enterprisewide antivirus solution that will monitor
and analyze traffic at many points. This provides a layered defense model that is more
likely to detect malware regardless of how it comes into the organization: through a
universal serial bus (USB) or portable storage device, a network, an infected download or a
malicious web application.

Server-based antivirus software is incorrect. An effective antivirus solution must be a
combination of server-, workstation-, network- and perimeter-based scanning and protection.

Workstation-based antivirus software is incorrect. Only checking for a virus on workstations
would not be adequate because malware can infect many network devices or servers as
well.

Perimeter-based antivirus software is incorrect. Because malware can enter an organization
through many different methods, only checking for malware at the perimeter is not enough
to protect the organization.

Question 145: Skipped


When planning to add personnel to tasks imposing time constraints on the duration
of a project, which of the following should be re-validated FIRST?

The critical path for the project

(Correct)

The personnel assigned to other tasks

The length of the remaining tasks

The project budget

Explanation
The critical path for the project is correct. Adding resources may change the route of
the critical path, so the critical path must be reevaluated to ensure that the additional
resources will, in fact, shorten the project duration.

The project budget is incorrect. Given that there may be slack time available on some of the
other tasks not on the critical path, resource allocation should be based on the project
segments that affect delivery dates, and the budget follows from that decision.

The length of the remaining tasks is incorrect. Given that there may be slack time available
on some of the other tasks not on the critical path, the length of other tasks may or may not
be affected.

The personnel assigned to other tasks is incorrect. Depending on the skill level of the
resources required or available, the addition of resources may not, in fact, shorten the
timeline. Therefore, the first step is to examine what resources are required to address the
times on the critical path.
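An added worked example (written for this page, not from the exam material) of why the critical path has to be recomputed: a constructed six-task network is scheduled with a forward and backward pass, one task is then shortened as if staff had been added to it, and the critical path moves to a different route, so the project shrinks by less than the task did. Task names, durations and dependencies are assumptions made for the example.

```python
"""Critical path recomputation after crashing a task.

The task network is constructed for this example; durations are in days and
the function names are the example's own, not from any project tool.
"""

# Constructed network: task -> (duration, predecessors).
TASKS = {
    "A": (4, []),
    "B": (3, ["A"]),
    "C": (6, ["A"]),
    "D": (2, ["B"]),
    "E": (1, ["C"]),
    "F": (2, ["D", "E"]),
}


def topological_order(tasks):
    """Kahn's algorithm; ties broken alphabetically so the order is deterministic."""
    remaining = {name: set(preds) for name, (_, preds) in tasks.items()}
    order = []
    while remaining:
        ready = sorted(n for n, preds in remaining.items() if not preds)
        if not ready:
            raise ValueError("cycle in task network")
        for n in ready:
            order.append(n)
            del remaining[n]
            for preds in remaining.values():
                preds.discard(n)
    return order


def critical_path(tasks):
    """Forward and backward pass; return (project duration, zero-float tasks in order)."""
    order = topological_order(tasks)
    early_start, early_finish = {}, {}
    for n in order:  # forward pass: earliest start is the latest predecessor finish
        dur, preds = tasks[n]
        early_start[n] = max((early_finish[p] for p in preds), default=0)
        early_finish[n] = early_start[n] + dur
    duration = max(early_finish.values())
    successors = {n: [s for s, (_, preds) in tasks.items() if n in preds] for n in tasks}
    late_finish, late_start = {}, {}
    for n in reversed(order):  # backward pass: latest finish is the earliest successor start
        late_finish[n] = min((late_start[s] for s in successors[n]), default=duration)
        late_start[n] = late_finish[n] - tasks[n][0]
    # Float (slack) is late start minus early start; zero float means critical.
    critical = [n for n in order if late_start[n] - early_start[n] == 0]
    return duration, critical


def crash(tasks, name, new_duration):
    """Return a copy of the network with one task shortened (e.g. by adding staff)."""
    if new_duration <= 0:
        raise ValueError("duration must be positive")
    out = dict(tasks)
    out[name] = (new_duration, tasks[name][1])
    return out


if __name__ == "__main__":
    print("before:", critical_path(TASKS))
    print("after crashing C to 3 days:", critical_path(crash(TASKS, "C", 3)))
    print("after crashing B to 1 day:", critical_path(crash(TASKS, "B", 1)))
```

Before the change the critical route is A, C, E, F at 13 days. Shortening C from 6 to 3 days saves only 2 days, because the route through B and D becomes critical at 11 days; shortening B instead, which is not on the critical path, saves nothing at all. That is the revalidation the explanation calls for before assigning extra personnel.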

Question 146: Skipped


The MAJOR consideration for an IS auditor reviewing an organization's IT project
portfolio is the -

IT budget.

business plan.

(Correct)

existing IT environment.

investment plan.

Explanation

Business plan is correct. One of the most important reasons for which projects get funded is
how well a project meets an organization’s strategic objectives. Portfolio management takes
a holistic view of a company’s overall IT strategy. IT strategy should be aligned with the
business strategy and, hence, reviewing the business plan should be the major
consideration.

IT budget is incorrect. The IT budget is important to ensure that the resources
are being used in the best manner, but this is secondary to the importance of reviewing the
business plan.

Existing IT environment is incorrect. The existing IT environment is important
and used to determine gap analysis but is secondary to the importance of reviewing the
business plan.

Investment plan is incorrect. The investment plan is important to set out
project priorities, but secondary to the importance of reviewing the business plan.
Question 147: Skipped
As an IS auditor, you review an organizational chart PRIMARILY for -

an understanding of the complexity of the organizational structure.

investigating various communication channels.

understanding the responsibilities and authority of individuals.

(Correct)

investigating the network connected to different employees.

Explanation

Understanding the responsibilities and authority of individuals is correct. An
organizational chart provides information about the responsibilities and authority of
individuals in the organization. This helps an IS auditor to know if there is proper
segregation of functions.

Understanding the complexity of the organizational structure is incorrect and is not the
primary reason to review an organizational chart because the chart will not necessarily
depict the complexity.

Investigating various communication channels is incorrect. The organizational chart is a key
tool for an auditor to understand roles and responsibilities and reporting lines, but it is
not used for examining communication channels.

Investigating the network connected to different employees is incorrect. A network diagram
will provide information about the usage of various communication channels and will
indicate the connection of users to the network.

Question 148: Skipped
As an IS auditor, you are reviewing a software application that is built on the
principles of service-oriented architecture.
What should be your INITIAL step?

Understanding services and their allocation to business processes by reviewing the service
repository documentation.

(Correct)

Sampling the use of service security standards as represented by the Security Assertion
Markup Language (SAML).

Auditing the core service and its dependencies on other systems.

Reviewing the service level agreements established for all system providers.

Explanation
Understanding services and their allocation to business processes by reviewing the
service repository documentation is correct. A service-oriented architecture relies on
the principles of a distributed environment in which services encapsulate business
logic as a black box and might be deliberately combined to depict real-world business
processes. Before reviewing services in detail, it is essential for the IS auditor to
comprehend the mapping of business processes to services.

Sampling the use of service security standards as represented by the Security Assertion
Markup Language (SAML) is incorrect. It is an essential follow-up step to understanding
services and their allocation to business processes, but it is not the initial step.

Reviewing the service level agreements is incorrect. It is an essential follow-up step to
understanding services and their allocation to business processes, but it is not the
initial step.

Auditing the core service and its dependencies on other systems is incorrect. This would
most likely be a part of the audit, but the IS auditor must first gain an understanding of the
business processes and how the systems support those processes.

Question 149: Skipped
The MOST important difference between hashing and encryption is that hashing -

output is the same length as the original message

is concerned with integrity and security

is irreversible

(Correct)

is the same at the sending and receiving end

Explanation
Is irreversible is correct. Hashing works one way: applying a hashing algorithm to a
message produces a message hash/digest, but there is no inverse operation that recovers
the original message from the digest. Encryption, by contrast, is designed to be
reversed by anyone holding the correct key. This is the basic difference between hashing
and encryption.

Output is the same length as the original message is incorrect. Hashing creates a
fixed-length output (for example, 32 bytes for SHA-256) regardless of the input length,
so the digest is usually much shorter than the message. Encryption creates an output that
is usually the same length as the original message, apart from any padding, initialization
vector or authentication tag the mode adds.

Is concerned with integrity and security is incorrect. Hashing is used to verify the
integrity of the message; it does not provide confidentiality. Irreversible is not the
same as secret: if the message comes from a small or guessable space (such as a PIN), an
attacker who knows the algorithm can recover it by hashing candidates until one matches.
The same hashing algorithm is used at the sending and receiving ends to generate and verify
the message hash/digest.

Is the same at the sending and receiving end is incorrect. This does not distinguish the two:
the same hash algorithm is run at both ends, but symmetric encryption also uses the same
key and algorithm at both ends (applying the inverse operation to decrypt), while
asymmetric encryption uses different keys at the sending and receiving ends.
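The properties the explanation above relies on can be checked directly. The following is an added example, not part of the test bank or its explanations; it uses only the Python standard library. SHA-256 stands in for "hashing", and a toy XOR one-time-pad style function stands in for "encryption" (it is not a production cipher; it is there only to show that encryption is reversible and length-preserving). The sample messages and the 4-digit PIN are constructed for the demonstration.

```python
import hashlib
import hmac
import itertools
import string
from typing import List, Optional


def digest(message: bytes) -> bytes:
    """Hash: SHA-256 maps input of any length to a fixed 32-byte digest.

    There is no inverse function; the only way back to the message is to
    guess inputs and compare their digests against the target.
    """
    return hashlib.sha256(message).digest()


def verify_integrity(message: bytes, expected: bytes) -> bool:
    """Receiving end runs the same algorithm and compares digests.

    compare_digest avoids leaking the position of the first mismatching
    byte through timing.
    """
    return hmac.compare_digest(digest(message), expected)


def digest_lengths(messages: List[bytes]) -> List[int]:
    """Digest length is constant regardless of message length."""
    return [len(digest(m)) for m in messages]


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy reversible cipher (one-time-pad style XOR), illustrative only.

    XOR is its own inverse, so the same call with the same key both
    encrypts and decrypts, and the output is exactly as long as the input.
    A real system would use an authenticated cipher such as AES-GCM.
    """
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(b ^ k for b, k in zip(data, key))


def recover_pin_from_digest(target: bytes, digits: int = 4) -> Optional[bytes]:
    """Irreversible is not the same as secret.

    If the input space is small (here a 4-digit PIN, 10,000 values), an
    attacker who knows the algorithm enumerates candidates until one hashes
    to the target. Hashing gives integrity, not confidentiality.
    """
    for candidate in itertools.product(string.digits, repeat=digits):
        guess = "".join(candidate).encode()
        if digest(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample messages, not taken from any real system.
    samples = [b"", b"wire $10 to account 42", b"x" * 10_000]
    print("digest lengths:", digest_lengths(samples))  # [32, 32, 32]

    msg = samples[1]
    tag = digest(msg)
    print("integrity ok:", verify_integrity(msg, tag))  # True
    print("tampered ok:", verify_integrity(b"wire $90 to account 42", tag))  # False

    key = bytes(range(len(msg)))  # fixed demo key; real keys come from a CSPRNG
    ct = xor_cipher(msg, key)
    print("ciphertext len == plaintext len:", len(ct) == len(msg))  # True
    print("decrypts to original:", xor_cipher(ct, key) == msg)  # True

    print("recovered PIN:", recover_pin_from_digest(digest(b"4721")))  # b'4721'
```

The last call is the practitioner's caveat behind "hashing does not provide confidentiality": an unsalted, fast hash of a low-entropy value is recovered in milliseconds, which is why password storage uses salted, deliberately slow constructions rather than a bare digest.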

Question 150: Skipped
The MOST likely explanation for a successful social engineering attack is -

technology

computer errors

judgment errors

(Correct)

expertise

Explanation

Judgment errors is correct. Social engineering is fundamentally about obtaining from
someone a level of trust that is not warranted.

Computer errors is incorrect. Social engineering focuses on human behavior.

Expertise is incorrect. Generally, social engineering attacks do not require significant
expertise; often, the attacker is not proficient in information technology or systems.

Technology is incorrect. This may facilitate social engineering, but it is fundamentally about
obtaining human trust.
