SAMPLE IT PL MOCK TEST ANSWER

1. In which of the following model regression testing is a major part of the life cycle?"

The options are:

a. Code and Fix Model
b. Iterative Model
c. V Model
d. Waterfall Model

The correct answer is: c. V Model.

Explanation:

Regression testing is a significant part of the V-Model (Verification and Validation Model) because
this model emphasizes testing at every stage of the software development lifecycle. Whenever a
change is made, regression testing ensures that existing functionalities are not affected.

2. Which of the following BEST describes the early stages of an IS audit?"

The options are:

a. Assessing the IS environment
b. Observing key organizational facilities
c. Understanding the business process and environment applicable to the review
d. Reviewing prior IS audit reports

The correct answer is: c. Understanding the business process and environment applicable to the
review.

Explanation:

In the early stages of an IS audit, auditors focus on gaining a comprehensive understanding of the
business processes and the environment related to the review. This understanding helps in
identifying key risks, controls, and areas requiring detailed examination.

3. Which audit technique provides the BEST evidence of the segregation of duties in an IS
department?

a. Review of the organization chart

b. Observation and interviews
c. Testing of user access rights
d. Discussion with management
Correct Answer: c. Testing of user access rights.
Reason: This method directly verifies whether access controls are implemented correctly to
enforce segregation of duties, providing the most concrete evidence.

4. Why is change control considered a governance issue?

a. It forces separation of duties to ensure that at least two people agree with the decision.
b. Change control increases the number of people employed and therefore provides a
valuable economic advantage.
c. It allows management to hire less-skilled personnel and still get the same results.
d. Proper implementation of governance saves money by reducing the need for change
control.

Correct Answer: a. It forces separation of duties to ensure that at least two people agree with
the decision.
Reason: Change control ensures accountability and reduces risks by requiring multiple approvals,
aligning with governance principles of segregation of duties

5. An IS auditor is auditing adoption of digital signature by the CFO of an FI as a measure of

cost savings through workflow efficiencies in the accounting department. What is the MAIN
purpose of a digital signature?

a. To identify and validate each transaction paperless

b. To share data without the fear of disclosing sensitive information
c. To improve internal control and the authenticity of data
d. To authenticate a message and to guarantee its integrity

Correct Answer: d. To authenticate a message and to guarantee its integrity.

Reason: The primary purpose of a digital signature is to ensure that the message or data is
authentic and has not been tampered with, guaranteeing both authenticity and integrity.

6. Which of the risk analysis methods is generally performed during a business impact
analysis (BIA)?

a. A quantitative risk analysis

b. A qualitative risk analysis
c. A semi-quantitative risk analysis
d. None of the above

Correct Answer: b. A qualitative risk analysis.

Reason: During a BIA, qualitative risk analysis is typically used to assess the potential impact of
disruptions by prioritizing business processes and functions based on their criticality to the
organization.
7. To ensure that 3rd party contractors understand their responsibilities and are suitable for
the roles for which they are considered is:

a. Screening
b. Management responsibilities
c. Employee responsibilities
d. None of the above

Correct Answer: a. Screening.

Reason: Screening is conducted to verify that third-party contractors meet the required
qualifications and understand their responsibilities, ensuring they are suitable for the roles they will
perform.

8. An IS auditor is reviewing IT security of an Oil Company, when he found evidence of stealing

user data, such as internet usage, credit card, and bank account details. Which of the
following collects personal and sensitive information that it sends to advertisers, data
collection firms, or malicious actors for a profit?

a. VMware
b. Adware
c. Spyware
d. Malware

Correct Answer: c. Spyware.

Reason: Spyware is malicious software designed to secretly collect personal and sensitive
information from users and send it to advertisers, data collection firms, or malicious entities for
profit without the user's consent.

9. There are six categories of Fraud and Misconduct mentioned in Imran’s presentation. Which one
of the following is not included?

Options:
a. Fraudulent financial reporting.
b. Misappropriation of assets.
c. Improper expenditures or liabilities.
d. Over acquisition of revenues or assets.

Answer:
d. Over acquisition of revenues or assets.

Reason:
"Over acquisition of revenues or assets" is not typically listed as a category of fraud or misconduct.
The common categories include fraudulent financial reporting, misappropriation of assets, and
improper expenditures or liabilities, among others.
NB: The six common categories of fraud and misconduct are typically as follows:

1. Fraudulent financial reporting – Intentional misrepresentation or omission of financial

information to deceive stakeholders.

2. Misappropriation of assets – Theft or misuse of an organization's resources.

3. Improper expenditures or liabilities – Unauthorized or unethical use of funds or incurring

liabilities.

4. Corruption – Abuse of power for personal gain, including bribery or kickbacks.

5. Regulatory non-compliance – Failure to adhere to laws, regulations, or policies.

6. Conflict of interest – Situations where personal interests conflict with professional

responsibilities.

10. Question: What is an important advantage of ISO 27001 accreditation?

Options:
a. To show financial liability
b. To show compliance with legislation and regulations
c. To show control of suppliers
d. To show customer orientation

Correct Answer: b. To show compliance with legislation and regulations

Reason: ISO 27001 accreditation demonstrates that an organization has implemented a

systematic approach to managing sensitive information securely, including compliance with
applicable legal and regulatory requirements.

11. Question: An IS auditor is carrying out a system configuration review. Which of the following
would be the BEST evidence in support of the current system configuration settings?

Options:
a. Standard report with configuration values retrieved from the system by the IS auditor
b. Annual review of approved system configuration values by the business owner
c. System configuration values imported to a spreadsheet by the system administrator
d. Dated screenshot of the system configuration settings made available by the system
administrator

Correct Answer: a. Standard report with configuration values retrieved from the system by
the IS auditor

Reason: A standard report directly retrieved from the system by the IS auditor provides the most
reliable and current evidence of the actual configuration settings, eliminating the risk of tampering
or outdated information.
12. Question: An IS auditor is reviewing a project risk assessment and notices that the overall risk
level is high due to confidentiality requirements. Which of the following types of risk is normally
high due to the number of users and business areas the project may affect?

Options:
a. Compliance risk
b. Inherent risk
c. Residual risk
d. Control risk

Correct Answer: b. Inherent risk

Reason: Inherent risk refers to the risk level that exists naturally before the application of controls,
especially when many users and business areas are affected, as this increases the likelihood of
vulnerabilities and confidentiality breaches.

13. Question: For mission-critical systems with a low tolerance to interruption and a high cost of
recovery, the IS auditor would, in principle, recommend the use of which of the following recovery
options?

Options:
a. Hot site
b. Mobile site
c. Cold site
d. Warm site

Correct Answer: a. Hot site

Reason: A hot site is a fully operational backup facility that is immediately available for use in case
of a system failure. It is ideal for mission-critical systems with a low tolerance for downtime and
high recovery costs, as it minimizes recovery time.

NB:

b. Mobile site
A mobile site is a portable recovery solution, such as a trailer equipped with essential hardware
and software, which can be transported to the desired location during a disaster. While flexible, it
typically requires more setup time than a hot site, making it less suitable for systems with very low
tolerance to interruptions.

c. Cold site
A cold site is a facility that provides physical space but lacks pre-installed hardware, software, or
data. It requires significant time to set up and activate during a disaster, making it cost-effective
but unsuitable for systems that need immediate recovery.

d. Warm site
A warm site is a backup facility that has some infrastructure, such as hardware and networking,
but may not have the latest data or fully configured systems. It offers a compromise between cost
and recovery speed but is slower than a hot site, making it less ideal for mission-critical systems.

14. Question: Successful SDLC projects are measured three ways though the majority of SDLC
projects fail to achieve even two of these goals. Which of the following is NOT one of the three
goals?

Options:
a. Creating a quality product
b. Creating contract terms
c. Completing on an approved timetable
d. Completing at a budgeted cost

Correct Answer: b. Creating contract terms

Reason: The three key goals of successful SDLC projects are delivering a quality product,
completing within the approved timetable, and staying within the budgeted cost. "Creating
contract terms" is not typically considered one of the primary measures of SDLC project success.

15. Question: Which of the following is the MOST critical control over database administration?

Options:
a. Approval of DBA activities
b. Review of access logs and activities
c. Review of the use of database tools
d. Segregation of duties

Correct Answer: d. Segregation of duties

Reason: Segregation of duties is the most critical control because it prevents a single individual
(e.g., a database administrator) from having excessive control or access, which could lead to
unauthorized activities or misuse of the database. This control helps ensure accountability and
minimizes risks related to fraud or errors.

16. Question: What is the title of ISO 27001:2013?

Options:
a. Information Security Management
b. Auditing Information Security
c. Information Technology Security
d. None

Correct Answer: a. Information Security Management

Reason: The full title of ISO 27001:2013 is "Information Security Management Systems –
Requirements." It specifies the requirements for establishing, implementing, maintaining, and
continually improving an information security management system (ISMS).
17. Question: A backup rotation scheme is a system of backing up data to computer media (such
as tapes) that ____.

Options:
a. complies with external regulations, laws, and contracts
b. requires developing a strategic plan
c. designs the IT function to match the organization's needs
d. minimizes, by re-use, the number of media used

Correct Answer: d. minimizes, by re-use, the number of media used

Reason: A backup rotation scheme, such as the Grandfather-Father-Son method, involves

systematically reusing backup media in a way that reduces the total amount of media required
while ensuring data retention and recovery objectives are met.

18. Question: The ___ is the point in time to which you must recover data as defined by your
organization. This is generally a definition of what an organization determines is an "acceptable
loss" in a disaster situation.

Options:
a. IDS
b. CDD
c. RTO
d. RPO

Correct Answer: d. RPO

Reason: RPO (Recovery Point Objective) refers to the maximum acceptable amount of data loss
measured in time. It defines the point in time to which data must be recovered to ensure minimal
disruption to the organization in a disaster scenario.

Here are the meanings of the listed abbreviations:

a. IDS

• Intrusion Detection System: A security system that monitors network or system activities
for malicious actions or policy violations and reports them. Examples include Snort,
OSSEC, and Suricata.

b. CDD

• Customer Due Diligence: A process used by financial institutions and other businesses to
collect and evaluate relevant information about a customer to assess potential risks,
typically in compliance with anti-money laundering (AML) and counter-terrorism financing
regulations.
c. RTO

• Recovery Time Objective: The maximum acceptable amount of time that a system,
application, or business process can be down after a failure or disaster before causing
significant harm to the organization. It defines the target timeframe for recovery.

d. RPO

• Recovery Point Objective: The maximum tolerable amount of data loss measured in time.
It indicates the point in time to which data must be restored to resume operations
effectively after a disaster or failure (e.g., the last backup taken).

19. Question: An IS auditor is auditing all defined and documented responsibilities and
accountabilities that are established in the organization and communicated to all relevant
personnel and management. When he reads that roles & responsibilities of the committee is to
discuss security issues, and establish and approve security practices it is the ___

Options:
a. IS/IT Security Advisory Group
b. Information Security Steering Committee
c. IS/IT Steering Committee
d. IS/IT Risk Management Committee

Correct Answer: b. Information Security Steering Committee

Reason: The Information Security Steering Committee is typically responsible for discussing
security-related issues, establishing policies, and approving security practices. It serves as a
governance body for managing the organization's information security initiatives.

20. Question: Which of the following does not refer to a Business application? Business
application refers to any application:

Options:
a. Business applications can range from large line-of-business systems to specialized tools.
b. Could be commercial off-the-shelf products or customized third-party systems or internally
developed systems.
c. Important to running business.
d. Consider all the applications that run only client computers not servers.

Correct Answer: d. Consider all the applications that run only client computers not servers.

Reason: Business applications are not limited to running only on client computers; they can also
operate on servers or in hybrid environments. The description in option "d" is restrictive and does
not fully align with the broad scope of what constitutes business applications
21. Question: Where does the P in the PDCA cycle stand for?

Options:
a. Project
b. Procedure
c. Plan
d. Process

Correct Answer: c. Plan

Reason: The "P" in the PDCA (Plan-Do-Check-Act) cycle stands for "Plan." This phase involves
setting objectives and processes necessary to deliver results in accordance with the desired
goals.

22. Question: Which method covers the following areas: value governance, portfolio
management, and investment governance?

Options:
a. Val IT
b. ISO 14001
c. ITIL
d. ISO 9001

Correct Answer: a. Val IT

Reason: Val IT is a governance framework that focuses on value delivery, portfolio management,
and investment governance, ensuring organizations derive maximum value from their IT
investments.

NB: b. ISO 14001

• Environmental Management System (EMS):

ISO 14001 is an international standard that specifies requirements for an environmental
management system. It helps organizations enhance their environmental performance by
reducing waste, improving resource efficiency, and complying with environmental laws.

c. ITIL (Information Technology Infrastructure Library)

• IT Service Management Framework:

ITIL is a set of best practices for IT service management (ITSM). It focuses on aligning IT
services with the needs of the business, emphasizing service delivery, support, and
lifecycle management.
 d. ISO 9001

• Quality Management System (QMS):

ISO 9001 is a standard that specifies requirements for a quality management system. It
helps organizations ensure that their products or services consistently meet customer and
regulatory requirements, emphasizing customer satisfaction and continual improvement

23. Question: It is very difficult to ensure the return or destruction of confidential information
disclosed to a third party at the end of the agreement. Which of the following is the MOST effective
control when addressing security in engaging third-party vendors?

Options:
a. Vendor to have certified compliance with recognized security standards, e.g., ISO 27001.
b. Administrator access is provided for a limited period.
c. Digital Rights Management (DRM).
d. Vendor access corresponds to the service level agreement (SLA).

Correct Answer: a. Vendor to have certified compliance with recognized security standards,
e.g., ISO 27001.

Reason: Certification to recognized security standards like ISO 27001 ensures that third-party
vendors have robust security management systems in place, providing confidence in their handling
and protection of confidential information.

24. Question: Logical access control filters used to validate access credentials that cannot be
controlled or modified by normal users or data owners are in fact:

Options:
a. Role-Based Access Control
b. Mandatory Access Controls
c. Discretionary Access Controls
d. Rule-Based Access Control

Correct Answer: b. Mandatory Access Controls

Reason: Mandatory Access Controls (MAC) are strict and centrally controlled by the operating
system or security policies, and users or data owners cannot alter or modify them. This ensures a
high level of security by enforcing policies set by the organization

25. Question: A paper walk-through of BCP, involving major players in the plan's execution who
reason out what might happen in a particular type of service disruption and where IS auditor may
walk through the entire plan or just a portion. This is the description of:

Options:
a. Full operational test
b. Preparedness test
c. Desk-based evaluation
d. None of the above

Correct Answer: c. Desk-based evaluation

Reason: A desk-based evaluation, also known as a tabletop exercise, involves participants

reviewing and discussing the business continuity plan (BCP) in a simulated scenario. It is a low-
cost, simple way to identify gaps and ensure that everyone understands their roles without actually
executing the plan operationally.

26. Question: An IS auditor has been asked to review the security controls for a critical web-based
order system shortly before the scheduled go-live date. The IS auditor conducts a penetration test
which produces inconclusive results and additional testing cannot be concluded by the completion
date agreed on for the audit. Which of the following is the BEST option for the IS auditor?

Options:
a. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
b. Inform management that audit work cannot be completed within the agreed time frame and
recommend that the audit be postponed.
c. Publish a report based on the available information, highlighting the potential security
weaknesses and the requirement for follow-up audit testing.
d. Request a delay of the go-live date until additional security testing can be completed and
evidence of appropriate controls can be obtained.

Correct Answer: c. Publish a report based on the available information, highlighting the
potential security weaknesses and the requirement for follow-up audit testing.

Reason: The IS auditor's primary responsibility is to ensure that management is informed about the
current state of the system's security, including any identified weaknesses. Publishing a report with
the available findings ensures transparency, allows management to make informed decisions
about the go-live process, and highlights the need for further testing without unnecessarily delaying
operations. Delaying the go-live date (option d) is a decision for management, not the auditor.

27. Question: An IS auditor is auditing system availability, i.e., whether the information is
accessible and modifiable in a timely fashion by those authorized to do so. Which one is MOST
significant to ensure high availability of information assets?

Options:
a. Authentication server for network
b. Eliminate single points of failure
c. Detect failures as they occur
d. Design for reliability

Correct Answer: b. Eliminate single points of failure

Reason: Eliminating single points of failure is the most critical factor in ensuring high availability.
High availability systems rely on redundancy and failover mechanisms to minimize downtime.
While designing for reliability (option d) and detecting failures (option c) are important, they are
secondary to addressing single points of failure. Authentication servers (option a) are a component
of availability, but they are not as significant as eliminating systemic vulnerabilities.

28. Question: E-commerce is often seen as simply buying and selling using the internet, but do the
following perspectives also apply to e-commerce?

Options:
a. A service perspective
b. A communications perspective
c. A business process perspective
d. All of the above

Correct Answer: d. All of the above

Reason: E-commerce encompasses a broad range of perspectives:

• Service perspective: It focuses on delivering customer-oriented services.

• Communications perspective: It involves exchanging information, conducting

transactions, and communicating with stakeholders online.

• Business process perspective: It includes optimizing and integrating business processes

to support online activities.

Together, these perspectives highlight the multifaceted nature of e-commerce beyond just buying
and selling.

29. Question: If the recovery point objective (RPO) is low, which of the following techniques would
be the most appropriate solutions?

Options:
a. Clustering
b. Remote journaling
c. Database shadowing
d. Tape backup

Correct Answer: c. Database shadowing

Reason: A low RPO indicates the need to minimize data loss in the event of a disruption. Database
shadowing is ideal because it creates near-real-time copies of the database, ensuring minimal
data loss.
30. Question: Which of the following statements is TRUE concerning the steering committee?

Options:
a. Steering committee membership is composed of directors from each department.
b. Absence of a formal charter indicates a lack of controls.
c. The steering committee conducts formal management oversight reviews.
d. The steering committee focuses the agenda on IT issues.

Correct Answer: b. Absence of a formal charter indicates a lack of controls.

Reason:
A steering committee is a governance body that oversees and guides the execution of strategies,
often related to IT or business initiatives. A formal charter establishes its purpose, authority, and
responsibilities. Without a formal charter, there is a lack of defined scope and controls, making it
challenging to enforce accountability and proper oversight.

31. Question: Which of these would refer to the exploration of the apt, ethical behaviors that are
related to the digital media platform and online environment?

Options:
a. Cyber-ethics
b. Cyber-safety
c. Cybersecurity
d. Cyberlaw

Correct Answer: a. Cyber-ethics

Reason: Cyber-ethics refers to the study and application of ethical principles in digital media and
online environments. It focuses on responsible behavior, privacy, and the moral implications of
digital interactions. While cyber-safety (option b) pertains to physical and online security,
cybersecurity (option c) deals with protecting systems, and cyberlaw (option d) concerns legal
frameworks, none specifically address ethical behaviors like cyber-ethics does.

32. Question: Auditing Standards provide minimum guidance for the auditor that helps determine
the extent of audit steps and procedures that should be applied to fulfill -

Options:
a. Guidelines
b. Audit Objectives
c. Audit guidelines
d. Audit specifications

Correct Answer: b. Audit Objectives

Reason: Auditing Standards serve as a framework to guide auditors in achieving specific audit
objectives. These objectives ensure the audit is conducted effectively, covering essential aspects
of accuracy, reliability, and compliance. While guidelines (options a and c) and specifications
(option d) may support the process, the primary focus of Auditing Standards is on fulfilling audit
objectives.

33. Question: Business Continuity Planning Life Cycle is

Options:
a. Analysis, Solution Design, Implementation, Testing & Acceptance, Maintenance.
b. Risk Assessment, Business Impact Analysis, Strategy & Plan Development, Test Train & Maintain.
c. Measure, Identify, Analyze, Design, Execute.
d. All of the above.

Correct Answer: b. Risk Assessment, Business Impact Analysis, Strategy & Plan Development,
Test Train & Maintain.

Reason: The Business Continuity Planning (BCP) Life Cycle primarily follows the structured steps
of Risk Assessment, Business Impact Analysis (BIA), Strategy and Plan Development, and
Testing, Training, and Maintenance. These steps ensure a comprehensive approach to identifying
risks, assessing their impact, and maintaining the continuity of critical operations. Options a and c
refer to general project management phases, but they don't specifically align with the BCP
methodology.

34. Question: Which of the following tools is required for an Audit Trail?

Options:
a. Audit Hooks
b. Snapshot
c. CIS
d. SCARF/EAM

Correct Answer: d. SCARF/EAM

Reason: SCARF/EAM (System Control Audit Review File/Embedded Audit Module) is a tool
designed for facilitating the creation and maintenance of audit trails by capturing and recording
system activities. It ensures that auditors can trace actions and reconstruct events for review and
analysis. While Audit Hooks and Snapshots are useful audit-related tools, SCARF/EAM is
specifically focused on audit trails. CIS does not directly relate to audit trails.

35. Question: COBIT stands for Control Objectives for Information and Related ________.

Options:
a. Technologies
b. Tools
c. Terminology
d. Terms

Correct Answer: a. Technologies

Reason: COBIT stands for Control Objectives for Information and Related Technologies. It is a
framework created by ISACA for IT governance and management, focusing on aligning IT strategies
with business objectives and ensuring control over IT processes and technologies. The other
options are unrelated to the full name of COBIT.

36. Question: Which of the following outlines the overall authority to perform an IS audit?

Options:
a. The approved audit charter
b. A request from management to perform an audit
c. The approved audit schedule
d. The audit scope, with goals and objectives

Correct Answer: a. The approved audit charter

Reason: The approved audit charter is a formal document that defines the purpose, authority, and
responsibilities of the internal audit function. It grants the overall authority to perform audits,
establishes the auditor's right to access relevant records, and ensures the independence of the
audit function. While other options relate to audit activities, they do not establish the overall
authority.

37. Question: An IS auditor is auditing the Business Continuity Plan of an entity, his MOST
important task should be:

Options:
a. Reviewing the BIA findings to ensure that they reflect current business priorities and current
controls
b. Reviewing the results from previous tests performed
c. Understanding and evaluating business continuity strategy and its connection to business
objectives
d. Evaluating cloud-based mechanisms

Correct Answer: a. Reviewing the BIA findings to ensure that they reflect current business priorities
and current controls

Reason: The Business Impact Analysis (BIA) is the foundation of a Business Continuity Plan. It
identifies critical processes, assesses the potential impact of disruptions, and ensures that the
continuity plan aligns with current business priorities and controls. While understanding strategies
(option c) and reviewing test results (option b) are significant, ensuring that the BIA findings are
accurate and relevant is the most critical task for the IS auditor. Cloud-based mechanisms (option
d)

38. Question: Many developers believe that their embedded devices are not targets for hackers
because their software isn’t used by as many people as, say, an operating system such as
Windows. How do you consider this belief?
Options:
a. Partially right
b. Partially wrong
c. Right
d. Wrong

Correct Answer: d. Wrong

Reason: The belief that embedded devices are not targets for hackers is incorrect. While
embedded systems may not have as large a user base as mainstream operating systems like
Windows, they are increasingly targeted due to their widespread use in critical applications (e.g.,
IoT, industrial controls, healthcare devices). Hackers exploit vulnerabilities in embedded systems,
which often lack robust security updates or configurations, making them appealing targets
regardless of their user base size.

39. Question: Increasing regulation of organizations significantly hinders the IS auditor’s ability to
verify the adequacy of internal controls through the use of sampling techniques.

Options:
a. False
b. True

Correct Answer: a. False

Reason: Increasing regulation does not hinder the use of sampling techniques for verifying the
adequacy of internal controls. Instead, regulations often provide structured frameworks and
guidelines that enhance the auditor's ability to assess compliance and control adequacy
effectively. Sampling techniques remain a valid and efficient method for evaluating controls in
complex or regulated environments.

40. Question: In information technology, logical access controls are tools and protocols used for:

Options:
a. Confidentiality, integrity, availability, and reputation.
b. Identification, accountability, development, and implementation.
c. Appropriate, feasible, admissible, and applicable standards.
d. Identification, authentication, authorization, access, auditing, and accountability.

Correct Answer: d. Identification, authentication, authorization, access, auditing, and

accountability.

Reason: Logical access controls ensure secure access to systems and data by implementing
mechanisms such as identification, authentication, and authorization. They also facilitate auditing
and accountability, which are critical for tracking and verifying access activities to prevent
unauthorized usage and breaches.
41. Question: An IS auditor performing a review of an application's controls finds a weakness in
system software that could materially impact the application. The IS auditor should:

Options:
a. Include in the report a statement that the audit was limited to a review of the application's
controls.
b. Disregard these control weaknesses since a system software review is beyond the scope of this
review.
c. Review the system software controls as relevant and recommend a detailed system software
review.
d. Conduct a detailed system software review and report the control weaknesses.

Correct Answer: c. Review the system software controls as relevant and recommend a detailed
system software review.

Reason: When an IS auditor encounters weaknesses in system software that could materially
impact an application, it is essential to recognize the relevance of the issue. The auditor should
include it in the scope of the report and recommend further investigation through a detailed system
software review. This approach ensures proper follow-up without exceeding the initial scope of the
audit.

42. Question: The PRIMARY benefit of database normalization is the:

Options:
a. Maximization of database integrity by providing information in more than one table.
b. Minimization of response time through faster processing of information.
c. Ability to satisfy more queries.
d. Minimization of redundancy of information in tables required to satisfy users' needs.

Correct Answer: d. Minimization of redundancy of information in tables required to satisfy

users' needs.

Reason: The primary purpose of database normalization is to minimize redundancy and eliminate
duplicate data by organizing tables and their relationships efficiently. This process ensures data
consistency and optimizes database performance without unnecessarily duplicating information.

43. Question: Which statement about the Capability Maturity Model is not true?

Options:
a. Level 5 maturity converts a product into a commodity and allows a company to pay less
and demand unquestionable adherence to management's authority.
b. Level 5 provides maximum control in outsourcing because the definition of requirements
is very specific.
c. Level 3 provides quantitative measurement of the process output.
d. Level 3 processes have published objectives, measurements, and standards that are in
effect across departmental boundaries.

Correct Answer: a. Level 5 maturity converts a product into a commodity and allows a
company to pay less and demand unquestionable adherence to management's
authority.

Reason: In the Capability Maturity Model (CMM), Level 5 represents the "Optimizing" stage,
where the focus is on continuous improvement and the use of feedback to enhance
processes. The description in option a does not align with the principles of Level 5 maturity,
making it an incorrect statement. The other options correctly describe aspects of Levels 3
and 5 in the CMM.

44. Question: Intruders are the most common security threat, which is referred to as:

Options:
a. Computer Access.
b. Data Access.
c. Hacker or Cracker.
d. Account Access.

Correct Answer: c. Hacker or Cracker.

Reason: Intruders who pose security threats are often categorized as "hackers" or
"crackers." Hackers typically exploit vulnerabilities for various purposes, including
unauthorized access to systems or data. The other options refer to potential consequences
or targets of these intrusions, but they do not specifically define the intruders themselves.

45. Question: Which of the following represents the best explanation of the balanced
scorecard?

Options:
a. Measures IT help desk performance
b. Specifies procedures for equal opportunity employment
c. Ensures that the IT strategy supports the business strategy
d. Provides IT benchmarking against standards

Correct Answer: c. Ensures that the IT strategy supports the business strategy

Reason: The balanced scorecard is a strategic performance management tool that links
business objectives to IT strategies, ensuring alignment with the overall goals of the
organization. It provides a comprehensive framework for measuring performance beyond
just financial metrics by focusing on business strategy alignment. The other options do not
reflect the purpose of the balanced scorecard.

46. Question: Prior to the start of fieldwork, Internal Audit meets with client management
to FIRST:

Options:
a. establish an audit timeline.
b. identify risks.
c. discuss audit deliverables.
d. determine preliminary audit objectives.

Correct Answer: d. determine preliminary audit objectives.

Reason: Before fieldwork begins, the internal audit team must establish the scope and
objectives of the audit to ensure clarity and alignment with management. This step
provides the foundation for the audit plan, ensuring that the timeline, risk identification,
and deliverables align with the agreed-upon objectives.

47. Question: The Software Engineering Institute’s Capability Maturity Model (CMM) is best
described by which of the following statements?

Options:
a. Relationship of application performance to the user’s stated requirement
b. Baseline of the current progress or regression
c. Documentation of accomplishments achieved during program development
d. Measurement of resources necessary to ensure a reduction in coding defects

Correct Answer: b. Baseline of the current progress or regression

Reason: The Capability Maturity Model (CMM) provides a framework to assess the maturity
of an organization’s processes. It helps establish a baseline for current progress and
identifies areas for improvement or regression. This structured approach ensures
processes are repeatable, predictable, and continuously optimized.

48. Question: While conducting VA/PT, an IS Auditor found that a web application firewall
was not installed on the business organization’s infrastructure. How will he evaluate the
finding?

Options:
a. Create common action rules in the case of security breaches.
b. SIEM solution should be installed.
c. Installation depends on the size of the organization.
d. Not appropriate as per good practice.

Correct Answer: d. Not appropriate as per good practice.

Reason: A web application firewall (WAF) is considered a best practice for protecting web
applications from attacks such as SQL injection and cross-site scripting (XSS). The lack of
a WAF indicates a gap in adhering to security best practices, and the auditor should report
it as a critical issue for remediation.

49. Question: Managing the services provided to the customer is a critical piece of the IS
organization business, because it is the point from which the relationship is managed.
Which of the following is the MOST critical to manage the relationship between an
organization and an outsourced service provider?

Options:
a. Due diligence
b. Periodic evaluation
c. SLA
d. Contingency plan

Correct Answer: c. SLA

Reason: A Service Level Agreement (SLA) is a formal document that defines the expected
service standards, roles, and responsibilities between an organization and the outsourced
provider. It is the cornerstone of managing the relationship, ensuring accountability and
measurable performance metrics.

50. Question: When safeguards for protecting data and data collections based on their
classification are additional, unsupervised remote access by a 3rd party for technical
support is not allowed. This indicates the information asset is classified as:

Options:
a. Critical
b. Classified
c. Top secret
d. Restricted

Correct Answer: d. Restricted

Reason: Restricted data is highly sensitive and requires strict safeguards, including
preventing unsupervised remote access by third parties. This classification emphasizes the
need to minimize exposure to unauthorized access or potential breaches.
51. Question: How do laws and regulations affect the IS Audit process?

Options:
a. Legal requirements (laws, regulatory and contractual agreements) placed on audit.
b. Legal requirements placed on the auditee and its systems, data management, reporting,
etc.
c. All of the above
d. None of the above

Correct Answer: c. All of the above

Reason: The IS audit process is influenced by multiple legal and regulatory factors. These
include the legal requirements imposed on the audit itself (e.g., audit standards) and those
placed on the auditee, such as compliance with laws regarding data management,
security, and reporting. Together, these factors shape the scope and objectives of IS audits.

52. Question: What are the key elements of ISO?

Options:
a. High-level structure
b. Identical core text
c. Common terms and core definitions
d. All the above

Correct Answer: d. All the above

Reason: ISO standards are designed to promote consistency and compatibility across
various management systems. The key elements include a high-level structure (to maintain
uniformity), identical core text (to ensure clarity and consistency), and common terms and
definitions (to avoid confusion). These elements help streamline implementation and
integration of different ISO standards.

53. Question: An IS auditor is auditing environmental exposure control of backup media.

Which one of the following is MOST appropriate to ensure protection?

Options:
a. Physical exposure only
b. Logical exposure only
c. Mainly physical exposure and some level of logical exposure
d. Physical and logical exposures at the same level

Correct Answer: d. Physical and logical exposures at the same level

Reason: Backup media require comprehensive protection because they can be vulnerable
to both physical threats (like theft, fire, or water damage) and logical threats (like
unauthorized access or tampering). Ensuring both physical and logical exposures are
managed equally helps mitigate all potential risks effectively.

54. Question: Which one of the following should be used as a first step to IT security?

Options:
a. Follow-up access violations
b. Audit plan
c. Security baseline
d. Full security evaluation

Correct Answer: c. Security baseline

Reason: Establishing a security baseline is the first step in IT security. It defines the
minimum acceptable security standards and serves as a benchmark to assess and
improve the security posture of systems and processes. This helps in identifying gaps and
planning further actions such as audits, evaluations, and incident follow-ups.

55. Question: Which of the following user profiles should be of MOST concern to the IS
auditor when performing an audit of an EFT system?

Options:
a. Three users with the ability to capture and verify their own messages
b. Three users with the ability to capture and verify the messages of other users and to send
their own messages
c. Five users with the ability to verify other users and to send their own messages
d. Five users with the ability to capture and send their own messages

Correct Answer: a. Three users with the ability to capture and verify their own
messages

Reason: The ability to capture and verify their own messages poses the highest risk as it
undermines segregation of duties. This creates the potential for fraud or errors to go
undetected, as the same person is performing both the entry and verification processes.
Effective controls in an EFT system require separation of duties to ensure integrity and
accountability.

56. Question: Which of the following network components is PRIMARILY set up to serve as
a security measure by preventing unauthorized traffic between different segments of the
network?
Options:
a. Firewalls
b. Virtual local area networks (VLANs)
c. Routers
d. Layer 2 switches

Correct Answer: a. Firewalls

Reasoning:
Firewalls are primarily designed as security devices to filter and control network traffic
based on pre-defined security rules. They prevent unauthorized access to and from
different network segments, ensuring that only permitted traffic flows through. Other
components like VLANs and routers have specific roles in network segmentation and
routing but lack the dedicated focus on traffic inspection and security enforcement that
firewalls provide.

57. Question: What is the primary purpose of employee contracts?

Options:
a. Specify the terms of employee benefits
b. Prevent individuals from ever working for competitors
c. Define the relationship as work for hire
d. Enforce the requirement to join a union

Correct Answer: c. Define the relationship as work for hire

Reasoning:
The primary purpose of an employee contract is to clearly define the terms of the
employment relationship, including roles, responsibilities, expectations, compensation,
and the classification of the work (e.g., "work for hire"). While contracts may include
clauses about benefits or restrictions like non-compete agreements, these are not their
primary purpose. Enforcing union membership is not typically a contract's purpose unless
governed by specific laws or agreements.

58. Question: All Institutional Information Assets should be classified into one of three
sensitivity tiers or classifications.

Options:
a. Tier 1: Public Information, Tier 2: Internal Information, Tier 3: Restricted Information
b. Tier 1: Public Information, Tier 2: Internal Information, Tier 3: Regulator Information
c. Tier 1: Classified Information, Tier 2: Unclassified Information, Tier 3: Top Secret
Information
d. Tier 1: Company-only Information, Tier 2: Unclassified Information, Tier 3: Restricted
Information

Correct Answer: a. Tier 1: Public Information, Tier 2: Internal Information, Tier 3:

Restricted Information

Reasoning:
The classification system for institutional information assets often categorizes data by its
sensitivity and intended audience. Tier 1 (Public) represents data meant for public access.
Tier 2 (Internal) is for use within the organization and not shared publicly. Tier 3 (Restricted)
involves sensitive data requiring stringent access controls due to potential harm if
disclosed.

59. Question: Which of the following would BEST maintain the confidentiality of data
transmitted over a network?

Options:
a. Network devices are hardened.
b. Cables are secured.
c. A hash is appended to all messages.
d. Data are encrypted before transmission.

Correct Answer: d. Data are encrypted before transmission

Reasoning:
Encryption ensures that data transmitted over a network cannot be read or intercepted by
unauthorized entities, thus maintaining confidentiality. Other measures like hardening
devices and securing cables can enhance overall security but do not specifically protect
the confidentiality of data in transit. Adding a hash helps with data integrity, not
confidentiality.

60. Question: Forensic analysis involves a thorough review of various aspects of the hard
drive, including logical file structure and unused file space.

Options:
a. False
b. True

Correct Answer: b. True

Reasoning:
Forensic analysis includes examining all aspects of a storage device, such as its logical file
structure (how files are organized and stored) and unused file space (which may contain
remnants of deleted data or hidden files). These elements are critical for uncovering
evidence or understanding the history of data use on the device.

61. Question: Software audits may be conducted for a number of reasons, including:

Options:
a. Verifying licensing compliance.
b. Monitoring for quality assurance (QA).
c. Compliance with industry standards.
d. All of the above.

Correct Answer: d. All of the above

Reasoning:
Software audits serve multiple purposes, including ensuring that software is properly
licensed (avoiding legal and financial risks), monitoring processes for quality assurance (to
maintain reliability and efficiency), and verifying compliance with industry standards (to
align with regulations and best practices). All these factors highlight the comprehensive
role of software audits.

62. Question: What is the primary purpose of the IT steering committee?

Options:
a. Identify business issues and objectives.
b. Make technical recommendations.
c. Specify the IT organizational structure.
d. Review vendor contracts.

Correct Answer: a. Identify business issues and objectives.

Reasoning:
The IT steering committee aligns IT initiatives with the organization’s strategic goals by
identifying business issues and objectives. It ensures that IT priorities support broader
business strategies, promoting effective governance and resource allocation. Other tasks,
such as making technical recommendations or reviewing contracts, may be delegated to
specialized teams.

NB: IT Steering Committee is a governance body responsible for aligning IT strategies and
initiatives with the overall business objectives of an organization. Its main focus is on
decision-making and prioritizing IT projects to ensure they deliver value to the organization.
Primary Responsibilities:

1. Align IT with Business Goals: Ensure that IT initiatives support the organization’s
overall strategy and objectives.

2. Prioritize IT Projects: Review and approve IT projects based on their importance

and resource availability.

3. Oversee IT Investments: Monitor IT budgets, resource allocation, and return on

investment for IT initiatives.

4. Provide Governance: Establish policies and frameworks for IT operations and risk
management.

5. Monitor Performance: Track the performance and outcomes of IT projects and

ensure they meet the desired objectives.

Purpose:

The IT Steering Committee acts as a bridge between the business and IT functions,
ensuring that technology investments are aligned with business needs, resources are used
efficiently, and risks are managed effectively.

It typically consists of senior executives from both IT and business units to maintain a
balanced perspective.

63. Question: Which one of the following is the MOST important use of data encryption
for protecting messages from disclosure?

Options:

• a. Data migration

• b. Data transmission

• c. Data access rules

• d. Data mining

Correct Answer:

b. Data transmission
Reasoning:

Encryption is most crucial during data transmission, as data is most vulnerable while in
transit over networks. Encrypting messages ensures their confidentiality and protects them
from unauthorized interception or eavesdropping.

64. Question:

An IS auditor is auditing the password encryption policy of an organization where

passwords are stored in an encrypted form called a “hash.” She was testing the security
strength against an attacker’s attempt to steal the file of hashed passwords and then break
the hashed passwords using a precomputed table for reversing cryptographic hash
functions. Which of the following attacks was she referring to?

Options:

• a. Hash cracking

• b. CrackStation

• c. Dictionary attack

• d. Rainbow tables

Correct Answer:

d. Rainbow tables

Reasoning:

Rainbow table attacks use precomputed tables of hash values to reverse cryptographic
hash functions and retrieve the original passwords. This method is effective against hashed
passwords, making it a relevant concern for the scenario described.

NB:

a. Hash Cracking

• Meaning: General term for any process used to break or reverse hashed passwords
to retrieve their plaintext form.

b. CrackStation

• Meaning: A specific online tool or service used for cracking hashes using dictionary
and brute-force attacks.
c. Dictionary Attack

• Meaning: A method where a list of common passwords is hashed and compared to

the stored hashed passwords to find matches.

d. Rainbow Tables

• Meaning: A specific attack method that uses precomputed hash tables to reverse
cryptographic hash functions efficiently.

65. Question: Which of the following statements has the best correlation to the definition
of strategy?

Options:
a. Defines what business we are in for the next three years
b. Defines guidelines to follow in a recipe for success
c. Defines the supporting techniques to be used in support of the business objective
d. Defines the necessary procedures to accomplish the goal

Correct Answer:
b. Defines guidelines to follow in a recipe for success

Reasoning:

• A strategy outlines the overarching approach or plan to achieve long-term

objectives, much like a "recipe for success." It provides a broad direction but does
not include detailed tactics or procedures, which are more operational in nature.

• Other options focus on specific operational or time-bound aspects, which do not

fully encapsulate the meaning of "strategy."

66. Question: When an IS auditor is reviewing the access control system of a telco that
prevents unauthorized access and modification to the company’s sensitive data and the
use of system-critical functions, he will look for that the ACS is capable of:

Options:
a. identification, authentication, and access authorization
b. unnecessary bypass security features are deactivated
c. logging and reporting of user activities
d. all of the above

Correct Answer: d. all of the above

Reasoning:

• An effective Access Control System (ACS) should incorporate:

o Identification, authentication, and access authorization to ensure only

authorized individuals can access sensitive resources.

o Deactivation of unnecessary bypass security features to minimize

vulnerabilities.

o Logging and reporting user activities to monitor and investigate access

events for auditing and security purposes.
Thus, all options combined are essential features of a robust ACS.

67. Question: In order for management to effectively monitor the compliance of processes
and applications, which of the following would be the MOST ideal?

Options:
a. A central document repository
b. A dashboard
c. A knowledge management system
d. Benchmarking

Correct Answer:
b. A dashboard

Reasoning:
A dashboard provides real-time monitoring and visualization of key metrics, enabling
management to track compliance effectively and identify potential issues quickly. It offers
actionable insights through a user-friendly interface, making it the most ideal tool for
ongoing compliance monitoring.

68. Question:
An IS auditor is conducting a post-implementation review of an enterprise's network.
Which of the following findings would be of MOST concern?

Options:
a. All communication links do not utilize encryption
b. Wireless mobile devices are not password-protected
c. An outbound web proxy does not exist
d. Default passwords are not changed when installing network devices

Correct Answer:
a. All communication links do not utilize encryption
Reasoning:
The lack of encryption for communication links is the most critical concern because it
directly exposes sensitive data to interception and unauthorized access during
transmission. This poses a significant threat to data confidentiality and overall network
security.

71. Question:
After detecting an IT incident or suspected incident, there are three phases of follow-up
action and response. Which one comes first?

Options:
a. Incident recovery and resumption of normal operations
b. Incident containment and damage assessment
c. Determine the objective of the fraud investigation
d. Collection and analysis of digital evidence

Correct Answer:
b. Incident containment and damage assessment

Reasoning:
The first step in responding to an IT incident is to contain the incident to prevent further
damage and assess its impact. This ensures that the situation is under control before
proceeding with evidence collection, investigation, and recovery efforts.

72. Question:
To determine who has been given permission to use a particular system resource, the IS
auditor should review?

Options:
a. Password lists
b. Access control lists
c. Activity lists
d. Logon ID lists

Correct Answer:
b. Access control lists

Reasoning:
Access control lists (ACLs) specify the permissions assigned to users or groups for
particular system resources. Reviewing ACLs allows the auditor to identify who has been
granted access and the level of that access, making it the most relevant choice for
determining resource permissions.
73. Question:
Which of the following is a governance problem that may occur when projects are funded
under the “sponsor pays” method?

Options:
a. The sponsor may not have enough funding.
b. The definition of quality may be insufficient.
c. The sponsor may not implement the proper controls.
d. Deliverables are determined by the sponsor.

Correct Answer:
c. The sponsor may not implement the proper controls.

Reasoning:
In the "sponsor pays" method, governance issues can arise if the sponsor does not enforce
adequate controls to ensure the project aligns with organizational goals, risk management
practices, and quality standards. Proper controls are essential to maintain accountability
and oversight, making this the key governance concern.

74. Question:
The BEST time for an IS auditor to assess the control specifications of a new application
software package which is being considered for acquisition is during:

Options:
a. Testing and prior to user acceptance.
b. The requirements gathering process.
c. The implementation phase.
d. The internal lab testing phase.

Correct Answer:
b. The requirements gathering process.

Reasoning:
The requirements gathering process is the most effective time to assess control
specifications because it ensures that security, compliance, and operational controls are
built into the software from the start. Identifying and addressing control requirements early
in the acquisition process prevents costly changes and mitigates risks before
implementation or testing phases.
75. Question:
The IS auditor is to obtain __________ evidence to achieve the audit objectives effectively.

Options:
a. solid, hard, and conclusive
b. sufficient, relevant, and useful
c. direct, to the point, and persuasive
d. All of the above

Correct Answer:
b. sufficient, relevant, and useful

Reasoning:
Evidence collected during an audit must meet the criteria of sufficiency, relevance, and
usefulness to support audit conclusions and recommendations effectively. This ensures
that the audit objectives are met while maintaining the integrity and reliability of the
findings. Other terms like "hard" or "conclusive" may not fully align with audit standards
emphasizing sufficiency and relevance.

76. Question:
Which of the following would an IS auditor use to determine if unauthorized modifications
were made to production programs?

Options:
a. Forensic analysis
b. System log analysis
c. Analytical review
d. Compliance testing

Correct Answer:
b. System log analysis

Reasoning:
System log analysis involves reviewing logs that record changes to production programs.
These logs can reveal unauthorized modifications, including details such as who made the
changes, when they occurred, and what was altered. This method is direct and provides
concrete evidence of unauthorized activity.

77. Question:
Which of the following would be included in an IS strategic plan?

Options:
a. Brochures for future hardware purchases
b. At least a six-month list of goals from the IT manager
c. Target dates for development projects
d. Plans and directives from senior non-IT managers

Correct Answer:
c. Target dates for development projects

Reasoning:
An IS strategic plan outlines long-term objectives and priorities for information systems,
including timelines for key initiatives such as development projects. These target dates
ensure alignment with business goals and resource planning. Short-term goals or
brochures are too operational, and directives from non-IT managers lack the IT-specific
focus required for an IS strategy.

78. Question:
Which of the following situations would increase the likelihood of fraud?

Options:
a. Administrators are implementing vendor patches to vendor-supplied software without
following change control procedures
b. Database administrators are implementing changes to data structures
c. Operations support staff members are implementing changes to batch schedules
d. Application programmers are implementing changes to production programs

Correct Answer:
d. Application programmers are implementing changes to production programs

Reasoning:
Allowing application programmers to implement changes directly to production bypasses
segregation of duties, a critical control that prevents unauthorized or fraudulent changes.
Without this segregation, programmers could insert malicious code or alter data for
fraudulent purposes, significantly increasing the risk of fraud.

79. Question:
What is the purpose of job descriptions and the change control review board?

Options:
a. Provide optimum allocation of IT resources
b. Eliminate disputes over who has the authority
c. Provide guidance to the IT steering committee
d. Identify the hierarchy of personnel seniority
Correct Answer:
b. Eliminate disputes over who has the authority

Reasoning:
Job descriptions and the change control review board clearly define roles, responsibilities,
and authority levels within an organization. This helps avoid disputes by establishing
accountability and decision-making processes, particularly during IT changes or other
operational activities.

80. Question:
Network infrastructure refers to hardware, software, and services that enable network
connectivity, communication, operation, and management. If your network is not secure, it
presents a significant vulnerability to various attacks such as denial-of-service, malware,
spam, and unauthorized access. Which of the following is the MOST significant to ensure
network security?

Options:
a. Malware protection
b. Passwords
c. Monitoring and logging
d. All of the above

Correct Answer:
d. All of the above

Reasoning:
Ensuring network security requires a combination of strategies:

• Malware protection prevents harmful software from infiltrating the network.

• Strong passwords protect against unauthorized access.

• Monitoring and logging help detect and respond to suspicious activity.

A comprehensive approach is necessary for robust network security, making all
these elements equally significant.

81. Question:
The Capability Maturity Model (CMM) contains five levels of achievement. Which of the
following answers contains three of the levels in proper sequence?
CMM: Initial, Managed, Repeatable, Optimized, Defined (not in order).
Options:
a. Defined, Managed, Optimized
b. Managed, Defined, Repeatable
c. Initial, Managed, Defined
d. Initial, Managed, Repeatable

Correct Answer:

a. Defined, Managed, Optimized

Reasoning:

The proper sequence of levels in the Capability Maturity Model (CMM) is:

1. Initial

2. Repeatable

3. Defined

4. Managed

5. Optimized

82. Question:
One of the main objectives of the outsourcing governance process, as defined in the
outsourcing contract, is to ensure continuity of service at the appropriate levels and
profitability and added value to sustain the commercial viability of both parties.

Options:
a. True
b. False

Correct Answer:
a. True

Reasoning:
The outsourcing governance process is designed to ensure that both parties in an
outsourcing agreement maintain service continuity, achieve profitability, and add value.
This objective supports the long-term sustainability and commercial success of the
outsourcing arrangement for both parties.

83. Question:
Which of the following is the GREATEST challenge in using test data?
Options:
a. Minimizing the impact of additional transactions on the application being tested
b. Ensuring the program version tested is the same as the production program
c. Creating test data that covers all possible valid and invalid conditions
d. Creating test data that covers all possible valid and invalid conditions

Correct Answer:
c. Creating test data that covers all possible valid and invalid conditions

Reasoning:
The greatest challenge in testing is generating comprehensive test data that includes all
possible valid and invalid scenarios. Ensuring complete coverage is complex and resource-
intensive because it involves addressing an extensive range of input combinations and
edge cases. This is critical for accurate testing and minimizing risks of undetected errors.

84. Question:

An IS Auditor is conducting an audit of Network Infrastructure Security of a large

corporation. Which of the following does she consider critical? Network control functions
should be performed by an operator who is:

Options:
a. part of senior management
b. having proper audit skill
c. technically qualified
d. cyber security expert

Correct Answer:

c. technically qualified

Reasoning:

For network infrastructure security, it is critical that operators performing network control
functions have the technical qualifications necessary to manage and secure the systems
effectively. While cybersecurity expertise (option d) is valuable, the broader requirement for
technical qualifications is more applicable to ensuring competency in managing network
control functions.

85. Question: What is a major risk of using Single Sign-On (SSO)?

a. Leads to a lockout of valid users.
b. Has a single authentication point.
c. Causes an administrative bottleneck.
d. Represents a single point of failure.

Correct Answer:
d. Represents a single point of failure.

Reasoning:
With SSO, if the authentication system fails or is compromised, it can grant or block access
to multiple systems, making it a critical single point of failure.

86. Question:
Which of the following functions should be separated from the others if segregation of
duties cannot be achieved in an automated system?
a. Origination
b. Reprocessing
c. Correction
d. Authorization

Correct Answer:
d. Authorization

Reasoning:
Authorization is a critical function that must be separated to ensure proper checks and
balances, particularly in cases where segregation of duties is limited. This helps prevent
unauthorized activities or fraud in automated systems.

87. Question:
Which of the following BEST defines Business Continuity?
a. The ability to continue delivering agreed products and services during disruption.
b. The ability to recover all your IT systems within 24 hours.
c. An organizational cultural discipline for best practice.
d. A method for preventing disruption to all products and services.

Correct Answer:
a. The ability to continue delivering agreed products and services during disruption.

Reasoning:
Business Continuity focuses on maintaining the delivery of critical products and services
during disruptions, ensuring the organization can operate effectively despite challenges. It
is broader than IT recovery or complete prevention of disruptions.

88. Question:
The risk of an error which could occur in an audit area, and which could be material,
individually or in combination with other errors, will not be prevented or detected and
corrected on a timely basis by the internal control system is known as:
a. Detection Risk
b. Inherent Risk
c. Control Risk
d. Prevention Risk

Correct Answer:
c. Control Risk

Reasoning:
Control risk refers to the possibility that material errors or frauds may not be prevented,
detected, or corrected by the organization's internal control system on a timely basis. It
reflects the effectiveness of the controls in place.

89. Question:
An IS auditor has imported data from the client’s database. The next step—confirming
whether the imported data are complete—is performed by:
a. Sorting the data to confirm whether the data are in the same order as the original data.
b. Filtering data for different categories and matching them to the original data.
c. Reviewing the printout of the first 100 records of original data with the first 100 records of
imported data.
d. Matching control totals of the imported data to control totals of the original data.

Correct Answer:
d. Matching control totals of the imported data to control totals of the original data.

Reasoning:
Matching control totals (such as record counts, sums, or hashes) is the most reliable and
efficient method for confirming the completeness of imported data. It ensures that no
records are missing or altered during the data import process.

90. Question:
An IS Auditor should assess whether, before appointing an outsourcing service provider,
the organization has carried out proper due diligence and also has a process to evaluate
the activities of the service provider based on the following:
a. Objective behind Outsourcing
b. Economic viability
c. Risks and security concerns
d. All of the above
Correct Answer:
d. All of the above

Reasoning:
Before appointing an outsourcing service provider, an organization must evaluate multiple
factors to ensure effective decision-making. This includes understanding the objective
behind outsourcing, assessing the economic viability of the service provider, and
identifying risks and security concerns to ensure a robust and secure outsourcing
arrangement.

91. Question:
The PRIMARY reason an IS auditor performs a functional walk-through during the
preliminary phase of an audit assignment is to:
a. Plan substantive testing.
b. Identify control weakness.
c. Understand the business process.
d. Comply with auditing standards.

Correct Answer:
c. Understand the business process.

Reasoning:
The primary purpose of a functional walk-through during the preliminary phase is to gain a
clear understanding of the business process. This understanding is crucial for the IS
auditor to assess risks, evaluate controls, and design an effective audit plan.

92. Question:
While performing a Hardware Review, which of the following tasks does not cover the
purview of the IS Auditor?
a. System software security
b. Capacity Management
c. Acquisition plan
d. Problem logs

Correct Answer:
c. Acquisition plan

Reasoning:
The IS Auditor typically focuses on evaluating system software security, capacity
management, and problem logs as part of ensuring operational efficiency and security.
However, the acquisition plan, which involves decisions about procuring hardware or
software, is more aligned with management's responsibilities rather than the IS Auditor's
primary role.

93. Question:
Which of the following is a characteristic of Agile development?
a. Test-driven development
b. Implement the simplest solution to meet today's problem
c. Continual feedback from the customer
d. All of the above

Correct Answer:
d. All of the above

Reasoning:
Agile development emphasizes test-driven development, simplicity in solutions to address
current problems, and frequent feedback from customers to ensure the product aligns with
their needs. These practices are core principles of Agile methodologies.

94. Question:
Which of the following is the function of an eCommerce software?
a. Product configuration
b. Web traffic data analysis
c. All of the above
d. None of the above

Correct Answer:
c. All of the above

Reasoning:
eCommerce software typically provides functionalities for product configuration
(managing product listings and options), web traffic data analysis (tracking user behavior
and metrics), and other related features to support online business operations. Thus, "All of
the above" is the correct answer.

95. Question:
The key objective of capacity planning procedures is to ensure that:
a. available resources are used efficiently and effectively.
b. new resources will be added for new applications in a timely manner.
c. utilization of resources does not drop below 85 percent.
d. available resources are fully utilized.
Correct Answer:
a. available resources are used efficiently and effectively.

Reasoning:
Capacity planning aims to ensure that the organization uses its resources optimally to
meet current and future demands. It focuses on balancing efficiency and effectiveness
rather than merely full utilization or specific utilization thresholds.

96. a. The employee’s recent history of login account activity should be reviewed in the
audit log.
b. Any company property in possession of the employee must be returned.
c. The company must follow HR termination procedures.
d. The employee must be allowed to copy any personal files from their computer.

Correct Answer:
d. The employee must be allowed to copy any personal files from their computer.

Reasoning:
While it is essential to ensure proper procedures for termination, including auditing
account activity, recovering company property, and following HR protocols, allowing an
employee unrestricted access to copy personal files may pose a security risk. Personal
files on company systems are typically reviewed and handled according to company policy,
not unconditionally permitted for copying.

97. Question:
Electromagnetic emissions from a terminal represent an exposure because they:
a. produce dangerous levels of electric current.
b. disrupt processor functions.
c. affect noise pollution.
d. can be detected and displayed.

Correct Answer:
d. can be detected and displayed.

Reasoning:
Electromagnetic emissions can unintentionally transmit sensitive information, as these
emissions can be intercepted and reconstructed by attackers. This is a significant security
risk, especially in environments where sensitive data is processed.

98. Question:
Digital dashboard, also known as:
a. Artificial intelligence tool
b. Augmented reality tool
c. Security tool
d. Business intelligence tool

Correct Answer:
d. Business intelligence tool

Reasoning:
A digital dashboard is a business intelligence tool used to visualize and monitor key
performance indicators (KPIs) and other relevant data in real-time, enabling better
decision-making and performance tracking.

99. Question:
IS Audit process collects and evaluates evidence to determine whether the information
systems and related resources:
a. can bring threats for organization which may lead to financial loss.
b. protect organization from any loss from reduced sales revenue.
c. adequately safeguard assets.
d. restrict the rights of run, distribute, study and improve to user of the software.

Correct Answer:
c. adequately safeguard assets.

Reasoning:
The primary objective of an IS audit process is to ensure that information systems and
resources are designed and managed to safeguard the organization's assets, ensure data
integrity, and promote operational efficiency.

100. Question:
What is the FIRST and most important security planning step to manage the enterprise IT
environment?
a. Possibility that a threat event or potential exposure can occur.
b. Consider the overall control structure of the security solution desired by the
management.
c. Report the finding to management as a deficiency.
d. Consider availability, compatibility, reliability, scalability, performance, and security.

Correct Answer:
b. Consider the overall control structure of the security solution desired by the
management.
Reasoning:
The first step in security planning is to align the security framework with management's
goals by considering the overall control structure. This ensures that security solutions meet
organizational requirements and objectives while addressing potential risks effectively.

101. Question:
A hacker could obtain passwords without the use of computer tools or programs through
the technique of:
a. back doors.
b. social engineering.
c. sniffers.
d. Trojan horses.

Correct Answer:
b. social engineering.

Reasoning:
Social engineering involves manipulating people to disclose sensitive information, such as
passwords, without using technical tools or programs. It exploits human behavior rather
than technological vulnerabilities.

NB: Here’s the meaning of the other options:

a. Back doors
Back doors are hidden access points intentionally or unintentionally left in a system to
bypass security mechanisms. These are usually embedded by developers or malicious
actors for future access.

c. Sniffers
Sniffers are tools or programs used to capture and analyze network traffic to intercept
sensitive information, such as passwords, as it travels over the network.

d. Trojan horses
Trojan horses are malicious programs disguised as legitimate software. They trick users
into installing them, allowing attackers to gain unauthorized access or steal sensitive data.

102. Question: The classification based on criticality of a software application as part of an

IS business continuity plan is determined by:
a. vendor support available for the application.
b. nature of the business and the value of the application to the business.
c. replacement cost of the application.
d. associated threats and vulnerabilities of the application.
Correct Answer:
b. nature of the business and the value of the application to the business.

Reasoning:
The criticality of a software application is determined by its importance to the
organization's operations and goals. This involves assessing how the application's
functionality supports the business and how its absence would impact operations, making
it a core component of business continuity planning.

103. Question:
To detect software licensing violations, the IS auditor should FIRST review:
a. The listing of all standard, used, and licensed application and system software.
b. Scan the entire network to produce a list of installed software.
c. Obtain copies of all software contracts to determine the nature of license agreements.
d. Compare the license agreements with installed software, noting any violations.

Correct Answer:
a. The listing of all standard, used, and licensed application and system software.

Reasoning:
The first step in detecting software licensing violations is to compile a complete and
accurate inventory of all software currently in use. This provides a baseline for further
comparison and analysis against license agreements and installed software. Without this
initial review, it would be difficult to assess compliance or detect violations.

104. Question:
Software validation is the responsibility of:
a. QA Team
b. Tester
c. Developer
d. Designer

Correct Answer:
a. QA Team

Reasoning:
Software validation ensures that the product meets the intended requirements and works
as expected. This process is typically the responsibility of the QA (Quality Assurance)
Team, as they are tasked with verifying the overall quality and functionality of the software
through systematic testing and evaluation methods.
105. Question:
Incidents that cause a negative material impact on business processes and may affect
other systems, departments, or even outside clients should be classified as:
a. Negligible
b. Crisis
c. Minor
d. Major

Correct Answer:
d. Major

Reasoning:
Such incidents have a broad and material impact on the organization, potentially affecting
key business processes, multiple systems, and external clients. These characteristics align
with the definition of a "major" incident, as it necessitates urgent attention and resolution
to mitigate widespread consequences.

106. Question:
While auditing Cloud, which of the following should the IS auditor be additionally aware of?
a. Legal requirements
b. Cyber threat
c. Intimidation
d. Added consultancy opportunity

Correct Answer:
a. Legal requirements

Reasoning:
Auditing cloud environments involves specific legal and regulatory compliance issues,
such as data residency, privacy laws, and service-level agreements (SLAs). The IS auditor
must be aware of these requirements to ensure that the cloud services comply with
applicable legal and regulatory framework.

107. Question:

Which one of the following statements of testing SDLC projects is NOT correct?
a. Integrated testing completed for each system element
b. Stress testing completed for overall system and related interfaces
c. System testing completed for online performance and data storage/retrieval
d. Unit testing completed for each system element
Correct Answer:
a. Integrated testing completed for each system element

Reasoning:
Integrated testing focuses on testing the interaction between modules or components
rather than being completed for each individual system element. It ensures that combined
components work together as intended, but it is not intended for testing individual system
elements. Instead, unit testing is performed for individual elements, and integration testing
is performed on grouped components.

NB: Testing in SDLC (Software Development Life Cycle) is a crucial phase that ensures
the quality, functionality, and reliability of the software product. Below are the key types of
testing typically conducted in SDLC projects:

1. Unit Testing

• Objective: Test individual components or modules of the system.

• Performed by: Developers.

• Focus: Validates that each module works as expected in isolation.

2. Integration Testing

• Objective: Test the interactions and data flow between combined modules or
components.

• Performed by: Testers or developers.

• Focus: Identifies issues in the integration of modules.

3. System Testing

• Objective: Test the entire system as a whole to validate end-to-end functionality.

• Performed by: Testers.

• Focus: Ensures that the software meets business and functional requirements.

4. Stress Testing

• Objective: Evaluate system performance under extreme or adverse conditions.

• Performed by: Performance engineers or testers.

• Focus: Checks system stability, robustness, and behavior under peak load.
5. Performance Testing

• Objective: Test the responsiveness, speed, and scalability of the application.

• Performed by: Testers or performance engineers.

• Focus: Measures performance benchmarks like response time and throughput.

6. Acceptance Testing

• Objective: Validate that the system meets user requirements and is ready for
deployment.

• Performed by: End-users or business stakeholders.

• Focus: Ensures readiness for production use.

108. Question:
The organization that outsources is effectively reconfiguring its _______ by identifying those
activities that are core to its business, retaining them, and making noncore activities
candidates for outsourcing:
a. Organogram.
b. Processes.
c. Key performance indicators.
d. Value chain.

Correct Answer:
d. Value chain.

Reasoning:
The value chain represents all the activities an organization performs to deliver a product or
service. By identifying core and noncore activities, the organization reconfigures its value
chain to focus on what provides the most value to the business while outsourcing noncore
activities. This approach helps improve efficiency and maintain a competitive edge.

109. Question:
An IS auditor interviewing a payroll clerk finds that the answers do not support job
descriptions and documented procedures. Under these circumstances, the IS auditor
should:
a. Conclude that the controls are inadequate.
b. Suspend the audit.
c. Place greater reliance on previous audits.
d. Expand the scope to include substantive testing.

Correct Answer:
d. Expand the scope to include substantive testing.

Reasoning:
When the IS auditor finds inconsistencies between the payroll clerk's answers and
documented procedures, it raises concerns about the adequacy of controls. Instead of
jumping to conclusions or relying on prior audits, the auditor should expand the audit
scope to perform substantive testing. This involves directly verifying transactions,
records, and processes to determine if the controls are functioning effectively and to
identify any potential issues.

112. Question:
An IS auditor is carrying out an audit of software licensing and digital rights of an NGO
where he found the NGO uses software that is free initially but must be purchased after a
brief trial period, having limited functionality compared to the full commercial version. He
understands that the organization acquired:
a. Open source software
b. Freeware software
c. Shareware software
d. None of the above

Correct Answer:
c. Shareware software

Reasoning:
Shareware software is distributed free of charge for a trial period, often with limited
functionality. After the trial period ends, users are required to purchase the software to
continue using it or unlock full functionality. This matches the situation described in the
question.

113. Question:
When testing program change requests for a remote system, an IS auditor finds that the
number of changes available for sampling is too small to provide a reasonable level of
assurance. What is the MOST appropriate action for the IS auditor to take?

Options:
a. Create additional sample changes to programs.
b. Report the finding to management as a deficiency.
c. Develop an alternate testing procedure.
d. Perform a walk-through of the change management process.

Correct Answer:
c. Develop an alternate testing procedure.

Reasoning:
If the sample size is too small to provide reasonable assurance, the auditor should develop
an alternative testing procedure. This might involve testing a larger period, reviewing
documentation, or applying other methods to gather sufficient evidence. Creating
additional sample changes artificially (option a) would not be valid, and immediately
reporting it as a deficiency (option b) might be premature. A walk-through (option d) is a
useful step but may not fully resolve the issue.

114. Question:
The National Institute of Standards and Technology (NIST) reports that 64% of software
vulnerabilities stem from programming errors and not a lack of security features.

Options:
a. True
b. False

Correct Answer:
a. True

Reasoning:
According to studies by NIST, the majority of software vulnerabilities arise due to
programming errors rather than the absence of security features. These errors can include
poor coding practices, lack of input validation, and insufficient error handling, which lead
to exploitable vulnerabilities in the software.

115. Question:
Hot Site is a term used in disaster recovery to describe a location that an organization can
move to after a disaster occurs. What does a Hot Site actually mean?

Options:
a. A location that can resume some essential operations but obviously not all.
b. A location that does not have the capacity to resume all operations but has the potential
to give enough time.
c. A location fully equipped to resume operations.
d. All of the above.
Correct Answer:
c. A location fully equipped to resume operations.

Reasoning:
A Hot Site is a fully operational facility that mirrors an organization’s IT infrastructure and is
equipped to take over operations immediately in case of a disaster. It includes hardware,
software, networking equipment, and backup data, ensuring minimal downtime. Options a
and b describe less comprehensive solutions, like Warm or Cold Sites, which are not fully
equipped to resume all operations instantly.

116. Question:
Which of the following controls should the Auditor investigate while auditing mobile
devices (laptops, tablets, and smartphones) that are also known as Bring Your Own Device
(BYOD)?

Options:
a. Alignment with organization strategy.
b. Risk assessment of mobile devices.
c. Policies governing the use of devices.
d. All of the above.

Correct Answer:
d. All of the above.

Reasoning:
When auditing a BYOD program, the auditor should evaluate multiple aspects:

• Alignment with organization strategy (a): Ensures that the BYOD policy aligns with
the organization's goals and objectives.

• Risk assessment of mobile devices (b): Identifies security risks such as

unauthorized access, malware, and data loss associated with using personal
devices.

• Policies governing the use of devices (c): Ensures clear rules for device usage,
access control, encryption, and data protection.
Since all these controls are essential, the correct answer is "All of the above."

117. Question:
Which of the following is the MOST effective method for an IS auditor to use in testing the
program change management process?
Options:
a. Examine change management documentation for evidence of completeness.
b. Trace from the change management documentation to a system-generated audit trail.
c. Examine change management documentation for evidence of accuracy.
d. Trace from system-generated information to the change management documentation.

Correct Answer:
b. Trace from the change management documentation to a system-generated audit
trail.

Reasoning:
The most effective method to test the program change management process is to ensure
that the documented changes are accurately reflected in the system. By tracing from the
change management documentation to a system-generated audit trail, the auditor can
verify:

1. That changes were properly authorized.

2. That changes were implemented as documented.

3. That there is a complete and accurate record of the process.

This method ensures accountability and alignment between the documented changes and
the actual changes made to the system, providing robust evidence of the process.

118. Question: Which framework advises to make sure the IT objectives and the business
objectives are aligned and control the effective implementation of joint decisions?

Options:
a. CobiT
b. ITIL
c. VALIT
d. eSCM

Correct Answer:
a. CobiT

Reasoning:
CobiT (Control Objectives for Information and Related Technologies) is a governance and
management framework for IT. It focuses on aligning IT objectives with business
objectives to ensure that IT delivers value to the business while managing risks and
resources effectively. It is widely used to provide a structured approach to IT governance
and control, ensuring that IT supports business goals and decisions.
Other options:

• ITIL (b): Focuses on IT service management, emphasizing service delivery and

processes rather than governance.

• VALIT (c): Concentrates on value management for IT investments but is often

considered complementary to CobiT.

• eSCM (d): Focuses on improving outsourcing relationships, not IT governance.

119. When reviewing a network used for Internet communications, an IS auditor will
FIRST examine the:

Options:
a. network architecture and design.
b. architecture of the client-server application.
c. validity of password change occurrences.
d. firewall protection and proxy servers.

Correct Answer:
a. network architecture and design.

Reasoning:
When reviewing a network used for Internet communications, the network architecture
and design is the first aspect an IS auditor examines. This ensures that the network's
foundational structure is robust and capable of supporting secure and efficient
communication. Analyzing the architecture helps identify potential weaknesses in design,
scalability, or integration, which could lead to vulnerabilities.

120. A standard is a document that provides _______, _______, _______ or characteristics

that can be used consistently to ensure that materials, products, processes, and
services are fit for their purpose.

Options:
a. Guidelines, Requirements, Products
b. Characteristics, Requirements, Materials
c. Requirements, Guidelines, Process
d. Requirements, Specifications, Guidelines

Correct Answer:
d. Requirements, Specifications, Guidelines

Reasoning:
A standard defines a set of requirements, specifications, and guidelines to ensure that
products, services, or processes consistently meet their intended purpose. These
elements help maintain quality, reliability, and safety in various industries. The other
options include terms that do not align with the formal definition of a standard.

121. What is the simple definition of strategy?

Options:
a. Using best practices in a uniform application
b. Ethical behavior of the executive management team to follow an iterative process of
development
c. Implementing standards and procedures in a multilayered approach to accomplish the
business
d. Fundamental change in the way we do business

Correct Answer:
d. Fundamental change in the way we do business

Reasoning:
Strategy refers to a fundamental plan or approach to achieve long-term goals, often
involving changes in how an organization operates or competes in its environment. While
the other options touch on aspects of management or operational processes, they do not
capture the essence of strategy as a fundamental change or approach to conducting
business.

122. The question is:

IS auditors should determine that all remote access capabilities used by an

organization provide for effective security of the organization's information resources
where remote access security controls should be ________ for authorized users
operating outside of the trusted network environment.

Options:
a. documented and implemented
b. as per service level agreements (SLAs)
c. evaluated for cost effectiveness
d. assessed for remote access points of entry

Correct Answer:
a. documented and implemented

Reasoning:
Effective security measures for remote access should always be documented and
implemented to ensure proper compliance, auditing, and enforcement. Proper
documentation provides a baseline for how controls should operate, and implementation
ensures those controls are functioning as designed to protect information resources,
particularly for users outside the trusted network.

123. The question is:

IS audit has changed dramatically over the last ten years in terms of:

Options:
a. The relationship between IS and financial audit
b. The focus of the IS audit
c. Technologies employed
d. All of the above

Correct Answer:
d. All of the above

Reasoning:
Over the past decade, Information Systems (IS) auditing has evolved in various ways:

1. Relationship between IS and financial audit: There is increased integration of IS

audits with financial audits, as IT systems play a critical role in financial processes
and reporting.

2. Focus of IS audit: The focus has shifted to include risk management, cybersecurity,
data privacy, and compliance with new regulations.

3. Technologies employed: With advancements in technology, new tools and

frameworks, such as artificial intelligence and machine learning, have been
adopted in IS auditing processes.

124. The question is:

During the SDLC, several risks can become real problems. Which of the following is
the greatest concern to the auditor?

Options:
a. The project exceeded a 14 percent cost overrun from the original budget.
b. The depth and breadth of user operation manuals is not sufficient.
c. User acceptance testing lasted only 1 hour.
d. User requirements and objectives were not met.

Correct Answer:
d. User requirements and objectives were not met
Reasoning:
Meeting user requirements and objectives is the most critical goal of the SDLC (System
Development Life Cycle). If these are not met, the entire project fails to deliver its intended
value, regardless of the budget, documentation, or testing duration

125. The vice president of human resources has requested an audit to identify payroll
overpayments for the previous year. Which would be the BEST audit technique to use
in this situation?

Options:
a. Embedded audit module
b. Integrated test facility
c. Generalized audit software
d. Test data

Correct Answer:
c. Generalized audit software

Reasoning:
Generalized audit software (GAS) is the best technique for analyzing historical data, such
as payroll records, to identify overpayments. It allows auditors to efficiently examine large
datasets, perform calculations, and identify anomalies or errors in transactions.

Other

option:

a. Embedded audit module: This is used for ongoing monitoring rather than reviewing
past transactions.

b. Integrated test facility: This involves inserting test data into a live system to evaluate
processing accuracy, which is not applicable to analyzing past records.

d. Test data: This is used to validate system controls during system implementation, not
for reviewing historical data.

126. In the course of performing a risk analysis, an IS auditor has identified threats and
potential impacts. Next, an IS auditor should?

Options:
a. Identify information assets and the underlying systems.
b. Disclose the threats and impacts to management.
c. Identify and assess the risk assessment process used by management.
d. Identify and evaluate the existing controls.
Correct Answer:
d. Identify and evaluate the existing controls.

Reasoning:
Once threats and potential impacts have been identified, the next step is to evaluate the
existing controls to determine whether they are sufficient to mitigate the identified risks.
This step helps in understanding the organization's current security posture and highlights
any gaps in controls that may require attention.

127. The FIRST feature for 2FA (Two-Factor Authentication):

Options:
a. Clock synchronization between a token generator and an authentication server.
b. PIN assigned to user.
c. New resources will be added for new applications in a timely manner.
d. Token automatically generated in hardware every 30 seconds.

Correct Answer:
a. Clock synchronization between a token generator and an authentication server.

Explanation:
In Two-Factor Authentication (2FA) systems, especially those that use time-based tokens
(like Time-based One-Time Passwords or TOTP), clock synchronization between the token
generator (e.g., a hardware device or mobile app) and the authentication server is critical.
Without synchronization, the server cannot verify that the generated tokens are valid within
the given time window.

128. An IS auditor reviewing a proposed application software acquisition should

ensure that the:

Options:
a. Operating system (OS) being used is compatible with the existing hardware platform.
b. Product is compatible with the current or planned OS.
c. Planned OS updates have been scheduled to minimize negative impacts on company
needs.
d. OS has the latest versions and updates.

Correct Answer:
b. Product is compatible with the current or planned OS.

Explanation:
When acquiring new application software, it is essential to ensure that the software is
compatible with the operating system (OS) that is currently in use or planned for future
implementation. This compatibility ensures proper functioning, reduces risks of
operational disruptions, and avoids additional costs for OS upgrades or replacements.

129. Question: Which of the following is the PRIMARY advantage of using computer
forensic software for investigations?

Options:
a. Efficiency and effectiveness
b. Ability to search for violations of intellectual property rights
c. Time and cost savings
d. The preservation of the chain of custody for electronic evidence

Correct Answer:
d. The preservation of the chain of custody for electronic evidence

Reasoning:
The primary advantage of using computer forensic software is ensuring the preservation of
the chain of custody for electronic evidence. This is critical in legal and investigative
contexts, as it maintains the integrity and authenticity of the evidence, making it
admissible in court. While efficiency and other factors are important, the integrity of the
chain of custody is the most critical aspect of forensic investigations.

130. Which one of these is not a good reason for an organization to decide to reverse its
outsourcing decision and bring the work back to be performed in-house?

Options:
a. Recognizing added delays in the overall delivery of service to their customers
b. Recognizing added expense after considering the total cost of long-distance supervision
and price to make changes
c. Wanting to copy a competitor without doing the hard research
d. Realizing a loss of control

Correct Answer:
c. Wanting to copy a competitor without doing the hard research

Reasoning:
Deciding to reverse an outsourcing decision should be based on strategic, operational, or
financial considerations that impact the organization’s efficiency, cost, or control. Simply
copying a competitor without conducting thorough research is not a valid or rational
reason, as it lacks strategic alignment and does not consider the organization's unique
needs or circumstances.
131. During a security audit of IT processes, an IS auditor found that there were no
documented security procedures. The IS auditor should:

Options:
a. Create the procedures document.
b. Identify and evaluate existing practices.
c. Conduct compliance testing.
d. Plan and carry out an independent review of computer operations.

Correct Answer:
b. Identify and evaluate existing practices.

Reasoning:
The auditor's role is to assess and evaluate the current state of controls and processes, not
to create documentation or implement solutions. By identifying and evaluating existing
practices, the auditor can determine whether they meet security requirements and
recommend appropriate improvements or formal documentation. This ensures
independence and maintains the proper scope of the audit process.

132. Using a GAS (Generalized Audit Software) such as ACL means the auditor does not
review a sample of the data but rather reviews or examines _____ of the data and
transactions.

Options:
a. 50%
b. 80%
c. 60%
d. 100%

Correct Answer:
d. 100%

Reasoning:
GAS tools like ACL are designed to process and analyze the entirety of a dataset rather than
relying on sampling methods. This allows auditors to identify anomalies, patterns, and
potential issues in 100% of the data, ensuring a comprehensive review of all transactions
and records.

133. Question:
Which of the following is the GREATEST benefit of B2C eCommerce?
Options:
a. Reduce the use of newspaper advertisements and sell personal items.
b. Many goods and services are cheaper when purchased via the Web.
c. Elimination of intermediate organizations between the producer and the consumer.
d. Enterprises can sell to a global market.

Correct Answer:
d. Enterprises can sell to a global market.

Reasoning:
The greatest advantage of B2C (Business-to-Consumer) eCommerce is that it allows
businesses to reach a global market without the constraints of geographical location. This
expands the customer base significantly, enabling enterprises to sell products and
services to consumers worldwide, which is more impactful compared to the other listed
benefits.

134. Question:
An IS auditor is conducting a compliance audit of a health care organization operating an
online system that contains sensitive health care information. Which of the following
should an IS auditor FIRST review?

Options:
a. Legal and regulatory requirements regarding data privacy
b. Network diagram and firewall rules surrounding the online system
c. Adherence to organizational policies and procedures
d. IT infrastructure and IS department organizational chart

Correct Answer:
a. Legal and regulatory requirements regarding data privacy

Reasoning:
When auditing a healthcare organization that handles sensitive information, the first step is
to ensure compliance with applicable legal and regulatory requirements regarding data
privacy, such as HIPAA (in the U.S.) or GDPR (in the EU). These regulations mandate how
sensitive data should be managed and protected. Focusing on these requirements ensures
that the organization meets its legal obligations and provides a foundation for further
compliance and security measures.

135. Question:
To which domain can ITIL and ISO 20000 be applied?
Options:
a. IT service management
b. IT governance
c. IT component management
d. Activity management

Correct Answer:
a. IT service management

Reasoning:
ITIL and ISO 20000 are specifically designed to address IT service management (ITSM).
They provide structured frameworks and standards for delivering, managing, and improving
IT services to meet the needs of businesses and customers. The primary focus is on
optimizing service delivery, ensuring quality, and aligning IT services with organizational
goals, making IT service management the most appropriate domain for their application.

136. Question:
The policy that includes information for all information resources (hardware, software,
networks, Internet, etc.) and describes the organizational permissions for the usage of IT
and information-related resources is:

Options:
a. Information Security Policy
b. Acceptable Use Policy
c. End-user Computing Policy
d. Access Control Policies

Correct Answer:
b. Acceptable Use Policy

Reasoning:
The Acceptable Use Policy (AUP) outlines the acceptable and appropriate use of an
organization's IT resources, including hardware, software, networks, and internet access. It
specifies the permissions and responsibilities of users, ensuring that resources are used
ethically and within the boundaries set by the organization. This policy directly addresses
usage rules for IT and information resources, distinguishing it from other policies that focus
on security, specific technical controls, or end-user guidelines.

137. Question:
An auditor should serve in the interest of _______ in a lawful manner, while maintaining high
standards of conduct and character and not discrediting their profession or the
Association.
Options:
a. Stakeholders
b. Public
c. Shareholders
d. Auditors

Correct Answer:
b. Public

Reasoning:
Auditors are expected to act in the public interest, as their role often involves providing
assurance on financial and operational matters that affect the broader community. By
upholding lawful and ethical standards, auditors help maintain trust and confidence in
their profession and the organizations they serve. This focus on the public interest
distinguishes auditors from simply serving the needs of stakeholders or shareholders.

138. Question:
An IS auditor should ensure that IT governance performance measures:

Options:
a. evaluate the IT department.
b. provide strategic IT drivers.
c. adhere to regulatory reporting standards and definitions.
d. evaluate the activities of IT oversight committees.

Correct Answer:
b. provide strategic IT drivers.

Reasoning:
IT governance performance measures are designed to align IT objectives with the overall
strategic goals of the organization. By focusing on providing strategic IT drivers, the IS
auditor ensures that IT governance contributes to business value, supports decision-
making, and ensures accountability. While other options may be relevant in specific
contexts, aligning with strategic IT drivers best reflects the purpose of IT governance
measures.

139. Question:
Governance of Enterprise IT (GEIT) is the responsibility of the:

Options:
a. board of directors.
b. management.
c. board of directors and executive management.
d. shareholders and board of directors.

Correct Answer:
c. board of directors and executive management.

Reasoning:
Governance of Enterprise IT (GEIT) ensures that IT investments and operations align with
the organization’s strategic objectives and deliver value. It is a joint responsibility of the
board of directors, who provide oversight and strategic direction, and executive
management, who implement governance processes and manage IT-related risks and
resources. This collaboration ensures accountability, alignment, and the effective use of IT
resources. Other groups, such as shareholders, are not directly responsible for IT
governance.

140. Question:
Why is the knowledge of IT governance of an enterprise fundamental to the work of the IS
auditor? It helps to understand the enterprise’s:

Options:
a. discuss audit deliverables.
b. identify risks.
c. IT strategy and objectives.
d. establish an audit timeline.

Correct Answer:
c. IT strategy and objectives.

Reasoning:
Understanding IT governance is essential for IS auditors because it provides insight into the
enterprise’s IT strategy and objectives. This knowledge helps the auditor evaluate whether
IT resources and processes are aligned with the organization's goals, ensuring they deliver
value and comply with governance frameworks. Identifying risks, discussing deliverables,
or setting an audit timeline, while important, are secondary to understanding the
enterprise’s strategic IT direction.

141. Question:
An IS auditor is evaluating a corporate network for a possible penetration by employees.
Which of the following findings should give the IS auditor the GREATEST concern?

Options:
a. Network monitoring is very limited.
b. Users can install software on their desktops.
c. Many user IDs have identical passwords.
d. There are a number of external modems connected to the network.

Correct Answer:
c. Many user IDs have identical passwords.

Reasoning:
The greatest concern for an IS auditor in this scenario is the presence of identical
passwords for multiple user IDs. This represents a critical vulnerability because it
significantly increases the risk of unauthorized access, privilege abuse, and data breaches.
While limited network monitoring, external modems, or the ability to install software pose
risks, they do not present as immediate or widespread a threat to security as poor
password practices, which could be exploited by employees or external attackers.

142. Question:
There is an increasing reliance on external service providers as partners in achieving the
growth targets and as __________.

Options:
a. a means of protecting your own firm
b. relinquishing control
c. effective cost alternatives
d. they save time and money

Correct Answer:
c. effective cost alternatives

Reasoning:
Organizations increasingly depend on external service providers because they offer
effective cost alternatives. These providers help reduce overhead expenses, streamline
operations, and enable companies to focus on their core competencies while leveraging
external expertise and resources for specific functions. While time and money savings
(option d) are benefits, the focus on cost-effective solutions highlights their strategic value
in achieving growth targets.

143. Question:
An IS auditor is auditing the controls related to employee termination. Which of the
following is the most important aspect to be reviewed?

Options:
a. The details of the employee have been removed from active payroll files.
b. Company staff members are notified about the termination.
c. Company property provided to the employee has been returned.
d. All login accounts of the employee are terminated.

Correct Answer:
d. All login accounts of the employee are terminated.

Reasoning:
The termination of login accounts is critical to ensure that the former employee no longer
has access to the organization's systems and data, thereby mitigating the risk of
unauthorized access or data breaches. While other options, such as updating payroll files
or retrieving company property, are important administrative tasks, securing IT systems by
deactivating login credentials is the top priority from a security perspective.

144. Question:
The FIRST step in preparing a new BCP or in updating an existing one _________ of those key
processes that are responsible for both the permanent growth of the business and for the
fulfillment of the business goals.

Options:
a. is to identify the business processes of strategic importance
b. is a critical component
c. is directly proportional to the impact on the organization
d. is generally followed by the business and supporting units

Correct Answer:
a. is to identify the business processes of strategic importance

Reasoning:
The initial step in developing or revising a Business Continuity Plan (BCP) involves
identifying the critical business processes that are essential to the organization's strategic
goals and long-term growth. This allows the organization to prioritize resources, plan
effectively, and ensure that the most impactful processes are resilient to disruptions.
Identifying these processes is foundational to creating a robust BCP.

145. Question:
A financial services company has a website used by its independent agents to administer
their customer accounts. During a review of logical access to the system, an IS auditor
notices that user IDs are shared among agents. The MOST appropriate action for an IS
auditor to take is to:
Options:
a. Contact the security manager to request that the IDs be removed from the system.
b. Document the finding and explain the risk of using shared IDs.
c. Request a detailed review of audit logs for the IDs in question.
d. Inform the audit committee that there is a potential issue.

Correct Answer:
b. Document the finding and explain the risk of using shared IDs.

Reasoning:
The primary responsibility of the IS auditor is to document findings, assess the risks, and
provide recommendations for mitigating those risks. Shared IDs undermine accountability
and traceability in the system, as actions cannot be attributed to specific individuals. The
auditor must document the issue and explain the associated risks (e.g., lack of
accountability, potential for misuse, or difficulty in auditing activities) to enable
management to take corrective actions.

Immediate actions, such as contacting the security manager or notifying the audit
committee, would typically follow after the issue is formally documented and presented.

146. Question:
The ____ is the duration of time and a service level within which a business process must
be restored after a disaster (or disruption) in order to avoid unacceptable consequences
associated with a break in business continuity.

Options:
a. RTO
b. RPO
c. CDD
d. IDS

Correct Answer:
a. RTO

Explanation:
The Recovery Time Objective (RTO) is the maximum duration of time within which a
business process must be restored after a disruption to avoid unacceptable
consequences. It focuses on the time frame for recovery and ensures continuity of
operations after an incident.

• RPO (Recovery Point Objective) refers to the maximum acceptable amount of data
loss measured in time before the disaster or disruption.
 • CDD (Customer Due Diligence) and IDS (Intrusion Detection System) are
unrelated to the context of business continuity planning.

147. Question:
What is the first an IS auditor should review while auditing remote access into a computer
facility?

Options:
a. All users are connected through secure remote secure VPN service, e.g., PPTP VPN, SSL
VPN, etc.
b. Free internet-based remote access support is forbidden, e.g., TeamViewer, Radmin, etc.
c. Activity logs.
d. Whether configuration of VPN service is on Cisco router, Cisco ASA firewall, Linux box,
and appliances.

Correct Answer:
a. All users are connected through secure remote secure VPN service, e.g., PPTP VPN,
SSL VPN, etc.

Explanation:
When auditing remote access, the first priority is to ensure that all users are connecting
securely. A secure VPN service (such as PPTP VPN or SSL VPN) ensures encryption of data
during transmission, protecting sensitive information from interception or unauthorized
access.

148. Question:
In a critical server, an IS auditor discovers a Trojan horse that was produced by a known
virus that exploits a vulnerability of an operating system. Which of the following should an
IS auditor do FIRST?

Options:
a. Install the patch that eliminates the vulnerability.
b. Analyze the operating system log.
c. Investigate the virus's author.
d. Ensure that the malicious code is removed.

Correct Answer:
d. Ensure that the malicious code is removed.

Explanation:
The first priority in this scenario is to eliminate the immediate threat posed by the Trojan
horse to ensure the security and stability of the system. Removing the malicious code
helps prevent further exploitation or damage.

149. Question:
Encryption plays a key role in the protection of sensitive and valuable information, but key
exchange between the sender and recipient of information must occur over a secure
channel. It is the MAIN challenge of which of the cryptographic systems?

Options:
a. Private Key Cryptosystems
b. Public Key Infrastructures
c. Digital Signatures
d. Public Key Cryptosystems

Correct Answer:
a. Private Key Cryptosystems

Explanation:
In private key cryptosystems (also known as symmetric key cryptosystems), the same key
is used for both encryption and decryption. The main challenge is securely exchanging this
key between the sender and the recipient, as the security of the system depends on
keeping the key confidential. This requires a secure channel or pre-existing trust, which can
be difficult to establish and maintain.

• Option b (Public Key Infrastructures): This refers to systems that use public and
private keys and address the challenges of key distribution.

• Option c (Digital Signatures): While related to cryptography, digital signatures are

used for verifying integrity and authenticity rather than key exchange.

• Option d (Public Key Cryptosystems): These use asymmetric keys (public and
private) and do not require a secure channel for key exchange, addressing the issue
mentioned in the question.

150. Question:
Which of the following is MOST important to audit whether effective application controls
are maintained?

Options:
a. Peer review
b. Control self-assessment (CSA)
c. Exception reporting
d. Manager involvement
Correct Answer:
b. Control self-assessment (CSA)

Explanation:
Control self-assessment (CSA) is a process through which business process owners and
managers assess the effectiveness of their own controls. It helps ensure that application
controls are functioning as intended and remain effective. CSA provides a structured
framework for identifying weaknesses and gaps, making it the most comprehensive
approach to auditing effective application controls.