Mock Exam
CISA Complete 200 Multiple Choice Questions with detailed solutions and reasoning
FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com
CISA MOCK EXAM
1. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):
A. Implementor
B. Facilitator
C. Developer
D. Sponsor
Answer: B
The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.
2. What is the primary objective of a control self-assessment (CSA) program?
A. Enhancement of the audit responsibility
B. Elimination of the audit responsibility
C. Replacement of the audit responsibility
D. Integrity of the audit responsibility
Answer: A
Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.
3. IS auditors are MOST likely to perform compliance tests of internal controls if, after their initial
evaluation of the controls, they conclude that control risks are within the acceptable limits. True
or false?
A. True
B. False
Answer: A
IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it this way: If any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in little reliance on internal controls, which results in additional substantive testing.
4. As compared to understanding an organization's IT process from evidence directly collected,
how valuable are prior audit reports as evidence?
A. The same value.
B. Greater value.
C. Lesser value.
D. Prior audit reports are not relevant.
Answer: C
Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization's IT process than evidence directly collected.
5. What is the PRIMARY purpose of audit trails?
A. To document auditing efforts
B. To correct data integrity errors
C. To establish accountability and responsibility for processed transactions
D. To prevent unauthorized access to data
Answer: C
The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.
6. How does the process of systems auditing benefit from using a risk-based approach to audit
planning?
A. Controls testing starts earlier.
B. Auditing resources are allocated to the areas of highest concern.
C. Auditing risk is reduced.
D. Controls testing is more thorough.
Answer: B
Allocation of auditing resources to the areas of highest concern is a benefit of a risk-based approach to audit planning.
7. After an IS auditor has identified threats and potential impacts, the auditor should:
A. Identify and evaluate the existing controls
B. Conduct a business impact analysis (BIA)
C. Report on existing controls
D. Propose new controls
Answer: A
After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.
8. The use of statistical sampling procedures helps minimize:
A. Detection risk
B. Business risk
C. Controls risk
D. Compliance risk
Answer: A
The use of statistical sampling procedures helps minimize detection risk.
9. What type of risk results when an IS auditor uses an inadequate test procedure and concludes
that material errors do not exist when errors actually exist?
A. Business risk
B. Detection risk
C. Residual risk
D. Inherent risk
Answer: B
Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist.
10. A primary benefit derived from an organization employing control self-assessment (CSA)
techniques is that it can:
A. Identify high-risk areas that might need a detailed review later
B. Reduce audit costs
C. Reduce audit time
D. Increase audit accuracy
Answer: A
A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can identify high-risk areas that might need a detailed review later.
11. What type of approach to the development of organizational policies is often driven by risk
assessment?
A. Bottom-up
B. Top-down
C. Comprehensive
D. Integrated
Answer: A
A bottom-up approach to the development of organizational policies is often driven by risk assessment.
12. Who is accountable for maintaining appropriate security measures over information assets?
A. Data and systems owners
B. Data and systems users
C. Data and systems custodians
D. Data and systems auditors
Answer: A
Data and systems owners are accountable for maintaining appropriate security measures over information assets.
13. Proper segregation of duties prohibits a system analyst from performing quality-assurance
functions. True or false?
A. True
B. False
Answer: A
Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.
14. What should an IS auditor do if he or she observes that project-approval procedures do not
exist?
A. Advise senior management to invest in project-management training for the staff
B. Create project-approval procedures for future project implementations
C. Assign project leaders
D. Recommend to management that formal approval procedures be adopted and documented
Answer: D
If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.
15. Who is ultimately accountable for the development of an IS security policy?
A. The board of directors
B. Middle management
C. Security administrators
D. Network administrators
Answer: A
The board of directors is ultimately accountable for the development of an IS security policy.
16. Proper segregation of duties normally does not prohibit a LAN administrator from also having
programming responsibilities. True or false?
A. True
B. False
Answer: B
Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.
17. A core tenet of an IS strategy is that it must:
A. Be inexpensive
B. Be protected as sensitive confidential information
C. Protect information confidentiality, integrity, and availability
D. Support the business objectives of the organization
Answer: D
Above all else, an IS strategy must support the business objectives of the organization.
18. Batch control reconciliation is a _____________________ (fill in the blank) control for
mitigating risk of inadequate segregation of duties.
A. Detective
B. Corrective
C. Preventative
D. Compensatory
Answer: D
Batch control reconciliation is a compensatory control for mitigating the risk of inadequate segregation of duties: when the same person must both prepare and enter a batch, an independent reconciliation of control totals (record count, financial total, hash total) computed before entry against the totals the system actually posted detects alterations that the missing segregation would otherwise let through.
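The reconciliation described above, written out as an added example (not part of the original exam). The batch records, account numbers and amounts are constructed; the three control totals are the classic ones: record count, financial (amount) total, and a hash total over a non-financial field so that a transaction posted to the wrong account is caught even when count and amount still agree.

```python
"""Batch control reconciliation: compare control totals computed over the
input batch with the totals recomputed over what the system actually posted.
Added example, not from the original exam; all records are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Txn:
    account: str      # account number keyed by the data-entry clerk
    amount: Decimal   # Decimal, never float, for money


def control_totals(batch: Iterable[Txn]) -> Dict[str, object]:
    """Record count, financial total, and a hash total over the account
    numbers. The hash total is meaningless as a number; it only has to change
    when any account number in the batch changes."""
    rows = list(batch)
    return {
        "count": len(rows),
        "amount": sum((t.amount for t in rows), Decimal("0")),
        "hash": sum(int(t.account) for t in rows),
    }


def reconcile(input_batch: Iterable[Txn], posted_batch: Iterable[Txn]) -> List[str]:
    """Return one line per control total that does not agree; an empty list
    means the batch reconciles and can be released."""
    expected = control_totals(input_batch)
    actual = control_totals(posted_batch)
    return [f"{name}: expected {expected[name]}, posted {actual[name]}"
            for name in expected if expected[name] != actual[name]]


# Constructed sample: the clerk's input batch ...
INPUT = [
    Txn("1001", Decimal("250.00")),
    Txn("1002", Decimal("75.50")),
    Txn("1003", Decimal("10.00")),
]
# ... what the system posted when everything went right ...
POSTED_OK = list(INPUT)
# ... and a posting where the last transaction went to the wrong account.
# Count and amount total still agree; only the hash total exposes it.
POSTED_WRONG_ACCOUNT = [
    Txn("1001", Decimal("250.00")),
    Txn("1002", Decimal("75.50")),
    Txn("1030", Decimal("10.00")),
]

if __name__ == "__main__":
    print("clean batch:", reconcile(INPUT, POSTED_OK))
    print("altered batch:", reconcile(INPUT, POSTED_WRONG_ACCOUNT))
```

The reconciliation only works as a compensating control if the person who computes the input totals is not the person who can edit the posted batch; otherwise both sides of the comparison are under one hand.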
19. Key verification is one of the best controls for ensuring that:
A. Data is entered correctly
B. Only authorized cryptographic keys are used
C. Input is authorized
D. Database indexing is performed properly
Answer: A
Key verification is one of the best controls for ensuring that data is entered correctly. Here "key" means keying: the input is typed a second time, usually by a different operator, and the two entries are compared; it has nothing to do with cryptographic keys.
20. If senior management is not committed to strategic planning, how likely is it that a company's
implementation of IT will be successful?
A. IT cannot be implemented if senior management is not committed to strategic planning.
B. More likely.
C. Less likely.
D. Strategic planning does not affect the success of a company's implementation of IT.
Answer: C
A company's implementation of IT will be less likely to succeed if senior management is not committed to strategic planning.
21. Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST
answer.
A. Lack of employee awareness of a company's information security policy
B. Failure to comply with a company's information security policy
C. A momentary lapse of reason
D. Lack of security policy enforcement procedures
Answer: A
Lack of employee awareness of a company's information security policy could lead to an unintentional loss of confidentiality.
22. What topology provides the greatest redundancy of routes and the greatest network fault
tolerance?
A. A star network topology
B. A mesh network topology with packet forwarding enabled at each host
C. A bus network topology
D. A ring network topology
Answer: B
A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.
23. An IS auditor usually places more reliance on evidence directly collected. What is an example
of such evidence?
A. Evidence collected through personal observation
B. Evidence collected through systems logs provided by the organization's security administration
C. Evidence collected through surveys collected from internal staff
D. Evidence collected through transaction reports provided by the organization's IT administration
Answer: A
An IS auditor usually places more reliance on evidence directly collected, such as through personal observation.
24. What kind of protocols does the transport layer of the TCP/IP protocol suite provide to ensure reliable communication?
A. Nonconnection-oriented protocols
B. Connection-oriented protocols
C. Session-oriented protocols
D. Nonsession-oriented protocols
Answer: B
The transport layer of the TCP/IP protocol suite provides connection-oriented protocols (TCP) to ensure reliable communication; UDP, the connectionless alternative at the same layer, offers no delivery guarantee.
25. How is the time required for transaction processing review usually affected by properly implemented Electronic Data Interchange (EDI)?
A. EDI usually decreases the time necessary for review.
B. EDI usually increases the time necessary for review.
C. Cannot be determined.
D. EDI does not affect the time necessary for review.
Answer: A
Electronic data interchange (EDI) supports intervendor communication while decreasing the time necessary for review because it is usually configured to readily identify errors requiring follow-up.
26. What would an IS auditor expect to find in the console log? Choose the BEST answer.
A. Evidence of password spoofing
B. System errors
C. Evidence of data copy activities
D. Evidence of password sharing
Answer: B
An IS auditor can expect to find system errors detailed in the console log.
27. Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing. True or false?
A. True
B. False
Answer: A
Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing (atomicity, consistency, isolation, durability).
28. Why does the IS auditor often review the system logs?
A. To get evidence of password spoofing
B. To get evidence of data copy activities
C. To determine the existence of unauthorized access to data by a user or program
D. To get evidence of password sharing
Answer: C
When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor will often review the system logs.
29. What is essential for the IS auditor to obtain a clear understanding of network management?
A. Security administrator access to systems
B. Systems logs of all hosts providing application services
C. A graphical map of the network topology
D. Administrator access to systems
Answer: C
A graphical interface to the map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.
30. How is risk affected if users have direct access to a database at the system level?
A. Risk of unauthorized access increases, but risk of untraceable changes to the database decreases.
B. Risk of unauthorized and untraceable changes to the database increases.
C. Risk of unauthorized access decreases, but risk of untraceable changes to the database increases.
D. Risk of unauthorized and untraceable changes to the database decreases.
Answer: B
If users have direct access to a database at the system level, the risk of unauthorized and untraceable changes to the database increases.
31. What is the most common purpose of a virtual private network implementation?
A. A virtual private network (VPN) helps to secure access between an enterprise and its partners when
communicating over an otherwise unsecured channel such as the Internet.
B. A virtual private network (VPN) helps to secure access between an enterprise and its partners when
communicating over a dedicated T1 connection.
C. A virtual private network (VPN) helps to secure access within an enterprise when communicating over
a dedicated T1 connection between network segments within the same facility.
D. A virtual private network (VPN) helps to secure access between an enterprise and its partners when
communicating over a wireless connection.
Answer: A
A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.
32. What benefit does using capacity-monitoring software to monitor usage patterns and trends
provide to management? Choose the BEST answer.
A. The software can dynamically readjust network traffic capabilities based upon current usage.
B. The software produces nice reports that really impress management.
C. It allows users to properly allocate resources and ensure continuous efficiency of operations.
D. It allows management to properly allocate resources and ensure continuous efficiency of operations.
Answer: D
Using capacity-monitoring software to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.
33. What can be very helpful to an IS auditor when determining the efficacy of a systems
maintenance program? Choose the BEST answer.
A. Network-monitoring software
B. A system downtime log
C. Administration activity reports
D. Help-desk utilization trend reports
Answer: B
A system downtime log can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program.
34. What are used as a countermeasure for potential database corruption when two processes
attempt to simultaneously edit or update the same information? Choose the BEST answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals
Answer: C
Concurrency controls are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information.
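Questions 27 and 34 are two sides of one topic, so here is one added example (not part of the original exam) covering both, using the sqlite3 module from the Python standard library. The accounts table and balances are constructed. `transfer` shows atomicity: a failed debit rolls back the credit that already ran. `write_if_unchanged` shows an optimistic concurrency control: a version column lets a second writer with a stale read be rejected instead of silently overwriting the first writer's change (the "lost update").

```python
"""Atomicity (Q27) and concurrency control (Q34) demonstrated with sqlite3.
Added example, not from the original exam; the accounts table and the
balances are constructed."""
import sqlite3


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0),"  # no overdrafts
        " version INTEGER NOT NULL DEFAULT 0)"              # bumped on every write
    )
    conn.executemany("INSERT INTO accounts (id, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, acct: str) -> int:
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Atomic transfer. The credit deliberately runs first: if the debit then
    violates the CHECK constraint, the whole transaction is rolled back, so the
    recipient never keeps money the sender never had."""
    try:
        with conn:  # BEGIN; COMMIT on success, ROLLBACK if an exception escapes
            conn.execute("UPDATE accounts SET balance = balance + ?, version = version + 1 "
                         "WHERE id = ?", (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ?, version = version + 1 "
                         "WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:  # overdraft: nothing from this transaction was committed
        return False


def read(conn: sqlite3.Connection, acct: str):
    """Read the balance together with its version (the optimistic lock token)."""
    return conn.execute("SELECT balance, version FROM accounts WHERE id = ?", (acct,)).fetchone()


def write_if_unchanged(conn: sqlite3.Connection, acct: str, new_balance: int,
                       expected_version: int) -> bool:
    """Optimistic concurrency control: the UPDATE applies only if the row still
    carries the version we read. A stale writer gets rowcount 0 and must
    re-read and retry instead of overwriting the other process's change."""
    with conn:
        cur = conn.execute(
            "UPDATE accounts SET balance = ?, version = version + 1 "
            "WHERE id = ? AND version = ?",
            (new_balance, acct, expected_version))
    return cur.rowcount == 1


def demo() -> dict:
    conn = new_db()
    ok = transfer(conn, "alice", "bob", 30)          # 100/50 -> 70/80
    overdraft = transfer(conn, "alice", "bob", 500)  # rolled back; balances untouched
    # Two processes read bob's row at the same moment and each compute a new balance.
    bal1, ver1 = read(conn, "bob")
    bal2, ver2 = read(conn, "bob")
    first = write_if_unchanged(conn, "bob", bal1 + 10, ver1)   # applies: 80 -> 90
    second = write_if_unchanged(conn, "bob", bal2 + 5, ver2)   # stale version: rejected
    return {"transfer": ok, "overdraft": overdraft, "first": first, "second": second,
            "alice": balance(conn, "alice"), "bob": balance(conn, "bob")}


if __name__ == "__main__":
    print(demo())
```

The alternative to the version column is pessimistic locking (SELECT ... FOR UPDATE in databases that support it), which blocks the second reader instead of rejecting its write; either way, the point the question is testing is that two unsynchronized writers must not both succeed.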
35. What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advanced Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key
Answer: B
A long asymmetric encryption key (public key encryption) increases encryption overhead and cost. All other answers are single shared symmetric keys.
36. Which of the following best characterizes "worms"?
A. Malicious programs that can run independently and can propagate without the aid of a carrier
program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that require the aid of a carrier program such as email
D. Malicious programs that masquerade as common applications such as screensavers or macro-enabled
Word documents
Answer: A
Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.
37. What is an initial step in creating a proper firewall policy?
A. Assigning access to users according to the principle of least privilege
B. Determining appropriate firewall hardware and software
C. Identifying network applications such as mail, web, or FTP servers
D. Configuring firewall access rules
Answer: C
Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.
38. What type of cryptosystem is characterized by data being encrypted by the sender using the
recipient's public key, and the data then being decrypted using the recipient's private key?
A. With public-key encryption, or symmetric encryption
B. With public-key encryption, or asymmetric encryption
C. With shared-key encryption, or symmetric encryption
D. With shared-key encryption, or asymmetric encryption
Answer: B
With public key encryption, or asymmetric encryption, data is encrypted by the sender using the recipient's public key; the data is then decrypted using the recipient's private key.
39. How does the SSL network protocol provide confidentiality?
A. Through symmetric encryption such as RSA
B. Through asymmetric encryption such as Data Encryption Standard, or DES
C. Through asymmetric encryption such as Advanced Encryption Standard, or AES
D. Through symmetric encryption such as Data Encryption Standard, or DES
Answer: D
The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption Standard, or DES. Asymmetric cryptography is used only to authenticate the server and to establish the session key; the bulk data is protected with a symmetric cipher. DES itself is obsolete, and current TLS deployments use AES or ChaCha20 for that role.
40. What are used as the framework for developing logical access controls?
A. Information systems security policies
B. Organizational security policies
C. Access Control Lists (ACL)
D. Organizational charts for identifying roles and responsibilities
Answer: A
Information systems security policies are used as the framework for developing logical access controls.
41. Which of the following are effective controls for detecting duplicate transactions such as
payments made or received?
A. Concurrency controls
B. Reasonableness checks
C. Time stamps
D. Referential integrity controls
Answer: C
Time stamps are an effective control for detecting duplicate transactions such as payments made or received.
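Detection logic for the control above, as an added example that is not part of the original exam. The payment records (payees, amounts, references and time stamps) are constructed. Two records with the same payee, amount and reference are duplicates; the time stamp is what distinguishes a retry or double submission seconds apart from an invoice reprocessed weeks later, and it also keeps a legitimate repeat of the same amount under a different reference from being flagged.

```python
"""Detecting duplicate payments from time stamps. Added example, not from the
original exam; the payment records are constructed."""
from datetime import datetime, timedelta
from typing import List, Sequence, Tuple

Payment = Tuple[str, str, float, str]  # (ISO-8601 time stamp, payee, amount, reference)

# Constructed payment file, in the order the system received the records.
PAYMENTS: List[Payment] = [
    ("2024-03-01T09:00:00", "ACME Ltd", 1200.00, "INV-778"),
    ("2024-03-01T09:00:04", "ACME Ltd", 1200.00, "INV-778"),  # resubmitted 4 s later (retry / double click)
    ("2024-03-01T10:30:00", "ACME Ltd", 1200.00, "INV-779"),  # legitimate: same amount, different invoice
    ("2024-03-15T09:00:00", "ACME Ltd", 1200.00, "INV-778"),  # same invoice paid again two weeks later
    ("2024-03-02T12:00:00", "Globex", 99.95, "INV-12"),
]


def find_duplicates(payments: Sequence[Payment],
                    window: timedelta = timedelta(minutes=5)) -> List[Tuple[int, int, str]]:
    """Return (earlier_index, later_index, reason) for every pair with the same
    payee, amount and reference. The time stamps decide the reason: within
    `window` it looks like an automatic retry or double submission; beyond it,
    a reprocessed invoice. Indexes refer to the original input order."""
    rows = sorted(enumerate(payments), key=lambda r: r[1][0])  # oldest first
    parsed = [(i, datetime.fromisoformat(ts), payee, amount, ref)
              for i, (ts, payee, amount, ref) in rows]
    flagged = []
    for a in range(len(parsed)):
        for b in range(a + 1, len(parsed)):
            ia, ta, pa, aa, ra = parsed[a]
            ib, tb, pb, ab, rb = parsed[b]
            if (pa, aa, ra) == (pb, ab, rb):
                reason = ("resubmitted within window" if tb - ta <= window
                          else "same reference paid again")
                flagged.append((ia, ib, reason))
    return flagged


if __name__ == "__main__":
    for earlier, later, reason in find_duplicates(PAYMENTS):
        print(f"record {later} duplicates record {earlier}: {reason}")
```

The pairwise loop is fine for a batch file; for a live payment stream the same check is done by keying a dictionary on (payee, amount, reference) and keeping only the last time stamp seen for each key.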
42. Which of the following is a good control for protecting confidential data residing on a PC?
A. Personal firewall
B. File encapsulation
C. File encryption
D. Host-based intrusion detection
Answer: C
File encryption is a good control for protecting confidential data residing on a PC.
43. Which of the following is a guiding best practice for implementing logical access controls?
A. Implementing the Biba Integrity Model
B. Access is granted on a least-privilege basis, per the organization's data owners
C. Implementing the Take-Grant access control model
D. Classifying data according to the subject's requirements
Answer: B
Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization's data owners.
44. What does PKI use to provide some of the strongest overall control over data confidentiality,
reliability, and integrity for Internet transactions?
A. A combination of public-key cryptography and digital certificates and two-factor authentication
B. A combination of public-key cryptography and two-factor authentication
C. A combination of public-key cryptography and digital certificates
D. A combination of digital certificates and two-factor authentication
Answer: C
PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions.
45. Which of the following do digital signatures provide?
A. Authentication and integrity of data
B. Authentication and confidentiality of data
C. Confidentiality and integrity of data
D. Authentication and availability of data
Answer: A
The primary purpose of digital signatures is to provide authentication and integrity of data.
46. Regarding digital signature implementation, which of the following answers is correct?
A. A digital signature is created by the sender to prove message integrity by encrypting the message
with the sender's private key. Upon receiving the data, the recipient can decrypt the data using the
sender's public key.
B. A digital signature is created by the sender to prove message integrity by encrypting the message with
the recipient's public key. Upon receiving the data, the recipient can decrypt the data using the
recipient's public key.
C. A digital signature is created by the sender to prove message integrity by initially using a hashing
algorithm to produce a hash value or message digest from the entire message contents. Upon receiving
the data, the recipient can independently create it.
D. A digital signature is created by the sender to prove message integrity by encrypting the message
with the sender's public key. Upon receiving the data, the recipient can decrypt the data using the
recipient's private key.
Answer: C
A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value, or message digest, from the entire message contents. Upon receiving the data, the recipient can independently create its own message digest from the data for comparison and data integrity validation. Public and private keys are used to enforce confidentiality. Hashing algorithms are used to enforce integrity. Note that the digest alone only detects accidental change, since anyone can recompute it; what makes it a signature is that the sender encrypts the digest with its private key and the recipient verifies it with the sender's public key, which binds the digest to the sender and supplies the authentication in question 45.
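Questions 38 and 46 describe the two uses of a key pair, so one added example (not part of the original exam) shows both with a deliberately tiny textbook RSA: hash-then-sign with the sender's private key and verify with the sender's public key (question 46), and encrypt a short symmetric session key with the recipient's public key and decrypt it with the recipient's private key (question 38, the key-exchange pattern behind question 39). The primes near one million, the truncated digest and the message are all constructed for readability; a 40-bit modulus is breakable in seconds, so this is an illustration of the mechanism, not code to reuse. Real systems use a vetted library with 2048-bit or larger keys and padding (RSA-PSS for signatures, RSA-OAEP for encryption).

```python
"""Hash-then-sign and public-key encryption with a tiny textbook RSA.
Added example, not from the original exam. The ~40-bit modulus, the
truncated digest and the absence of padding exist only so the arithmetic
is visible; they are NOT secure."""
import hashlib
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def next_prime(n: int) -> int:
    """Smallest prime >= n, by trial division (adequate around 1e6)."""
    while True:
        if n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    n, phi = p * q, (p - 1) * (q - 1)
    while gcd(e, phi) != 1:   # e must be invertible modulo phi
        e += 2
    d = pow(e, -1, phi)       # private exponent (Python 3.8+)
    return (n, e), (n, d)


def digest(msg: bytes, n: int) -> int:
    """SHA-256 over the entire message, truncated to 32 bits so it is smaller
    than the toy modulus. A real signature uses the full digest plus padding."""
    h = hashlib.sha256(msg).digest()[:4]
    assert int.from_bytes(h, "big") < n
    return int.from_bytes(h, "big")


def sign(priv: PrivateKey, msg: bytes) -> int:
    n, d = priv
    return pow(digest(msg, n), d, n)          # sender's PRIVATE key


def verify(pub: PublicKey, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)   # sender's PUBLIC key, recomputed digest


def encrypt(pub: PublicKey, m: int) -> int:
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)                       # recipient's PUBLIC key


def decrypt(priv: PrivateKey, c: int) -> int:
    n, d = priv
    return pow(c, d, n)                       # recipient's PRIVATE key


def demo() -> dict:
    sender_pub, sender_priv = keygen(next_prime(1_000_000), next_prime(1_000_030))
    recip_pub, recip_priv = keygen(next_prime(1_000_100), next_prime(1_000_200))

    msg = b"pay ACME Ltd 1200.00 ref INV-778"           # constructed message
    sig = sign(sender_priv, msg)
    tampered = b"pay ACME Ltd 9200.00 ref INV-778"      # one digit changed in transit

    session_key = 0xC0FFEE                              # toy symmetric key to wrap
    wrapped = encrypt(recip_pub, session_key)

    return {
        "genuine": verify(sender_pub, msg, sig),        # True
        "tampered": verify(sender_pub, tampered, sig),  # False: digest no longer matches
        "unwrapped": decrypt(recip_priv, wrapped),      # == session_key
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry in who holds which key is the whole point: only the sender can produce `sig`, but anyone can check it; anyone can produce `wrapped`, but only the recipient can open it.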
47. Which of the following would provide the highest degree of server access control?
A. A mantrap-monitored entryway to the server room
B. Host-based intrusion detection combined with CCTV
C. Network-based intrusion detection
D. A fingerprint scanner facilitating biometric access control
Answer: D
A fingerprint scanner facilitating biometric access control can provide a very high degree of server access control.
48. What are often the primary safeguards for systems software and data?
A. Administrative access controls
B. Logical access controls
C. Physical access controls
D. Detective access controls
Answer: B
Logical access controls are often the primary safeguards for systems software and data.
49. Which of the following is often used as a detection and deterrent control against Internet
attacks?
A. Honeypots
B. CCTV
C. VPN
D. VLAN
Answer: A
Honeypots are often used as a detection and deterrent control against Internet attacks.
50. Which of the following BEST characterizes a mantrap or deadman door, which is used as a
deterrent control for the vulnerability of piggybacking?
A. A monitored double-doorway entry system
B. A monitored turnstile entry system
C. A monitored doorway entry system
D. A one-way door that does not allow exit after entry
Answer: A
A monitored double-doorway entry system, also referred to as a mantrap or deadman door, is used as a deterrent control for the vulnerability of piggybacking.
51. Which of the following is an effective method for controlling downloading of files via FTP?
Choose the BEST answer.
A. An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall
Answer: B
Application-layer gateways, or proxy firewalls, are an effective method for controlling downloading of files via FTP. Because FTP is an OSI application-layer protocol, the most effective firewall needs to be capable of inspecting through the application layer.
52. Which of the following provides the strongest authentication for physical access control?
A. Sign-in logs
B. Dynamic passwords
C. Key verification
D. Biometrics
Answer: D
Biometrics can be used to provide excellent physical access control.
53. What is an effective countermeasure for the vulnerability of data entry operators potentially
leaving their computers without logging off? Choose the BEST answer.
A. Employee security awareness training
B. Administrator alerts
C. Screensaver passwords
D. Close supervision
Answer: C
Screensaver passwords are an effective control to implement as a countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off.
54. What can ISPs use to implement inbound traffic filtering as a control to identify IP packets
transmitted from unauthorized sources? Choose the BEST answer.
A. OSI Layer 2 switches with packet filtering enabled
B. Virtual Private Networks
C. Access Control Lists (ACL)
D. Point-to-Point Tunneling Protocol
Answer: C
ISPs can use access control lists to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources.
55. What is the key distinction between encryption and hashing algorithms?
A. Hashing algorithms ensure data confidentiality.
B. Hashing algorithms are irreversible.
C. Encryption algorithms ensure data integrity.
D. Encryption algorithms are not irreversible.
Answer: B
A key distinction between encryption and hashing algorithms is that hashing algorithms are irreversible.
56. Which of the following is BEST characterized by unauthorized modification of data before or
during systems data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack
Answer: A
Data diddling involves modifying data before or during systems data entry.
57. Which of the following is used to evaluate biometric access controls?
A. FAR
B. EER
C. ERR
D. FRR
Answer: B
When evaluating biometric access controls, a low equal error rate (EER) is preferred. EER is also called the crossover error rate (CER).
58. Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors
Answer: C
Data owners are ultimately responsible and accountable for reviewing user access to systems.
59. Establishing data ownership is an important first step for which of the following processes?
Choose the BEST answer.
A. Assigning user access privileges
B. Developing organizational security policies
C. Creating roles and responsibilities
D. Classifying data
Answer: D
To properly implement data classification, establishing data ownership is an important first step.
60. Which of the following is MOST critical during the business impact assessment phase of
business continuity planning?
A. End-user involvement
B. Senior management involvement
C. Security administration involvement
D. IS auditing involvement
Answer: A
End-user involvement is critical during the business impact assessment phase of business continuity planning.
61. What type of BCP test uses actual resources to simulate a system crash and validate the
plan's effectiveness?
A. Paper
B. Preparedness
C. Walk-through
D. Parallel
Answer: B
Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan's effectiveness.
62. Which of the following typically focuses on making alternative processes and resources
available for transaction processing?
A. Cold-site facilities
B. Disaster recovery for networks
C. Diverse processing
D. Disaster recovery for systems
Answer: D
Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing.
63. Which type of major BCP test only requires representatives from each operational area to meet
to review the plan?
A. Parallel
B. Preparedness
C. Walk-through
D. Paper
Answer: C
Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.
64. What influences decisions regarding criticality of assets?
A. The business criticality of the data to be protected
B. Internal corporate politics
C. The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole
D. The business impact analysis
Answer: C
Criticality of assets is often influenced by the business criticality of the data to be protected and by the scope of the impact upon the organization as a whole. For example, the loss of a network backbone creates a much greater impact on the organization as a whole than the loss of data on a typical user's workstation.
65. Of the three major types of off-site processing facilities, what type is characterized by at least
providing for electricity and HVAC?
A. Cold site
B. Alternate site
C. Hot site
D. Warm site
Answer: A
Of the three major types of off-site processing facilities (hot, warm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A warm site improves upon this by providing for redundant equipment and software that can be made operational within a short time.
66. With the objective of mitigating the risk and impact of a major business interruption, a
disaster-recovery plan should endeavor to reduce the length of recovery time necessary, as well
as costs associated with recovery. Although DRP results in an increase of pre- and post-incident
operational costs, the extra costs are more than offset by reduced recovery and business impact
costs. True or false?
A. True
B. False
Answer: A
With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary and the costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs.
67. Of the three major types of off-site processing facilities, what type is often an acceptable
solution for preparing for recovery of noncritical systems and data?
A. Cold site
B. Hot site
C. Alternate site
D. Warm site
Answer: A
A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.
68. Any changes in systems assets, such as replacement of hardware, should be immediately
recorded within the assets inventory of which of the following? Choose the BEST answer.
A. IT strategic plan
B. Business continuity plan
C. Business impact analysis
D. Incident response plan
Answer: B
Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.
69. Although BCP and DRP are often implemented and tested by middle management and end
users, the ultimate responsibility and accountability for the plans remain with executive
management, such as the _______________. (fill-in-the-blank)
A. Security administrator
B. Systems auditor
C. Board of directors
D. Financial auditor
Answer: C
Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the board of directors.
70. Obtaining user approval of program changes is very effective for controlling application
changes and maintenance. True or false?
A. True
B. False
Answer: A
Obtaining user approval of program changes is very effective for controlling application changes and maintenance.
71. Library control software restricts source code to:
A. Read-only access
B. Write-only access
C. Full access
D. Read-write access
Answer: A
Library control software restricts source code to read-only access.
72. When is regression testing used to determine whether new application changes have
introduced any errors in the remaining unchanged code?
A. In program development and change management
B. In program feasibility studies
C. In program development
D. In change management
Answer: A
Regression testing is used in program development and change management to determine whether new changes have introduced any errors in the remaining unchanged code.
73. What is often the most difficult part of initial efforts in application development? Choose the
BEST answer.
A. Configuring software
B. Planning security
C. Determining time and resource requirements
D. Configuring hardware
Answer: C
Determining time and resource requirements for an application-development project is often the most difficult part of initial efforts in application development.
74. What is a primary high-level goal for an auditor who is reviewing a system development
project?
A. To ensure that programming and processing environments are segregated
B. To ensure that proper approval for the project has been obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administrated effectively
Answer: C
A primary high-level goal for an auditor who is reviewing a systems-development project is to ensure that business objectives are achieved. This objective guides all other systems development objectives.
75. Whenever an application is modified, what should be tested to determine the full impact of the
change? Choose the BEST answer.
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems
C. All programs, including interface systems with other applications or systems
D. Mission-critical functions and any interface systems with other applications or systems
Answer: B
Whenever an application is modified, the entire program, including any interface systems with other applications or systems, should be tested to determine the full impact of the change.
76. The quality of the metadata produced from a data warehouse is _______________ in the
warehouse's design. Choose the BEST answer.
A. Often hard to determine because the data is derived from a heterogeneous data environment
B. The most important consideration
C. Independent of the quality of the warehoused databases
D. Of secondary importance to data warehouse content
Answer: B
The quality of the metadata produced from a data warehouse is the most important consideration in the warehouse's design.
77. Function Point Analysis (FPA) provides an estimate of the size of an information system based
only on the number and complexity of a system's inputs and outputs. True or false?
A. True
B. False
Answer: B
Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system's inputs, outputs, and files.
78. Who assumes ownership of a systems-development project and the resulting system?
A. User management
B. Project steering committee
C. IT management
D. Systems developers
Answer: A
User management assumes ownership of a systems-development project and the resulting system.
79. If an IS auditor observes that individual modules of a system perform correctly in development
project tests, the auditor should inform management of the positive results and recommend
further:
A. Documentation development
B. Comprehensive integration testing
C. Full unit testing
D. Full regression testing
Answer: B
If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further comprehensive integration testing.
80. When participating in a systems-development project, an IS auditor should focus on system
controls rather than ensuring that adequate and complete documentation exists for all projects.
True or false?
A. True
B. False
Answer: B
When participating in a systems-development project, an IS auditor should also strive to ensure that adequate and complete documentation exists for all projects.
81. What is a reliable technique for estimating the scope and cost of a software-development
project?
A. Function point analysis (FPA)
B. Feature point analysis (FPA)
C. GANTT
D. PERT
Answer: A
A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project.
82. Which of the following is a program evaluation review technique that considers different
scenarios for planning and control projects?
A. Function Point Analysis (FPA)
B. GANTT
C. Rapid Application Development (RAD)
D. PERT
Answer: D
PERT is a program-evaluation review technique that considers different scenarios for planning and control projects.
83. If an IS auditor observes that an IS department fails to use formal documented methodologies,
policies, and standards, what should the auditor do? Choose the BEST answer.
A. Lack of IT documentation is not usually material to the controls tested in an IT audit.
B. The auditor should at least document the informal standards and policies. Furthermore, the IS auditor
should create formal documented policies to be implemented.
C. The auditor should at least document the informal standards and policies, and test for compliance.
Furthermore, the IS auditor should recommend to management that formal documented policies be
developed and implemented.
D. The auditor should at least document the informal standards and policies, and test for compliance.
Furthermore, the IS auditor should create formal documented policies to be implemented.
Answer: C
If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.
84. What often results in project scope creep when functional requirements are not defined as well
as they could be?
A. Inadequate software baselining
B. Insufficient strategic planning
C. Inaccurate resource allocation
D. Project delays
Answer: A
Inadequate software baselining often results in project scope creep because functional requirements are not defined as well as they could be.
85. Fourth-Generation Languages (4GLs) are most appropriate for designing the application's
graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation
procedures. True or false?
A. True
B. False
Answer: A
Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures.
86. Run-to-run totals can verify data through which stage(s) of application processing?
A. Initial
B. Various
C. Final
D. Output
Answer: B
Run-to-run totals can verify data through various stages of application processing.
87. ________________ (fill in the blank) is/are ultimately accountable for the functionality,
reliability, and security within IT governance. Choose the BEST answer.
A. Data custodians
B. The board of directors and executive officers
C. IT security administration
D. Business unit managers
Answer: B
The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.
88. What can be used to help identify and investigate unauthorized transactions? Choose the
BEST answer.
A. Postmortem review
B. Reasonableness checks
C. Data-mining techniques
D. Expert systems
Answer: C
Data-mining techniques can be used to help identify and investigate unauthorized transactions.
89. Network environments often add to the complexity of program-to-program communication,
making the implementation and maintenance of application systems more difficult. True or false?
A. True
B. False
Answer: A
Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult.
90. ______________ risk analysis is not always possible because the IS auditor is attempting to
calculate risk using nonquantifiable threats and potential losses. In this event, a _______________
risk assessment is more appropriate. Fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective
Answer: A
Quantitative risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate.
91. What must an IS auditor understand before performing an application audit? Choose the BEST
answer.
A. The potential business impact of application risks.
B. Application risks must first be identified.
C. Relative business processes.
D. Relevant application risks.
Answer: C
An IS auditor must first understand relative business processes before performing an application audit.
92. What is the first step in a business process re-engineering project?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D. Reviewing the organizational strategic plan
Answer: C
Defining the scope of areas to be reviewed is the first step in a business process re-engineering project.
93. When storing data archives off-site, what must be done with the data to ensure data
completeness?
A. The data must be normalized.
B. The data must be validated.
C. The data must be parallel-tested.
D. The data must be synchronized.
Answer: D
When storing data archives off-site, data must be synchronized to ensure data completeness.
94. Which of the following can help detect transmission errors by appending specially calculated
bits onto the end of each segment of data?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check
Answer: A
A redundancy check can help detect transmission errors by appending specially calculated bits onto the end of each segment of data.
95. What is an edit check to determine whether a field contains valid data?
A. Completeness check
B. Accuracy check
C. Redundancy check
D. Reasonableness check
Answer: A
A completeness check is an edit check to determine whether a field contains valid data.
96. A transaction journal provides the information necessary for detecting unauthorized
_____________ (fill in the blank) from a terminal.
A. Deletion
B. Input
C. Access
D. Duplication
Answer: B
A transaction journal provides the information necessary for detecting unauthorized input from a terminal.
97. An intentional or unintentional disclosure of a password is likely to be evident within control
logs. True or false?
A. True
B. False
Answer: B
An intentional or unintentional disclosure of a password is not likely to be evident within control logs.
98. When are benchmarking partners identified within the benchmarking process?
A. In the design stage
B. In the testing stage
C. In the research stage
D. In the development stage
Answer: C
Benchmarking partners are identified in the research stage of the benchmarking process.
99. A check digit is an effective edit check to:
A. Detect data-transcription errors
B. Detect data-transposition and transcription errors
C. Detect data-transposition, transcription, and substitution errors
D. Detect data-transposition errors
Answer: B
A check digit is an effective edit check to detect data-transposition and transcription errors.
100. Parity bits are a control used to validate:
A. Data authentication
B. Data completeness
C. Data source
D. Data accuracy
Answer: B
Parity bits are a control used to validate data completeness.
101. An IS auditor is using a statistical sample to inventory the tape library. What type of test would
this be considered?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit
Answer: A
Using a statistical sample to inventory the tape library is an example of a substantive test.
102. Which of the following would prevent accountability for an action performed, thus allowing
nonrepudiation?
A. Proper authentication
B. Proper identification AND authentication
C. Proper identification
D. Proper identification, authentication, AND authorization
Answer: B
If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.
103. Which of the following is the MOST critical step in planning an audit?
A. Implementing a prescribed auditing framework such as COBIT
B. Identifying current controls
C. Identifying high-risk audit targets
D. Testing controls
Answer: C
In planning an audit, the most critical step is identifying the areas of high risk.
104. To properly evaluate the collective effect of preventative, detective, or corrective controls within
a process, an IS auditor should be aware of which of the following? Choose the BEST answer.
A. The business objectives of the organization
B. The effect of segregation of duties on internal controls
C. The point at which controls are exercised as data flows through the system
D. Organizational control policies
Answer: C
When evaluating the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.
105. What is the recommended initial step for an IS auditor to implement continuous-monitoring
systems?
A. Document existing internal controls
B. Perform compliance testing on internal controls
C. Establish a controls-monitoring steering committee
D. Identify high-risk areas within the organization
Answer: D
When implementing continuous-monitoring systems, an IS auditor's first step is to identify high-risk areas within the organization.
106. What type of risk is associated with authorized program exits (trap doors)? Choose the BEST
answer.
A. Business risk
B. Audit risk
C. Detective risk
D. Inherent risk
Answer: D
Inherent risk is associated with authorized program exits (trap doors).
107. Which of the following is best suited for searching for address field duplications?
A. Text search forensic utility software
B. Generalized audit software
C. Productivity audit software
D. Manual review
Answer: B
Generalized audit software can be used to search for address field duplications.
108. Which of the following is of greatest concern to the IS auditor?
A. Failure to report a successful attack on the network
B. Failure to prevent a successful attack on the network
C. Failure to recover from a successful attack on the network
D. Failure to detect a successful attack on the network
Answer: A
Lack of reporting of a successful attack on the network is a great concern to an IS auditor.
109. An integrated test facility is not considered a useful audit tool because it cannot compare
processing output with independently calculated data. True or false?
A. True
B. False
Answer: B
An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.
110. An advantage of a continuous audit approach is that it can improve system security when used in
time-sharing environments that process a large number of transactions. True or false?
A. True
B. False
Answer: A
It is true that an advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.
111. If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties,
such as having the security administrator perform an operations function, what is the auditor's
primary responsibility?
A. To advise senior management.
B. To reassign job functions to eliminate potential fraud.
C. To implement compensating controls.
D. Segregation of duties is an administrative control not considered by an IS auditor.
Answer: A
An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.
112. Who is responsible for implementing cost-effective controls in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors
Answer: B
Business unit management is responsible for implementing cost-effective controls in an automated system.
113. Why does an IS auditor review an organization chart?
A. To optimize the responsibilities and authority of individuals
B. To control the responsibilities and authority of individuals
C. To better understand the responsibilities and authority of individuals
D. To identify project sponsors
Answer: C
The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.
114. Ensuring that security and control policies support business and IT objectives is a primary
objective of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment
Answer: A
Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.
115. When auditing third-party service providers, an IS auditor should be concerned with which of the
following? Choose the BEST answer.
A. Ownership of the programs and files
B. A statement of due care and confidentiality, and the capability for continued service of the service
provider in the event of a disaster
C. A statement of due care
D. Ownership of programs and files, a statement of due care and confidentiality, and the capability for
continued service of the service provider in the event of a disaster
Answer: D
When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.
116. When performing an IS strategy audit, an IS auditor should review both short-term (one-year)
and long-term (three- to five-year) IS strategies, interview appropriate corporate management
personnel, and ensure that the external environment has been considered. The auditor should
especially focus on procedures in an audit of IS strategy. True or false?
A. True
B. False
Answer: B
When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered.
117. What process allows IS management to determine whether the activities of the organization
differ from the planned or expected levels? Choose the BEST answer.
A. Business impact assessment
B. Risk assessment
C. IS assessment methods
D. Key performance indicators (KPIs)
Answer: C
IS assessment methods allow IS management to determine whether the activities of the organization differ from the planned or expected levels.
118. When should reviewing an audit client's business plan be performed relative to reviewing an
organization's IT strategic plan?
A. Reviewing an audit client's business plan should be performed before reviewing an organization's IT
strategic plan.
B. Reviewing an audit client's business plan should be performed after reviewing an organization's IT
strategic plan.
C. Reviewing an audit client's business plan should be performed during the review of an organization's
IT strategic plan.
D. Reviewing an audit client's business plan should be performed without regard to an organization's IT
strategic plan.
Answer: A
Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan.
119. Allowing application programmers to directly patch or change code in production programs
increases risk of fraud. True or false?
A. True
B. False
Answer: A
Allowing application programmers to directly patch or change code in production programs increases risk of fraud.
120. Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
Answer: B
Security administrators are usually responsible for network security operations.
121. Proper segregation of duties does not prohibit a quality control administrator from also being
responsible for change control and problem management. True or false?
A. True
B. False
Answer: A
Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management.
122. What can be implemented to provide the highest level of protection from external attack?
A. Layering perimeter network protection by configuring the firewall as a screened host in a screened
subnet behind the bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
Answer: A
Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answers.
123. The directory system of a database-management system describes:
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method
Answer: B
The directory system of a database-management system describes the location of data and the access method.
124. How is the risk of improper file access affected upon implementing a database system?
A. Risk varies.
B. Risk is reduced.
C. Risk is not affected.
D. Risk is increased.
Answer: D
Improper file access becomes a greater risk when implementing a database system.
125. In order to properly protect against unauthorized disclosure of sensitive data, how should hard
disks be sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.
Answer: B
To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized before disposal or release.
126. When reviewing print systems spooling, an IS auditor is MOST concerned with which of the
following vulnerabilities?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
Answer: C
When reviewing print systems spooling, an IS auditor is most concerned with the potential for unauthorized printing of report copies.
127. Why is the WAP gateway a component warranting critical concern and review for the IS auditor
when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured by default settings and is thus insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.
D. WAP often interfaces critical IT systems.
Answer: C
Functioning as a protocol-conversion gateway for wireless TLS to Internet SSL, the WAP gateway is a component warranting critical concern and review for the IS auditor when auditing and testing controls that enforce message confidentiality.
128. Proper segregation of duties prevents a computer operator (user) from performing security
administration duties. True or false?
A. True
B. False
Answer: A
Proper segregation of duties prevents a computer operator (user) from performing security administration duties.
129. How do modems (modulation/demodulation) function to facilitate analog transmissions to enter
a digital network?
A. Modems convert analog transmissions to digital, and digital transmission to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog.
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital.
Answer: A
Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to analog, and are required for analog transmissions to enter a digital network.
130. Which of the following are effective in detecting fraud because they have the capability to
consider a large number of variables when trying to resolve a problem? Choose the BEST answer.
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications
Answer: B
Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.
131. What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing
Answer: A
Diverse routing supports data transmission through split cable facilities or duplicate cable facilities.
132. What type(s) of firewalls provide(s) the greatest degree of protection and control because both
firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
Answer: C
An application-layer gateway, or proxy firewall, and stateful-inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.
133. Which of the following can degrade network performance? Choose the BEST answer.
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating new collision domains
C. Inefficient and superfluous use of network devices such as switches
D. Inefficient and superfluous use of network devices such as hubs
Answer: D
Inefficient and superfluous use of network devices such as hubs can degrade network performance.
134. Which of the following provide(s) near-immediate recoverability for time-sensitive systems and
transaction processing?
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing
Answer: B
Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing.
135. What is an effective control for granting temporary access to vendors and external support
personnel? Choose the BEST answer.
A. Creating user accounts that automatically expire by a predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain hours of the day
D. Creating a single shared vendor administrator account on the basis of least-privileged access
Answer: A
Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.
136. Which of the following help(s) prevent an organization's systems from participating in a
distributed denial-of-service (DDoS) attack? Choose the BEST answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems
Answer: C
Outbound traffic filtering can help prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack.
137. What is a common vulnerability, allowing denial-of-service attacks?
A. Assigning access to users according to the principle of least privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules
Answer: C
Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks.
138. What are trojan horse programs? Choose the BEST answer.
A. A common form of internal attack
B. Malicious programs that require the aid of a carrier program such as email
C. Malicious programs that can run independently and can propagate without the aid of a carrier
program such as email
D. A common form of Internet attack
Answer: D
Trojan horse programs are a common form of Internet attack.
139. What is/are used to measure and ensure proper network capacity management and availability
of services? Choose the BEST answer.
A. Network performance-monitoring tools
B. Network component redundancy
C. Syslog reporting
D. IT strategic planning
Answer: A
Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services.
140. What can be used to gather evidence of network attacks?
A. Access control lists (ACL)
B. Intrusion-detection systems (IDS)
C. Syslog reporting
D. Antivirus programs
Answer: B
Intrusion-detection systems (IDS) are used to gather evidence of network attacks.
141. Which of the following is a passive attack method used by intruders to determine potential
network vulnerabilities?
A. Traffic analysis
B. SYN flood
C. Denial of service (DoS)
D. Distributed denial of service (DDoS)
Answer: A
Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities. All others are active attacks.
142. Which of the following fire-suppression methods is considered to be the most environmentally
friendly?
A. Halon gas
B. Deluge sprinklers
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
Answer: C
Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.
143. What is a callback system?
A. It is a remote-access system whereby the remote-access server immediately calls the user back at a
predetermined number if the dial-in connection fails.
B. It is a remote-access system whereby the user's application automatically redials the remote-access
server if the initial connection attempt fails.
C. It is a remote-access control whereby the user initially connects to the network systems via dial-up
access, only to have the initial connection terminated by the server, which then subsequently dials the
user back at a predetermined number stored in the server's configuration database.
D. It is a remote-access control whereby the user initially connects to the network systems via dial-up
access, only to have the initial connection terminated by the server, which then subsequently allows the
user to call back at an approved number for a limited period of time.
Answer: C
A callback system is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.
144. What type of fire-suppression system suppresses fire via water that is released from a main valve
to be delivered via a system of dry pipes installed throughout the facilities?
A. A dry-pipe sprinkler system
B. A deluge sprinkler system
C. A wet-pipe system
D. A halon sprinkler system
Answer: A
A dry-pipe sprinkler system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities.
145. Digital signatures require the sender to "sign" the data by encrypting the data with the sender's
public key, to then be decrypted by the recipient using the recipient's private key. True or false?
A. False
B. True
Answer: B
Digital signatures require the sender to "sign" the data by encrypting the data with the sender's private key, to then be decrypted by the recipient using the sender's public key.
146. Which of the following provides the BEST single-factor authentication?
A. Biometrics
B. Password
C. Token
D. PIN
Answer: A
Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication.
147. What is used to provide authentication of the website and can also be used to successfully
authenticate keys used for data encryption?
A. An organizational certificate
B. A user certificate
C. A website certificate
D. Authenticode
Answer: C
A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.
148. What determines the strength of a secret key within a symmetric key cryptosystem?
A. A combination of key length, degree of permutation, and the complexity of the data-encryption
algorithm that uses the key
B. A combination of key length, initial input vectors, and the complexity of the data-encryption
algorithm that uses the key
C. A combination of key length and the complexity of the data-encryption algorithm that uses the key
D. Initial input vectors and the complexity of the data-encryption algorithm that uses the key
Answer: B
The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key.
149. What process is used to validate a subject's identity?
A. Identification
B. Nonrepudiation
C. Authorization
D. Authentication
Answer: D
Authentication is used to validate a subject's identity.
150. What is often assured through table link verification and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy
Answer: A
Database integrity is most often ensured through table link verification and reference checks.
151. Which of the following should an IS auditor review to determine user permissions that have been
granted for a particular resource? Choose the BEST answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
Answer: B
IS auditors should review access-control lists (ACL) to determine user permissions that have been granted for a particular resource.
152. What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived
Answer: B
IS auditors should always check to ensure that password files are encrypted.
153. Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
Answer: C
User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther down in the transport layer.
154. When should systems administrators first assess the impact of applications or systems patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation
Answer: B
Systems administrators should always assess the impact of patches before installation.
155. Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
Answer: A
Adopting and communicating a comprehensive antivirus policy is the most fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon decisions established and communicated via policy.
156. Which of the following is of greatest concern when performing an IS audit?
A. Users' ability to directly modify the database
B. Users' ability to submit queries to the database
C. Users' ability to indirectly modify the database
D. Users' ability to directly view the database
Answer: A
A major IS audit concern is users' ability to directly modify the database.
157. What are intrusion-detection systems (IDS) primarily used for?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network
Answer: D
Intrusion-detection systems (IDS) are used to identify intrusion attempts on a network.
158. Rather than simply reviewing the adequacy of access control, appropriateness of access policies,
and effectiveness of safeguards and procedures, the IS auditor is more concerned with effectiveness
and utilization of assets. True or false?
A. True
B. False
Answer: B
Instead of simply reviewing the effectiveness and utilization of assets, an IS auditor is more concerned with adequate access control, appropriate access policies, and effectiveness of safeguards and procedures.
159. If a programmer has update access to a live system, IS auditors are more concerned with the
programmer's ability to initiate or modify transactions and the ability to access production than with
the programmer's ability to authorize transactions. True or false?
A. True
B. False
Answer: A
If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions.
160. Organizations should use off-site storage facilities to maintain _________________ (fill in the
blank) of current and critical information within backup files. Choose the BEST answer.
A. Confidentiality
B. Integrity
C. Redundancy
D. Concurrency
Answer: C
Redundancy is the best answer because it provides both integrity and availability. Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files.
161. The purpose of business continuity planning and disaster-recovery planning is to:
A. Transfer the risk and impact of a business interruption or disaster
B. Mitigate, or reduce, the risk and impact of a business interruption or disaster
C. Accept the risk and impact of a business
D. Eliminate the risk and impact of a business interruption or disaster
Answer: B
The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.
162. If a database is restored from information backed up before the last system image, which of the
following is recommended?
A. The system should be restarted after the last transaction.
B. The system should be restarted before the last transaction.
C. The system should be restarted at the first transaction.
D. The system should be restarted on the last transaction.
Answer: B
If a database is restored from information backed up before the last system image, the system should be restarted before the last transaction because the final transaction must be reprocessed.
163. An off-site processing facility should be easily identifiable externally because easy identification
helps ensure smoother recovery. True or false?
A. True
B. False
Answer: B
An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.
164. Which of the following is the dominating objective of BCP and DRP?
A. To protect human life
B. To mitigate the risk and impact of a business interruption
C. To eliminate the risk and impact of a business interruption
D. To transfer the risk and impact of a business interruption
Answer: A
Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.
165. How can minimizing single points of failure or vulnerabilities of a common disaster best be
controlled?
A. By implementing redundant systems and applications onsite
B. By geographically dispersing resources
C. By retaining onsite data backup in fireproof vaults
D. By preparing BCP and DRP documents for commonly identified disasters
Answer: B
Single points of failure, and vulnerabilities to a common disaster, are best minimized by geographically dispersing resources; redundant systems on one site, on-site vaults, and planning documents all still share the same physical exposure.
166. Mitigating the risk and impact of a disaster or business interruption usually takes priority over
transference of risk to a third party such as an insurer. True or false?
A. True
B. False
Answer: A
Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.
167. Off-site data storage should be kept synchronized when preparing for recovery of time-sensitive
data such as that resulting from which of the following? Choose the BEST answer.
A. Financial reporting
B. Sales reporting
C. Inventory reporting
D. Transaction processing
Answer: D
Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing.
168. What is an acceptable recovery mechanism for extremely time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network
Answer: C
Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.
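Questions 162 and 168 both turn on the same mechanism: restore the last system image, then roll forward from a journal of committed transactions, leaving the interrupted final transaction to be reprocessed from its source. The following is an added illustration, not part of the exam or its answer key; the snapshot, the journal entries, the "acct-1"/"acct-2" keys and the BEGIN/SET/COMMIT record shape are all constructed for the example.

```python
from copy import deepcopy

# Constructed sample: a system image (snapshot) of two balances, taken at a
# quiesced point after journal sequence number (LSN) 3, plus the journal that
# continues past it. T3 has a BEGIN but no COMMIT: the failure interrupted it.
SNAPSHOT = {"lsn": 3, "state": {"acct-1": 100, "acct-2": 50}}

JOURNAL = [
    {"lsn": 1, "tx": "T1", "op": "BEGIN"},
    {"lsn": 2, "tx": "T1", "op": "SET", "key": "acct-1", "value": 100},
    {"lsn": 3, "tx": "T1", "op": "COMMIT"},
    {"lsn": 4, "tx": "T2", "op": "BEGIN"},
    {"lsn": 5, "tx": "T2", "op": "SET", "key": "acct-1", "value": 70},
    {"lsn": 6, "tx": "T2", "op": "SET", "key": "acct-2", "value": 80},
    {"lsn": 7, "tx": "T2", "op": "COMMIT"},
    {"lsn": 8, "tx": "T3", "op": "BEGIN"},
    {"lsn": 9, "tx": "T3", "op": "SET", "key": "acct-2", "value": 0},
    # no COMMIT for T3
]


def journal_gaps(journal):
    """Return LSNs missing from the sequence. A gap means journal records were
    lost in transit (e.g. a remote-journaling link dropped them) and the
    roll-forward must stop before it rather than silently skip it."""
    present = {e["lsn"] for e in journal}
    return [n for n in range(journal[0]["lsn"], journal[-1]["lsn"] + 1) if n not in present]


def recover(snapshot, journal):
    """Restore the image, then apply only transactions that committed after it.

    Returns (state, restart_lsn, pending): the recovered state, the LSN of the
    last applied (committed) record, and the transactions that began but never
    committed. Those are the ones the text says must be reprocessed; they are
    deliberately NOT applied, so the system restarts 'before the last
    transaction' rather than with a half-applied one.
    """
    if journal_gaps(journal):
        raise ValueError(f"journal has gaps at {journal_gaps(journal)}; refusing to roll forward")

    state = deepcopy(snapshot["state"])
    after = [e for e in journal if e["lsn"] > snapshot["lsn"]]
    committed = {e["tx"] for e in after if e["op"] == "COMMIT"}
    began = [e["tx"] for e in after if e["op"] == "BEGIN"]

    restart_lsn = snapshot["lsn"]
    for entry in after:
        if entry["tx"] not in committed:
            continue  # uncommitted work is discarded, never half-applied
        if entry["op"] == "SET":
            state[entry["key"]] = entry["value"]
        restart_lsn = entry["lsn"]

    pending = [tx for tx in began if tx not in committed]
    return state, restart_lsn, pending


if __name__ == "__main__":
    state, lsn, pending = recover(SNAPSHOT, JOURNAL)
    print("recovered state:", state)
    print("restart after LSN:", lsn)
    print("transactions to reprocess from source:", pending)
```

The point for an auditor is the order of the checks: the journal is verified for completeness before it is replayed, uncommitted work is discarded rather than partially applied, and the interrupted transaction is reported for reprocessing instead of being guessed at. A remote-journaling or shadow-file setup changes only where the journal lives, not this recovery logic.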
169. Off-site data backup and storage should be geographically separated so as to ________________
(fill in the blank) the risk of a widespread physical disaster such as a hurricane or earthquake.
A. Accept
B. Eliminate
C. Transfer
D. Mitigate
Answer: D
Off-site data backup and storage should be geographically separated, to mitigate the risk of a widespread physical disaster such as a hurricane or an earthquake.
170. Why is a clause for requiring source code escrow in an application vendor agreement important?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the application vendor goes out of business
Answer: D
A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.
171. What uses questionnaires to lead the user through a series of choices to reach a conclusion?
Choose the BEST answer.
A. Logic trees
B. Decision trees
C. Decision algorithms
D. Logic algorithms
Answer: B
Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.
172. What protects an application purchaser's ability to fix or change an application in case the
application vendor goes out of business?
A. Assigning copyright to the organization
B. Program back doors
C. Source code escrow
D. Internal programming expertise
Answer: C
Source code escrow protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business.
173. Who is ultimately responsible for providing requirement specifications to the software-
development team?
A. The project sponsor
B. The project members
C. The project leader
D. The project steering committee
Answer: A
The project sponsor is ultimately responsible for providing requirement specifications to the software-development team.
174. What should regression testing use to obtain accurate conclusions regarding the effects of
changes or corrections to a program, and ensuring that those changes and corrections have not
introduced new errors?
A. Contrived data
B. Independently created data
C. Live data
D. Data from previous tests
Answer: D
Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors.
175. An IS auditor should carefully review the functional requirements in a systems-development
project to ensure that the project is designed to:
A. Meet business objectives
B. Enforce data security
C. Be culturally feasible
D. Be financially feasible
Answer: A
An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.
176. Which of the following processes are performed during the design phase of the systems-
development life cycle (SDLC) model?
A. Develop test plans.
B. Baseline procedures to prevent scope creep.
C. Define the need that requires resolution, and map to the major requirements of the solution.
D. Program and test the new system. The tests verify and validate what has been developed.
Answer: B
Procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.
177. When should application controls be considered within the system-development process?
A. After application unit testing
B. After application module testing
C. After applications systems testing
D. As early as possible, even in the development of the project's functional specifications
Answer: D
Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications.
178. What is used to develop strategically important systems faster, reduce development costs, and
still maintain high quality? Choose the BEST answer.
A. Rapid application development (RAD)
B. GANTT
C. PERT
D. Decision trees
Answer: A
Rapid application development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality.
179. Test and development environments should be separated. True or false?
A. True
B. False
Answer: A
Test and development environments should be separated, to control the stability of the test environment.
180. What kind of testing should programmers perform following any changes to an application or
system?
A. Unit, module, and full regression testing
B. Module testing
C. Unit testing
D. Regression testing
Answer: A
Programmers should perform unit, module, and full regression testing following any changes to an application or system.
181. Which of the following uses a prototype that can be updated continually to meet changing user
or business requirements?
A. PERT
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. GANTT
Answer: B
Rapid application development (RAD) uses a prototype that can be updated continually to meet changing user or business requirements.
182. What is the most common reason for information systems to fail to meet the needs of users?
Choose the BEST answer.
A. Lack of funding
B. Inadequate user participation during system requirements definition
C. Inadequate senior management participation during system requirements definition
D. Poor IT strategic planning
Answer: B
Inadequate user participation during system requirements definition is the most common reason for information systems to fail to meet the needs of users.
183. Who is responsible for the overall direction, costs, and timetables for systems-development
projects?
A. The project sponsor
B. The project steering committee
C. Senior management
D. The project team leader
Answer: B
The project steering committee is responsible for the overall direction, costs, and timetables for systems-development projects.
184. When should plans for testing for user acceptance be prepared? Choose the BEST answer.
A. In the requirements definition phase of the systems-development project
B. In the feasibility phase of the systems-development project
C. In the design phase of the systems-development project
D. In the development phase of the systems-development project
Answer: A
Plans for testing for user acceptance are usually prepared in the requirements definition phase of the systems-development project.
185. Above almost all other concerns, what often results in the greatest negative impact on the
implementation of new application software?
A. Failing to perform user acceptance testing
B. Lack of user training for the new system
C. Lack of software documentation and run manuals
D. Insufficient unit, module, and systems testing
Answer: A
Above almost all other concerns, failing to perform user acceptance testing often results in the greatest negative impact on the implementation of new application software.
186. Input/output controls should be implemented for which applications in an integrated systems
environment?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving application
Answer: C
Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment.
187. Authentication techniques for sending and receiving data between EDI systems are crucial to
prevent which of the following? Choose the BEST answer.
A. Unsynchronized transactions
B. Unauthorized transactions
C. Inaccurate transactions
D. Incomplete transactions
Answer: B
Authentication techniques for sending and receiving data between EDI systems are crucial to prevent unauthorized transactions.
188. After identifying potential security vulnerabilities, what should be the IS auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the vulnerabilities
D. To immediately advise senior management of the findings
Answer: C
After identifying potential security vulnerabilities, the IS auditor's next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.
189. What is the primary security concern for EDI environments? Choose the BEST answer.
A. Transaction authentication
B. Transaction completeness
C. Transaction accuracy
D. Transaction authorization
Answer: D
Transaction authorization is the primary security concern for EDI environments.
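Questions 187 and 189 are two halves of one control: authentication establishes which trading partner a message really came from, and authorization then decides whether that partner is permitted to send that transaction at all. The example below is added here to show the two checks in order; it is not from the exam and is not how any particular EDI product works. The partner names, shared keys, transaction-set codes, amount ceilings and the JSON message shape are all constructed for illustration (a real interchange would carry X12 or EDIFACT segments and usually rely on a transport such as AS2 for authentication, which the exam does not go into).

```python
import hashlib
import hmac
import json

# Constructed trading-partner registry: a shared HMAC key per partner (how the
# receiver authenticates the sender) and what each partner is AUTHORIZED to
# send: permitted transaction sets and a per-transaction amount ceiling.
PARTNERS = {
    "ACME":   {"key": b"acme-shared-secret-constructed",   "allowed_sets": {"850"},        "max_amount": 50_000},
    "GLOBEX": {"key": b"globex-shared-secret-constructed", "allowed_sets": {"850", "856"}, "max_amount": 10_000},
}


def canonical(msg: dict) -> bytes:
    """Stable serialisation so sender and receiver MAC the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def mac_for(partner_id: str, msg: dict) -> str:
    return hmac.new(PARTNERS[partner_id]["key"], canonical(msg), hashlib.sha256).hexdigest()


def make_envelope(partner_id: str, msg: dict) -> dict:
    """What the sending partner transmits: claimed identity, message, MAC."""
    return {"sender": partner_id, "msg": msg, "mac": mac_for(partner_id, msg)}


def authenticate(envelope: dict):
    """Return the partner id if the MAC verifies under THAT partner's key, else None.
    A forged sender field fails here because the forger lacks the victim's key."""
    partner = PARTNERS.get(envelope.get("sender"))
    if partner is None:
        return None
    expected = hmac.new(partner["key"], canonical(envelope["msg"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        return None
    return envelope["sender"]


def authorize(partner_id: str, msg: dict):
    """Return a rejection reason, or None if the authenticated partner may send this."""
    policy = PARTNERS[partner_id]
    if msg["set"] not in policy["allowed_sets"]:
        return "transaction set not permitted"
    if msg["amount"] > policy["max_amount"]:
        return "amount exceeds limit"
    return None


def process(envelope: dict, seen_control_numbers: set):
    """Receiver-side pipeline: authenticate, reject replays, then authorize.
    Authentication comes first so an unauthenticated sender cannot burn
    control numbers or probe the authorization policy."""
    partner_id = authenticate(envelope)
    if partner_id is None:
        return ("REJECT", "authentication failed")
    msg = envelope["msg"]
    control = (partner_id, msg["control_number"])
    if control in seen_control_numbers:
        return ("REJECT", "duplicate control number")
    reason = authorize(partner_id, msg)
    if reason:
        return ("REJECT", reason)
    seen_control_numbers.add(control)
    return ("ACCEPT", partner_id)


if __name__ == "__main__":
    seen = set()
    order = make_envelope("ACME", {"set": "850", "control_number": 101, "amount": 1_200})
    print(process(order, seen))          # ('ACCEPT', 'ACME')
    print(process(order, seen))          # replayed: ('REJECT', 'duplicate control number')
```

Note what each rejection proves: a tampered amount or a forged sender field fails authentication even though the message is well formed, while a genuine GLOBEX message over its ceiling passes authentication and fails only at authorization. That separation is why question 189 names authorization, not authentication, as the primary concern: a correctly authenticated partner can still submit a transaction it was never entitled to.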
190. Which of the following exploit vulnerabilities to cause loss or damage to the organization and its
assets?
A. Exposures
B. Threats
C. Hazards
D. Insufficient controls
Answer: B
Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.
191. Business process re-engineering often results in ______________ automation, which results in
_____________ number of people using technology. Fill in the blanks.
A. Increased; a greater
B. Increased; a fewer
C. Less; a fewer
D. Increased; the same
Answer: A
Business process re-engineering often results in increased automation, which results in a greater number of people using technology.
192. Whenever business processes have been re-engineered, the IS auditor attempts to identify and
quantify the impact of any controls that might have been removed, or controls that might not work as
effectively after business process changes. True or false?
A. True
B. False
Answer: A
Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes.
193. When should an application-level edit check to verify the availability of funds be completed at
the electronic funds transfer (EFT) interface?
A. Before transaction completion
B. Immediately after an EFT is initiated
C. During run-to-run total testing
D. Before an EFT is initiated
Answer: D
An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated.
194. ________________ (fill in the blank) should be implemented as early as data preparation to
support data integrity at the earliest point possible.
A. Control totals
B. Authentication controls
C. Parity bits
D. Authorization controls
Answer: A
Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.
195. What is used as a control to detect loss, corruption, or duplication of data?
A. Redundancy check
B. Reasonableness check
C. Hash totals
D. Accuracy check
Answer: C
Hash totals are used as a control to detect loss, corruption, or duplication of data.
196. Data edits are implemented before processing and are considered which of the following?
Choose the BEST answer.
A. Deterrent integrity controls
B. Detective integrity controls
C. Corrective integrity controls
D. Preventative integrity controls
Answer: D
Data edits are implemented before processing and are considered preventive integrity controls.
197. In small office environments, it is not always possible to maintain proper segregation of duties
for programmers. If a programmer has access to production data or applications, compensatory
controls such as the reviewing of transaction results to approved input might be necessary. True or
false?
A. True
B. False
Answer: A
In small office environments, it is not always possible to maintain proper segregation of duties for programmers. If a programmer has access to production data or applications, compensatory controls such as the review of transaction results to approved input might be necessary.
198. Processing controls ensure that data is accurate and complete, and is processed only through
which of the following? Choose the BEST answer.
A. Documented routines
B. Authorized routines
C. Accepted routines
D. Approved routines
Answer: B
Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.
199. What is a data validation edit control that matches input data to an occurrence rate? Choose the
BEST answer.
A. Accuracy check
B. Completeness check
C. Reasonableness check
D. Redundancy check
Answer: C
A reasonableness check is a data validation edit control that matches input data to an occurrence rate.
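Questions 194, 195, 196 and 199 describe the same family of input edits: control totals and hash totals stamped on a batch at data preparation, and completeness and reasonableness checks applied before any record is processed. The example below is added to show those edits working together on one batch; it is not part of the exam. The batch layout, the account numbers and amounts, and the two policy values (an amount ceiling and a maximum number of records per account) are all constructed for illustration.

```python
from collections import Counter

# Constructed sample batch. At data preparation the header is stamped with a
# record count, a control total (sum of the monetary field, in integer cents)
# and a hash total (sum of a non-monetary field, here the account number).
CLEAN_BATCH = {
    "header": {"record_count": 3, "control_total": 45_000, "hash_total": 3006},
    "records": [
        {"account": 1001, "amount": 10_000, "memo": "invoice 17"},
        {"account": 1002, "amount": 15_000, "memo": "invoice 18"},
        {"account": 1003, "amount": 20_000, "memo": "invoice 19"},
    ],
}

# Same header, but account 1003 was mis-keyed as 1030. Count and control
# total are unchanged, so only the hash total can catch it.
MISKEYED_BATCH = {
    "header": dict(CLEAN_BATCH["header"]),
    "records": [dict(r) for r in CLEAN_BATCH["records"]],
}
MISKEYED_BATCH["records"][2]["account"] = 1030

# Same header, but the first record was transmitted twice.
DUPLICATED_BATCH = {
    "header": dict(CLEAN_BATCH["header"]),
    "records": [dict(r) for r in CLEAN_BATCH["records"]] + [dict(CLEAN_BATCH["records"][0])],
}

# Totals all agree with the header, yet one account appears three times:
# only the occurrence-rate (reasonableness) edit flags this.
UNREASONABLE_BATCH = {
    "header": {"record_count": 3, "control_total": 30_000, "hash_total": 3003},
    "records": [{"account": 1001, "amount": 10_000, "memo": f"invoice {n}"} for n in (20, 21, 22)],
}

REQUIRED_FIELDS = ("account", "amount", "memo")
MAX_AMOUNT = 1_000_000   # assumed policy ceiling for one record (reasonableness)
MAX_PER_ACCOUNT = 2      # assumed occurrence rate: records per account per batch


def completeness_check(records):
    return [f"record {i}: missing {f}"
            for i, r in enumerate(records) for f in REQUIRED_FIELDS if f not in r]


def batch_totals(records):
    """Recompute what the header claims, from the records actually received."""
    return {
        "record_count": len(records),
        "control_total": sum(r["amount"] for r in records),
        "hash_total": sum(r["account"] for r in records),
    }


def totals_check(header, records):
    actual = batch_totals(records)
    return [f"{k} mismatch: header {header[k]}, computed {actual[k]}"
            for k in actual if header[k] != actual[k]]


def reasonableness_check(records):
    findings = [f"record {i}: amount {r['amount']} outside 1..{MAX_AMOUNT}"
                for i, r in enumerate(records) if not 0 < r["amount"] <= MAX_AMOUNT]
    for account, n in Counter(r["account"] for r in records).items():
        if n > MAX_PER_ACCOUNT:
            findings.append(f"account {account}: {n} records exceeds {MAX_PER_ACCOUNT} per batch")
    return findings


def validate_batch(batch):
    """Run every edit BEFORE processing; a non-empty result rejects the whole
    batch, which is what makes these preventive rather than detective controls."""
    records = batch["records"]
    findings = completeness_check(records)
    if findings:
        return findings  # totals cannot be computed over incomplete records
    findings += totals_check(batch["header"], records)
    findings += reasonableness_check(records)
    return findings


if __name__ == "__main__":
    for name, batch in [("clean", CLEAN_BATCH), ("mis-keyed", MISKEYED_BATCH),
                        ("duplicated", DUPLICATED_BATCH), ("unreasonable", UNREASONABLE_BATCH)]:
        print(name, "->", validate_batch(batch) or "accepted")
```

The three bad batches show why the exam treats these edits as distinct controls rather than one: a transposed account number slips past the record count and the control total and is caught only by the hash total; a duplicated record moves all three totals; and a batch whose totals all reconcile can still be rejected by the occurrence-rate check. None of them reaches processing.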
200. Database snapshots can provide an excellent audit trail for an IS auditor. True or false?
A. True
B. False
Answer: A
Database snapshots can provide an excellent audit trail for an IS auditor.