Sushil P.

question	a	b	c	d	answer	justification	ref	sn	toughmark	chapter
1. The KEY components of IT Infrastructure are ___________________	Users, Applications, DBMS, System Software, Network & Hardware	Computing systems, satellite dishes, ISDN lines, Radio towers	Concrete building, air conditioning, fire extinguishers, sprinklers	Large servers, desktop computers, laptops, tablets	a	All information systems will have these elements as common to them since interactions will take place between them in such systems. This is explained in para 1.2. B, C and D are incorrect since they are not speaking of the common elements of any information systems but are various types of equipment alone (B), physical infrastructure alone (C) or merely various types of computing devices	M1DISA	1	65	M1DISA
2. Auditors dealing with organizations deploying IT need to have ______________	Adequate working knowledge of IT hardware & software	Expertise in all areas of IT technology	Thorough knowledge on the financial aspects alone	Expertise both in financial and IT technology aspects	a	C.A.s knowledge of IT technology need not and cannot be complete and total. They only need adequate knowledge to effectively audit the IT functions of an organization. C.A.s cannot be expected to be experts in all areas of IT technology; this is not their role. Knowledge of financial aspects alone in a technology oriented function like IT will not facilitate effective auditing of the IT function. A C.A. cannot be expected to have thorough knowledge of both financial & IT technology aspects	M1DISA	2	165	M1DISA
3. People, the most import element of information systems, comprise ______________	Users of the system in the head office and branches	All users of the system and all information system personnel	All employees except information system personnel	Employees involved with maintenance of the information system	b	It does not exclude the people managing the IT system. As brought out in paragraph 1.2.1, the scope of IT covers both the actual users as well as those involved in managing the IT system. It includes the information system management personnel. The actual users of the system are also KEY to the IT system.	M1DISA	3	83	M1DISA
4. Application software is a collection of programs which ______________	Operates computer hardware & facilitates use of system software	Exclusively use for generating applications to govt. bodies	Addresses a real life problem for its end users	Helps users generate complaints to IT services dept. alone	c	It is system software which helps run hardware & facilitates use of application software. Options B & D are also wrong & are not generic definitions of application software. As explained in paragraph 1.2.2, application software are programs that help address business, scientific or other needs of its end users.	M1DISA	4	180	M1DISA
5. Hardware refers to___________________	All computer parts except those which are soft, made of glass or plastic	Devices performing Input, output, processing & data storage functions of a computer	All connecting tubes, hoses, joints, cables and pipelines carrying IT cables	All parts of the computer which are complex and hard to understand	b	A, C & D are clearly wrong answers which have no relation to the definition in paragraph 1.2.6. As defined clearly in paragraph 1.2.6.	M1DISA	5	187	M1DISA
6. The basic sequential steps of the machine cycle performed by the CPU are ______________	Fetch, Decode, Execute and Store	Decode, Execute, Store and Fetch	Store, Fetch, Decode and Execute	Execute, Fetch, Decode and Store	a	As defined clearly in paragraph 1.3.2. B, C & D are clearly wrong answers which contain the wrong sequence.	M1DISA	6	112	M1DISA
7. Cache memory ______________	Is a large, slow memory which is no longer used in computers	Helps bridge speed difference between Registers and Primary Memory	Is a virtual memory which is an image of another memory	Is a memory where only valuable, secret information is stored	b	Cache memory is a small & fast memory very much in use even today. As brought out in paragraph 1.3.3. It is not a virtual memory. It maintains copies of most frequently used data from main memories and not only for secret information.	M1DISA	7	67	M1DISA
8. Secondary Memory ______________	Is volatile memory with large storage capacities	Is non-volatile memory which is fast & responsive	Is non-volatile memory with large storage capacities	Involves higher cost per unit of information than RAM	c	Secondary memory is not volatile. It is not fast. As brought out in paragraph 1.3.3, secondary memory is non-volatile, with large storage capacities. It is, however, slower than registers or primary storage. Its cost per unit of information is lower than RAM.	M1DISA	8	45	M1DISA
9. One Megabyte is equal to ___________________	1024 x 1024 Bytes	1000 Kilobytes	1000 Bytes	1,000,000 Bytes	a	1 Megabyte equals 1024 Kilobytes or 1024 x 1024 Bytes. All the other answers are, therefore, obviously wrong.	M1DISA	9	115	M1DISA
10. Unicode _____________	Uses 16 Bytes for character coding & has replaced other major coding systems	Uses 7 bits for character coding	Uses 16 bits for character coding & has replaced other major coding systems	Uses 8 bits for character coding	c	Unicode uses 16 bits for character coding & has replaced other major coding systems as brought out in paragraph 1.4. A, B & D answers are, obviously wrong.	M1DISA	10	82	M1DISA
11. Implementing Hardware Monitoring Procedures ______________	Is expensive and not cost effective	Reduces Total Cost of Ownership & improves Return on Investment	Is cumbersome & time consuming	Leads to increased server downtime	b	Pra 1.5.3 establishes that the other options are wrong & it makes sense to implement hardware monitoring procedures. As brought out in paragraph 1.5.3	M1DISA	11	40	M1DISA
12. Some factors that affect the requirement & capacity of various hardware are ____________	Number of employees in the organization	Variety of markets in which operations happen	Nature of the products dealt with in the organization	Transaction volume, Computation complexity	d	As brought out in paragraph 1.5.4. This para also establishes that the other options are wrong.	M1DISA	12	135	M1DISA
13. A KEY issue in retirement of hardware is security & disposal of data. Robust policies need to be in place for hardware retirement cycles, archiving of data, closure of licensing and/or contracts.	FALSE	TRUE			b	As brought out in paragraph 1.5.5, this statement is factually correct	M1DISA	13	43	M1DISA
14. Hardware Auditing ________________	Is best carried out by the purchase department of the I.T. department	Primarily encompasses hardware acquisition & capacity management	Should be restricted to the financial aspects of hardware usage	Is not as critical as software auditing which can be a more vulnerable area	b	Hardware is a vulnerable area which needs to be closely reviewed by Audit. Hence, the other three options are not correct. Paragraph 1.6 elaborates on the criticality of hardware acquisition & capacity management as KEY Areas of Hardware auditing.	M1DISA	14	46	M1DISA
15. Software _________________	Software consists of clearly-defined instruction sets that upon execution, tell a computer what to do	Refers to all the soft parts of any computer system	Is not as important as hardware; a system can operate even without it	Are only those programs which convert machine language to English	a	Paragraph 2.1 incorporates this definition. While option B is obviously incorrect, C is wrong since it would be impossible to operate any computer without software. D, too, is wrong since software plays a role much beyond that of converting machine language to English	M1DISA	15	118	M1DISA
16. System Software _______________	Is specific to each application software and cannot be interchanged	Co-ordinates instructions between application software and hardware	Cannot be used for application development	Is not involved in I/O devices connectivity	b	Definition as per paragraph 2.1.1. It is actually generic and can be used with any application (option A). It can actually be the basis for development of application development (option C). It enables I/O devices connectivity	M1DISA	16	32	M1DISA
17. Application Software __________________	Microsoft Office is not an example of application software	Cannot be directly interacted with by end users	Is a set of software that performs a function directly for the end user	Can be directly used on a computer even without system software	c	As clearly defined in 2.1.2. Microsoft Office is, indeed, an example of application software. (option A). A KEY Aspect of application software is that it can be directly interacted with by end users (option B). Lastly, a computer cannot be run without system software as brought out in earlier notes	M1DISA	17	66	M1DISA
18. An Operating System is ______________	An intermediary agent that manages computer resources among various processes	An application software which is in operation in a computer network	A new type of software which has been introduced in the latest computers only	A computer system which has been switched on and is in proper operation	a	The definition is as per paragraph 2.2. As for the other options, an operating system is, obviously a system software and not an application software (option B). It is not a new type of software and has been an intrinsic part of all computer systems for long (option C). Though option D may not appear to be factually incorrect, this is not the sense in which the term Operating System is used in this context.	M1DISA	18	105	M1DISA
19. State True or False : Operating Systems can be single user / multi user, multi processing or real time.	FALSE	TRUE			b	This has been clearly elaborated in paragraph 2.2.1	M1DISA	19	204	M1DISA
20. Processor Management refers to _______________	Management of the various processors by the Systems Executive	Training of the end-user for optimal user of computer systems	Optimisation of use of application software on a personal computer	Process or task scheduling carried out by the Operating System	d	As brought out in paragraph 2.2.2, Processor Management is one of the KEY roles played by an Operating system. It enables process scheduling. The Operating system is part of the main computer system and one of its KEY roles is process scheduling. It has nothing to do with the management role of Systems Executives or with training of end users (options A & B). It is not relevant to application software optimisation (option C).	M1DISA	20	128	M1DISA
21. Which of the following is performed by the Operating System ________________	Supports virtual memory by carving out an area of hard disk	Supports virtual memory on external storage device	Supports secondary memory by allocating an area of hard disk	Supports end user in carrying out specific functions	a	The Operating System supports RAM by carving out an area of hard disk to create a virtual memory (option A). It does not do this on any external storage device (option B). The OS can only assist expansion of RAM space by carving out hard disk space, not secondary memory (option C). The OS is only an intermediary agent and does not interact directly with the end user (option D).	M1DISA	21	204	M1DISA
22. Which of the following is a role of the Operating System ______________	Helps manage Data bases of various types	Facilitates use of spread sheets by end users	Manages device communication with respective drivers	Helps programmers to create computer programs	c	One of the KEY functions of the Operating system is insulating the end user from the peculiarities of each hardware device (option C). OS are not directly involved in use of Data Bases or spread sheets; nor are they useful for writing programs. One would need program development software for that purpose (options A, B & D).	M1DISA	22	136	M1DISA
23. Fifth Generation programming language _________________	It comprises machine language & code	Is mainly used in Artificial intelligence	Cannot solve a problem without a programmer	It uses long instructions & is machine dependent	b	Fifth generation programming language is the most advanced of the languages & is used in artificial intelligence. It is, thus, not based upon primitive machine language and code. It is also pre-programmed with options in such a way that minimum intervention of a programmer is required. It is much simpler and platform independent as compared to first generation programming languages (options A, C & D).	M1DISA	23	162	M1DISA
24. What is the function of a Compiler ?	It translates Assembly language into Machine language	It translates statements of a program into machine code, line by line	A compiler translates a high level language program into a machine language program	It allows a user to create and edit files	c	A compiler basically translates a high level program into machine code. It does not operate at the level of converting Assembly language into machine code or, like an Interpreter, translate into machine code line by line (options A and B). It is also not an Editor program to create and edit files (D).	M1DISA	24	26	M1DISA
25. Which software controls, among other things, ownership assignment of all data for accountability ?	Access Control Software	Data Communications Software	Utility programs	Defragmenters	a	It is access control software which is vested with the responsibility for assigning ownership of all data for purposes of accountability (para 2.3.2). Data Communications software generally assists the OS for local and remote terminal access (option B). Utility programs and defragmenters basically help improve computer efficiency and performance and have nothing to do with ownership assignment of all data.	M1DISA	25	191	M1DISA
26. Access control lists in the OS manage OS Controls. The lowest level of control that can be exercised is, generally, up to :	The level of an individual directory	The level of a particular page in a file	The level of individual words in a file	The level of individual files	d	Most systems are designed to exercise access control only up to the level of a file and not below. Hence the choice of D as the right option above and the rejection of the other options.	M1DISA	26	91	M1DISA
27. State Yes or No In a newly formed organization, the System Administrator is faced with requests for access to particular files from multiple users. On closer scrutiny, he finds that though the users are different, he is able to detect a pattern whereby individuals handling particular functions all seek access to the same files. The System Administrator is aware that, while the individuals handling these functions may change, the actual functions, by and large, are permanent. He feels that it would be simpler to provide access control for files to particular functions and would like to know the feasibility of doing so in the Operating system. What is your view ? Is it possible to provide access to ‘Roles’ which could comprise multiple users, instead of creating individual access controls for each of the users ? :	Yes, it would be possible	No, it would not be possible			a	Access control lists are widely used with Roles comprising multiple users. The individual users can keep changing depending upon the roles they take up. Hence, Option A above is correct.	M1DISA	27	25	M1DISA
28. What is the first step in Software acquisition ?	Establish criteria for selecting and rejecting alternatives	Carry out Cost/Benefit analysis, including make or buy decision	Establish scope, objectives background & project charter	Determine supplier’s technical capabilities & support services	c	Without first establishing the scope and objectives, software acquisition may end up failing on fundamental aspects of meeting end user needs. This would be the starting point, therefore, for any acquisition exercise. The other options get ruled out by default.	M1DISA	28	191	M1DISA
29. What is an Endpoint device ?	A device used as a pointer during Power point presentations	The key-board or a mouse on a computer	A device which identifies the end of each software program	An internet-capable computer hardware device on a TCP/IP network	d	Endpoint devices can be computers, smart phones, thin clients, etc. which have connectivity to the internet as brought out in option D. The very fact that they have this connectivity raises concerns of security with respect to possible leakage of information to the outside world or vulnerability to virus or other malicious software which may attempt to enter the system from the internet.	M1DISA	29	31	M1DISA
30. What is Digital Rights Management ?	Management of binary digit codes in the system software	Technology used for preventing users from using the content in any manner other than that permitted by the content provider	Conversion of analog records to digital mode	Optimization of binary digit codes in application software	b	Digital Rights Management refers to the control on use of copyrighted / IPR material and, hence, option B is correct. The other options are wrong.	M1DISA	30	66	M1DISA
31. Does the Operating system need auditing ?	Yes; there is risk of the OS being compromised	No; the application software prevents direct access to the OS	No; the OS is a robust system which cannot be tampered with	No, it is adequate if the application software are audited	a	Though, in the normal course, end-users to do not have direct access to the OS, they could find ways of by-passing the application software and reaching out to the OS. Unlike the application software which has high security features to prevent end users tampering with data which is not open to them, the OS is relatively more vulnerable since it sees all data as simple bits/bytes & cannot even distinguish between different types of data of different criticality.	M1DISA	31	146	M1DISA
32. Which of the following is the correct sequence of data hierarchy?	File, Database, Record, Field, Characters	Database, Record, File, Field, Characters	Database, File, Record, Field, Characters	Database, File, Field, Character, Records	c	The sequence of hierarchy from higher to lower levels is clearly as per Option C and the sequence of hierarchy for the other options are, therefore, wrong.	M1DISA	32	141	M1DISA
33. What are Characters ?	Characters are a group of bytes	Characters are a collection of bits	Characters are a group of 8 records	Characters are a group of 16 records	b	Characters are at the lowest in the Data hierarchy and comprise a collection of bits (Option B). The other options are wrong.	M1DISA	33	12	M1DISA
34. What are some of the major outcomes of the non-existence of an efficient database ?	High redundancy and low data integrity	Improved data sharing	Reduced dependence between data and application software	Better linkages between data originating from different sources	a	An efficient data base can reduce redundancy and improve data integrity (option A). The absence of a database will hinder data sharing & increase dependence between data and application software. An efficiently configured database will provide excellent networking of data from different sources.	M1DISA	34	184	M1DISA
35. What is a Database Management System?	A set of pre-loaded data relating to specific industries	Customer profile data used for managing an organization	Software for creation, control & manipulation of a database	Hardware specifically designed to handle databases	c	A database management system is a software which assists in the process of managing a database as brought out in option C. It is not just a set of data or hardware as indicated in the other options.	M1DISA	35	14	M1DISA
36. What are the major risks of having a Database management system ?	Reduced speed of access to records	High redundancy & duplication	Reduced data integrity	Cost and data security threats	d	The major risks involved are the cost (including time for implementation of a new system) and increased vulnerability owing to centralisation of information as indicated in Option D. Contrary to what is stated in the other options, a database management system improves speed of access to records, reduces redundancy and improves data integrity.	M1DISA	36	113	M1DISA
37. Which of the following is the logic typical of a Relational Database Management System ?	Records have a one to many relationship in parent/child format	Collection of one or more relations in two dimensional table form	Records have many-to-many relationship in network form	Data is organized in a tree structure, in hierarchical format	b	The logic behind RDBMS is in table form with domain & entity constraints which ensure robustness of the system (Option B). The other options relate to the hierarchical and network types of database and are, hence, wrong.	M1DISA	37	166	M1DISA
38. Use of integrity constraints and normalisation is strongly typical of which type of software?	Relational Database Management System	Network Database Management System	Hierarchical Database Management System	Foxpro, Excel systems of spreadsheet	a	The use of integrity constraints and normalization is typical of RDBMS and not of the other three options.	M1DISA	38	157	M1DISA
39. Which of the following defines the logical structure of the database, its relations & constraints ?	Internal Schema	External Schema	Conceptual Schema	Logic unit in CPU	c	It is the Conceptual Schema which defines the logical structure of the database including its relations and constraints and not the other options indicated.	M1DISA	39	27	M1DISA
40. Which of the following is a database language used to define & describe data & relationships ?	Data Manipulation Language or DML	Data Control Language or DCL	Data Definition Language or DDL	Excel and Lotus 123	c	DDL is a collection of instructions and commands used to define and describe data and relationships (Option C). DML, DCL & the spread sheet softwares are not the appropriate answer.	M1DISA	40	196	M1DISA
41. Which of the following are typical features of Data Definition Language?	Not used by Database administrators or designers	SQL commands dealing with data	Generally used by a common user	Used to define both conceptual & internal schemas	d	DDL is a database language used by administrators and designers to define both conceptual & internal schemas. It does not deal with data but only with the structure. It is generally not used by the common user. Hence, only Option D is correct.	M1DISA	41	144	M1DISA
42. Which of the following are typical of Data Manipulation Language ?	Cannot be used for querying the database	Used to retrieve, insert, delete or modify data	SQL commands which do not allow changing of data	Application software will not be able to access it	b	DML is a database language used to query & manipulate data. Application software are able to meet user needs only by interacting with the DML. Hence, only Option B is correct.	M1DISA	42	128	M1DISA
43. What is a Data Dictionary ?	It provides a definition of terms and data elements	A dictionary which facilitates conversion of bytes into numbers	A software which helps convert machine language to English	A software which helps convert assembly language to English	a	It is the documentation of database providing detailed description of every data in the database. It provides a standard definition of terms and data elements (Option A). The other options are factually wrong.	M1DISA	43	29	M1DISA
44. What are Meta Data ?	Metadata refers to data of large sizes, millions, billions, etc.	Metadata is data about one or more aspects of data	Metadata is data relating to meteorological parameters	Metadata is data that is universal to different types of software	b	Metadata is data about data. It covers aspects like meaning, purpose, time & date of creation, etc. of data. Option B, obviously, is the correct choice. The other options are incorrect.	M1DISA	44	87	M1DISA
45. Centralised Deployment Strategy involves _______________	Centralized database & de-centralized decision making	De-centralized database and centralized decision making	Centralized database & centralized decision making	Multiple server usage	c	Centralized deployment strategy uses a central database with all user communication being directed to it. Decision making, too, therefore, gets centralized as a consequence (Option C). Such a strategy use of a single hardware/software platform & a single server; hence, the other options are not correct.	M1DISA	45	178	M1DISA
46. An important drawback of Centralised Deployment Strategy is _________________	Vulnerability to single point of failure	Resource sharing of reduced order	Poorer economies of scale	Reduced security	a	Centralized deployment strategy concentrates all its resources at one central point making it vulnerable to total system failure in the event of this central point being compromised in any manner (Option A). Resource sharing, in fact, is a strong plus point for centralized deployment. Similarly, this system has better economies of scale owing to use of large size hardware & larger number of software licences. Since everything is centralized, possibilities of leakages are reduced since the number of exposed points are lesser. Hence, the other options are not correct.	M1DISA	46	1	M1DISA
47. An important feature of Decentralized deployment strategy would be _______________	Information systems would be more compatible	Reduced duplication of records, processes	Business strategy based localization of database possible	Adequate centralized control through security implementation	c	The single major advantage of decentralized deployment strategy is its potential for tweaking the database to suit local requirements (Option C). However, compatibility of information systems may take a hit since multiple versions could be involved depending upon the geographic or business segment-wise spread of the organization. Risk of duplication of records is higher since multiple versions at different locations may be involved. Centralized control and security management would also be to a reduced extent. Hence, the other options are not correct.	M1DISA	47	29	M1DISA
48. A KEY disadvantage of Decentralised Deployment Strategy is ______________	Less flexibility to cope with internal/external changes	Potentially higher CAPEX requirement	Slower system development	Information systems could be mutually incompatible	d	A major disadvantage of decentralized deployment strategy is that, with de-centralized decision making, different tailor-made information systems may be created at different locations leading to potential incompatibility (Option D). On the other hand, given their de-centralized structure, they would have greater flexibility to cope with changes and can be developed/implemented quickly. Capex requirement could also be lesser owing ability to carry out changes in phases. Hence, the other options are not correct.	M1DISA	48	22	M1DISA
49. The IT components of a Core Banking Solution Data Centre would mainly depend upon ___________	Number of employees in the Bank	Type of services offered, risk management & control requirements	Annual Business volume	Nature of software applications used	b	The complexity of services offered including the response time, risk management objectives and control goals would drive the IT components of a CBS Data Centre (Option B). The elements in the other three options would have limited impact on the configuration of the data centre.	M1DISA	49	190	M1DISA
50. A near site facility is _______________	A data replication facility	Disaster recovery facility	Facility for storing data of secondary importance	Facility for storing employee data alone	a	A near-site facility is normally used as a data replication facility only (Option A). It would not be a prudent choice for a disaster recovery facility since, as a proximate location, the probability of its getting exposed to the same geographical risks is very high. In the usual course, no separate facility is created for secondary data or for employee data alone. Hence, the other options are not correct.	M1DISA	50	41	M1DISA
51. Configuration Identification involves ________________	Identification of all Information Systems components without reference to version	Identification of software components of Information Systems alone	Identification of all Information Systems components in a system	Identification of hardware components of Information Systems alone	c	Configuration identification involves identification of all versions & updates of both software and hardware. This facilitates continuous monitoring during the life cycle of the product & becomes useful at the time of any proposed changes in the components (Option C). Option A is wrong since it ignores the version, which is vital. B and D are incorrect since they are addressing either the software or hardware alone.	M1DISA	51	49	M1DISA
52. Hardening of Systems is _____________	A.Use of robust hardware to strengthen the system	B.Securely configuring systems to minimize security risks	C. Optimising configuration of hardware systems alone	D. Auditing configuration of software systems	b	Hardening of systems is the process of securely configuring computer systems to eliminate as many security risks as possible (Option B). It does not refer to use of robust hardware (Option A); nor does it limit itself to hardware alone (Option C) or software alone (Option D).	M1DISA	52	23	M1DISA
53. In IT, a network refers to ________________	A.Two or more devices which are able to exchange data between each other	B. Two or more computers which are able to exchange data between each other	C. Minimum of 8 computers which are able to exchange data between each other	D. Several computers separated over a minimum distance of 100 metres from each other	a	In IT, a network refers to two or more of any devices which are able to exchange data between each other; it includes devices like printers, computer terminals & other devices of communication (Option A). It is not limited to computers alone (Option B). A network could operate even out of the same building & there is no minimum stipulated distance between the devices (Options C & D)	M1DISA	53	186	M1DISA
54. In IT, a node refers to ______________	A. Every junction of cables in a computer network	B. Every computer in a computer network	C. Each component in a computer network	D. Every internet device in a computer network	c	In IT, a node refers to each component in a computer network (Option C). It does not refer to cable junctions (Option A). It is not restricted to computers alone but covers every type of device in the network (Option B). It is not restricted to internet devices in a network (Option D).	M1DISA	54	133	M1DISA
55. The main reason for networking computers is _______________	A. Reduce hardware cost	B. Reduce software cost	C. Resource sharing and communication	D. Essentially, to increase speed of computing	c	The main benefit of networking computers is sharing of resources and facilitating communications (Option C). Networking does not have the objective of reducing either hardware or software costs; nor does it have the advantage of improving speed of computing (Options A, B, & D).	M1DISA	55	159	M1DISA
56. One major benefit of networking computers is ________________	A. Facilitating user communication	B. Compartmentalisation of data	C. Reduced computing power	D. Reduced software costs	a	Facilitation of user communication is a major advantage of computer networking (Option A). Networking helps sharing of data and increases availability of computing power. It may not necessarily reduce software costs; in fact, they may increase on account of multiple licences being required for several terminals. Hence, the other options are not correct.	M1DISA	56	34	M1DISA
57. Protocol, in IT, is __________________	A. The basis for allotment of new computers	B. Arrangement of employee directories	C. A set of rules for Communication between systems	D. Proper behaviour while using computers	c	Protocol is a set of rules that makes communication possible (Option C). It does not refer to the basis for allotment of new computers, the arrangement of employee directories or behaviour while using computers (Options A,B, & D).	M1DISA	57	71	M1DISA
58. Data transmission _____________	A. Can be only through a voltage signal & not through radio or microwave	B. Is always digital in nature; one cannot transfer data in analog form	C. Ìs the physical transfer of data over a communication channel	D. Can happen only through a copper wire or optical fibre	c	Data transmission is the physical transfer of data. It can be through electrical, radio, microwave or infrared signals. It can be over copper wires, optical fibres, wireless channels or through a storage medium. It can be either digital or analog. Hence, only Option C is correct and the other options are wrong.	M1DISA	58	48	M1DISA
59. Simplex communication _________________	A. Always involves uni-directional transmission of data	B. Can involve uni-directional or multi-dimensional data transmission	C. Can handle two-way communication	D. facilitates return of error or control signals to the transmitter	a	In simplex communication data always flows from one node to another it is always uni-directional. It does not involve multi-dimensional transmission of data. It also cannot handle two-way communication or allow sending back of error or control signals to the transmitter. Hence, only Option A is correct & the other options are wrong.	M1DISA	59	124	M1DISA
60. Half Duplex communication ________________	A. has capability to send and receive simultaneously	B. is cheaper than the Simplex system	C. is costlier than the full Duplex system	D. has facilities to send and receive but only one operation can be performed at a time	d	Half Duplex communication has the capability to both send and receive but with the restriction that only one activity can be done at a time. It is more expensive than the Simplex system but cheaper than the full Duplex system. Hence, only Option D is correct.	M1DISA	60	161	M1DISA
61. Full Duplex communication __________________	A. Cannot handle two way communication	B. Is the most expensive method in terms of equipment cost	C. Cannot handle simultaneous two way communication	D. is cheaper than Simplex communication	b	Full Duplex communication has the capability to handle simultaneous two way communication. It is like two Simplex systems put together and, hence, is expensive. Hence, only Option B is correct.	M1DISA	61	35	M1DISA
62. Asynchronous transmission __________________	A. Is a communication technique where signal timing is not used for determining byte boundary	B. Does not require start and stop bits that provide byte timing	C. Is not suited for applications where messages are generated at irregular intervals	D. Is faster since it does not require insertion of start & stop bits into the bit stream	a	Asynchronous transmission involves the use of start and stop bits that provide byte timing. Hence, signal timing is not important & communication can happen between devices of dissimilar speed. However, speed is slower owing to the intervening start and stop bits. Hence, only Option A is correct.	M1DISA	62	136	M1DISA
63. Synchronous transmission _____________	A. Does not place the responsibility for grouping the bits on the receiver	B. Is a communication technique where start and stop bits are not used	C. Requires no synchronization between clocks of the sender & receiver	D. Is slow and can handle limited data rate	b	Synchronous transmission does away with the use of start and stop bits that provide byte timing. It shifts the responsibility for grouping of the bits to the receiver. It, however, requires synchronization of the clocks between sender and receiver. It is faster than asynchronous transmission and can support high data rates. Hence, only Option B is correct.	M1DISA	63	140	M1DISA
64. What are the features of a Local Area Network (LAN) ?	A. Connectivity is established only as and when required	B. Its security is low and error rates high	C. It interconnects devices within a limited geographical area	D. Installation and maintenance is cumbersome	c	LANs interconnect devices within a limited geographical area. Connectivity is ongoing and permanent. Its security is high and error rates low. Installation and maintenance are relatively easy. Hence, only Option C is correct.	M1DISA	64	95	M1DISA
65. What are the features of a Wide Area Network (LAN) ?	A. A WAN comprises interconnected switching nodes covering a wide area	B. Connectivity is established on a permanent basis	C. WANs use only private networks	D. All devices in a WAN will have the same network ID	a	WANs interconnect devices over a large geographical area using both private and public networks. The connected devices, therefore, could have different network Ids. Connectivity can be on demand or permanent. Hence, only Option A is correct.	M1DISA	65	40	M1DISA
66. A KEY characteristic of a Metropolitan Area Network (MAN) is __________	A. Can provide only for data transmission	B. Feasibility to service customers in a large city-wide area	C. Can handle only voice & video transmission	D. Higher cost than service from telephone company	b	MANs play a role in meeting the growing needs of an organization with lower costs and higher capacity. It can provide for both data and voice transmission. Its cost & efficiency are generally more favourable as compared to telephone company services. Hence, only Option B is correct.	M1DISA	66	129	M1DISA
67. Client Server architecture is characterized by ________________	A. Computational & interface-oriented logic are married together	B. Client process does not avail services of server	C. A dedicated server that provides resources to clients	D. Client executes in the same address space as the server	c	Client Server architecture is characterized by a dedicated file server that runs the network, granting other nodes or clients access to resources. The computational and interface-oriented logic are separated rather than the computers themselves. The client executes in a different address space from the server. Hence, only Option C is correct.	M1DISA	67	146	M1DISA
68. Peer-to-Peer Networking is characterized by _____________________	A. Sharing of resources without use of a separate server computer	B. Need for a network administrator in lieu of the server	C. Security and integrity of data is better than in client server configuration	D. Horizontal & vertical scalability of architecture feasible	a	Peer-to-Peer networking involves connection of two or more computers and sharing of resourced without any separate server. All the computers share equal responsibility for processing data. No network administrator is required. Security and integrity of data is more vulnerable as compared to client server architecture. Vertical scalability of architecture is not possible since no server is involved. Hence, only Option A is correct.	M1DISA	68	65	M1DISA
69. What are the features of Middleware ?	A. They manage all activities except transporting, queuing and scheduling	B. They can operate with devices/systems on a single platform alone	C. They control communication, leaving authentication/delivery to the server	D. They are software that help clients communicate with server applications	d	Middleware are programs which help clients communicate with server applications. They control communication, authentication as well as delivery. They manage transporting, queuing as well as scheduling. They have the capability to work with diverse platforms. Hence, only Option D is correct.	M1DISA	69	92	M1DISA
70. What are the features of a co-axial cable?	A. The axes of the two conductors in the co-axial cable are different	B. It comprises a core conductor enclosed by a plastic cladding, a wire mesh & plastic cladding	C. It is easy to install but has high attenuation loss	D. It is cheaper than twister pair cables but more expensive than optical fibre cable	b	Co-axial cables consist of a central core conductor surrounded by a plastic cladding, an outer wire mesh and a protective outer plastic cladding. The axis of both the conductors is the same & hence the name co-axial. It is easy to install and has low attenuation loss. It is moderately expensive but cheaper than optical fibre cable. Hence, only Option B is correct.	M1DISA	70	159	M1DISA
71. What are the characteristics of a Twisted pair cable ?	A. Comprises 2 separate insulated wires in a twisted pattern that run parallel to each other	B. Comprises 4 separate insulated wires in a twisted pattern run parallel to each other	C. Comprises 2 separate insulated wires in a twisted but non parallel pattern	D. It is a form of unguided transmission media	a	Twisted pair cables consist of 2 separate insulated wires in a twisted pattern run parallel to each other. It is a form of guided transmission media with reduced electro magnetic interference. Option A is the only correct option.	M1DISA	71	22	M1DISA
72. What are the characteristics of an Optical Fibre cable ?	A. It has high integrity and high attenuation over long distances	B. It has lower carrying capacity as compared to metallic conductors	C. It has an inner core which works through light based signalling	D. It consumes more power since signals degrade faster in the system	c	An Optic fibre cable consists of an inner core made of glass/plastic/polymer/ acrylic which uses light based signalling. It has high integrity as well as low attenuation over long distances. It has higher carrying capacity & consumes lesser power since signals do not degrade as fast as in other systems. Hence, Option C is the only correct option.	M1DISA	72	99	M1DISA
73. Which of the following are un-guided transmission media ?	A. Optical Fibre Cables	B. Co-axial cables	C. Twisted pair cables	D. Radio Waves	d	Options A, B, and C are all instances of guided transmission media wherein data signals are guided through a specific path. Radio waves, on the other hand, are transmitted without any cables and are un-guided. Hence, only Option D is correct.	M1DISA	73	66	M1DISA
74. In guided media transmission, signals are propagated through _____________	A. Ground wave propagation	B. Various types of cables	C. Ionospheric propagation	D. Line-of-sight propagation	b	Options A, C, and D are all instances of unguided transmission media wherein data signals are not guided through a specific path. Propagation through cables, on the other hand, is a form of guided media transmission wherein the data signals are guided along a specific path through the cable. Hence, only Option B is correct.	M1DISA	74	149	M1DISA
75. What is a Hub ?	A. It is a hardware device that provides multiport connectivity	B. It offers intelligence in interpreting data received by it	C. It is an expensive device for transport of data between devices	D. Hubs are exclusively passive & cannot do anything with the signal	a	A hub is a hardware device that contains multiple independent ports matching the cable type. It does not offer any intelligence in dealing with data received by it. However, an active hub can amplify/regenerate incoming signals before onward transmission. It is relatively inexpensive. The correct answer is Option A.	M1DISA	75	109	M1DISA
76. What is a Switch ?	A. It does not offer intelligence in interpreting data received by it	B. It increases congestion & slows up the network	C. It is a special type of hub with additional layer of intelligence which reads the MAC address	D. It is a type of network interface card operating without a switching table	c	A switch is a special type of hub with an additional layer of intelligence. It reads the MAC address of each frame received by it and, based upon the switching table, carries out onward transmission to the node to which the frame is addressed. It decreases congestion and speeds up the network. It is not a type of network interface card. The correct answer is Option C.	M1DISA	76	102	M1DISA
77. What are Bridges ?	A. Bridges are used to extend or segment networks	B. Bridges sit within a segment & manage incoming/outgoing data	C. Bridges cannot block or forward the data	D. Bridges can forward the data to the relevant address but not block it	a	A bridge is used to extend or segment networks. It sits between two physical segments & manages the flow of data. It can choose to either block or forward the data. The correct answer, hence, is Option A.	M1DISA	77	77	M1DISA
78. What is a typical feature of a Router ?	A. It is a networking device used to forward data packets along networks	B. It is always a dedicated hardware device & cannot be a computer	C. It copies the packets to all connected destinations without discrimination	D. It does not contain any database of network addresses or pathways	a	A router is a dedicated networking device or computer system with more than one network interface. It is used to forward data packets along networks utilizing its database of network addresses and alternate pathways. It selectively forwards data packets to the next hope in the route to the destination. The correct answer, hence, is Option A.	M1DISA	78	78	M1DISA
79. What is a typical feature of a Gateway ?	A. It is necessary for connecting networks with identical protocols	B. It is a device that translates one data format to another	C. It translates both the data format as well as the data itself	D. It is used to forward data packets along networks	b	A gateway is a device that translates one data format to another, e.g., Email gateways. It is useful in connecting networks with different protocols. It does not tinker with the actual data & only translates the data format. The correct answer is Option B.	M1DISA	79	29	M1DISA
80. What is typical of Bus topology ?	A. Bus topology contains a single hub connecting all nodes	B. Connects computers on a single circle of cable	C. Computers are connected on a single backbone cable	D. In this system, every node is connected to every other node	c	In Bus topology, all the computers in the network are connected on a single backbone cable. All the computers in the network receive incoming messages from any other computer; however, only the intended recipient accepts and processes the message. It is not on a single hub or circle of cable and each of the nodes are not connected to each other. The correct answer is Option C.	M1DISA	80	21	M1DISA
81. What is typical of Star topology ?	A. Contains a central hub or switch to which each node is connected	B. All the computers are connected to a single backbone hub	C. Connects computers on a single circle of cable	D. In this system, every node is directly connected to every other node	a	Star topology comprises a system of a central hub or switch to which each node is connected. Separate cables are drawn from each and every node to the central hub. It does not involve a single backbone hub or a single circle of cable. Every node is connected to the central hub or switch and not to each other. The correct answer, therefore, is Option A.	M1DISA	81	102	M1DISA
82. What are the features of Ring topology ?	A. All the computers are connected to a single backbone hub	B. Connects computers to a central hub or switch	C. In this system, every node is directly connected to every other node	D. It connects computers on a single ring of cable	d	In Ring topology, every computer is connected to two other neighbours for communication. Messages travel uni-directionally, either clockwise or anti-clockwise. It does not involve the use of a single backbone hub or a central hub/switch. The correct answer, therefore, is Option D.	M1DISA	82	79	M1DISA
83. What are the features of Mesh topology ?	A. All the computers are connected to a single backbone hub	B. Involves physical connection of every node with every other node	C. Connects computers to a central hub or switch	D. Ideally suited for systems with need for low degree of fault tolerance	b	Mesh topology involves physical connection of every node with every other node. It is rather complex and requires the maximum number of cables. However, it is ideally suited for large telecommunication companies or an internet service provider who cannot afford to have a high degree of fault tolerance. It is not connected to a single backbone or hub/switch. The correct answer, therefore, is Option B.	M1DISA	83	132	M1DISA
84. What are the features of Circuit switching ?	A. Involves temporary connection between 2 devices for transmission duration	B. Signal transmission can commence even without end-to-end connection establishment	C. Data transfer can be only through binary data & not through analog/digital voice	D. Special training/protocol required to handle data traffic	a	Circuit switching is a type of communication when a temporary physical connection is established between 2 devices for the duration of the transmission session. Signal transmission can commence only after the establishment of an end-to-end connection. Information transfer can be through binary data as well as analog/digital voice. No special training/protocol is required. The correct answer, therefore, is Option A.	M1DISA	84	24	M1DISA
85. What are the features of Packet switching ?	A. Requires point-to-point connection establishment for transmission	B. It breaks up a message into smaller packets for transmission	C. Packets in each message need to travel in the same path & sequence	D. Since sequential transmission happens, destination devices need not reassemble them	b	Packet switching involves the breaking up of a message into smaller packets for transmission. Since each packet has the destination address, packets need not travel in the same path or sequence; the destination device reassembles them into proper sequence. The correct answer, therefore, is Option B.	M1DISA	85	6	M1DISA
86. What are the features of Message switching ?	A. Data is stored at switching point & sent forward whenever pathway is available	B. Data is not stored at switching points & transmitted continuously	C. Data is transmitted in packets transmitted in the same path & sequence	D. Physical path establishment is a pre-requisite to transmission	a	Message switching or store-and-forward switching involves accumulation of data at switching points and onward transmission as and when the pathway is available. No physical path is established in advance between the sender and the receiver. Data is not transmitted in packets. The correct answer, therefore, is Option A.	M1DISA	86	175	M1DISA
87. What is multiplexing ?	A. Permits sequential transmission of multiple signals on a single carrier	B. Facilitates transmission of signals in sequence, one at a time	C. It is the simultaneous transmission of multiple signals on a single carrier	D. Refers to simultaneous transmission of multiple signals on multiple carriers	c	Multiplexing refers to simultaneous transmission of multiple signals on a single carrier (Option C). The other options are factually incorrect.	M1DISA	87	168	M1DISA
88. Frequency division multiplexing involves _________	A. Assigning non-overlapping frequency ranges to different signals/users	B. Assigning overlapping frequency ranges to different signals/users	C. Assigning non-overlapping frequency ranges to a single signal/user	D. Use of digital technology when the link bandwidth is greater than sum of signal bandwidths	a	FDM assigns non-overlapping frequency ranges to different signals/users. It is an analog technique that can be applied when the bandwidth of the link is greater than the combined bandwidth of the signals to be transmitted. Hence, only Option A is correct.	M1DISA	88	191	M1DISA
89. Time Division Multiplexing involves ________________	A. Primarily analog technology in which several signals/bitstreams are transferred apparently simultaneously	B. Combination of analog & digital technology in which several signal/ bitstreams are transferred simultaneously	C. Solely analog technology in which several signals/bitstreams are transferred simultaneously	D. Division of time domain into several concurrent time slots of fixed length, one for each sub-channel	d	TDM involves a type of digital technology (rarely analog) in which several signals/bitstreams are transferred apparently simultaneously. In actual practice, however, it uses sub channels & each signal takes turns on the channel. Hence, only Option D is correct.	M1DISA	89	119	M1DISA
90. Wavelength Division Multiplexing is _____________	A. Conceptually similar to Time Division Multiplexing but using various wavelengths of light	B. Conceptually similar to Frequency Division Multiplexing but uses a single wavelength of light	C. Conceptually similar to Frequency Division Multiplexing but using various wavelengths of light	D. Conceptually similar to Time Division Multiplexing and uses a single wavelength of light	c	WDM is conceptually like FDM and multiplexes multiple optical carrier signals on a single optical fibre by using different wavelengths of laser light. Hence, only Option C is correct.	M1DISA	90	150	M1DISA
91. Connection oriented networking involves ________________	A. Transmission of data prior to establishment of connection	B. Establishment of connection prior to data exchange	C. Simultaneous establishment of connection & data exchange	D. Networking arrangements based upon priority of connection nodes	b	Connection oriented networking involves establishment of connection prior to data exchange. The other options are factually incorrect and, hence, only Option B is correct.	M1DISA	91	165	M1DISA
92. Connection less networking involves ______________	A. Data is exchanged without any prior establishment of connection	B. Transmission of data after establishment of connection	C. Simultaneous establishment of connection & data exchange	D. Exchanged data has no contact information of recipient	a	Connectionless networking involves data exchange without any prior establishment of connection. The exchanged data has complete contact information of recipient. The other options are factually incorrect and, hence, only Option A is correct.	M1DISA	92	57	M1DISA
93. Hardware __________________	A. Includes the physical computer as well as all the software loaded on to it	B. Includes the physical computer as well as the operating system loaded on it	C. Refers to the tangible portion of a computer	D. Comprises the cables, the pipes, etc. which carry information in and out of the computer	c	Hardware refers to the tangible portion of a computer. It does not include software or operating systems loaded onto it, nor does it comprise cables or pipes. Hence, A, B & D are clearly wrong answers.	M1DISA	93	68	M1DISA
94. Input devices include ______________	A. Printer	B. Cathode ray tube or monitor	C. KEYboard	D. Speaker	c	Input devices include devices like keyboards which help in entering data into the computer system. The other options (A, B, D) are instances of output devices. Hence, A, B & D are clearly wrong answers.	M1DISA	94	88	M1DISA
95. Output devices include __________	A. Liquid Crystal Display	B. Microphone	C. KEYboard	D. Mouse	a	Output devices include devices like Liquid Crystal Displays (LCDs) which display or output information from the computer. The other options (B, C, D) are instances of input devices. Hence, B, C & D are clearly wrong answers.	M1DISA	95	113	M1DISA
96. The Arithmetical & Logical unit of the CPU _________________	A. Can also be Accumulators	B. Performs mathematical & logical operations	C. Can also be Address Registers	D. Controls flow of data & instructions to and from memory	b	The Arithmetic and Logical unit (ALU) of the CPU performs mathematical and logical operations. It does not function as accumulators or address registers, nor does it control flow of data and instructions. Hence, A, C & D are clearly wrong answers.	M1DISA	96	191	M1DISA
97. Storage Registers _____________	A. Can store memory addresses that tell the CPU where in memory an instruction is located	B. Can keep running totals of arithmetic values	C. Can temporarily store data coming from or being sent to system memory	D. Can help move data from one location in the computer to another	c	Storage Registers can temporarily store data coming from or being sent to system memory. They do not store memory addresses (handled by address registers), nor do they keep running totals of arithmetic values or move data between locations. Hence, A, B, & D are clearly wrong answers.	M1DISA	97	145	M1DISA
98. Open Systems Interconnection (OSI)_______________	A. Deals with interconnection of Open systems software	B. Is effective in dealing with Open-source software	C. Deals with communication process without truncation in managing internetwork	D. Splits communication process to small portions in managing internetwork	d	The OSI model splits communication processes into smaller portions to manage internetworking. It is not about open systems software, open-source software, or managing internetwork communication without truncation. Hence, only Option D is correct.	M1DISA	98	101	M1DISA
99. What is ARPANET ?	A. Network of computers in Arabia & Pakistan	B. New cloud computing network being set up by the U.S.	C. Computer network set up under auspices of U.S. dept. Of Defence in 1969	D. Network of the Association of Resource Planners	c	ARPANET was a computer network set up under the auspices of the U.S. Department of Defense in 1969, which eventually evolved into the modern internet. Options A, B, and D are incorrect descriptions. Hence, only Option C is correct.	M1DISA	99	101	M1DISA
100. The suite of network protocol TCP/ IP evolved from _______________	A. Conventions developed by ARPA	B. Pioneering work & norm developed by Intel	C. International conference of global IT experts	D. Norms developed by Indian IT developers	a	The TCP/IP protocol suite evolved from conventions developed by ARPA (Advanced Research Projects Agency) to facilitate communication across diverse computer networks. Options B, C & D are incorrect. Hence, only Option A is correct.	M1DISA	100	130	M1DISA
101. Which international body takes a lead role in developing common protocols for the World Wide Web to promote its evolution and ensure its inter-operability ?	A. The Internet Society (ISOC)	B. The Internet Architecture Board	C. World Wide Web Consortium (W3C)	D. The Internet Engineering Task Force (IETF)	c	The World Wide Web Consortium (W3C) leads in developing common protocols for the WWW to ensure its evolution and inter-operability. Options A, B, and D do not perform this specific role. Hence, only Option C is correct.	M1DISA	101	61	M1DISA
102. Which international body handles governance of generic Top Level Domain (gTLD) & other related responsibilities ?	A. The Internet Corporation for Assigned Names and Numbers (ICANN)	B. World Wide Web Consortium (W3C)	C. The Internet Society (ISOC)	D. The Internet Architecture Board (IAB)	a	ICANN governs generic Top Level Domains (gTLDs) and related responsibilities globally. Options B, C, and D do not have this specific role. Hence, only Option A is correct.	M1DISA	102	153	M1DISA
103. Which international body bears the responsibility for technical activities of the Internet, including writing specifications & protocols ?	A. World Wide Web Consortium (W3C)	B. The Internet Society (ISOC)	C. The Internet Engineering Task Force (IETF)	D. The Internet Architecture Board (IAB)	c	The Internet Engineering Task Force (IETF) is responsible for technical activities of the internet, including writing specifications and protocols. Options A, B, and D do not perform this specific role. Hence, only Option C is correct.	M1DISA	103	7	M1DISA
104. Networking Protocol ______________	A. Is a set of rules that governs what, how and when data is communicated over a network	B. Is the set of international norms laid down for country priority in communication over a network	C. Is the set of international norms laid down for voice data communication alone	D. Is the set of international norms laid down for use of hardware in a network	a	Networking protocol is a set of rules that govern what, how, and when data is communicated over a network. It does not prioritize countries, nor is it specific to voice data or hardware usage in a network. Hence, only Option A is correct.	M1DISA	104	32	M1DISA
105. Syntax in Protocol represents __________	A. How data is communicated	B. When data is communicated	C. What is communicated	D. What, When & How data is communicated	c	Syntax in protocol represents what is communicated. It does not cover how or when data is communicated. Hence, only Option C is correct.	M1DISA	105	67	M1DISA
106. Semantics in Protocol represents ________________	A. What is communicated	B. When data is communicated	C. What, When & How data is communicated	D. How data is communicated	d	Semantics in protocol represents how data is communicated. It does not cover what or when data is communicated. Hence, only Option D is correct.	M1DISA	106	154	M1DISA
107. Timing in Protocol represents _______________	A. When data is transmitted but not how fast	B. The global time zones when data can be transmitted	C. When data is communicated & how fast	D. What, When & How data is communicated	c	Timing in protocol represents when data is communicated and how fast. It does not cover only when data is transmitted without speed or global time zones. Hence, only Option C is correct.	M1DISA	107	133	M1DISA
108. The Open System Interaction (OSI) reference model ________________	A. Makes inter-operability across heterogeneous technology environments possible	B. Is a 5 layered model, each specifying particular network functions	C. Is a 9 layered model, each specifying particular network functions	D. Has layers which are not self-contained & hence, dependent upon other layers	a	The OSI reference model makes inter-operability across heterogeneous technology environments possible by standardizing network functions into layers. It is a 7-layered model that is self-contained and independent. Options B, C, and D are incorrect descriptions. Hence, only Option A is correct.	M1DISA	108	121	M1DISA
109. In an OSI model, interfaces _______________	A. Describe (horizontal) communication between adjacent layers	B. Describe (vertical) communication between any two layers	C. Describe (horizontal) communication between any two layers	D. Describe (vertical) communication between adjacent layers	d	In an OSI model, interfaces describe (vertical) communication between adjacent layers. They do not describe horizontal communication between any two layers. Hence, only Option D is correct.	M1DISA	109	185	M1DISA
110. In an OSI model, protocols _______________	A. Describe (vertical) communication between adjacent layers	B. Describe (vertical) communication between any two layers	C. Describe (horizontal) communication between layers	D. Describe (horizontal & vertical) communication between adjacent layers	c	In an OSI model, protocols describe (horizontal) communication between layers. They do not describe vertical communication between layers or both horizontal and vertical communication between adjacent layers. Hence, only Option C is correct.	M1DISA	110	98	M1DISA
111. The sequence of layers in a typical OSI model is ____________	A. Application, Presentation, Session, Transport, Network, Data link, Physical	B. Application, Presentation, Session, Transport, Network, Data link, Application	C. Application, Presentation, Session, Transport, Network, Presentation, Application	D. Physical, Application, Presentation, Session, Transport, Network, Application, Physical	a	In an OSI model, the sequence of layers is as in Option A. The answers falling in options B to D are factually incorrect & only Option A is correct.	M1DISA	111	192	M1DISA
112. TCP/IP protocol suite is a bundle of protocols that area segmented into ____________	A. Five layers	B. Seven layers	C. Nine layers	D. Six layers	a	TCP/IP protocol is segmented into Five layers & only Option A is correct.	M1DISA	112	61	M1DISA
113. The sequence of layers in a typical TCP/IP protocol suite is __________	A. Application, Presentation, Session, Transport, Network, Data link, Application	B. Application, Presentation, Session, Transport, Network, Data Link, Physical	C. Application, Transport, Internet, Data link, Physical	D. Physical, Application, Presentation, Session, Transport, Network, Physical	c	TCP/IP protocol is segmented into five layers, sequenced as shown in Option C. The answers falling in options A B and D are factually incorrect & only Option C is correct.	M1DISA	113	135	M1DISA
114. The protocol typically used for web browsing is _____________	A. Simple Mail Transfer Protocol	B. Hyper Text Transfer Protocol	C. Simple Network Management Protocol	D. Domain Name System	b	The protocol used for web browsing is HTTP and not the protocols indicated in Options A, C and D. Only Option B is correct.	M1DISA	114	44	M1DISA
115. The protocol typically used for sending messages to other computer users based on email addresses is _____________	A. Hyper Text Transfer Protocol	B. Simple Network Management Protocol	C. Simple Mail Transfer Protocol	D. Domain Name System	c	The protocol used for sending messages to other computers using email addresses is SMTP and not the protocols indicated in Options A, B and D. Only Option C is correct.	M1DISA	115	57	M1DISA
116. The protocol typically used for logging on to a remote server is ___________	A. Terminal Network or TELNET protocol	B. Simple Mail Transfer Protocol	C. Hyper Text Transfer Protocol	D. Domain Name System	a	The protocol used for logging on to a remote server is TELNET and not the protocols indicated in Options B to D. Only Option A is correct.	M1DISA	116	149	M1DISA
117. The protocol typically used for transferring files from one computer to another is _________________	A. Terminal Network or TELNET protocol	B. File Transfer Protocol	C. Simple Mail Transfer Protocol	D. Hyper Text Transfer Protocol	b	The protocol used for transferring files from one computer to another is FTP and not the protocols indicated in Options A, C and D. Only Option B is correct.	M1DISA	117	143	M1DISA
118. The protocol that allows images, audio & non-ASCII formats to be included in email messages is __________________	A. Post Office Protocol	B. Internet Message Access Protocol	C. Hyper Text Transfer Protocol	D. Multipurpose Internet Mail Extensions	d	The protocol that allows images, audio & non-ASCII formats to be included in email messages is MIME. The other protocols indicated in Options A, B and C are not appropriate. Only Option D is correct.	M1DISA	118	185	M1DISA
119. One type of protocol used for retrieving email is ______________	A. Multipurpose Internet Mail Extensions	B. Hyper Text Transfer Protocol	C. Post Office Protocol	D. Internet Message Access Protocol	c	One type of protocol used for retrieving email is POP. The other protocols indicated in Options A, B and D are not appropriate. Only Option C is correct.	M1DISA	119	191	M1DISA
120. One typical characteristic of Transmission Control Protocol is _______________	A. It is not responsible for recovery of packets lost during transmission	B. It is not responsible for re-assembling the message at the other end	C. It is responsible for recovery of packets lost during transmission	D. It is not responsible for re-sending anything that is lost in transit	c	TCP is responsible for recovery of packets lost during transmission as mentioned in Option C. The choices in other options are factually incorrect. Only Option C is correct.	M1DISA	120	62	M1DISA
121. Positive Acknowledgement with Re-transmission (PAR), the mechanism that sends data to a recipient repeatedly till it receives a Data OK signal, is an inherent part of _____________	A. Transmission Control Protocol	B. Internet Message Access Protocol	C. Simple Mail Transfer Protocol	D. Terminal Network Protocol	a	PAR is an inherent part of TCP and not the other protocols indicated in Options B to D. Hence, only Option A is correct.	M1DISA	121	68	M1DISA
122. The objective of Network Layer is _______________	A. To provide security by building in fail-safe protection	B. To decide which physical path the information should follow from source to destination	C. Accelerate the flow of data through encryption	D. To validate the data & ensure delivery is completed without errors	b	The objective of Network Layer is to decide which physical path the information should follow from source to destination. The answers given in the other options A, C and D are not correct. Hence, only Option B is correct.	M1DISA	122	195	M1DISA
123. What is Internet Control Message Protocol (ICMP) ?	A. A mechanism to ascertain the IP address given a physical address (MAC)	B. A method of ascertaining the physical address (MAC), given the IP address	C. A mechanism to send notification of datagram problems back to sender	D. A system by which new internet IP addresses can be created	c	ICMP is a mechanism to send notification of datagram problems back to sender. It cannot help locate the IP address or physical address, given the other element. Nor can it help create new IP addresses. Hence, only Option C is correct.	M1DISA	123	193	M1DISA
124. What is Address Resolution Protocol (ARP) ?	A. A method of ascertaining the physical address (MAC), given the IP address	B. A mechanism to ascertain the IP address given a physical address (MAC)	C. A mechanism to send notification of datagram problems back to sender	D. A system by which new internet IP addresses can be created	a	ARP is a method of ascertaining the physical address (MAC), given the IP address. It cannot help locate the IP address given a physical address. It is also not a mechanism to send notification of datagram problems back to sender. Nor can it help create new IP addresses. Hence, only Option A is correct.	M1DISA	124	98	M1DISA
125. What is Reverse Address Resolution Protocol (RARP) ?	A. A mechanism to ascertain the physical address (MAC), given an IP address	B. A mechanism to send notification of datagram problems back to sender	C. A method of ascertaining the IP address, given the physical address (MAC)	D. A system by which new internet IP addresses can be created	c	RARP is a method of ascertaining the IP address, given the physical address (MAC). It cannot help locate the physical address given an IP address. It is also not a mechanism to send notification of datagram problems back to sender. Nor can it help create new IP addresses. Hence, only Option C is correct.	M1DISA	125	49	M1DISA
126. The protocol data unit for Transport layer of TCP/IP is called __________	A. A Segment	B. A Packet	C. A Frame	D. A Bit	a	The protocol data unit for Transport Layer of TCP/IP is called a Segment; the others refer to names used for other layers. Hence, only Option A is correct.	M1DISA	126	111	M1DISA
127. The protocol data unit for Network Layer of TCP/IP is called ___________	A. A Segment	B. A Bit	C. A Packet	D. A Frame	c	The protocol data unit for Network Layer of TCP/IP is called a Packet; the others refer to names used for other layers. Hence, only Option C is correct.	M1DISA	127	141	M1DISA
128. The protocol data unit for Data Link Layer of TCP/IP is called _____________	A. A Segment	B. A Frame	C. A Packet	D. A Bit	b	The protocol data unit for Data Link Layer of TCP/IP is called a Frame; the others refer to names used for other layers. Hence, only Option B is correct. The protocol data unit (PDU) at this layer is called a frame. A Segment refers to the PDU at the Transport Layer. A Packet refers to the PDU at the Network Layer.	M1DISA	128	18	M1DISA
129. The protocol data unit for Physical Layer of TCP/IP is called ?	A. A Packet	B. A Frame	C. A Bit	D. A Segment	c	The protocol data unit for Physical Layer of TCP/IP is called a Bit; the others refer to names used for other layers. Hence, only Option C is correct. The Layer 4: transport layer PDU is the segment or the datagram. The Layer 3: network layer PDU is the packet. The Layer 2: data link layer PDU is the frame. The Layer 1: physical layer PDU is the bit or, more generally, symbol.	M1DISA	129	119	M1DISA
130. The Data Link Layer ____________	A. Performs the task of delivery over local networks and error detection	B. Enables us to find the best way from origin to destination	C. Runs application to access other layers’ services & defines protocols	D. Provides the path through which data moves among network devices	a	The Data Link Layer performs the task of delivery over local networks and error detection. The other options refer to functions of other layers of TCP/IP protocol. Hence, only Option A is correct.	M1DISA	130	132	M1DISA
131. The Application Layer __________	Performs the task of delivery over local networks and error detection	Provides the path through which data moves among network devices	Runs application to access other layers’ services & defines protocols	Enables us to find the best way from origin to destination	c	The Application Layer runs various applications which provide them the ability to access the services of the other layers and define the protocols that applications use to exchange data.	M1DISA	131	87	M1DISA
132. The Cyclic Redundancy Check ________________	Is a check conducted by Application Layer	Is a check carried out by the Physical Layer on each stream of bits	Is a calculated value of the Data Link Layer for error detection	Is a check carried out by the Network Layer to identify the shortest route	c	The Cyclic Redundancy Check is a calculated value that is place in the Data Link trailer that is added to the message frame. It helps detect errors.	M1DISA	132	122	M1DISA
133. One characteristic of the Physical Layer of TCP/IP is ____________	The sender and receiver need not be synchronized at the bit level	It deals in zeroes and ones and voltages	The bits need not be encoded into electrical/optical signals for purposes of transmission	Its data unit is called a segment	b	The Physical Layer deals in zeroes and ones and voltages.	M1DISA	133	64	M1DISA
134. Wi-Fi ____________	Is a wireless networking technology that uses radio waves	Has typical access range of about 130 metres	Can handle internet connectivity but not to other networks	Is a networking technology that requires physical cable connections	a	Wi-Fi is a wireless networking technology using radio waves that can handle both internet and other network connections.	M1DISA	134	29	M1DISA
135. Bluetooth Technology ____________	Has typical access range of about 200 metres	Can handle data but not voice transmission	Aims at unifying different platforms & devices	Has a major drawback, that of data security	c	Bluetooth technology, a wireless technology for exchange of data over short distances, aims at unifying different platforms and devices.	M1DISA	135	202	M1DISA
136. An IP Network ________________	Uses Internet Protocol to send/receive messages between computers	Can be implemented only in internet networks	Can operate even in the absence of an IP address	Is designed to function effectively without configuration of the hosts with the TCP/IP suite	a	An IP Network uses Internet Protocol to send/receive messages between two or more computers.	M1DISA	136	85	M1DISA
137. IP Addresses ________________	Are allocated to computer servers alone on the network	Are allocated to client devices alone on the network	Are given by IP Addressing Scheme for identifying hosts	For the destination host alone are contained in every IP packet	c	IP addresses are allocated by the IP Addressing Scheme for every host, whether client, server, or network device.	M1DISA	137	140	M1DISA
138. IP Version 4 _________________	Is an address which is 8-bits in length	Is an address which is 32-bits in length	Is an address which is 16-bits in length	Varies in address length depending upon the message	b	IP Version 4 addresses are invariably of 32-bit length.	M1DISA	138	77	M1DISA
139. IP Version 4 is written in the form of ______________	32 bytes separated by dots	16 bytes separated by dots	4 Octets or bytes separated by dots	4 bits separated by dots	c	IP Version 4 is written in the form of 4 Octets or bytes separated by dots.	M1DISA	139	181	M1DISA
140. An IP Version 4 address can have a value from ____________	to 11111111.11111111.11111111.11111111	to 99999999.99999999.99999999.99999999	to 88888888.88888888.88888888.88888888	to 32000000.32000000.32000000.32000000	a	An IP Version 4 can have a value from 00000000.00000000.00000000.00000000 to 11111111.11111111.11111111.11111111 since each bit is binary and can take either a 0 or 1 value.	M1DISA	140	175	M1DISA
141. Each Octet in an IP Version 4 address _______________	Could have as many as 32 values	Could have as many as 1 billion values	Could have only two values 0 or 1	Could have as many as 256 values	d	Each Octet in an IP Version 4 address could have a value ranging from 0000 to 1111 or 0 to 255 in binary language. Thus, 256 values in total are possible.	M1DISA	141	164	M1DISA
142. A Network IP has _______________	All zeros in the host bit	All ones in the network bit	All zeros in the network bit	All ones in the host bit	a	A Network IP has all zeros in the host bit whereas a Broadcast IP has all ones in the host bit.	M1DISA	142	163	M1DISA
143. A Broadcast IP has _____________	All zeros in the network bit	All ones in the host bit	All ones in the network bit	All zeros in the host bit	b	A Broadcast IP has all ones in the host bit whereas a Network IP has all zeros in the host bit.	M1DISA	143	132	M1DISA
144. The objective of the IP Classful Addressing Scheme is ___________	To Designate separate classes based upon software used	Designate separate classes based upon geographical location	Designate separate classes based upon year of allocation	improve efficiency in address allocation	d	The purpose of the IP Classful Addressing Scheme is to improve efficiency in address allocation.	M1DISA	144	78	M1DISA
145. The Octet decimal range of Class A of the IP Classful Addressing Scheme is _______________	1 to 126	0 to 126	155 to 201	224 to 239	a	The Octet decimal range of Class A of the IP Classful Addressing Scheme is 1 to 126.	M1DISA	145	28	M1DISA
146. The Octet decimal range of Class B of the IP Classful Addressing Scheme is _______________	138 to 191	201 to 239	128 to 191	205 to 255	c	The Octet decimal range of Class B of the IP Classful Addressing Scheme is 128 to 191.	M1DISA	146	164	M1DISA
147. The Octet decimal range of Class C of the IP Classful Addressing Scheme is _______________	201 to 223	1 to 126	205 to 255	192 to 223	d	The Octet decimal range of Class C of the IP Classful Addressing Scheme is 192 to 223.	M1DISA	147	158	M1DISA
148. The Octet decimal range of Class D of the IP Classful Addressing Scheme is _______________	224 to 239	201 to 239	1 to 126	205 to 255	a	The Octet decimal range of Class D of the IP Classful Addressing Scheme is 224 to 239.	M1DISA	148	107	M1DISA
149. The Octet decimal range of Class E of the IP Classful Addressing Scheme is _______________	240 to 256	240 to 254	1 to 126	205 to 255	b	The Octet decimal range of Class E of the IP Classful Addressing Scheme is 240 to 254.	M1DISA	149	161	M1DISA
150. The Higher Order bit in the first Octet of Class A of the IP Classful Addressing Scheme is ________	0	1	1111	0	d	The higher order bit in the first Octet of Class A of the IP Classful Addressing Scheme is 0.	M1DISA	150	85	M1DISA
151. The Higher Order bit in the first Octet of Class B of the IP Classful Addressing Scheme is ______________	A. 110	B. 11	C. 10	D. 1111	c	The higher order bit in the first Octet of Class B of the IP Classful Addressing Scheme is 10 as shown in Option C.	M1DISA	151	204	M1DISA
152. The Higher Order bit in the first Octet of Class C of the IP Classful Addressing Scheme is _____________________	A. 110	B. 30	C. 111	D. 1111	a	The higher order bit in the first Octet of Class C of the IP Classful Addressing Scheme is 110 as shown in Option A.	M1DISA	152	154	M1DISA
153. The Higher Order bit in the first Octet of Class D of the IP Classful Addressing Scheme is ___________________	A. 9999	B. 111	C. 1110	D. 1111	c	The higher order bit in the first Octet of Class D of the IP Classful Addressing Scheme is 1110 as shown in Option C.	M1DISA	153	93	M1DISA
154. The Higher Order bit in the first Octet of Class E of the IP Classful Addressing Scheme is ___________________	A. 9999	B. 1111	C. 1110	D. 1010	b	The higher order bit in the first Octet of Class E of the IP Classful Addressing Scheme is 1111 as shown in Option B.	M1DISA	154	175	M1DISA
155. The Network (N)/Host (H) id of Class A of the IP Classful Addressing Scheme is __________________	A. N.H.H.H	B. H.N.N.N	C. N.N.H.H.	D. H.H.N.N	a	The Network (N)/Host (H) id of Class A of the IP Classful Addressing Scheme is N.H.H.H as indicated in Option A.	M1DISA	155	102	M1DISA
156. The Network (N)/Host (H) id of Class B of the IP Classful Addressing Scheme is _________________	A. H.N.N.N	B. N.H.H.H.	C. H.H.N.N	D. N.N.H.H	d	The Network (N)/Host (H) id of Class B of the IP Classful Addressing Scheme is N.N.H.H as indicated in Option D.	M1DISA	156	139	M1DISA
157. The Network (N)/Host (H) id of Class C of the IP Classful Addressing Scheme is _________________	A. H.H.H.N	B. N.N.N.H	C. N.H.H.H.	D. H.H.N.N	b	The Network (N)/Host (H) id of Class C of the IP Classful Addressing Scheme is N.N.N.H as indicated in Option B.	M1DISA	157	179	M1DISA
158. The default sub-net mask of Class A of the IP Classful Addressing Scheme is _________________	A. H.H.H.N	B. N.H.H.H.	C. 255.255.0.0	D. 255.0.0.0	d	The default sub-net mask of Class A of the IP Classful Addressing Scheme is 255.0.0.0 as indicated in Option D.	M1DISA	158	154	M1DISA
159. The default sub-net mask of Class B of the IP Classful Addressing Scheme is _________________	A. 255.255.0.0	B. H.H.H.N	C. N.H.H.H.	D. 255.255.255.0	a	The default sub-net mask of Class B of the IP Classful Addressing Scheme is 255.255.0.0 as indicated in Option A.	M1DISA	159	195	M1DISA
160. The default sub-net mask of Class C of the IP Classful Addressing Scheme is _________________	A. 255.255.0.0	B. N.H.H.H.	C. 255.255.255.0	D. 256.256.256.0	c	The default sub-net mask of Class C of the IP Classful Addressing Scheme is 255.255.255.0 as indicated in Option C.	M1DISA	160	149	M1DISA
161. The number of networks that can be accommodated in Class A of the IP Classful Addressing Scheme is _________________	A. 255	B. 1 million	C. 365	D. 126	d	The number of networks that can be accommodated in Class A of the IP Classful Addressing Scheme is 126 as indicated in Option D.	M1DISA	161	186	M1DISA
162. The number of networks that can be accommodated in Class B of the IP Classful Addressing Scheme is _________________	A. 16,382	B. 126	C. 1 million	D. 255	a	The number of networks that can be accommodated in Class B of the IP Classful Addressing Scheme is 16,382 as indicated in Option A.	M1DISA	162	187	M1DISA
163. The number of networks that can be accommodated in Class C of the IP Classful Addressing Scheme is _________________	A. 16382	B. 1 million	C. 20,97,150	D. 255	c	The number of networks that can be accommodated in Class C of the IP Classful Addressing Scheme is 20,97,150 as indicated in Option C.	M1DISA	163	7	M1DISA
164. The number of hosts per network (usable addresses) that can be accommodated in Class A of the IP Classful Addressing Scheme is _________________	A. (224 -2) or 1,67,77,214	B. (210-2) or 1022	C. 126	D. 255	a	The number of hosts per network that can be accommodated in Class A of the IP Classful Addressing Scheme is (224-2) or 1,67,77,214 as indicated in Option A.	M1DISA	164	149	M1DISA
165. The number of hosts per network (usable addresses) that can be accommodated in Class B of the IP Classful Addressing Scheme is _________________	A. 126	B. 256	C. (224 -2) or 1,67,77,214	D. (216-2) or 65,534	d	The number of hosts per network that can be accommodated in Class B of the IP Classful Addressing Scheme is (216-2) or 65,534 as indicated in Option D.	M1DISA	165	136	M1DISA
166. The number of hosts per network (usable addresses) that can be accommodated in Class C of the IP Classful Addressing Scheme is _________________	A. 126	B. (216-2) or 65,534	C. (28-2) or 254	D. (224 -2) or 1,67,77,214	c	The number of hosts per network that can be accommodated in Class C of the IP Classful Addressing Scheme is (28-2) or 254 as indicated in Option C.	M1DISA	166	98	M1DISA
167. In IP Addressing, Unicast addressing mode involves _________________	A. Sending of data only to one destined host	B. Sending of data universally to all hosts on a network	C. Sending of data to all hosts on all networks	D. Configuration disabling sending of data to all except one host	a	Unicast addressing mode involves sending of data only to one destined host as indicated in Option A.	M1DISA	167	203	M1DISA
168. In IP Addressing, Broadcast addressing mode involves __________________	A. Sending of data to a single host on a network	B. Sending of data to all hosts on all networks	C. addressing of data packet to all hosts in a network segment	D. Configuration disabling sending of data to individual hosts	c	Broadcast addressing mode involves addressing of data packets to all hosts in a network segment, as indicated in Option C.	M1DISA	168	120	M1DISA
169. In IP Addressing, Multicast addressing mode involves addressing of data packets ____________________	A. Sending of data to a single host on a network	B. to hosts at special addresses in a network segment	C. Sending of data to all hosts on all networks	D. Configuration disabling sending of data to individual hosts	b	Multicast addressing mode involves addressing of data packets to hosts at special addresses in a network segment, as indicated in Option B.	M1DISA	169	144	M1DISA
170. In IP Addressing scheme, which of the following class / classes are defined for universal Unicast Addressing ?	A. Classes C alone	B. Class D	C. Classes A, B & C	D. Class E	c	Classes A, B and C are defined for Universal Unicast addressing as indicated in Option C.	M1DISA	170	137	M1DISA
171. In IP Addressing scheme, which of the following class / classes are reserved for Multicasting ?	Class D	Classes A & B	Class C	Class E	a	Class D alone is reserved for Multicast addressing as indicated in Option A. The information in the other options are not correct.	M1DISA	171	166	M1DISA
172. In IP Addressing scheme, which of the following class / classes are reserved for Experimental purposes ?	Classes D	Class A	Class E	Classes B & C	c	Class E alone is reserved for Experimental & research purposes as indicated in Option C. The information in the other options are not correct.	M1DISA	172	164	M1DISA
173. Which class/classes of networks are reserved for government agencies & huge companies ?	Classes D	Class E	Classes D & E	Class A	d	Class A alone is reserved for Government agencies and huge companies as indicated in Option D. The information in the other options are not correct.	M1DISA	173	72	M1DISA
174. A characteristic of a private address in an IP Network is ?	Hosts within the same local network can use the same private address	Its IP address will be unique in the internet network as a whole	A user in Company A cannot have the same address as a user in Company B	Its IP address should not be from the three blocks created by IANA	a	Multiple hosts within a specified network can use the same private address out of the three blocks spelt out by IANA. Their individual addresses need not be unique in the internet network as a whole; a user in one company can have the same IP address as another user in another company. Hence, Option A alone is correct.	M1DISA	174	73	M1DISA
175. A characteristic of a public address in an IP Network is ?	Hosts within the same local network cannot use the same public address	A user in Company A can have the same public address as a user in Company B	Its IP address will be unique in the internet network as a whole	Its IP address should be from the three blocks created by IANA	c	A public address is exposed to the internet network & is unique. Multiple hosts within a specified network cannot use the same public address. The public address should be one which is not out of the three blocks spelt out by IANA for use as private addresses. Hence, Option C alone is correct.	M1DISA	175	128	M1DISA
176. The start address for private networks with Class A addressing is ?	10.0.0.0	192.168.0.0	100.100.100.0	172.16.0.0	a	The start address for private networks with Class A addressing is 10.0.0.0 as indicated in Option A. The other options are not correct.	M1DISA	176	7	M1DISA
177. The start address for private networks with Class B addressing is ?	192.168.0.0	100.100.100.0	172.16.0.0	10.10.0.0	c	The start address for private networks with Class B addressing is 172.16.0.0 as indicated in Option C. The other options are not correct.	M1DISA	177	130	M1DISA
178. The start address for private networks with Class C addressing is ?	192.168.0.0	100.100.100.0	172.16.0.0	10.10.0.0	a	The start address for private networks with Class C addressing is 192.168.0.0 as indicated in Option A. The other options are not correct.	M1DISA	178	107	M1DISA
179. The finish address for private networks with Class A addressing is ?	999.999.999.000	10.255.255.255	172.31.255.255	000.000.000.000	b	The finish address for private networks with Class A addressing is 10.255.255.255 as indicated in Option B. The other options are not correct.	M1DISA	179	82	M1DISA
180. The finish address for private networks with Class B addressing is ?	10.255.255.255	000.000.000.000	999.999.999.000	172.31.255.255	d	The finish address for private networks with Class B addressing is 172.31.255.255 as indicated in Option D. The other options are not correct.	M1DISA	180	70	M1DISA
181. The finish address for private networks with Class C addressing is ?	192.168.255.255	172.31.255.255	101.255.255.255	999.999.999.000	a	The finish address for private networks with Class C addressing is 192.168.255.255 as indicated in Option A. The other options are not correct.	M1DISA	181	186	M1DISA
182. Private IP addresses ___________	are translated into public IP addresses through IANA process	cannot be translated into public IP addresses using NAT process	are translated into public IP addresses through NAT process	are translated into public IP addresses through SMTP	c	Private IP addresses are translated into public IP addresses through Network Address Translation or NAT. Thus, multiple hosts with private IP addresses are enabled to access using one or two public IP addresses as indicated by Option C above. The other options are not correct.	M1DISA	182	157	M1DISA
183. Dynamic Host Control Protocol is a software _____________	That can de-link particular hosts from a network during congestion	That allows definition of a range of dynamic IP addresses	That allows definition of a range of static IP addresses	That regulates host access to a network depending upon priority	b	Dynamic Host Control Protocol is a software that allows definition of a range of dynamic IP addresses for a specified period of time. Hence, Option B above is correct and the other options are incorrect.	M1DISA	183	190	M1DISA
184. What is the IP network address of a default gateway ?	1.1.1.1	255.255.255.255	0.0.0.0	255.255.255.000	c	As indicated in Option C above, the IP network address for a default gateway is 0.0.0.0. The other options are incorrect.	M1DISA	184	56	M1DISA
185. Which IP address is called a Loopback address ?	100.001.100.001	121.0.0.121	127.0.0.127	127.0.0.1	d	The Loopback address is 127.0.0.1 as indicated in Option D above. It is used to simplify programme testing and troubleshooting. The other options are incorrect.	M1DISA	185	75	M1DISA
186. A Loopback address ______________	Is used to simplify programme testing and troubleshooting	Helps communicate with local host using local address	Facilitates getting acknowledgement for delivery of messages	Helps catalogue errors in communication for future use	a	The Loopback address is used to simplify programme testing and troubleshooting. The other options are incorrect. Hence, Option A above alone is correct.	M1DISA	186	105	M1DISA
187. Which one of the following is a non-reserved address in IP networks ?	Broadcast address	Default gateway address	Loopback address	Dynamic IP addresses	d	The Broadcast, Default gateway, and Loopback addresses are all reserved addresses. The Dynamic IP address is not a reserved address and allows hosts to be allotted different IP addresses within a specified range. Hence, Option D above is alone correct.	M1DISA	187	99	M1DISA
188. A Subnet Mask is ?	Comprises 32 bits divided into 2 octets	Comprises 8 bits which are not divided further	Used for deriving network & host portions from an IP address	Comprises 16 bits which are divided into 2 octets	c	A subnet mask comprises 32 bits divided into 4 octets. It is used for deriving network and host portions from an IP address and helps minimize waste of IP addresses. The information in Options A, B, and D is erroneous. Hence, Option C above alone is correct.	M1DISA	188	187	M1DISA
189. IP version 6 ___________	Is a 64 bit addressing scheme	Is a 96 bit addressing scheme	Is a160 bit addressing scheme	Is a 128 bit addressing scheme	d	IP version 6 is a 128 bit version as against the 32 bit of the IP 4 version. The information in Options A to C is erroneous. Hence, Option D above alone is correct.	M1DISA	189	95	M1DISA
190. IP version 6 _____________	Can accommodate as many as 2128 addresses	Can handle as many as 264 addresses	Can handle as many as 232 addresses	Can handle only 216 addresses	a	As against IP version 4, IP version 6 is a 128 bit version which can thus accommodate as many as 2^128 addresses. The information in Options B to D is erroneous. Hence, Option A above alone is correct.	M1DISA	190	56	M1DISA
191. Migration from IP version 4 to IP version 6 ____________	Has not commenced in India yet; they are unwilling to do so	Is not possible until all devices are migrated globally	Has commenced in India under NASSCOM leadership	Is underway but many devices continue to be under version 4	d	Migration from version 4 to version 6 is underway & India is one of the countries undergoing the transition. The process is anchored by the Telecom Regulatory Authority of India. Till complete migration takes place, it is possible to have both systems in operation with appropriate mechanisms in place. Hence, Option D above alone is correct.	M1DISA	191	55	M1DISA
192. IP version 6 is in the form of _____________	Heptadecimals	Decimals	Hexadecimals	Octodecimals	c	As against IP version 4, IP version 6 is in Hexadecimal form. The information in Options A, B, and D are erroneous. Option C above alone is correct.	M1DISA	192	189	M1DISA
193. IP version 6 addresses are separated by _________________	Single Colons	Double Colons	Single Periods	Semi Colons	a	As against IP version 4 which uses periods for separation, IP version 6 uses single colons. The information in Options B to D is not correct. Option A above alone is correct.	M1DISA	193	181	M1DISA
194. A Port forms a socket along with an IP address. It is composed of __	8 bits	32 bits	16 bits	64 bits	c	A port comprises 16 bits. The information in Options A, B, and D is not correct. Option C above alone is correct.	M1DISA	194	182	M1DISA
195. The maximum number of ports possible per IP network address is ______	216	232	264	28	a	A port comprises 16 bits & hence the maximum number of ports possible is 2^16. The information in Options B to D is not correct. Option A above alone is correct.	M1DISA	195	136	M1DISA
196. Destination ports ______________	Are used to route packets from source to a destination host computer	Are used to route packets on a server to the appropriate network application	Are used only for HTTP traffic which are processed by a web server	Of numbers 0 to 1023 are used by vendors for proprietary applications	b	Destination ports are used to route packets on a server to the appropriate network application, as indicated in Option B. It is used for various purposes like HTTP, FTP & SMTP traffic. Hence, Option B above alone is correct.	M1DISA	196	198	M1DISA
197. Source ports ______________	Are assigned to clients & used for tracking user sessions	Are the ports through which data packets originate from the source	Are allocated numbers ranging from 49,152 to 68,568	Are allocated numbers ranging from 0 to 49,152	a	Source ports are assigned to clients and used for tracking user sessions as indicated in Option A. These can be any random number and no specific range is defined. Hence, Option A above alone is correct.	M1DISA	197	201	M1DISA
198. Domain Name System ________________	Has the host name in binary & heptadecimal form	When it is in non-generic category, can be used by any person/organization	Envisages that both the host name & IP address are a must for communication	Is a distributed database with host name & IP address for all domains	d	The Domain Name system is a distributed database with host name & IP address for all domains, as indicated in Option D. It has the host name in normal English and the IP address as per decimal format (IP Version 4) or hexadecimal format (IP Version 6). Only the generic category of domain names are available for use by any organization or person for any use. It is possible for us, through the Domain Name system, to identify the IP address, given the host name and vice versa. Hence, Option D above alone is correct.	M1DISA	198	45	M1DISA
199. On Demand Computing _______________	Is less economical for users with volatility in quality/volume of computing needs	Is not an issue in terms of privacy or security	Envisages provision of computing resources on as-needed/when-needed basis	Is ideally suited for users who have consistent quality & volume of computing needs	c	On Demand Computing envisages provision of computing resources on as-needed/when-needed basis & is best suited to users who have uncertain volume of demand for computing services. It helps them minimize capital expenditure & hire computing resources on need basis. The concept’s biggest concern is privacy and security of data. Hence, Option C alone is correct.	M1DISA	199	49	M1DISA
200. Firewall _____________	Can be only software programme designed to secure networks	Protects systems/networks of systems from network-based security threats	Can be only hardware devices designed to secure networks	Needs to be installed well within the perimeter of the network	b	Firewalls can be either software programmes or hardware devices designed to protect systems/networks of systems from network-based security threats. For best results they need to be installed at the entry point or perimeter of the network. Hence, only Option B is correct.	M1DISA	200	188	M1DISA
201. Role of Firewall _________	A. Burns malicious programmes entering the network	B. Allows users free access to external network but blocks entry of suspect programmes	C. Filters both in-bound and out-bound traffic from secured network	D. Blocks users from free access to external network but allows free entry from external network	c	Justification Firewalls play the dual role of filtering in-bound and out-bound traffic from a secured network. Only Option C above is correct.	M1DISA	201	204	M1DISA
202. The nature & scope of the Firewall depends upon ____________	A. The security policy laid down by the secured network’s organization	B. The rules laid down by TELNET protocol	C. Directives of the Internet Architecture Board (IAB)	D. Rules prescribed by the Internet Engineering Task Force (IETF)	a	Justification The nature & scope of Firewalls is determined by the security policy laid down by the secured network’s organization. It will vary from organization to organization depending upon their perception of the underlying risks, the economics of security software, etc. None of the internet bodies prescribe any rules regarding the firewalls to be erected by any organization. Hence, only Option A above is correct.	M1DISA	202	73	M1DISA
203. Firewall can filter _______________	A. Only incoming application software but not its data contents	B. Outgoing software but not block access to external networks	C. Incoming application software as well as its data contents	D. Only outgoing software but not its data contents	c	Justification A well designed firewall can filter both incoming software as well as its data contents for maliciousness. In respect of outgoing information, it can prevent access to undesirable or risky sites as also block sending out of sensitive data. Hence, only Option C above is correct.	M1DISA	203	82	M1DISA
204. Firewalls can be configured _______________	A. Cannot be configured for maintaining logs or issuing alerts on firewall policy	B. Can be configured to maintain logs but not for issuing alerts on firewall policy	C. Can be configured to maintain logs and issue alerts on firewall policy	D. Can be configured to issue alerts but not for maintaining logs	c	Justification A well designed firewall can be configured both to maintain logs as well as issuing alerts on firewall policy violations. Hence, only Option C above is correct.	M1DISA	204	59	M1DISA
205. Firewalls authenticate access ____________	A. Post establishment of connection	B. Prior to establishment of connection	C. Prior to establishment of connection &, thereafter, periodically during the session	D. Post establishment of connection &, thereafter, periodically during the session	b	Justification A robust firewall system will authenticate access prior to establishment of connection. Once authenticated, the user will no longer be prompted for authentication. Authentication post establishment of connection will not serve the purpose since security of the system could have been compromised by then. Hence, only Option B above is correct.	M1DISA	205	108	M1DISA
206. The Default Deny Access Control Policy _______________	A. Envisages denial of all traffic & selectively allowing certain traffic through the firewall	B. Prescribes allowing all traffic & selectively denying certain traffic through the firewall	C. Is frequently used for granting access from a trusted network to an external systems	D. Is also called Discretionary Access Control Policy	a	Justification The Default Deny Access Control Policy envisages denial of all traffic by default and selectively allowing certain traffic alone through the firewall. It is frequently used for granting access from an un-trusted source to a protected system. It is also called Mandatory Access Control Policy. Hence, only Option A above is correct.	M1DISA	206	104	M1DISA
207. The Allow All Access Control Policy _____________	A. Prescribes blocking of all traffic by default & allowing certain traffic alone selectively the firewall	B. Is frequently used for granting access from an un-trusted source to a protected system	C. Envisages allowing of all traffic & selectively denying certain traffic through the firewall	D. Is also called Mandatory Access Control Policy	c	Justification The Allow All Access Control Policy envisages allowing of all traffic by default and selectively denying certain traffic alone through the firewall. It is frequently used for granting access from a trusted network to external systems like the Internet. It is also called Discretionary Access Control Policy. Hence, only Option C above is correct.	M1DISA	207	14	M1DISA
208. Network Address Translation (NAT) ______________	A. Permits a single unique IP address to represent a group of computers & is now a function of most firewalls by concealing the internal network	B. Permits multiple unique IP addresses to represent a group of computers & is now a function of most firewalls	C. Provide firewall protection to systems behind the firewall by allowing connections that originate both from systems inside of the firewall as well as outside the firewall	D. Provide firewall protection to systems behind the firewall by transparently showing the internal network	a	Justification NAT systems allow a network to use one set of network addresses internally and another unique IP address when dealing with external networks. They, thus, conceal the internal network, thus protecting it from external access. They have thus become an important element of Firewall systems. Hence, only Option A above is correct.	M1DISA	208	154	M1DISA
209. A Network Based Firewall __________________	A. Is a device deployed within networks for restricting movement of selected traffic types within the networks	B. Is a device deployed on a single host within a network, thus restricting incoming/outgoing traffic for that host alone	C. Is a device deployed between networks for restricting movement of selected traffic types from one network to another	D. Is a device deployed between networks for protecting the network linkages but not the hosts on the network	c	Justification A Network based firewall, as stated in Option C above, is a device deployed between networks for restricting movement of selected traffic types from one network to another. It is not deployed on a single host within a network. Hence, only Option C above is correct.	M1DISA	209	109	M1DISA
210. A Host Based Firewall ______________	A. Is a device deployed between networks for restricting movement of selected traffic types from one network to another	B. Is a device deployed within networks for restricting movement of selected traffic types within the networks	C. Is a device deployed between networks for protecting the network linkages but not the hosts on the network	D. Is a device deployed on a single host within a network, thus restricting incoming/outgoing traffic for that host alone	d	Justification A Host based firewall, as stated in Option D above, is a device deployed on a single host within a network, thus restricting incoming/outgoing traffic for that host alone. It is not deployed between networks or within an entire network for restricting movement of selected traffic types. Hence, only Option D above is correct.	M1DISA	210	173	M1DISA
211. A Personal Firewall _____________	A. Controls traffic between a personal computer/workstation and the Internet/enterprise network	B. Can be used only on home computers but not in the corporate environment	C. Is typically a piece of hardware installed on a personal computer at home	D. Assumes that inbound traffic can be permitted and outbound traffic has to be inspected	a	Justification A Personal Firewall controls traffic between a personal computer or workstation on the one side and the Internet / enterprise network on the other. It is normally a piece of software and can be installed on a personal computer at home or even in a corporate environment. It assumes that outbound traffic can be freely permitted and inbound traffic has to be inspected & controlled. Hence, only Option A above is correct.	M1DISA	211	150	M1DISA
212. A Personal Firewall Appliance _______________	A. Envisages protection to a single computer through a hardware device installed on it	B. Envisages protection to multiple computers & is housed on a router connected to them	C. Is typically a hardware installed on a router which provides protection to a single SOHO computer	D. Is typically built into the operating system of individual computers	b	Justification A Personal Firewall Appliance refers to housing of firewall functionality on the router connected to multiple computers, generally in a SOHO environment. This is unlike the normal personal firewall which tends to be installed in the computer’s operating system. Hence, only Option B above is correct.	M1DISA	212	47	M1DISA
213. The Firewall term, Dual Homed ___________	A. Means two houses. It is a firewall system which serves two computers	B. Means two houses. It is a computer that has at least 2 computers with minimum 2 network interfaces, both of which are connected to insecure sides	C. Means a house with two doors. It is a computer that has at least 2 network interfaces one connected to a secure side and the other to an unsecure side	D. Means a house with two doors. It is a computer that has at least 2 network interfaces, both of which are connected to insecure sides	c	Justification The Firewall term, Dual Homed, means a house with two doors. It refers to a computer that has at least 2 network interfaces with one connected to a secure side and the other to an unsecure side. Hence, only Option C above is correct.	M1DISA	213	140	M1DISA
214. De-Militarized Zone (DMZ) ___________	A. Is the zone between computers which has firewalls on either side	B. Refers to the border between North & South Korea wherein no IT firewalls are installed	C. Houses the IT components which do not require public access	D. Houses the IT components which require public access like mail server, etc.	d	Justification A DMZ houses the IT components which require public access like mail server, etc as pointed out in Option D. The answers in the other options are incorrect.	M1DISA	214	46	M1DISA
215. Bastion Hosts ___________	A. Are computer systems that have Hardened systems	B. Are Hardened systems that are not exposed to the Internet	C. Are Hardened systems having non-essential services installed on them	D. Allow free access to all hosts since they have Hardened systems anyway	a	Justification Bastion Hosts are computer systems that have Hardened systems because they are vulnerable to attack & are exposed to the internet and are also a main point of contact for internal network users. They have essential services installed on them & restrict access to specific hosts alone. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	215	115	M1DISA
216. Bastion Hosts ______________	A. Cannot maintain detailed logs of all traffic	B. Are Hardened systems having non-essential services installed on them	C. Have each proxy independent of other proxies loaded on them	D. Allow free access to all hosts since they have Hardened systems anyway	c	Justification Bastion Hosts are computer systems that have Hardened systems because they are vulnerable to attack & are exposed to the internet and are also a main point of contact for internal network users. A Bastion Host has each proxy independent of other proxies loaded on it. It has essential services installed on it & restricts access to specific hosts alone. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	216	50	M1DISA
217. Packet Filtering Router Firewall ______________	A. Has no default parameter and drops any traffic whose header does not match firewall rules	B. Is deployed on a router within a private network	C. Matches the header content with the firewall rules to allow or block traffic	D. Is deployed on a router within a public network	c	Justification Packet Filtering Router Firewall is deployed on a screening router between a private and a public network. It operates by matching the header content of each packet with the firewall rules. If the content matches the firewall rule & it permits, it allows it. In case the rule matches but does not permit, it blocks the traffic. If no match is found, the router goes by the default parameter. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	217	113	M1DISA
218. Packet Filtering Router Firewall _______________	A. Works at the Internet layer of the TCP/IP model	B. Works at the Internet Layer of the OSI model	C. Is deployed on a router within a private network	D. Is deployed on a router within a public network	a	Justification Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is deployed on a screening router between a private and a public network. It operates by matching the header content of each packet with the firewall rules. If the content matches the firewall rule & it permits, it allows it. In case the rule matches but does not permit, it blocks the traffic. If no match is found, the router goes by the default parameter. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	218	66	M1DISA
219. Packet Filtering Router Firewall ______________	A. Works at the Network Layer of the TCP/IP model	B. Works at the Network Layer of the OSI model	C. Has two main weaknesses speed and flexibility	D. Is one of the simplest but most expensive of firewalls	b	Justification Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. Its strength lies in its speed and flexibility. It is deployed on a screening router between a private and a public network. It operates by matching the header content of each packet with the firewall rules. If the content matches the firewall rule & it permits, it allows it. In case the rule matches but does not permit, it blocks the traffic. If no match is found, the router goes by the default parameter. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	219	176	M1DISA
220. Packet Filtering Router Firewall ______________	A. Mostly does not support advanced user authentication schemes	B. Works at the Network Layer of the TCP/IP model	C. Has two main weaknesses speed and flexibility	D. Have high impact on network performance	a	Justification Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. Its strengths lies in its speed and flexibility as also low impact on network performance. One major drawback of this type of firewall is that it does not support most advanced user authentication schemes. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	220	184	M1DISA
221. Packet Filtering Route Firewalls _______________	Have the advantage of ease of defining access criteria as also configuration	Has two main weaknesses speed and flexibility	Are ideal for high speed environments where logging & user authentication is not important	Have high impact on network performance	c	Packet Filtering Router Firewall are ideal for high speed environments where logging and user authentication is not important. One major drawback of this type of firewall is that it does not support most advanced user authentication schemes. It works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. Its strengths lies in its speed and flexibility as also low impact on network performance. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	221	95	M1DISA
222. Packet Filtering Route Firewalls _____________	Are not vulnerable to IP Address spoofing attack	Are not vulnerable to Source Routing attack	Are not very costly & have low impact on network performance	Have the advantage of ease of defining access criteria as also configuration	c	Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or at Network layer of the OSI model. It is a very simple and relatively inexpensive firewall model. It is vulnerable to attacks like the IP Address spoofing attack as also Source Routing Attack. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	222	111	M1DISA
223. What are Stateful Inspection Packet Filtering Firewall ______________	They ignore current connection while allowing traffic to pass through	They are packet filters that incorporate added awareness of OSI model data	They possess packet characteristics but ignore session status	They are less secure than Packet Filtering Router Firewall	b	Stateful Inspection Packet Filtering Firewall are packet filters (like Packet Filtering Firewalls) but incorporate added awareness of OSI model data. They keep track of current connection to ensure that only permitted traffic is allowed to pass. They keep track of both packet characteristics as well as session checks to make sure that a specific session is allowed. They are more secure because they track client ports individually rather than opening all ‘high numbered ports’ for external access. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	223	38	M1DISA
224. Stateful Inspection Packet Filtering Firewall ____________	They possess packet characteristics but ignore session status	They are less secure than Packet Filtering Router Firewall	Uses a ‘State Table’ to validate inbound traffic	They ignore current connection while allowing traffic to pass through	c	Stateful Inspection Packet Filtering Firewall are packet filters (like Packet Filtering Firewalls) but incorporate added awareness of OSI model data. They keep track of current connection to ensure that only permitted traffic is allowed to pass. They keep track of both packet characteristics as well as session checks to make sure that a specific session is allowed. They use a State Table to validate inbound traffic. They are more secure because they track client ports individually rather than opening all ‘high numbered ports’ for external access. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	224	4	M1DISA
225. Circuit Level Gateways ____________	Used when internal users cannot be trusted to decide what external devices to access	Validate connections before data is exchanged	Filter individual packets of data which pass through them	They do not hide information about the network they protect	b	Circuit Level Gateways validate connections before data is exchanged. They do not filter individual packets of data which pass through them; instead they merely decide which connections can be allowed. They do have the advantage of hiding information about the private network they protect. Hence, they are used when internal users can be trusted to decide what external devices to access. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	225	201	M1DISA
226. Circuit Level Gateways ____________	Function at the Session layer of the OSI	Are relatively expensive in usage	Filter individual packets of data which pass through them	Scrutinize the application-level content of packets relayed through them	a	Circuit Level Gateways operate at the Sessions layer of the OSI & validate connections before data is exchanged. They do not examine the application-level content / filter individual packets of data which pass through them; instead they merely decide which connections can be allowed. They do have the advantage of hiding information about the private network they protect. Hence, they are used when internal users can be trusted to decide what external devices to access. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	226	113	M1DISA
227. What is a characteristic of Application Level Gateway Firewall ?	It is not operated on hardened operating systems	Like Circuit level gateways, it ignores the content of traffic	It functions at the Application layer of the OSI	It authenticates devices and not individuals	c	Application Level Gateways operate at the Applications layer of the OSI. They are similar to Circuit gateways with the exception that they are application specific & monitor content of the application. They have the advantage of authenticating individuals rather than devices. They are operated on hardened operating systems. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	227	200	M1DISA
228. Application Level Gateway Firewalls ______________	It is not operated on hardened operating systems	Are implemented on hardened operating systems	Cannot control access based upon content or source address	Will result in compromising the entire network in the event of a break-in	b	Application Level Gateways operate at the Applications layer of the OSI. They are similar to Circuit gateways with the exception that they are application specific & monitor content of the application. Among other things, they can control access based upon content as also source address. They have the advantage of authenticating individuals rather than devices. They are operated on hardened operating systems. Any break-in will only compromise the firewall and not the entire network. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	228	71	M1DISA
229. Application Level Gateway Firewalls ____________	Are process intensive & can cause performance issues	Are not vulnerable to bugs in the running application / operating system	Cannot provide auditing & logging functions for future review	Will result in compromising the entire network in the event of a break-in	a	Application Level Gateways operate at the Applications layer of the OSI. They are similar to Circuit gateways with the exception that they are application specific & monitor content of the application. Among other things, they can control access based upon content as also source address. They have the advantage of authenticating individuals rather than devices. They are operated on hardened operating systems. Any break-in will only compromise the firewall and not the entire network. Their drawbacks include vulnerability to bugs in the running application / operating system as also performance issues arising out of process intensive nature. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	229	127	M1DISA
230. Application Level Gateway Firewalls ______________	Are not vulnerable to bugs in the running application / operating system	Cannot provide auditing & logging functions for future review	Will not result in compromising the entire network in the event of a break-in	Are less secure than Packet Filters and Stateful Inspection Firewalls	c	Any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection	M1DISA	230	14	M1DISA
231. One of the major drawbacks of Application Level Gateway Firewalls is	Compromise the entire network in the event of a break-in	Cannot provide auditing & logging functions for future review	Are less secure than Packet Filters and Stateful Inspection Firewalls	They are process intensive & cause performance issues	d	Application level gateway firewalls are process intensive and cause performance issues. However, any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection Firewalls. Hence, answer in Option D is correct. The answers in the other options are incorrect.	M1DISA	231	129	M1DISA
232. One of the major drawbacks of Application Level Gateway Firewalls is	Compromise the entire network in the event of a break-in	They are vulnerable to bugs in the running application & operating system	Cannot provide auditing & logging functions for future review	Are less secure than Packet Filters and Stateful Inspection Firewalls	b	Application level gateway firewalls are process intensive and cause performance issues. However, any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection Firewalls. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	232	8	M1DISA
233. Application Level Gateway Firewalls _____________	Are also called proxies & are similar to circuit-level gateways but application-specific	Compromise the entire network in the event of a break-in	Cannot provide auditing & logging functions for future review	Are less secure than Packet Filters and Stateful Inspection Firewalls	a	Application level gateway firewalls are also called proxies and are similar to circuit-level gateways. However, they are application-specific & monitor the contents of applications before allowing traffic. However, any break-in will only compromise the firewall and not the entire network in the case of Application Level Gateway firewalls. They can provide auditing and logging functions. They are more secure than Packet Filters and Stateful Inspection Firewalls. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	233	79	M1DISA
234. Single Homed Firewalls _________________	Bypass the Packet Filtering router & allow packets directly to the proxy server	Have increased traffic and load on the proxy server despite the Packet Filtering router	Combines the Packet Filtering router with a separate, dedicated firewall	Screen only for applications and not content, making them more vulnerable	c	Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. They screen both for applications as well as content. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	234	32	M1DISA
235. One Single Homed Firewalls characteristic is that ____________	They screen only for applications and not content, making them more vulnerable	They do not allow traffic to flow directly between the internet and other hosts on the private network	Have increased traffic and load on the proxy server despite the Packet Filtering router	They ensure greater security than a packet filtering router or application level gateway firewall alone	d	Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. They screen both for applications as well as content. They are considered to be more secure than a packet filtering router or application level gateway firewall alone. A disadvantage is that traffic can flow directly between the internet and other hosts on the network if the packet filtering firewall is compromised. Hence, answer in Option D is correct. The answers in the other options are incorrect.	M1DISA	235	159	M1DISA
236. An advantage of a Single Homed Firewall is _________________	It screens only for applications and not content	It allows traffic to flow directly between the internet and other hosts on the private network if the packet filtering router is compromised	An intruder has to penetrate two systems before security of internal network is compromised	It has increased traffic and load on the proxy server despite the Packet Filtering router	c	Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. Also, an intruder has to penetrate two systems before the security of internal network is compromised. They screen both for applications as well as content. They are considered to be more secure than a packet filtering router or application level gateway firewall alone. A disadvantage is that traffic can flow directly between the internet and other hosts on the network if the packet filtering firewall is compromised. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	236	24	M1DISA
237. A Dual Homed Host Firewall is different from Single Homed Firewall in that	It has two NICs one connected to the external & the other connected to the internal network	It screens only for applications and not content	It does not allow traffic to flow directly between the internet and other hosts on the private network if the packet filtering router is compromised	It has increased traffic and load on the proxy server despite the Packet Filtering router	a	Single Homed Firewalls combine the Packet Filtering router with a separate dedicated firewall called a Bastion proxy server. The system envisages traffic passing through the Packet Filtering router first before crossing the proxy server. This reduces the traffic and the load on the proxy server. It has two NICs; one connected to the external and the other connected to the internal network. Also, an intruder has to penetrate two systems before the security of internal network is compromised. They screen both for applications as well as content. They are considered to be more secure than a packet filtering router or application level gateway firewall alone. A disadvantage is that traffic can flow directly between the internet and other hosts on the network if the packet filtering firewall is compromised. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	237	137	M1DISA
238. Screened Subnet Firewalls with DMZ ___________	Has four packet filtering routers, two each between bastion host/internet & bastion host/internal network	Screens only the applications but not the content, making their networks more vulnerable to attack	Are the best configuration for most secure environment	The private network is not invisible to the internet / unsecured network	c	Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between the bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	238	82	M1DISA
239. Screened Subnet Firewalls with DMZ ______________	Have two packet filtering routers, one each between bastion host/internet & bastion host/internal network	Are vulnerable in that Internet systems can see through the DMZ into the internal private network & initiate attacks	Permit internal users’ risky behaviour of bypassing the proxy server on the bastion system to access the Internet directly	Are the least robust of firewall systems, providing limited security to internal network systems	a	Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behaviour. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	239	55	M1DISA
240. Screened Subnet Firewalls with DMZ ______________	Have four packet filtering routers, two each between bastion host/internet & bastion host/internal network	Are robust in that Internet systems cannot see through the DMZ into the internal private network & initiate attacks	Are the least robust of firewall systems, providing limited security to internal network systems	Permit internal users’ risky behaviour of bypassing the proxy server on the bastion system to access the Internet directly	b	Screened Subnet firewalls are the best configuration for most secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behaviour. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	240	44	M1DISA
241. Screened Subnet Firewalls with DMZ _______________	Are vulnerable in that Internet systems can see through the DMZ into the internal	Ensure that internal users access the Internet via the proxy services residing on	Have four packet filtering routers, two each between bastion host/internet & bastion host/internal network	Are the least robust of firewall systems, providing limited security to internal	b	Screened Subnet firewalls are the best configuration for a secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behavior. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	241	183	M1DISA
242. Screened Subnet Firewalls with DMZ ___________	Are the least robust of firewall systems, providing limited security to internal	Have four packet filtering routers, two each between bastion host/internet & bastion host/internal network	Will need a Network Address Translator (NAT) to be installed on the bastion host to eliminate the need to re-number or re-subnet the private network	Are vulnerable in that Internet systems can see through the DMZ into the internal	c	Screened Subnet firewalls are the best configuration for a secure environment. They have two packet filtering routers, one each between the bastion host & internet and between bastion host & internal network. They screen both for application as well as content. Since the outside router advertises the DMZ to the external network or Internet, the internal private network becomes invisible to it. Similarly, the internal user is forced to go through the proxy server on the bastion system to access the Internet, minimizing risky behavior. Since the DMZ network is different from the private network, a NAT can be installed on the bastion host to eliminate the need to re-number or re-subnet the private network. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	242	200	M1DISA
243. In general, Firewalls ____________	Can enforce password policy and prevent misuse of passwords	Are very effective against non-technical security risks such as social engineering	Can block internal users from accessing websites with malicious codes	Cannot prevent users or attackers with modems from dialing into or out of the internal network, bypassing the firewall	d	Firewalls have limitations. They cannot prevent users or attackers with modems from dialing into or out of the internal network. They cannot enforce password policy or prevent misuse of passwords. They are not very effective against non-technical security risks like social engineering. They cannot block internal users from accessing websites with malicious codes. Hence, answer in Option D is correct. The answers in the other options are incorrect.	M1DISA	243	104	M1DISA
244. In general, Firewalls _________	Cannot enforce password policy and prevent misuse of passwords	Can prevent users or attackers with modems from dialing into or out of the internal network, bypassing the firewall	Can provide complete protection against viruses	Can block internal users from accessing websites with malicious codes	a	Firewalls have limitations. They cannot enforce password policy and prevent misuse of passwords. They cannot prevent users or attackers with modems from dialing into or out of the internal network. They cannot enforce password policy or prevent misuse of passwords. They are not very effective against non-technical security risks like social engineering. They cannot provide complete protection against viruses. They cannot block internal users from accessing websites with malicious codes. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	244	41	M1DISA
245. In general, Firewalls __________	Can enforce password policy and prevent misuse of passwords	Can prevent users or attackers with modems from dialing into or out of the internal network, bypassing the firewall	Cannot provide complete protection against viruses	Can block internal users from accessing websites with malicious codes	c	Firewalls have limitations. They cannot provide complete protection against viruses. They cannot enforce password policy and prevent misuse of passwords. They cannot prevent users or attackers with modems from dialing into or out of the internal network. They cannot enforce password policy or prevent misuse of passwords. They cannot block internal users from accessing websites with malicious codes. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	245	142	M1DISA
246. Appliance based firewall ___________	Is a firewall software installed on top of commercial operating systems	Is less secure than those deployed on top of commercial operating systems	Is scalable depending upon changing requirements of business	Refers to appliances with firewall software embedded as firmware	d	Appliance based Firewalls refer to appliances with firewall software embedded as firmware. They are more secure than those deployed on top of commercial operating systems since the latter are more vulnerable. Their major drawback is the limitation on scalability. Hence, answer in Option D is correct. The answers in the other options are incorrect.	M1DISA	246	66	M1DISA
247. Appliance based firewall ______________	Does not include appliances with firewall software embedded as firmware	Is more secure than those deployed on top of commercial operating systems	Is a firewall software installed on top of commercial operating systems	Are scalable depending upon changing requirements of business	b	Appliance based Firewalls refer to appliances with firewall software embedded as firmware. They are more secure than those deployed on top of commercial operating systems since the latter are more vulnerable. Their major drawback is the limitation on scalability. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	247	165	M1DISA
248. Appliance based firewall __________	Is less secure than those deployed on top of commercial operating systems	Does not include appliances with firewall software embedded as firmware	Suffers from scalability issues & inability to meet changed environmental needs	Is a firewall software installed on top of commercial operating systems	c	Appliance based Firewalls refer to appliances with firewall software embedded as firmware. They are more secure than those deployed on top of commercial operating systems since the latter are more vulnerable. Their major drawback is the limitation on scalability. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	248	58	M1DISA
249. Software Based Firewall __________	Suffers from scalability issues & inability to meet changed environmental needs	Is deployed on top of commercial operating systems	Is more secure than those deployed on top of commercial operating systems	Includes appliances with firewall software embedded as firmware	b	Software based firewalls are deployed on top of commercial operating systems. They are less secure than Appliance based Firewalls in view of the vulnerability of the operating system itself. Their major advantage, however, is scalability in the face of changes in the environment. They exclude appliances with firewall software embedded as firmware. Hence, answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	249	188	M1DISA
250. Software Based Firewall ____________	Enjoys the major advantage of scalability in the face of changed environment	Is never deployed on top of commercial operating systems	Is more secure than those deployed on top of commercial operating systems	Includes appliances with firewall software embedded as firmware	a	Software based firewalls are deployed on top of commercial operating systems. They are less secure than Appliance based Firewalls in view of the vulnerability of the operating system itself. Their major advantage, however, is scalability in the face of changes in the environment. They exclude appliances with firewall software embedded as firmware. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	250	8	M1DISA
251. Unified Threat Management ___________	Cannot operate on a simple plug and play architecture	Has increased technical training requirements owing to its complexity	Is the Evolution of the traditional firewall into an all-inclusive security product	Complicates installation of security products	c	Unified Threat Management is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single appliance. It can operate on a simple plug and play architecture. It has reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	251	150	M1DISA
252. Unified Threat Management ___________	Is the Evolution of the traditional firewall into a compound security system with	Has increased technical training requirements owing to its complexity	Complicates installation of security products	Can support various functionalities like VPN, gate-way anti-virus/anti-spam, etc. apart from firewall	d	Unified Threat Management is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single appliance. Apart from the firewall, it can support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It can operate on simple plug and play architecture. It has reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Answer in Option D is correct. The answers in the other options are incorrect.	M1DISA	252	24	M1DISA
253. Unified Threat Management ___________	Can support firewall but not various functionalities like VPN, gate-way anti-virus/anti-spam, etc.	Can provide centralized support with complete control for globalized operations	Is the Evolution of the traditional firewall into a compound security system with	Has increased technical training requirements owing to its complexity	b	Unified Threat Management is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single appliance. Apart from the firewall, it can support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It has reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Overall, it is very well suited to an organization with global operations wherein it can provide centralized support with complete control. Answer in Option B is correct. The answers in the other options are incorrect.	M1DISA	253	68	M1DISA
254. Unified Threat Management ___________	Can support firewall but not various functionalities like VPN, gate-way anti-virus/anti-spam, etc.	Is the Evolution of the traditional firewall into a compound security system with	Can also support data-loss prevention by blocking accidental or incidental loss of KEY data	Has increased technical training requirements owing to its complexity	c	Unified Threat Management is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single appliance. Apart from the firewall, it can support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It can also support data-loss prevention by blocking accidental or incidental loss of confidential, proprietary or regulated data. It has reduced technical training requirements since only one product has to be learnt and understood. Installation of security products is also easier and maintenance/vendor issues become simpler. Answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	254	160	M1DISA
255. A disadvantage of Unified Threat Management is ________	That it becomes a Single Point of Failure (SPOF) for network traffic	It cannot support various functionalities like VPN, gate-way anti-virus/anti-spam, etc.	Has increased technical training requirements owing to its complexity	It cannot support GUI interface for manageability	a	The single biggest disadvantage of Unified Threat Management (UTM) is the obvious risks of centralization; it becomes a Single Point of Failure (SPOF) for network traffic. The other major drawback is that its deployment may have an impact on latency and bandwidth when the UTM cannot keep up with the traffic. Apart from the firewall, it can indeed support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It has reduced technical training requirements since only one product has to be learnt and understood. It can comfortably support GUI interface for manageability. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	255	38	M1DISA
256. A disadvantage of Unified Threat Management is ________	It cannot support GUI interface for manageability	Has increased technical training requirements owing to its complexity	That it can have impact on latency and bandwidth when it cannot cope with the traffic	It cannot support various functionalities like VPN, gate-way anti-virus/anti-spam, etc.	c	A major drawback of UTM is that its deployment may have an impact on latency and bandwidth when the UTM cannot keep up with the traffic. Apart from the firewall, it can indeed support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It has reduced technical training requirements since only one product has to be learnt and understood. It can comfortably support GUI interface for manageability. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	256	112	M1DISA
257. Baseline Configuration of Firewall ________	Should have a default policy of allowing all traffic/connections unless not specifically permitted	Should not allow remote users access through VPN	Should be preceded by a general risk assessment & cost-benefit analysis	Should not allow deployment of Web & other publicly accessible servers on a DMZ in respect of multi-location organizations	c	Baseline configuration of a firewall should be preceded by a general risk assessment & cost-benefit analysis. It should have a default policy of not allowing any traffic/connections unless specifically permitted. It should permit remote users access through VPN. In respect of large multi-location organizations, it should ideally have the Web & other publicly accessible servers place on a DMZ for best security. Hence, answer in Option C is correct. The answers in the other options are incorrect.	M1DISA	257	91	M1DISA
258. Baseline Configuration of Firewall ________	Should have a default policy of not allowing any traffic/connections unless specifically permitted	Need not have an additional firewall for internal users since the main firewall would be adequate	Should not allow deployment of Web & other publicly accessible servers on a DMZ in respect of multi-location organizations	Should not allow remote users access through VPN	a	Baseline configuration should have a default policy of not allowing any traffic/connections unless specifically permitted. It should permit remote users access through VPN. In respect of large multi-location organizations, it should ideally have the Web & other publicly accessible servers place on a DMZ for best security. It should also ensure that internal users should be protected with an additional firewall. Hence, answer in Option A is correct. The answers in the other options are incorrect.	M1DISA	258	77	M1DISA
259. Personal Firewalls ____________________	Are based upon different methods & techniques as compared to an enterprise firewall	Are more complicated compared to an enterprise firewall & require technical expertise to operate	Are software installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet	Control incoming traffic from the Internet alone, based upon defined security policy	c	Personal Firewalls are software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. They are based upon the same methods and techniques as firewalls for enterprises. They are simpler and can be handled by less technically savvy persons too. Like the firewalls for enterprises, they, too, control and monitor both incoming as well as outgoing traffic based upon a defined security policy. Answer in Option C is correct whereas the other answers are obviously wrong.	M1DISA	259	89	M1DISA
260. Personal firewalls ___________________	Are hardware devices installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet	Need not be monitored as constantly as firewalls for enterprises	Control incoming traffic from the Internet alone, based upon defined security policy	Are based upon different methods & techniques as compared to an enterprise firewall	b	Personal Firewalls are software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. They are based upon the same methods and techniques as firewalls for enterprises. They are simpler and can be handled by less technically savvy persons too. Like the firewalls for enterprises, they, too, control and monitor both incoming as well as outgoing traffic based upon a defined security policy. They need not be monitored as constantly as enterprise firewalls. Answer in Option B is correct whereas the other answers are obviously wrong.	M1DISA	260	77	M1DISA
261. Personal Firewall ___________________	Cannot block or alert the user about outgoing connection attempts	Cannot provide information about destination server with which an application is trying to communicate	Is based upon security policy of the computer whereas enterprise firewall is based on enterprise security policy	Are hardware devices installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet	c	A Personal Firewall is based upon the security policy of the individual computer whereas enterprise firewall is based on enterprise security policy. It is a software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. Like the firewalls for enterprises, it controls and monitors both incoming as well as outgoing traffic based upon a defined security policy. It can block and alert the user about outgoing connection attempts too. It can go to the extent of providing information about a destination server with which an application is trying to communicate. Answer in Option C above is correct whereas the other answers are obviously wrong.	M1DISA	261	89	M1DISA
262. Personal Firewall ___________________	Can protect a computer from unwanted incoming connection attempts	Are hardware devices installed on a user’s computer protecting against unwanted intrusion & attacks from the Internet	Cannot provide information about destination server with which an application is trying to communicate	Cannot block or alert the user about outgoing connection attempts	a	A Personal Firewall is based upon the security policy of the individual computer whereas enterprise firewall is based on enterprise security policy. It is a software installed on a user’s computer for protection against unwanted intrusion and attacks from the Internet. Like the firewalls for enterprises, it controls and monitors both incoming as well as outgoing traffic based upon a defined security policy. It can protect a computer from unwanted incoming connection attempts. It can block and alert the user about outgoing connection attempts too. It can go to the extent of providing information about a destination server with which an application is trying to communicate. Answer in Option A above is correct whereas the other answers are obviously wrong.	M1DISA	262	84	M1DISA
263. State True or False One of the limitations of Personal Firewall is that many malwares can compromise the system, manipulate the firewall & even shut it down.	TRUE	FALSE			a	It is true that some malwares exist which can penetrate & compromise the firewall system, disarming it in the process, leaving the internal network exposed to security risks. Hence, answer in Option A above is correct.	M1DISA	263	55	M1DISA
264. State True or False Personal Firewalls could be impacted by vulnerabilities in the Operating System.	TRUE	FALSE			a	It is true that vulnerabilities in the Operating system itself could impinge on the security of the firewall system. Hence, answer in Option A above is correct.	M1DISA	264	108	M1DISA
265. State True or False These personal firewalls could sometimes generate false alerts which could irritate non tech-savvy users.	TRUE	FALSE			a	It is true that some could sometimes generate false alerts which could irritate non tech-savvy users. Hence, answer in Option A above is correct.	M1DISA	265	96	M1DISA
266. Windows 7 software _________________	Has no inbuilt firewall system; we would need to go in for a third party product for security	Has a network-based firewall system, not host-based system	Has an inbuilt stateful, host-based firewall that filters incoming and outgoing connections	Has a Firewall that cannot block or alert the user about outgoing connection attempts	c	Windows 7 software has an inbuilt, stateful, host-based Firewall system that can filter both incoming as well as outgoing connections. It can block or alert the user against outgoing connection attempts too. Answer in Option C above is correct whereas the other answers are obviously wrong.	M1DISA	266	48	M1DISA
267. Windows 7 software _________________	Has two network location types with advanced security	Has a network-based firewall system, not host-based system	Is a network location-aware host firewall	Has a Firewall that cannot block or alert the user about outgoing connection attempts	c	Windows 7 software is a network location-aware host firewall. It has three network location types with advanced security (Domain, public & private). It has a Firewall system that can filter both incoming as well as outgoing connections. It can block or alert the user against outgoing connection attempts too. Answer in Option C above is correct whereas the other answers are obviously wrong.	M1DISA	267	145	M1DISA
268. Windows 7 software _________________	Has a Firewall that cannot block or alert the user about outgoing connection attempts	Stores firewall properties based on location types or profiles	Has a network-based firewall system, not host-based system	Has two network location types with advanced security	b	Windows 7 software is a network location-aware host firewall. It stores firewall properties based on location types called profiles. It has three network location types with advanced security (Domain, public & private). It has a Firewall system that can filter both incoming as well as outgoing connections. It can block or alert the user against outgoing connection attempts too. Answer in Option B above is correct whereas the other answers are obviously wrong.	M1DISA	268	201	M1DISA
269. Intrusion Detection Systems (IDS) __	Like Firewalls, they are a method of preventive control	Monitors, alerts & corrects the problem	Cannot detect network scans, packet-spoofing & Denial of service	Will alert us if there are intruders in the host or the network	d	Intrusion Detection Systems (IDS) are a detective control system which will alert us post intrusion into the host or the network. They will monitor & alert the user about exceptions but will not correct the problem. They can, indeed, detect network scans, packet-spoofing & denial of service. Answer in Option D above is correct whereas the other answers are obviously wrong.	M1DISA	269	201	M1DISA
270. Network Intrusion Detection Systems (NIDS)	Are placed at choke points on the network & monitor traffic to & from devices on the network	Do not check the content of individual packets for malicious traffic	Create substantial system overhead	Does not inhibit the effectiveness of packet analysis even with encrypted payloads and high-speed networks	a	NIDS are placed at choke points like routers, switches, etc. within the network and they monitor to and from devices on the network. They do check the content of individual packets for malicious traffic. They do not create any significant system overhead. The effectiveness of packet analysis, however, is inhibited with encrypted payloads and high-speed networks. Answer in Option A above is correct whereas the other answers are wrong.	M1DISA	270	175	M1DISA
271. Host Intrusion Detection Systems (HIDS) _	Monitors all packets but does not alert the administrator when suspicious activity is detected	Involve lesser deployment and reduced maintenance cost	Monitors all packets to and fro the hosts only.	Are not implemented on individual hosts or network devices	c	HIDS are implemented on individual hosts or devices on the network and they monitor all packets to and from the hosts only. They alert the administrator when suspicious activity is detected. Since they are deployed on each computer, they involved higher deployment and proportionately higher maintenance cost. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	271	204	M1DISA
272. Signature based IDS ____________________	Monitors packets on network but does not validate them since they do not have a database for comparison	Will be able to detect attacks pre-emptively, even before the event	Can successfully handle even new attacks	Monitors packets on network and compares them against large databases of attack signatures	d	SIDS are signature based IDS that monitor packets on networks and compare them against large databases of attack signatures. They cannot, however, detect attacks preemptively and cannot handle new attacks since a comparable signature would not be available with them. Answer in Option D above is correct whereas the other answers are wrong. Signature-based IDs, or intrusion detection systems (IDS), use a database of known attack patterns to identify malicious activity.	M1DISA	272	36	M1DISA
273. Statistical Anomaly / Behaviour based IDS	Monitors packets on network and validates them by comparing the signature in the database	Assume that an intrusion can be detected by observing a normal behaviour of the system/users	Will not be able to detect attacks pre-emptively, before the event	Cannot handle effectively new attacks	b	SAB IDS monitor packet traffic on networks and compare them against an established baseline of behaviour. They can detect attempts to exploit new and unforeseen vulnerabilities. Their downside is that they generate a large number of false positives. Answer in Option B above is correct whereas the other answers are wrong.	M1DISA	273	180	M1DISA
274. Cryptography is _______________________	The process of transforming data into something that can be understood	The process of transforming data into something that cannot be understood with some additional information	The practice and study of hiding information	Cannot provide mechanisms for authenticating users on a network	c	Cryptography is the practice and study of hiding information. It involves the process of transforming data into something that cannot be understood without additional information. It provides mechanisms for authenticating users on a network. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	274	171	M1DISA
275. Cryptography __________________________	Involves use of encryption for transforming data into something that can be understood	Is the process of transforming data into something that cannot be understood even with some additional information	Cannot provide mechanisms for authenticating users on a network	Is the theory and practice of secure communication	d	Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. Answer in Option D above is correct whereas the other answers are wrong.	M1DISA	275	61	M1DISA
276. Cryptography __________________________	Provides mechanisms for preventing users from repudiating ownership of messages	Cannot provide mechanisms for authenticating users on a network	Is the process of transforming data into something that cannot be understood even with some additional information	Involves use of encryption for transforming data into something that is intelligible	a	Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. Answer in Option A above is correct whereas the other answers are wrong.	M1DISA	276	98	M1DISA
277. Cryptography __________________________	Helps assure the receiver about the integrity of the message	Does not help in preventing users from repudiating ownership of messages	Cannot provide mechanisms for authenticating users on a network	Is the process of transforming data into something that cannot be understood even with some additional information	a	Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. It helps the receiver in ensuring that the message received by him has not been altered in any fashion; ie, protect the integrity of the message. Answer in Option A above is correct whereas the other answers are wrong.	M1DISA	277	4	M1DISA
278. Cryptography __________________________	Does not help in preventing users from repudiating ownership of messages	Cannot provide mechanisms for authenticating users on a network	Ensures the privacy or confidentiality of the contents of the message	Involves use of encryption for transforming data into something that is intelligible	c	Cryptography ensures the privacy or confidentiality of a message i.e. it ensures that no one except the intended receiver of the message can read the message. Cryptography is the practice and study of hiding information with the objective of secure communication. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	278	196	M1DISA
279. Cryptography __________________________	Involves use of encryption for transforming data into something that is intelligible	Authenticates & convinces the receiver that the message has actually come from the sender	Does not help in preventing users from repudiating ownership of messages	Cannot provide mechanisms for authenticating users on a network	b	Cryptography authenticates & convinces the recipient that the message has actually come from the sender. It involves the use of encryption for transforming data into unintelligible form. The unintelligible form can be converted back into understandable information with the help of some additional information like a code or a key. It does provide mechanisms for authenticating users on a network. It also enables prevention of users from repudiating ownership of their messages. Answer in Option B above is correct whereas the other answers are wrong.	M1DISA	279	65	M1DISA
280. Any message that is intelligible is considered to be in ________	Encrypted form	Coded form	Plaintext form	Ciphertext form	c	Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. A ciphertext form would be in unintelligible form till it is decrypted into plaintext form. Hence, answer in Option C above is correct whereas the other answers are wrong.	M1DISA	280	9	M1DISA
281. Any message that is converted into un-intelligible form is considered to be in _________	Ciphertext form	Plaintext form	Understandable form	Coded form	a	A ciphertext form arises post encryption & would be in unintelligible form till it is decrypted into plaintext form. Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. Hence, answer in Option A above is correct whereas the other answers are wrong.	M1DISA	281	11	M1DISA
282. The process of converting a given plaintext into ciphertext form is called ___________	Decryption	Translation	Transcription	Encryption	d	The conversion of a given plaintext into ciphertext form is called encryption. This form would be in unintelligible form till it is decrypted into plaintext form through decryption. Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. Hence, answer in Option D above is correct whereas the other answers are wrong.	M1DISA	282	152	M1DISA
283. The process of converting ciphertext back into plaintext form is called _____________	Transcription	Encryption	Decryption	Translation	c	The conversion of a given plaintext into ciphertext form is called encryption. This form would be in unintelligible form till it is decrypted into plaintext form through decryption. Any message that is intelligible is considered to be in plaintext form. An encrypted form will not be intelligible without the use of additional information. Hence, answer in Option C above is correct whereas the other answers are wrong.	M1DISA	283	142	M1DISA
284. The mathematical function used for encryption & decryption is ________________.	Binomial analysis	Cryptographic Algorithm	Transcription Algorithm	Exponential function	b	The mathematical function used for encryption & decryption is called the cryptographic algorithm or Cipher. Answer in Option B above is correct whereas the other answers are wrong.	M1DISA	284	4	M1DISA
285. The mathematical function used for encryption & decryption is ________________.	Transcription Algorithm	Binomial analysis	Cipher	Exponential function	c	The mathematical function used for encryption & decryption is called the cryptographic algorithm or Cipher. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	285	150	M1DISA
286. A Cipher is also called ________________	A Cryptographic Algorithm	Transcription Algorithm	Binomial analysis	Exponential function	a	The mathematical function used for encryption & decryption is called the cryptographic algorithm or Cipher. Answer in Option A above is correct whereas the other answers are wrong.	M1DISA	286	118	M1DISA
287. A Cryptographic algorithm ______________	Must be difficult to use but easy to crack	Must be easy both to use and crack	Must be easy to use but difficult to crack	Must be difficult to use as well as to crack	c	An effective cryptographic algorithm must be easy to use but difficult to crack. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	287	124	M1DISA
288. A Cryptographic algorithm ______________	Can be used for one function encryption alone	Can be used for one function decryption alone	Can be used for one function creation of a key	Can be used for two functions encryption as well as decryption	d	A cryptographic algorithm can be used for encryption as well as decryption. Answer in Option D above is correct whereas the other answers are wrong.	M1DISA	288	75	M1DISA
289. KEYs ______________	Are not required in the encryption or decryption process	Should be difficult to use but easy to break	Are additional secret data in the cryptographic process	Should be easy to use as well as to break	c	KEYs are additional secret data which are used in the encryption or decryption process of cryptography. They need to be long enough to make breaking difficult but short enough to use and transmit. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	289	91	M1DISA
290. KEYs ______________	Should be difficult to use but easy to break	Should be easy to use as well as to break	Are not required in the encryption or decryption process	Prevent the message from being decoded even if the algorithm is known	d	KEYs are additional secret data which are used in the encryption or decryption process of cryptography. They need to be long enough to make breaking difficult but short enough to use and transmit. Without the keys, even if the mathematical algorithm of encryption were known, decryption into plaintext is not possible. Answer in Option D above is correct whereas the other answers are wrong.	M1DISA	290	190	M1DISA
291. The Caesar cipher was used to transmit messages during Roman wars. It was actually a ‘shift by 3’ rule wherein alphabet A is replaced by the third alphabet D, B by E and so on. In this case, the KEY is ___________	3	Alphabet A	Alphabet D	Alphabet B	a	KEYs are additional secret data which are used in the encryption or decryption process of cryptography. In this case, the recipient of the message needs to know the algorithm of shifting the alphabet by a few positions. However, in this specific instance, the shifting of the alphabet is by three positions. Hence, the KEY is 3. In another situation, the KEY can be changed to 5 or any other number depending upon security requirements without changing the basic algorithm. Answer in Option A above is correct whereas the other answers are wrong.	M1DISA	291	44	M1DISA
292. Symmetric KEY Cryptography _____________	Envisages the use of different keys for encryption and decryption	Envisages the use of a single KEY both for encryption as well as decryption	Suffers from no difficulty in terms of distribution of the key	Envisages the use of one KEY by the sender & another by the receiver	b	Symmetric KEY cryptography envisages the use of a single KEY both for encryption as well as decryption. Thus, the receiver uses the same KEY for decryption as was used by the sender for encryption. The difficulty lies in distribution of the key. Answer in Option B above is correct whereas the other answers are wrong.	M1DISA	292	81	M1DISA
293. The Digital Encryption Standard __________________	Is a NIST standard using 256 keys	Continues to be used by NIST even today	Is a NIST standard using 228 keys	Is not a Symmetric Encryption Standard	a	DES is a National Institute for Standards and Technology Symmetric Encryption Standard using 256 keys. It has been replaced by the Advanced Encryption standard which deploys 128, 192 and 256 bits and proportionately more keys for better security. Answer in Option A above is correct whereas the other answers are wrong.	M1DISA	293	78	M1DISA
294. The Advanced Encryption Standard _________________	Has been discontinued for use by NIST	Is a NIST standard using 228 keys	Is not a Symmetric Encryption Standard	Is a NIST standard using up to 256 bits or 2256 keys	d	AES is a National Institute for Standards and Technology Symmetric Encryption Standard using up to 256 bits or 2256 keys. It has replaced the DES in the interest of better security. Answer in Option D above is correct whereas the other answers are wrong.	M1DISA	294	109	M1DISA
295. Asymmetric or Public KEY Cryptography ___________	Involves the use of a single KEY both for encryption as well as decryption	Is inferior to Symmetric KEY since safe distribution of the KEY to the recipient is an issue	Involves the use of a pair of keys, one for encryption & the other for decryption	Involves the use of two pairs of keys, one each for encryption and decryption	c	Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for encryption and the other for decryption. It overcomes the difficulty of KEY distribution faced in the case of symmetric KEY cryptography. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	295	203	M1DISA
296. Asymmetric or Public KEY Cryptography ____________	Involves the use of a public KEY of the individual in a private domain	Involves the use of a private KEY of the individual in a public domain	Is thousands of times slower than symmetric KEY cryptography	Involves the use of two pairs of keys, one each for encryption and decryption	c	Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for encryption and the other for decryption. The public KEY of the individual would be in the public domain whereas the private KEY would remain secret and not revealed. It overcomes the difficulty of KEY distribution faced in the case of symmetric KEY cryptography. This process, however, is thousands of times slower than the symmetric KEY cryptography process. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	296	21	M1DISA
297. Asymmetric or Public KEY Cryptography ______________	Can be initiated by using either of the two keys first	Is not used for exchange of symmetric keys	Is not used for exchange of Digital signatures	Involves the use of two pairs of keys, one each for encryption and decryption	a	Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for encryption and the other for decryption. Either of the two keys can be used, without any particular sequence. It overcomes the difficulty of KEY distribution faced in the case of symmetric KEY cryptography. Its use, therefore, is mainly in exchange of symmetric keys and digital signatures. Answer in Option A above is correct whereas the other answers are wrong.	M1DISA	297	119	M1DISA
298. Asymmetric or Public KEY Cryptography ___________________	Is not used for exchange of symmetric keys	Is not used for exchange of Digital signatures	Uses more computer resources compared to Symmetric KEY cryptography	Provides lesser security as compared to Symmetric KEY cryptography	c	Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for encryption and the other for decryption. Either of the two keys can be used, without any particular sequence. It overcomes the difficulty of KEY distribution faced in the case of symmetric KEY cryptography. This process, however, is thousands of times slower than the symmetric KEY cryptography process and uses up more computer resources too. Its use, therefore, is mainly in exchange of symmetric keys and digital signatures. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	298	64	M1DISA
299. Asymmetric or Public KEY Cryptography ___________	Uses less computer resources compared to Symmetric KEY cryptography	Generally has larger KEY size as compared to Symmetric KEY cryptography	Provides lesser security as compared to Symmetric KEY cryptography	Is not used for exchange of symmetric keys	b	Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for encryption and the other for decryption. Either of the two keys can be used, without any particular sequence. It overcomes the difficulty of KEY distribution faced in the case of symmetric KEY cryptography. This process, however, involves larger KEY sizes, is thousands of times slower than the symmetric KEY cryptography process and uses up more computer resources too. Its use, therefore, is mainly in exchange of symmetric keys and digital signatures. .Answer in Option B above is correct whereas the other answers are wrong.	M1DISA	299	147	M1DISA
300. RSA is _________________	A form of cryptography which uses 24096 keys	Not used in common software products	The most common form of Asymmetric KEY Cryptography in use	An acronym for its developers Robin Sharma, Sundararaman and Anjaneyulu	c	RSA was developed by Ronald Rivest, Adi Shamir and Leonard Adleman & hence its name. It is the most common form of Asymmetric KEY Cryptography in use. It currently uses 22048 keys for high security. It is used extensively in common software products for KEY exchange, digital signatures or encryption for small blocks of data. Answer in Option C above is correct whereas the other answers are wrong.	M1DISA	300	95	M1DISA
301. What are Message Hash Functions ?	They are algorithms involved in computing a fixed length hash value	They are algorithms from which the contents & length of the plaintext can be recovered	They are algorithms whose limitation is that they cannot guarantee message integrity	They are algorithms involved in computing a variable length hash value	a	Message Hash Functions are algorithms involved in computing a fixed length hash value. In lieu of a key, a fixed length hash value is computed based upon the plaintext that makes it impossible to recover the contents or length of the plaintext. The hash value is recalculated at the receiver’s end and matched with that generated by the sender. If they match, the message has not been altered during transmission. Hence, Option A alone is correct.	M1DISA	301	174	M1DISA
302. Message Hash Functions __________	Are algorithms involved in computing a fixed length hash value	Are algorithms from which the contents & length of the plaintext can be recovered	Are algorithms whose limitation is that they cannot guarantee message integrity	Are also called Message Digests and One-way hash functions	d	Message Hash Functions are algorithms involved in computing a fixed length hash value. They are also called Message Digests and One-way hash functions. In lieu of a key, a fixed length hash value is computed based upon the plaintext that makes it impossible to recover the contents or length of the plaintext. The hash value is recalculated at the receiver’s end and matched with that generated by the sender. If they match, the message has not been altered during transmission. Hence, Option D alone is correct.	M1DISA	302	128	M1DISA
303. What are Digital Signatures ?	Are data strings dependent only on a secret known only to the sender	Are data strings dependent on a secret known only to the sender & the message content	Are cryptography tools which depend upon use of Symmetric KEYs	They are algorithms whose limitation is that they cannot guarantee message integrity	b	Digital signatures are data strings dependent on a secret known only to the sender and, additionally, on the content of the message. They use Asymmetric KEYs and Hash. They meet the communication objectives of authentication, integrity and repudiation. Option B alone is correct.	M1DISA	303	137	M1DISA
304. What are Digital Signatures ?	They are algorithms whose limitation is that they cannot guarantee message integrity	Are data strings dependent on a secret built into the message content alone	Are cryptography tools which depend upon use of Asymmetric KEYs & Message Hash content	Are data strings dependent only on a secret known only to the sender	c	Digital signatures are data strings dependent on a secret known only to the sender and, additionally, on the content of the message. They use Asymmetric KEYs and Hash. They meet the communication objectives of authentication, integrity and repudiation. Option C alone is correct.	M1DISA	304	130	M1DISA
305. What are the characteristics of Digital Signatures ?	They achieve the communication objectives of confidentiality, authentication & integrity	They comply with the goals of authentication, access control and non-repudiation	They are algorithms whose limitation is that they cannot guarantee message integrity	They achieve the communication objectives of authentication, integrity & non-repudiation	d	Digital signatures are data strings dependent on a secret known only to the sender and, additionally, on the content of the message. They use Asymmetric KEYs and Hash & involve the use of private and public keys. They meet the communication objectives of authentication, integrity and repudiation. Option D alone is correct.	M1DISA	305	201	M1DISA
306. What are the characteristics of Public KEY Infrastructure (PKI) ?	They achieve the communication objectives of confidentiality & authentication alone	They achieve all the five basic communication objectives	They provide the infrastructure for generation, storage and security of public keys	They are algorithms which are not as effective as Digital signatures	b	PKI are advanced cryptographic tools which help achieve all the five basic communication objectives of confidentiality, authentication, integrity, non-repudiation and access control. It involves the use of a digital envelope, which, in turn, deploys both secret KEY and public KEY cryptography methods to send the secret KEY to the recipient. It thus combines public-KEY encryption and digital signature services to create a comprehensive system. Hence, Option B alone is correct.	M1DISA	306	22	M1DISA
307. What are characteristic of Public KEY Infrastructure (PKI) ?	Digital certificates are used with support from Certificate authority & LDAP directory	They provide the infrastructure for generation, storage and security of public keys	They achieve the communication objectives of confidentiality & authentication alone	They are algorithms which are not as effective as Digital signatures	a	PKI are advanced cryptographic tools which help achieve all the five basic communication objectives of confidentiality, authentication, integrity, non-repudiation and access control. It involves the use of a digital envelope, which, in turn, deploys both secret KEY and public KEY cryptography methods to send the secret KEY to the recipient. It thus combines public-KEY encryption and digital signature services to create a comprehensive system. The system leans heavily on a robust Certification authority and Lightweight Directory Access Protocol (LDAP) directory. Hence, Option A alone is correct.	M1DISA	307	92	M1DISA
308. What are the typical characteristics of a Digital Certificate ?	It is a digitally signed document used to verify that a private KEY belongs to an individual	It is a digitally signed document used to verify that a public KEY belongs to an individual	It is a digitally signed document which is permanent, without any validity/expiry date	It is a digitally signed document used to verify both public & private keys of an individual	b	A Digital certificate is a digitally signed document that associates a public KEY with a user. It will be signed by a Certification Authority. Its contents would include serial number, subject, signature, issuer, validity dates(valid from, expiry date), public key, thumbprint algorithm and thumbprint. Hence, Option B alone is correct.	M1DISA	308	162	M1DISA
309. Who are Certifying Authorities ?	In India, Certifying authorities are not regulated/ licensed & hence, certificates have no legal validity	They are not responsible for verification of registration, suspension and revocation requests	They are Trusted Third Parties to verify and vouch for the identities of entities in an electronic environment	In India, Certifying authorities are regulated/licensed by NASSCOM	c	Certifying Authorities (CAs) are Trusted Third Parties to verify and vouch for the identities of entities in an electronic environment. In India, the IT Act provides for the Controller of Certifying Authorities, a body under the Ministry of Communications & Information Technology, is responsible for the licensing and regulation of Certifying Authorities & to ensure that the IT Act provisions are complied with. The main role of a CA is to digitally sign and publish the public KEY bound to a given user. One of the major roles & responsibilities is verification of registration, suspension and revocation requests. Hence, answer in Option C is correct.	M1DISA	309	161	M1DISA
310. Who are Registering Authorities ?	They authenticate the identity of a person before the CA releases the digital certificate	They are independent of the CA and are responsible to NASSCOM	They are not responsible for verification of identity but only for formal registration	They are a Government department who register the Certifying Authority	a	Registering Authorities are work under the control of Certifying authorities (CAs) and are responsible for authenticating the identity of a person prior to issue of a digital certificate by the CA. They are also the body who interact with subscribers for providing CA services. The CAs themselves, who are independent entities, are licensed and regulated by the Controller of Certifying Authorities, a government body under the Ministry of Communications and Information Technology. Hence, only the answer in Option A is correct.	M1DISA	310	142	M1DISA
311. Certification Revocation Lists (CRLs) ______________	Are lists of Certifying Authorities who have been de-licensed by the CCA	Are issued by a Certifying Authority different from one that issued the original certificate	Are lists of serial numbers of certificates which have been revoked	Are issued by Registering Authorities and not signed by the Certifying Authority	c	Certificate Revocations Lists (CRLs) are lists of serial numbers of digital certificates which have been revoked along with reasons for revocation. These certificates are themselves signed by the Certifying Authority (CA) themselves. The CRL is always issued by the CA who issued the corresponding certificate. Entities presenting those certificates can no longer be trusted. Hence, only the answer in Option C is correct.	M1DISA	311	87	M1DISA
312. Certification Practice Statement is a statement of the practices which a Certification Authority employs in issuing and managing certificates.	TRUE	FALSE			a	Certification Practice Statement is a statement of the practices which a Certification Authority employs in issuing and managing certificates. It carries various types of information like policies, procedures & processes involved in certificate issue, policies for revocation, policies for renewal, certificate lifetime, etc. The answer in Option A is correct.	M1DISA	312	82	M1DISA
313. Which of the following is true off Cryptanalysis ?	Analysis of data for encryption using Symmetric key	Analysis of encryption/decryption records for audit purposes	Refers to methods of recovering plaintext from ciphertext without using the key	It is used to study strengths of a cryptosystem	c	Cryptanalysis refers to methods of recovering plaintext from ciphertext without using the key. In other words, it is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. It also deals with identifying weaknesses in the cryptosystem. The term cryptanalysis is also used to refer to attempts to break the security of other types of cryptographic algorithms and protocols, apart from encryption. The answer in Option C only is correct.	M1DISA	313	115	M1DISA
314. How does a Cryptanalyst manage to identify the KEY for launching a Known plaintext attack ?	He ascertains the KEY by compromising the Certifying Authority’s servers	He programs his computer to continuously check random keys till he finds the right one	He breaks into the sender’s system and identifies the private KEY for the transmission	He deduces the KEY by accessing both ciphertext as well as plaintext of several messages	d	The Cryptanalyst can deduce the KEY by accessing & comparing both the ciphertext as well as the plaintext of several messages. He can then launch a Known plaintext attack. The answer in Option D only is correct.	M1DISA	314	44	M1DISA
315. Secure Socket Layer (SSL) _____________	Cannot work with any program using TCP, even with modifications	Is a protocol that provides a secure communication channel between two machines	Has limited flexibility in choice of encryption used	Does not have built-in data compression capability	b	SSL is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. Any program using TCP can be modified to use SSL connection. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It does have in-built data compression capability. Hence, the answer in Option B only is correct.	M1DISA	315	96	M1DISA
316. Secure Socket Layer (SSL) __________	Subsequently became an internet standard known as Transport Layer Security	Does not have built-in data compression capability	Has limited flexibility in choice of encryption used		a	SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. Any program using TCP can be modified to use SSL connection. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It does have in-built data compression capability. It is the most widely used security protocol system in the world currently. Hence, the answer in Option A only is correct.	M1DISA	316	146	M1DISA
317. Secure Socket Layer (SSL) __________	Does not have built-in data compression capability	Has limited flexibility in choice of encryption used	Is the most widely deployed security protocol used today	Is not used for handling sensitive information like credit card/social security numbers, etc.	c	SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It does have in-built data compression capability. It is the most widely used system in the world currently. In particular, it is capable of handling sensitive information like credit card numbers, social security numbers and login credentials to be transmitted securely. Hence, the answer in Option C only is correct.	M1DISA	317	111	M1DISA
318. Secure Socket Layer (SSL) ______________	Has limited flexibility in choice of encryption used	Cannot work with any program using TCP, even with modifications	Does not have built-in data compression capability	Has the capability to handle sensitive information like credit card/social security numbers, etc.	d	SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. Any program using TCP can be modified to use SSL connection. It does have in-built data compression capability. It is the most widely used system in the world currently. In particular, it is capable of handling sensitive information like credit card numbers, social security numbers and login credentials to be transmitted securely. Hence, the answer in Option D only is correct.	M1DISA	318	174	M1DISA
319. Secure Socket Layer (SSL) ______________	Is a transparent protocol requiring little user interaction for establishing a secure session	Cannot secure cloud-based computing platforms	Has limited flexibility in choice of encryption used	Cannot secure connection between E-mail Client and E-mail Server	a	SSL was originally developed by Netscape and subsequently became the Internet standard known as Transport Layer Security (TLS). It is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. SSL is also flexible in choice of symmetric encryption, authentication and message digest that can be used. It is a transparent protocol requiring little end user interaction for establishing a secure session. Hence, the answer in Option A only is correct.	M1DISA	319	190	M1DISA
320. Secure Socket Layer (SSL) ______________	Alerts users to its presence by displaying an eagle’s head in the browser	Alerts users to its presence by displaying a padlock in the browser	Cannot secure system logins and any sensitive information exchanged online	Cannot secure connection between E-mail Client and E-mail Server	b	SSL is a protocol that provides a secure communication channel between two machines operating on the Internet or an internal network. It is a transparent protocol requiring little end user interaction for establishing a secure session. It alerts users to its presence by displaying a padlock in the browser. Among other things, it can secure system logins and other sensitive information normally exchanged online. It can also secure connection between E-mail Client and E-mail Server. Hence, the answer in Option B only is correct.	M1DISA	320	153	M1DISA
321. HTTP Secure _______________	Is used widely except for payment transactions & other sensitive transactions	Is an advanced version of HTTP which is superior to SSL/TLS protocol	Is basically layering of HTTP protocol over the SSL/TLS protocol	Requires both the client as well as the remote server to be authenticated compulsorily	c	HTTP Secure is basically layering of HTTP protocol over the proven Secure Sockets Layer (SSL) protocol. It is used widely, especially for payment transactions, emails, etc. While the SSL portion can comfortably authenticate both ends of a session, in the normal course only the server end is authenticated by the client. Hence, the answer in Option C only is correct.	M1DISA	321	187	M1DISA
322. HTTP Secure _____________	Is an advanced version of HTTP which is superior to SSL/TLS protocol	Requires both the client as well as the remote server to be authenticated compulsorily	Has a basic limitation of slowing down the web service	Is used widely except for payment transactions & other sensitive transactions	c	HTTP Secure is basically layering of HTTP protocol over the proven Secure Sockets Layer (SSL) protocol. It is used widely, especially for payment transactions, emails, etc. While the SSL portion can comfortably authenticate both ends of a session, in the normal course only the server end is authenticated by the client. Its one limitation is that it slows down the web service. Hence, the answer in Option C only is correct.	M1DISA	322	133	M1DISA
323. Virtual Private Network (VPN) _______________	Can operate between two private networks but not the Internet	Does not provide confidentiality & integrity over un-trusted intermediate networks	Not compatible for operations with IPSec	Can link two networks or individual systems providing privacy & strong authentication	d	VPNs can link two individual systems or networks providing privacy and strong authentication. The networks can be private networks or the Internet. They provide confidentiality & integrity over un-trusted intermediate networks. IPSec enables VPN and creates a virtual tunnel with encryption to ensure secure communication. Hence, the answer in Option D only is correct.	M1DISA	323	149	M1DISA
324. IPSec ___________	Protects application data across IP Networks	Requires applications to be specifically designed to work with it	Cannot be of help for implementation of VPN	Cannot be of help for remote user access through dial-up connection	a	IPSec protects application data across IP Networks. It is encrypted at the network layer of IP. Hence, it does not require applications to be specifically designed for use with it. It is useful for implementation of VPN as also for remote user access through dial-up connection. Hence, the answer in Option A only is correct.	M1DISA	324	72	M1DISA
325. IPSec ______________	Is encrypted at IP(Transport layer)	Is implemented at end routers/firewalls	Cannot be of help for implementation of VPN	Cannot be of help for remote user access through dial-up connection	b	IPSec protects application data across IP Networks. It is encrypted at the network layer of IP. Hence, it does not require applications to be specifically designed for use with it. It is useful for implementation of VPN as also for remote user access through dial-up connection. Hence, the answer in Option B only is correct.	M1DISA	325	141	M1DISA
326. IPSec _______________	Is encrypted at IP(Transport layer)	Can operate in transport mode with both data & packet header encrypted	Has as its basic goals authenticity and data integrity	Can operate in tunnel mode with entire IP packet encrypted & old header added	c	IPSec protects application data across IP Networks. It is encrypted at the network layer of IP. It has as its basic goals authenticity and data integrity. It can operate in two modes: transport mode, where both data and packet header are encrypted, and tunnel mode, where the entire IP packet is encrypted and a new header added. Hence, the answer in Option C only is correct.	M1DISA	326	38	M1DISA
327. Transport Mode of IPSec _____________	Involves encryption of data but not of the packet header	Involves encryption of the entire packet, for use in VPN	Can operate with entire IP packet encrypted & old header added	Provides secure connection between two points	d	IPSec protects application data across IP Networks. In transport mode, it provides a secure connection between two endpoints. In this mode, the data is encrypted, and the packet header is not encrypted. In tunnel mode, used for VPN, the entire IP packet is encrypted and a new header added to the packet for transmission. Hence, the answer in Option D only is correct.	M1DISA	327	187	M1DISA
328. Tunnel Mode of IPSec _____________	Is used to create Virtual Private Networks	Involves encryption of data but not of the packet header	Involves encryption of the entire packet, for use in non-VPN functions	Can operate with entire IP packet encrypted & old header added	a	IPSec protects application data across IP Networks. In tunnel mode, it is used to create Virtual Private Networks (VPNs). In this mode, the entire IP packet is encrypted and a new header added to the packet for transmission. Hence, the answer in Option A only is correct.	M1DISA	328	16	M1DISA
329. Secure Shell (SSH) is a protocol ____________	Which is basically VPN layered on SSL protocol	Which cannot operation in conjunction with Telnet	Used for secure remote login & for command execution over an insecure network	Works only for peer-to-peer mode	c	SSH is a protocol used for remote login and for executing commands over an insecure network. It is basically Telnet + SSL + some other features. It works well for client-server mode, with both ends authenticated using certificates. It is usually used on UNIX systems. Hence, the answer in Option C only is correct.	M1DISA	329	146	M1DISA
330. Secure Shell (SSH) is a protocol ____________	That cannot be used for remote login or command execution	Comprising Telnet+SSL+other features	Which is basically VPN layered on SSL protocol	Which cannot operation in conjunction with Telnet	b	SSH is a protocol used for remote login and for executing commands over an insecure network. It is basically Telnet + SSL + some other features. It works well for client-server mode, with both ends authenticated using certificates. It is usually used on UNIX systems. Hence, the answer in Option B only is correct.	M1DISA	330	199	M1DISA
331. Secure Shell (SSH) is a protocol ____________	Which cannot operation in conjunction with Telnet	Which is basically VPN layered on SSL protocol	That cannot be used for remote login or command execution	That is usually used on UNIX systems	d	SSH is a protocol used for remote login and for executing commands over an insecure network. It is basically Telnet + SSL + some other features. It works well for client-server mode, with both ends authenticated using certificates. It is usually used on UNIX systems. Hence, the answer in Option D.	M1DISA	331	115	M1DISA
332. Secure Electronic Transaction (SET) _____________	Was originally developed by Visa & Master card for secured electronic transactions	Uses a system involving three signatures	Uses a system involving two signatures, one each of the customer and the merchant	Uses a system involving three signatures, one each of the customer, the merchant & the bank	a	SET is a protocol originally developed by Visa & Master card for securing electronic transactions. It uses a system of Dual Signatures. The correct answer is as in Option A.	M1DISA	332	90	M1DISA
333. Secure Electronic Transaction (SET) ________________	Uses a system involving three signatures, one each of the customer, the merchant & the bank	Is basically a combination of Telnet+SSL	Used exclusively on UNIX based systems	Uses a system of Dual signature to link two messages intended for two different recipients	d	SET uses a system of Dual Signatures to link messages for different recipients. It uses RSA public key, DES private key, and digital certificates for security. It is not a Telnet+SSL combination or exclusive to UNIX. The correct answer is as in Option D.	M1DISA	333	107	M1DISA
334. Secure Electronic Transaction (SET) _______________	Uses a system involving three signatures, one each of the customer, the merchant & the bank	Used exclusively on UNIX based systems	Uses a cryptography combination of RSA public key, DES private key & digital certificates	Is basically a combination of Telnet + SSL	c	SET uses RSA public key, DES private key, and digital certificates for security. It is not exclusive to UNIX or a Telnet+SSL combination. The correct answer is as in Option C.	M1DISA	334	91	M1DISA
335. Secure Multipurpose Internet Mail Extension _________________	Uses the DES encryption system	Is a secure method for VPN access & remote log in	Is a secure method for Internet payment transactions	Is a secure method of sending emails and extensions	d	S/MIME is a secure method for sending emails and extensions, based on public key cryptography using RSA encryption. It does not use DES, nor is it used for VPN or internet payments. The correct answer is as in Option D.	M1DISA	335	34	M1DISA
336. Secure Multipurpose Internet Mail Extension _____________	Is based on public key cryptography & uses RSA encryption system	Is a secure method for Internet payment transactions	Is a secure method for VPN access & remote log in	Cannot handle emails and attachments	a	S/MIME is a secure method for sending emails and extensions, based on public key cryptography using RSA encryption. It does not handle attachments or provide VPN access. The correct answer is as in Option A.	M1DISA	336	12	M1DISA
337. The prime drivers of choice of network technology for a typical large bank will be ____________	Primarily Business Focus followed by Risk Management	Business Focus, Risk Management & Govt. / Compliance needs	Primarily Risk Management followed by Govt. / Compliance needs	Solely Business Needs	b	The prime drivers for choice of networking technology in a bank encompass Business Focus, Risk Management, and Govt. / Compliance needs. Option B is correct.	M1DISA	337	5	M1DISA
338. The architecture of an enterprise-wide network in a bank ________	Would be dual-layered, comprising Security & Internet	Would be dual-layered, comprising WAN Network Topology & Security	Would vary significantly, depending upon size, structure & goals of each bank	Would be multi-layered, comprising WAN Network Topology, Security & Interfaces to Service delivery & Internet	d	An enterprise-wide network architecture in a bank should ideally be multi-layered to address various needs including WAN, Security, and Service delivery. Option D describes this multi-layered approach correctly.	M1DISA	338	107	M1DISA
339. The most popular choice of backbone network technology is ______	IP core technology	IP/ATM technologies	Multi-Protocol Label Switching or MPLS technology	AT&T technology	c	MPLS technology is widely used as a backbone for its ability to handle data, voice, and video effectively. Option C correctly identifies MPLS as the popular choice.	M1DISA	339	37	M1DISA
340. One feature of WAN Network Topology is _______________________	The backbone is usually of optical fibre, with redundant routes	The last mile connects the central or head office to nearby Service Provider POP	The last mile primary links, in most cases, are VSATs	The Data Centre & the Disaster Recovery Centre are in the same safe seismic zone	a	WAN Network Topology typically features an optical fibre backbone with redundant routes for reliability. Option A correctly identifies this feature.	M1DISA	340	180	M1DISA
341. One feature of WAN Network Topology is ____________	The backbone is usually of traditional copper wire used for telephony	The Data Centre & the Disaster Recovery Centre are in different seismic zones	The last mile connects the central or head office to nearby Service Provider POP	The last mile primary links, in most cases, are VSATs	b	WAN Network Topology typically ensures that the Data Centre and Disaster Recovery Centre are in different seismic zones to prevent simultaneous impact. Option B correctly identifies this feature.	M1DISA	341	95	M1DISA
342. One feature of WAN Network Topology is ____________	The Near-site DC is normally located in a different room/floor within the same complex as the DC	The DC, Near-site DC and DRC are not connected, to prevent spread of malicious viruses, etc.	Banks maintain a Near-site Data Centre (Near DC) in addition to the Data centre (DC) & Disaster Recovery Centre (DRC)	The DC and the DRC are invariably located in the same seismically safe area	c	WAN Network Topology often includes a Near-site Data Centre (Near DC) along with the DC and DRC, all interconnected. Option C correctly identifies this feature.	M1DISA	342	43	M1DISA
343. One feature of WAN Network Topology is ________________	Data to & from the WAN to branches, DC, Near DC & DRC is in plaintext & not encrypted	The DC, Near-site DC and DRC are not connected, to prevent spread of malicious viruses, etc.	The DC and the DRC are invariably located in the same seismically safe area	Domain services are hosted in the Data centre (DC), Near-site Data Centre (Near DC) & Disaster Recovery Centre (DRC) in different De-Militarized Zones (DMZs)	d	WAN Network Topology ensures encrypted data transfer and hosts domain services in different DMZs. Option D correctly identifies this feature.	M1DISA	343	175	M1DISA
344. This is a feature of WAN Network Topology.	Redundancy is built in at DC, with links from minimum of two ISPs	The DC and the DRC are invariably located in the same seismically safe area	Data to & from the WAN to branches, DC, Near DC & DRC is in plaintext & not encrypted	The DC, Near-site DC and DRC are not connected, to prevent spread of malicious viruses, etc.	a	WAN Network Topology incorporates redundancy at the DC with links from multiple ISPs. Option A correctly identifies this feature.	M1DISA	344	89	M1DISA
345. Chartered Accountants are impacted by IT mainly in the following way _____________	The IT industry is becoming global	The IT industry is being dominated by India	Automation of their clients’ operations & their data going digital	The Institute of Chartered Accountants is going digital	c	Chartered Accountants are primarily impacted by IT through the automation of client operations and digitization of data. Option C correctly identifies this impact.	M1DISA	345	43	M1DISA
346. Chartered Accountants are impacted by IT mainly in the following way ___________	The Institute of Chartered Accountants is going digital	The IT industry is being dominated by India	CA firms themselves will need to use IT for servicing their customers	The IT industry is becoming global	c	Chartered Accountants are primarily impacted by IT through the automation of client operations and digitization of data. Option C correctly identifies this impact.	M1DISA	346	9	M1DISA
347. A Data Warehouse is a collection of decision-support data that is _____________	Volatile & updated on a daily basis	Exclusively relating to sales & marketing	Historical, supporting analysis & reporting functions	De-centralized with warehouses distributed over the country	c	A Data Warehouse is primarily historical, supporting analysis and reporting functions. Option C correctly identifies its purpose.	M1DISA	347	151	M1DISA
348. A Data Mart _____________	Contains detailed data relating to a single aspect of business in large companies	Refers to a data storage product marketed by a business intelligence company	Stores all marketing related data alone for a company	Is a software used by Data Warehouses	a	A Data Mart contains detailed data related to a specific aspect of business in large companies. Option A correctly identifies its purpose.	M1DISA	348	118	M1DISA
349. Data Mining ______________	Is the recovery of all hidden data	Refers to the automated extraction of hidden predictive information	Helps analyse historical data but has little predictive value	Helps summarize data for regular MIS reporting systems	b	Data Mining refers to the automated extraction of hidden predictive information. Option B correctly identifies its purpose.	M1DISA	349	74	M1DISA
350. Which are the business activities which are strong contenders for conversion to e-commerce ?	Those relating to software development	Those relating to the ‘electronic’ aspects of commerce	Those that are paper-based, time consuming & inconvenient for customers	Those that are not paper-based, speedy & convenient for customers	c	Business activities most suitable for e-commerce are those that are paper-based, time-consuming, and inconvenient for customers. Option C correctly identifies such activities.	M1DISA	350	140	M1DISA
351. Your daughter orders five salwar-kameez sets on the Myntra website for door delivery. She uses the Government wireless communication facility for carrying out this task. Which model of e-commerce would this fall in ?	Business-to-business	Consumer-to-consumer	Business-to-Government	Business-to-consumer	d	This scenario describes a transaction where a consumer (your daughter) purchases goods from an online retailer (Myntra). Hence, it falls under the business-to-consumer (B2C) model. Option D correctly identifies this model.	M1DISA	351	19	M1DISA
352. Cloud computing refers to ___________	On demand, networked access to a shared pool of computing resources	Computing carried out using software loaded on satellites	Strategic planning carried out through computerised simulations	Computing with light & minimal software	a	Cloud computing involves providing on-demand, networked access to a shared pool of computing resources. Option A accurately describes this definition.	M1DISA	352	157	M1DISA
353. The Front-end in Cloud computing refers to _________	The Client’s computer alone; the access software is available on the cloud	The various computers, servers & data storage systems in the cloud system	The software available on the cloud computing systems	The Client’s computer as well as the software required to access the cloud	d	The front-end in cloud computing includes both the client's computer and the software required to access the cloud services. Option D correctly identifies this aspect.	M1DISA	353	7	M1DISA
354. The Back-end in Cloud computing refers to ___________	The Client’s computer as well as the software required to access the cloud	The various computers, servers & data storage systems in the cloud system	The Client’s computer alone; the access software is available on the cloud	Solely, the software available on the cloud computing systems	b	The back-end in cloud computing comprises the infrastructure including servers, computers, and storage systems that provide cloud services. Option B accurately describes this component.	M1DISA	354	132	M1DISA
355. Which of the following falls outside the typical features of Cloud computing ?	Resource Pooling capability	Rapid elasticity in meeting changed client demands	A large, offsite, remotely accessible computing facility created by a large enterprise for self use	Measured services with pay per use facility for clients	c	Cloud computing typically involves resource pooling, rapid elasticity, and measured services with pay-per-use. Option C describes a traditional large enterprise computing facility, which is not a typical feature of cloud computing.	M1DISA	355	195	M1DISA
356. What is a Hybrid Cloud computing facility ?	It provides both hardware as well as software services to its clients	It combines analog as well as digital computing capabilities	It provides free services to certain clients while charging others	It provides both private & public Cloud computing services	d	A hybrid cloud provides both private and public cloud services, allowing flexibility in deployment options. Option D correctly identifies this model.	M1DISA	356	51	M1DISA
357. A Platform as a Service (PaaS) Cloud Computing model allows clients access to	Hardware & operating system on the cloud but not the underlying infrastructure	Hardware & operating system on the cloud and also the underlying infrastructure	A variety of software provided on the cloud	Infrastructure, in terms of processing, storage & other computer networks, alone	a	PaaS provides hardware and operating system access on the cloud without the need to manage the underlying infrastructure. Option A accurately describes this service model.	M1DISA	357	198	M1DISA
358. A Software as a Service (SaaS) Cloud Computing model allows clients access to	Hardware & operating system on the cloud but not the underlying infrastructure	Hardware & operating system on the cloud and also the underlying infrastructure	Infrastructure, in terms of processing, storage & other computer networks, alone	A variety of software applications made available by the provider on the cloud	d	SaaS allows clients access to software applications provided by the provider on the cloud. Option D correctly describes this model.	M1DISA	358	79	M1DISA
359. One of the major risks associated with Cloud computing is __________	Increased cost of operations	Greater dependency on third parties & vulnerability to risk	Increase in manpower requirements	Loss of competitive advantage	b	Cloud computing can increase dependency on third-party providers, posing risks related to service availability and data security. Option B correctly identifies this major risk.	M1DISA	359	125	M1DISA
360. What are the major perspectives in the role of a Chartered Accountant (CA) in the post implementation stage of Enterprise Resource Planning (ERP) software ?	Defining criticality of the business & applying priorities	Cost-benefit analysis of customization	Optimization & security of the software system	Reports required for monitoring and control	c	Post-implementation of ERP software, a CA focuses on optimizing the system's performance and ensuring its security. Option C accurately describes these roles.	M1DISA	360	191	M1DISA
361. What are some of the major challenges of using Enterprise Resource Planning (ERP) software ?	Reduced data access	Need for redundant legacy systems to be maintained in parallel	Expenses & time in implementation	Increased operating costs	c	The major challenges of ERP software include the high expenses and time required for implementation. Options A, B, and D are incorrect because ERP systems typically enhance data access, eliminate the need for legacy systems, and aim to reduce operating costs. Hence, Option C is correct.	M1DISA	361	174	M1DISA
362. Your client has a diversified business with manufacturing units & offices at multi-locations. He is now trying to streamline operations by opting for a centralized ERP system. You have assisted him in screening potential products & arriving at the one best suited to his needs. The next step which would be critical for optimizing the ERP software & aligning it to the business’s needs would be	Understanding business processes, identifying priorities & incorporating best practices	Eliminating legacy systems	Implementing the system immediately to save on time & reap the benefits quickly	Implementing the system in a part of the organization alone, to start with	a	Before implementing an ERP system, understanding business processes, identifying priorities, and incorporating best practices are crucial steps. Option A correctly identifies this critical phase. Options B, C, and D are incorrect as they do not address the initial optimization needed before ERP implementation. Hence, Option A is correct.	M1DISA	362	14	M1DISA
363. Which of the following is true of a typical Enterprise Resource Planning (ERP) system ?	Capable of operation only on batch processing basis; cannot be real-time based	At any point of time, the same data, on real-time basis, can be accessed by people in different parts of the organization	Capable of generating a balance sheet and P&L statement even on a daily basis	Implementation of a new ERP system can be done very quickly since it is modular	c	ERP systems are capable of generating financial statements like balance sheets and P&L statements on a daily basis, as mentioned in Option C. Options A, B, and D are incorrect as they do not correctly describe the capabilities of typical ERP systems. Hence, Option C is correct.	M1DISA	363	39	M1DISA
364. One of the major risks of Enterprise Resource Planning (ERP) systems is ?	Increased complexity of simply legacy processes	Increased manpower requirement, particularly in the accounting area	Risk of depending upon one ERP vendor for all the critical operations of the organization	Increased operating costs	c	One major risk of ERP systems is dependency on a single vendor for critical operations, as stated in Option C. Options A, B, and D do not accurately describe major risks associated with ERP systems. Hence, Option C is correct.	M1DISA	364	194	M1DISA
365. You are a budding entrepreneur running a Small & Medium Enterprise. The SME is on a rapid growth path & you have ambitious expansion plans. You have invested substantial sums in creating a robust IT system for the organization keeping in mind your future plans. You realize that the success of any system lies in checks and balances, including a proper auditing system & decide on appointing an auditor. The qualities you would pragmatically expect an ideal auditor to possess for this role would be	Expertise in all areas of IT technology	Thorough knowledge on the financial aspects alone	Adequate working knowledge of IT hardware & software	Expertise both in financial and IT technology aspects	c	An ideal auditor for IT auditing needs adequate working knowledge of IT hardware and software, as highlighted in Option C. Options A, B, and D are incorrect as they do not correctly identify the necessary qualities for an IT auditor. Hence, Option C is correct.	M1DISA	365	5	M1DISA
366. You are a Sales Manager in a consumer product company equipped with the latest laptop computer. You use the laptop for analysing territory-wise sales trends, customer preferences, etc. After a recent upgrade of software by your company’s IT department, you observe that you are no longer able to analyze historical sales trends. However, when you check the database in the computer, the historical sales data is very much available. The problem you are facing is probably due to	A bug or inadequacy in the operating system	A bug or inadequacy in the application software	Insufficient memory space in the computer	Defective hardware in the laptop	b	The inability to analyze historical sales trends after a software upgrade suggests a bug or inadequacy in the application software, as stated in Option B. Options A, C, and D are incorrect as they do not address the likely cause of the problem described. Hence, Option B is correct.	M1DISA	366	106	M1DISA
367. Following an orientation programme on Information Technology, four members from the group of participants are picked up and named Mr Fetch, Mr Decode, Ms Execute and Ms Store as representative parts of the CPUs machine cycle. In which sequence should these individuals queue up in order to accurately demonstrate the machine cycle performed by the CPU ?	Mr Decode, Ms Execute, Ms Store and Mr Fetch	Ms Store, Mr Fetch, Mr Decode and Ms Execute	Ms Execute, Mr Fetch, Mr Decode and Ms Store	Mr Fetch, Mr Decode, Ms Execute and Ms Store	d	The sequence Mr Fetch, Mr Decode, Ms Execute, and Ms Store accurately represents the CPU machine cycle, as stated in Option D. Options A, B, and C are incorrect as they do not follow the correct sequence of CPU operations. Hence, Option D is correct.	M1DISA	367	162	M1DISA
368. Your client’s business volume has been stagnating & he is keen to explore ways and means of growing it. With the objective of drawing up an appropriate strategy, you advise him to conduct a SWOT analysis for which he collects a lot of operational information related to marketing, manufacturing, etc.. He realizes that his information system is now faced with information overload & he needs to supplement his Secondary Memory capacity. Secondary memory	Is non-volatile memory with large storage capacities	Is volatile memory with large storage capacities	Is non-volatile memory which is fast & responsive	Involves higher cost per unit of information than RAM	a	Secondary memory is non-volatile memory with large storage capacities, as stated in Option A. Options B, C, and D are incorrect as they do not accurately describe the characteristics of secondary memory. Hence, Option A is correct.	M1DISA	368	75	M1DISA
369. You are auditing the recent purchase of IT hardware equipment in your client’s office. You study the Mean Time before failure (MTBF) as also Mean Time to Repair (MTTR) of the equipment. Ideally,	MTBF must be low and MTTR must be high	MTBF must be high and MTTR must be low	Both MTBF and MTTR must be high	MTBF and MTTR must be equal to each other	b	Ideally, the Mean Time Between Failures (MTBF) should be high, and the Mean Time To Repair (MTTR) should be low, as stated in Option B. Options A, C, and D are incorrect as they do not correctly define the ideal MTBF and MTTR scenarios. Hence, Option B is correct.	M1DISA	369	84	M1DISA
370. As a Chartered Accountant, you feel that Hardware Auditing	A. Is best carried out by the purchase department of the I.T. department	B. Should be restricted to the financial aspects of hardware usage	C. Primarily encompasses hardware acquisition & capacity management	D. Is not as critical as software auditing which can be a more vulnerable area	c	Paragraph 1.6 elaborates on the criticality of hardware acquisition & capacity management as KEY Areas of Hardware auditing. Hardware is a vulnerable area which needs to be closely reviewed by Audit. Hence, the other three options are not correct	M1DISA	370	178	M1DISA
371. Your client reports to you concern about security of the data in his organization and would like to install software which effectively manages ownership assignment of all data for accountability. What type of software would you recommend him to install ?	A. Data Communications Software	B. Access Control Software	C. Utility programs	D. Defragmenters	b	It is access control software which is vested with the responsibility for assigning ownership of all data for purposes of accountability (para 2.3.2). Data Communications software generally assists the OS for local and remote terminal access (option A). Utility programs and defragmenters basically help improve computer efficiency and performance and have nothing to do with ownership assignment of all data.	M1DISA	371	71	M1DISA
372. You are auditing a major software purchase transaction by your client. In your opinion, what should your client have done as a first step in acquiring the software ?	A. Establish scope, objectives background & project charter	B. Establish criteria for selecting and rejecting alternatives	C. Carry out Cost/Benefit analysis, including make or buy decision	D. Determine supplier’s technical capabilities & support services	a	Without first establishing the scope and objectives, software acquisition may end up failing on fundamental aspects of meeting end user needs. This would be the starting point, therefore, for any acquisition exercise. The other options get ruled out by default.	M1DISA	372	160	M1DISA
373. Your client is in the process of deploying IT in his business operations & seeks advice about the potential drawbacks of following a Centralised Deployment Strategy. Your answer would be that the major drawback of this strategy would be	A. Resource sharing of reduced order	B. Poorer economies of scale	C. Reduced security	D. Vulnerability due to single point of failure	d	Centralized deployment strategy concentrates all its resources at one central point making it vulnerable to total system failure in the event of this central point being compromised in any manner (Option D). Resource sharing, economies of scale, and reduced security are not the primary drawbacks as described in the justification.	M1DISA	373	133	M1DISA
374. Your client is in the process of deploying IT in his business operations & seeks advice about the potential drawbacks of following a De-centralised Deployment Strategy. Your answer would be that the major drawback of this strategy would be	A. Less flexibility to cope with internal/external changes	B. Potentially higher CAPEX requirement	C. Information systems could be mutually incompatible	D. Slower system development	c	A major disadvantage of decentralized deployment strategy is that, with decentralized decision making, different tailor-made information systems may be created at different locations leading to potential incompatibility (Option C).	M1DISA	374	99	M1DISA
375. A large private sector bank offering Core Banking Solutions has sought your assistance in auditing its Data centre operations. While drawing up your auditing approach to this bank, you would primarily focus upon	A. Number of employees in the Bank	B. Annual Business volume	C. Nature of software applications used	D. Type of services offered, risk management & control requirements	d	The complexity of services offered including the response time, risk management objectives and control goals would drive the IT components of a CBS Data Centre (Option D).	M1DISA	375	71	M1DISA
376. A large international airline has entered Indian airspace & is setting up IT and other infrastructure in a metro city in India. Its business is strongly dependent upon the internet & accuracy and prompt availability of data is critical to successful operations. It has already decided on backing up of all information as also storing of all transactional information at a remote site to overcome the contingency of any break-down of the infrastructure at its metro city office. As a Consultant to the business, what other measures of redundancy would you suggest to improve reliability, fault tolerance & accessibility, without, however, compromising on security?	A. A near-site data replication facility	B. A near-site Disaster recovery facility	C. Filing of hard copies of all transaction documents	D. Hiring cloud storage facilities as an additional back up	a	A near-site facility is normally used as a data replication facility only (Option A). It would not be a prudent choice for a disaster recovery facility since, as a proximate location, the probability of its getting exposed to the same geographical risks is very high.	M1DISA	376	76	M1DISA
377. You have been appointed as a Consultant to a SME which is slowly outgrowing its status & morphing into a large enterprise. The organization has invested in various types of software at different stages of its growth but now seeks to rationalize its IT infrastructure with an eye on future growth. Faced with the complexity of the existing Information System, you decide on first implementing a process of Configuration Identification (CI). This involves	A. Identification of all IS components without reference to version	B. Identification of software components of IS alone	C. Identification of all IS components in a system	D. Identification of hardware components of IS alone	c	Configuration identification involves identification of all versions & updates of both software and hardware. This facilitates continuous monitoring during the life cycle of the product & becomes useful at the time of any proposed changes in the components (Option C).	M1DISA	377	109	M1DISA
378. A SME which is slowly outgrowing its status & morphing into a large enterprise has appointed you as a Consultant. The organization has invested in various types of software & hardware at different points of time. You have realized that this disorganized and unplanned method of software & hardware acquisition has made it very vulnerable. Your considered view is that the first step towards securing the systems is to carry out Hardening of the Systems. This involves	A. Use of robust hardware to strengthen the system	B. Optimising configuration of hardware systems alone	C. Auditing configuration of software systems alone	D. Securely configuring systems to minimize security risks	d	Hardening of systems is the process of securely configuring computer systems to eliminate as many security risks as possible (Option D).	M1DISA	378	103	M1DISA
379. Your client asks you as to which type of Communication system facilitates simultaneous two way communication. You would then advise them to go in for	A. Half Duplex communication system	B. Full Duplex communication system	C. Simplex communication system	D. Combination of Simplex and Half Duplex systems	b	Full Duplex communication has the capability to handle simultaneous two way communication. It is like two Simplex systems put together.	M1DISA	379	193	M1DISA
380. You are being briefed by an accountant in your client’s office who has limited knowledge of cable technology. He speaks of the type of cable which has been chosen by his IT department for transmission of information. He explains that the cable’s positive features include high integrity, low attenuation over long distances, high carrying capacity & lesser power consumption. He also feels that it comprises an inner core made of glass or plastic type of material. What is your educated guess of the nature of this cable ?	A. Optical fibre cable	B. Co-axial cable	C. Twisted pair cable	D. Bi-metallic cable	a	An Optical fibre cable consists of an inner core made of glass/plastic/polymer/acrylic which uses light based signalling. It has high integrity as well as low attenuation over long distances.	M1DISA	380	58	M1DISA
381. You have recently taken on a Travel agency as your client. You are familiarizing yourself with the agency & its operations. You are told that they use a network of computers which are designed as per Bus topology. You realize then that the agency’s computer system involves	A. A single hub connecting all nodes	B. Connection of its computers on a single circle of cable	C. Connection of computers on a single backbone cable	D. Connection of every node to every other node	c	In Bus topology, all the computers in the network are connected on a single backbone cable.	M1DISA	381	96	M1DISA
382. You have signed on for an audit of an Internet service provider. What sort of network topology do you expect this organization to have adopted ?	A. Ring topology, involving connection of all the computers on a single ring of cable	B. Star topology, connecting all the computers to a central hub or switch	C. Mesh topology, involving physical connection of every node with every other node	D. Bus topology with all systems Ideally suited for systems with need for low degree of fault tolerance	c	This involves physical connection of every node with every other node. It is rather complex and requires maximum number of cables.	M1DISA	382	117	M1DISA
383. Your client has noted that a user with a particular IP address has been trying to access its server & wishes to identify the physical address (MAC) of the user. Which is the protocol which would have to be used for doing this ?	A. Internet Control Message Protocol (ICMP)	B. Transmission Control Protocl (TCP)	C. Simple Mail Transfer Protocol (SMTP)	D. Address Resolution Protocol or ARP	d	ARP is a method of ascertaining the physical address (MAC), given the IP address.	M1DISA	383	72	M1DISA
384. You observe that the first Octet of the IP address of one of your clients is 195 in decimal range. In which Class of the IPv4 Classful Addressing Scheme does this fall ?	A. C	B. D	C. A	D. E	a	The first Octet of Class C of the IPv4 Classful Addressing Scheme is any number ranging between 192 and 223 & the client’s number of 195 falls within this range.	M1DISA	384	90	M1DISA
385. Technology development by design from a strategic perspective by CA firms could	A. Be a promotional tool for CA firms, attracting more clients	B. Be a Growth Catalyst / KEY differentiator for current/new services to existing / new customers	C. Be an expensive proposition with doubtful long term benefits	D. Be a wasteful exercise since IT technology is very volatile & could become obsolete quickly	b	Technology development can be a growth catalyst and a key differentiator for firms offering new or enhanced services (Option B).	M1DISA	385	134	M1DISA
386. You have just taken on as your client, a huge international organization with a large presence on internet networks. To which class of IPv4 Classful Addressing Scheme do you expect its IP address to belong & within what range would the first Octet of its address fall ?	A. Class B, 128-191	B. Class C, 192-223	C. Class A, 1-126	D. Class E, 240-254	c	Large organizations with extensive presence on the internet are generally included in Class A of the IPv4 Classful Addressing scheme.	M1DISA	386	176	M1DISA
387. Your client company is involved in research & development on the internet. Which class of IPv4 Classful Addressing Scheme do you expect it to use & within what range would the first Octet of that address fall ?	A. Class A, 1-126	B. Class B, 128-191	C. Class C, 192-223	D. Class E, 240-254	d	Class E of the IPv4 Classful Addressing scheme is reserved for research & development / study.	M1DISA	387	117	M1DISA
388. You have just taken on as your client, a huge international organization with a large presence on internet networks. Which of the following types of Network (N)/Host (H) id of the IPv4 Classful Addressing Scheme would you expect the client to have ?	A. N.H.H.H	B. H.N.N.N	C. N.N.H.H.	D. H.H.N.N	a	Large organizations with extensive presence on the internet are generally included in Class A of the IPv4 Classful Addressing scheme.	M1DISA	388	133	M1DISA
389. Your new client advises you that its IP address falls under Class C of the IPv4 Classful Addressing Scheme. Which of the following types of Network (N)/Host (H) id would you expect the client to have ?	A. H.N.N.N	B. N.N.H.H.	C. N.N.N.H	D. H.H.N.N	c	Class C addresses have the first three octets for the network ID and the last octet for the host ID, hence Option C is correct.	M1DISA	389	6	M1DISA
390. If your client’s IT manager advises you that his company’s default sub-net mask under the IP Classful Addressing Scheme is 255.255.0.0, which of the following IP classes does his company’s network belong ?	A. Class A	B. Class C	C. Class B	D. Class E	c	The default sub-net mask of Class B of the IP Classful Addressing Scheme is 255.255.0.0.	M1DISA	390	141	M1DISA
391. You are with the IT Manager of your client, trying to understand their systems. The IT Manager is a person who revels in creating puzzles. When you ask him about his company’s IP address, he tells you that it belongs to an IPv4 class that can accommodate the least number of networks but the maximum number of hosts per network (usable addresses). To which IP class is he referring ?	A. Class A	B. Class B	C. Class C	D. Class D	a	The IP class A of IPv4 can handle the least number of networks (126) and maximum number of usable addresses (1,67,77,214). Hence, Option A is correct & the other options are incorrect.	M1DISA	391	48	M1DISA
392. You are with the IT Manager of your client, trying to understand their systems. The IT Manager is a person who revels in playing with puzzles. When you ask him about his company’s IP address, he tells you that it belongs to an IPv4 class that can accommodate nearly 21 lakh networks. He adds, however, that the flip side is that the number of usable addresses per network would be a measly figure of about 250. To which IP class is he referring ?	A. Class A	B. Class B	C. Class D	D. Class C	d	The IP class C of IPv4 can handle as many as 20,97,150 networks but number of usable addresses can be only 254. Hence, Option D is correct & the other options are incorrect.	M1DISA	392	96	M1DISA
393. As an experienced Chartered Accountant, you are addressing a group of freshers on the subject of the massive quantities of information available to any organization. In this background, what would you stress as most critical for successful business operations ?	A. Establishing hardware infrastructure to handle voluminous information	B. Recruiting more IT personnel to handle large volume of data	C. Building more storage space for the voluminous data	D. Capability to pick out the KEY Aspects which can help serve the customer better	d	The most critical factor for business success in the current information age is the capability to sift the grain from the chaff, pick out the exceptions & appreciate customer preferences & nuances of demand. The other options of creating infrastructure, adding people or storage space are, at best, short term measures for coping with dealing with ‘big data’ rather than means of identifying customer needs & satisfying them.	M1DISA	393	143	M1DISA
394. The store then decided to experiment with extended timings, up till midnight, for the stores in such markets & was delighted to find sales burgeoning. Which of the following best describes this initiative ?	A. Leveraging Business Intelligence to identify latent customer needs	B. Increasing investments in people for higher returns	C. Improved channel management	D. Cost saving experiment	a	This is a clear case of leveraging business intelligence to identify latent customer needs. But for the capability to collect, analyse data & draw insightful conclusions therefrom, this success could not have been achieved. Option A, therefore, is correct. The other answers may be the incidental outcomes of the action taken in the process of leveraging business intelligence and not the actual initiative per se.	M1DISA	394	106	M1DISA
395. You are a Consultant to a budding Small & Medium Enterprise which is aiming at growing into a large enterprise. You carry out a detailed study of the current state of the enterprise in terms of people, systems, procedures, etc. You decide to focus on systems and IT, in particular, as the backbone for the enterprise’s future growth plans. You observe that the existing system has limitations in terms of lack of uniformity of software, databases, delay in availability of analysed data, etc. Your recommended solution would be for ___________	A. Up-gradation of all the current versions of software	B. Installation of an Enterprise Resource Planning software	C. Up-gradation of the current versions of software & addition of fresh software	D. Installation of a new Database Management system	b	Answers at Options A, C & D could at best achieve partial solutions. A robust ERP software system, however, will help integrate all aspects of the business and support online recording as well as speedy analysis & decision support. This could help eliminate multiple legacy systems & help improve business processes. Hence, Option B would be the correct recommendation of the Consultant.	M1DISA	395	102	M1DISA
396. The Indian fertilizer industry depends heavily on Government subsidies since they are expected to sell their products to customers at prices far below the cost of production. The Government has evolved a complicated mechanism for deciding the subsidy level for each type of fertilizer depending upon various dynamic factors like the international price of the raw material / finished product, the Rupee/dollar exchange rate, conversion & added costs, etc. The industry association decides to set up a common cloud facility for helping the individual units manage the work of raising regular subsidy claims linked to the various cost factors as also sales elements, etc. Such a cloud facility would be deemed to be a ______________	A. Public Cloud facility	B. Private Cloud facility	C. Community Cloud facility	D. Hybrid Cloud facility	c	When several businesses share a common cloud computing resource, it is called a community cloud facility. Hence, Option C is correct whereas the other options are incorrect.	M1DISA	396	13	M1DISA
397. One of your client’s managers tells you that they have recently opted for some cloud computing facilities. Being a non-IT official, he says he does not understand what exactly is meant by the term but he has been told that they have opted for a model of Infrastructure as a Service (IaaS). With your own background knowledge of the subject, you explain to him that an IaaS model involves _____________	A. Provision of processing, storage networks & other basic computing resources	B. Provision of various types of software on the cloud which can be used by any client	C. Provision of hardware & operating system platform alone	D. Provision of manpower on remote access basis	a	The IaaS model involves provision of processing, storage networks & other basic computing resources as brought out in Option A. Hence, the other options are incorrect.	M1DISA	397	179	M1DISA
398. Your client hires the services of an e-auction platform for launching its reverse auction for purchase of various raw materials. The client accesses the platform through the internet. Several suppliers register themselves with the platform & participate in the reverse auction on the planned date. Which model of e-commerce would this fall in _____________	A. Business-to-Government	B. Business-to-consumer	C. Business-to-business	D. Consumer-to-consumer	c	This would obviously be a case of a business-to-business model &, hence, only Option C is correct.	M1DISA	398	136	M1DISA
399. The Tamil Nadu State Government has announced that payment of house taxes, electricity bills, etc. can be made by citizens through the respective portals using internet banking or credit / debit cards. Which model of e-commerce would this fall in ______________	A. Business-to-business	B. Business-to-Government	C. Consumer-to-consumer	D. E-Government	d	This would obviously be a case of E-Government, facilitating payment of taxes & bills through an Internet based facility. Hence, only Option D is correct.	M1DISA	399	125	M1DISA
400. You are a Google account holder. Google informs you that they have begun to offer cloud computing facilities to its users & that, as an existing user, you will be allowed up to 15 GB of data storage on the cloud free of cost & thereafter, a nominal $ 0.026 per GB per month. Delighted, you begin using the facility with your laptop. Soon, you receive an alert on the system that you have exhausted the 15 GB free storage space & would need to begin paying for securing more storage space. Which of the characteristics of Cloud computing does this demonstrate ?	A. Resource Pooling	B. Network access from any device	C. Measured services & on-demand self-service	D. Access to software & computing capabilities	c	In the given instance, the client is being offered measured services & on-demand self service as brought out in Option C. The example does not throw up any specific information about Resource pooling or facility for accessing the cloud through any device other than the laptop being used. It does not also speak of other Cloud computing services like access to software, etc. Hence, only Option C is correct.	M1DISA	400	191	M1DISA
401. The Bring Your Own Device (BYOD) concept _____________	A. Envisages permitting employees to use their own personal devices for official work	B. Envisages permitting employees to do their personal work on official devices	C. Is a risk free & beneficial system for corporate	D. Envisages storage of both official & personal information on the same device without any demarcation	a	The BYOD concept envisages permitting employees to use their own personal devices for official work. It has the advantage of saving IT infrastructure expenditure & convenience for employees. It does not envisage usage of company properties by employees for their personal work. While it has many advantages, it is vulnerable to some risks. In general, when the same device is used both for personal as well as official use, virtual demarcation is made of the information storage system & adequate firewalls incorporated. Thus, Option A alone is correct.	M1DISA	401	120	M1DISA
402. eXtensible Markup Language or XML _______________	A. Describes how data can be presented in the form of web pages	B. Involves use of pre-determined tags	C. Is a platform-independent, standard data exchange format	D. Is less powerful than Hypertext Markup Language or HTML	c	As indicated in Option A above, XML is a platform-independent, standard data exchange format. It performs presentation, communication & storage of data. It does not involve use of pre-determined tags; instead, users need to define their own tags. XML is more powerful than HTML since it facilitates automatic manipulation & interpretation of data. Thus, Option C alone is correct.	M1DISA	402	125	M1DISA
403. eXtensible Markup Language or XML _________________	A. Can handle data transfer only when the data is in a compatible format	B. Facilitates exchange of data even in incompatible formats	C. Is supported only by some of the major software products	D. Involves use of pre-determined tags	b	The main strength of XML is its ability to create data in a format which can be read by different applications. It is portable, supported by major software products & is in easily readable format. It does not involve use of pre-determined tags; instead, users need to define their own tags. Hence, Option B is correct.	M1DISA	403	71	M1DISA
404. A limitation of eXtensible Markup Language or XML is that it ___________	A. Software developers do not build their new products on it, limiting interoperability	B. Can handle data transfer only when the data is in a compatible format	C. Is less powerful than Hypertext Markup Language or HTML	D. Lacks inherent security; any means of validation, confidentiality or integrity	d	One weakness of XML is that it lacks inherent security, any means of validation, confidentiality or integrity. However, its main strength is its ability to create data in a format which can be read by different applications & can handle data even when it is not in compatible format. It is supported by major software products & is in easily readable format. XML is, in fact, more powerful than HTML since it facilitates automatic manipulation & interpretation of data. Hence, Option D is correct.	M1DISA	404	47	M1DISA
405. An advantage of eXtensible Business Reporting Language or XBRL over eXtensible Markup Language or XML is that the former ___________	A. Can help create data that can be read by different applications	B. Is portable and vendor neutral	C. Is a standard that has been accepted & adopted the world over	D. Provides a standard format for data exchange	c	As indicated in Option A above, XBRL has the advantage of being a standard that has been accepted and adopted the world over. The other answers in Options A B and D are equally applicable both to XML as well as XBRL. Hence, the correct answer is only in Option C.	M1DISA	405	164	M1DISA
406. An advantage of eXtensible Business Reporting Language or XBRL over eXtensible Markup Language or XML is that the former _______________	A. Is much faster and allows real-time preparation of reports	B. Provides a standard format for data exchange	C. Is portable and vendor neutral	D. Can help create data that can be read by different applications	a	As indicated in Option A above, XBRL has the advantage of facilitating faster and real-time preparation of business reports. The other answers in Options B to D are equally applicable both to XML as well as XBRL. Hence, the correct answer is only in Option A.	M1DISA	406	132	M1DISA
407. An advantage of eXtensible Business Reporting Language or XBRL over eXtensible Markup Language or XML is that the former ______________	A. Provides a standard format for data exchange	B. Is portable and vendor neutral	C. Can express more than one relationship amongst elements	D. Can help create data that can be read by different applications	c	As indicated in Option A above, XBRL has the advantage of being capable of expressing more than one relationship amongst elements, such as multiple hierarchies. This is because it defines relationships separately from elements, unlike XML. The answers in Options A B and D are equally applicable both to XML as well as XBRL. Hence, the correct answer is only in Option C.	M1DISA	407	78	M1DISA
408. A feature of eXtensible Business Reporting Language or XBRL which is not found in eXtensible Markup Language or XML is that the former _________	A. Uses Taxonomy & Instance documents	B. Uses XML standard	C. Can define elements & relationships for data used internally	D. Is supported by XML validation tools	a	As indicated in Option A above, XBRL uses Taxonomy (procedure for creating files with relevant business terminology, etc. along with the rules that they must follow) & Instance documents (documents containing the data in well-formed XML.) The answers in Options B to D are applicable equally both to XML as well as XBRL. Hence, the correct answer is only in Option A.	M1DISA	408	64	M1DISA
409. CAs need to be well versed with the benefits & control issues of eXtensible Business Reporting Language or XBRL because _____________	A. It uses XML standard	B. More and more countries are mandating the use of XBRL	C. It can define elements & relationships for data used internally	D. It is supported by XML validation tools	b	As indicated in Option B above, more and more countries are mandating the use of XBRL because it has been validated and declared as a standard. It also has the advantages of being able to ensure compatibility with regulatory standards, improved data quality & is faster in report preparation. The answers in Options A, C and D are applicable equally both to XML as well as XBRL &, hence, cannot account for the significant difference in importance of XBRL. Hence, the correct answer is only in Option B.	M1DISA	409	188	M1DISA
410. Which of the following is an example of Social Media _________	A. LinkedIn	B. Times of India newspaper	C. Society monthly magazine	D. National Geographic magazine	a	Social media is social interaction among people in which they create, share or exchange information & ideas in virtual communities and networks. LinkedIn as an example of social networking is an example of social media. The other instances are examples of magazines and newspapers which do not fall within the ambits of social media. Hence, the correct answer is only in Option A.	M1DISA	410	19	M1DISA
411. State True or False. In Social Media, content is supplied and managed by user himself through the use of tools and platforms supplied by social media sites.	A. TRUE	B. FALSE	-	-	a	Social media is social interaction among people in which they create, share or exchange information & ideas in virtual communities and networks. Social media sites like Facebook do allow users to supply & manage content using the tools and platform provided by the sites. Hence, the correct answer is as in Option A.	M1DISA	411	25	M1DISA
412. What is the major aspect of Social Media which is relevant to business, in general ____________	A. It helps sell more software related to tools of social media	B. It renders physical markets and direct contact with customers redundant	C. It facilitates a platform for business to interact with customers	D. It is relevant only to members of the higher income group in society	c	Social media provides businesses a platform to interact with customers to conduct market research, carry out sales promotion, reward campaigns, etc. The prospect of selling relevant software is not a generalized benefit but restricted to a narrow spectrum of business. While it does increase the importance of presence in social media, it does not, necessarily, reduce the importance of physical markets & direct customer contact. It is also not true to say that social media is more relevant only to members of the higher income group in society. Hence, the correct answer is as in Option C.	M1DISA	412	18	M1DISA
413. Breach of privacy, fear of legal action, potential for negative reputation, etc. are potential risks for business leveraging social media. What is the other major type of risk which a CA may have to address ______________	A. The risk of ignoring customers who are not members of the social media	B. The risk of development of new social media platforms	C. The risk of use of social media by employees on organization networks/devices	D. The risk of the collapse of all social media	c	The risk of use of social media by employees on organization networks and devices is the other major risk which CAs would have to be alert to. For, this could lead to intentional or accidental leak of organizational data as also provide a route for hackers to access the organization’s data base. The other risks outlined in Options A B and D are not significant enough to cause concern. Hence, the correct answer is as in Option C.	M1DISA	413	146	M1DISA
414. What is one of the important measures required for mitigating security concerns in using Social Media?	A. The organization avoiding use of Social media	B. Creation of & compliance with a robust, comprehensive Social Media policy	C. Banning employees from being members of social media	D. Creating firewalls blocking out potential hackers	b	The single major initiative that an organization can take is the creation of a robust & comprehensive Social Media policy. Avoiding use of social media is a sub-optimal & escapist solution which will not benefit the organization. Banning employees is too tyrannical a measure to take in an era when most people, particularly, from the younger generation, are members of some form or social media. This may actually deter potential employees from joining the organization. The use of firewalls is required as a matter of standard policy, whether the organization is using social media or not. Hence, the correct answer is as in Option B.	M1DISA	414	98	M1DISA
415. How is Geolocation different from Global Positioning System (GPS) ?	A. It is not different; it is just another term for GPS	B. Geolocation ascertains location of satellites rather than individuals/devices on the earth	C. Geolocation helps identify the ideal location for installation of disaster recovery systems	D. Geolocation focuses more on a meaningful location rather than mere geographical co-ordinates	d	Geolocation primarily focuses on locating individuals/devices on the earth, whereas GPS is used to ascertain the location of satellites and provide precise geographical coordinates. Hence, the correct answer is as in Option B.	M1DISA	415	50	M1DISA
416. State True or False. A major risk involved with the use of Geolocation services is the concern of source, ownership & misuse of data owing to involvement of multiple data controllers.	A. TRUE	B. FALSE	-	-	a	One of the major risks involved with the use of Geolocation services is, indeed, the concern regarding source, ownership & misuse of data arising from the involvement of multiple data controllers. Hence, the correct answer is as in Option A.	M1DISA	416	136	M1DISA
417. The Business Information System used for handling structured problems as also doing routine transactional jobs is _________________	A. Transaction Processing System or TPS	B. Decision Support System or DSS	C. Executive Support System or ESS	D. Structured Query Language or SQL	a	The Business Information System used for handling structured problems as also transactional jobs is the Transaction Processing System or TPS. DSS & ESS are higher level systems which aim more at problem solving & also address strategic concerns. Hence, the correct answer is as in Option A.	M1DISA	417	179	M1DISA
418. The Business Information System which provides answers to semi-structured problems used for handling structured problems & for validation of business decisions is ________________	A. Structured Query Language or SQL	B. Transaction Processing System or TPS	C. Decision Support System or DSS	D. Executive Support System or ESS	c	The Business Information System used for handling semi-structured problems & for validation of business decisions is the Decision Support System or DSS. TPS address lower level needs while ESS deals with higher level systems which aim more at problem solving & also address strategic concerns. Hence, the correct answer is as in Option C.	M1DISA	418	81	M1DISA
419. The Business Information System which provides answers to un-structured problems & supports Executive management in planning strategy & vision is ________________	A. Structured Query Language or SQL	B. Executive Support System or ESS	C. Transaction Processing System or TPS	D. Decision Support System or DSS	b	The Business Information System used for handling un-structured problems & for supporting Executive management in planning strategy & vision is validation of business decisions is the ESS. TPS & DSS address lower level needs. Hence, the correct answer is as in Option B.	M1DISA	419	141	M1DISA
420. In an inter school competition on Artificial Intelligence, four children develop software which perform the following different functions respectively. Which of them is a correct example of the use of basic Artificial Intelligence ?	A. A calculation software which arrives at the arithmetic total of figures keyed in	B. A password system which allows access based upon keying in of the correct password	C. Predictive & self learning word-processing software	D. A software which rejects invalid dates like 32nd March 2014	c	The word-processing software pops up suggested words based upon the first few words keyed in by the user. Also, when the user keys in a new word which is not available in its repertoire, it adds it to its collection & reflects it as an option the next time similar letters are initiated. In effect, the software is able to observe & record patterns and improves through ‘learning’. The other answers in Options A B and D involve the basic computing functions of a computer which is based on a ‘go / no-go’ logic which does not involve pattern recognition or further learning. Hence, the correct answer is only as in Option C which displays characteristics of artificial intelligence.	M1DISA	420	17	M1DISA
421. Artificial Intelligence works with the help of two concepts; one of them is Artificial neurons. The other is ?	A. ‘If-then’ statements and logics	B. ‘What-if’ scenarios	C. The four ‘W’s What, When, Where & Why	D. ‘How-Why’ statements	a	Artificial intelligence works with the help of Artificial neurons as also ‘If-then’ statements / logics. The answers in the other options are no correct. Hence, the correct answer is only as in Option A.	M1DISA	421	28	M1DISA
422. Artificial Intelligence works with the help of two concepts; one of them is Artificial neurons. The other is ?	A. ‘What-if’ scenarios	B. The four ‘W’s What, When, Where & Why	C. ‘If-then’ statements and logics	D. ‘How-Why’ statements	c	Artificial intelligence works with the help of Artificial neurons as also ‘If-then’ statements / logics. The answers in the other options are no correct. Hence, the correct answer is only as in Option C.	M1DISA	422	171	M1DISA
423. An Expert System _____________	A. Is a software that supersedes the operation of other software	B. Is a panel of software experts who are consulted for solving security threats	C. Is a computer hardware that manages other hardware in a computer system	D. Is a software that comprises specialized human knowledge in a specific, narrow domain	d	As indicated in Option A above, an Expert system is a software that contains a significant portion of the specialized knowledge of one or more human experts in a specific, narrow domain. The answers given in the other options are not correct . Hence, the correct answer is only as in Option D.	M1DISA	423	155	M1DISA
424. A characteristic of Expert Systems is ______________	A. They cannot be used in embedded systems	B. They will have either a knowledge base or a set of rules for application, not both	C. They are used for structured logic like if- then-else	D. They are best suited to situations not requiring precision & error-free operations	c	As indicated in Option A above, Expert systems are used for structured logic like if- then-else. They are best suited to situations requiring precision and error-free operations & hence, are best suited for use in embedded systems, atomic power plants, space stations, etc. They will have both a knowledge base as well as a set of rules for application. Hence, the correct answer is only as in Option C.	M1DISA	424	26	M1DISA
425. You have received an alert about the due date for payment of your post paid mobile phone charges. You log on to the service provider’s website and attempt to transfer the payment through net banking. However, while you were able to complete the formalities involved at your bank’s portal, the system hangs later on and a message is flashed saying that there is a problem with the service provider’s system & asking users to try later. This is an issue with the service provider’s ___________	A. Transaction Processing System	B. Expert systems	C. Decision Support systems	D. Executive Support systems	a	The service provider’s transaction processing system has obviously failed & hence the difficulty the user is facing in completing the payment process for his bill. The answers in the options B to D are incorrect. Hence, the correct answer is only as in Option A.	M1DISA	425	50	M1DISA
426. You are an active player on the stock market & place buy / sell orders for shares throughout the working day with your broker. In the middle of a day characterised by particularly volatile movements in share prices & potential risk of losses, you wish to make an assessment of your positions. However, when you speak to your broker and ask him for a report of the transactions carried out on that day till that point of time, the broker responds saying that you would be able to access an online report by the end of the day, for all the transactions of the day at one go. This is an example of ____________________.	A. Online Transaction Processing system	B. Online Expert System	C. Batch Transaction Processing System	D. Online Executive Support systems	c	The service provider’s transaction processing system obviously operates on a batch process & reports are run at the end of a particular period, in this case, one day. The answers in Options A, B and D are wrong. Hence, the correct answer is only as in Option C.	M1DISA	426	117	M1DISA
427. You are an active player on the stock market & place buy / sell orders for shares throughout the working day with your broker. In the middle of a day characterised by particularly volatile movements in share prices & potential risk of losses, you wish to make an assessment of your positions. You speak to your broker and ask him for a report of the transactions carried out on that day till that point of time. The broker responds saying that you could access their website & be able to generate a report at any point of time in the day & get a report for all the transactions of the day at one go. This is an example of _______________	A. Online Transaction Processing system	B. Online Executive Support systems	C. Online Expert System	D. Batch Transaction Processing System	a	The service provider’s transaction processing system obviously operates on online transaction processing system since transactions are reflected in their reports at any point of time in the day. Hence, the answers in Options B to D are wrong. The correct answer is only as in Option A.	M1DISA	427	43	M1DISA
428. Your client is in the process of growing his business from the level of a Small & Medium Business into a larger organization. His operations have been computerized & customer transactions are being managed reasonably well. However, in order to take the next leap forward, he would like to get more insights into his business, appreciate customer needs better and would like data from his systems help him take business decisions which would propel him towards his goal of an enlarged business. You realize that his existing computer systems are basically Transaction Processing Systems (TPS) and he needs to transform them into Decision Support Systems (DSS) to enable him achieve his objective. One of the major advantages of DSS over TPS is _________________.	A. It can handle huge amounts of data from various sources	B. It responds rapidly	C. It is reliable	D. It provides information which helps the manager assess alternatives & choose the best	d	DSS have as their primary role the provision of information which can help a manager take a decision. The answers in Options A ,B and C are applicable to TPS too and are not exclusive to DSS. Hence, the answers in Options A, B to C are wrong. The correct answer is only as in Option D.	M1DISA	428	39	M1DISA
429. State TRUE or FALSE. ‘Decision Support Systems can support both semi-structured as well as structured problems; they can be useful both to operational as well as strategic decision-making’	A. TRUE	B. FALSE			a	DSS have the capability to support both semi-structured as well as structured problems. Their configuration is such that they can be used by managers as an aid to both operational as well as strategic decision-making. Hence, the above statement is true and Option A is correct.	M1DISA	429	59	M1DISA
430. A KEY differentiator for a Decision Support System over a Transaction Processing System is _______________.	A. It can handle large amounts of data in batch as well as online mode	B. It is more interactive & model-driven, performing mathematical & qualitative analysis	C. It has a larger database as compared to the transaction processing system	D. It can more reliably handle large volume of information relating to transactions	b	Decision support systems are far more interactive and model-driven, as brought out in Option A above. The answers in Options A,C and D are not correct and probably relate more to Transaction processing systems. They are surely not KEY differentiators. Hence, the correct answer is only as in Option B.	M1DISA	430	201	M1DISA
431. The type of software support system which would generally be suited for top-level decision-making, like spinning-off a portion of the company, acquiring another company, entering a new business, etc. is ____________	A. Decision Support System	B. Data Base Management System	C. Executive Support System	D. Delphi system	c	Executive support systems are the appropriate choice for such top-level decision making support, as brought out in Option C above. The answers in Options A, B and D are not correct. The correct answer is only as in Option C.	M1DISA	431	78	M1DISA
432. Executive Support Systems address ______________	A. External, un-structured and uncertain information through a structured approach	B. Internal & structured information through a un-structured approach	C. Day-to-day information for operational control & monitoring	D. Analysis of routine transactional data	a	Executive support systems are the appropriate choice for top-level decision making support. They are futuristic and deal with the macro world & potential changes in the environment & changed times. Hence, intrinsically, it deals with uncertain information substantially into the future but through a structured, well thought out approach. Hence, the answer in Option A above is correct. The answers in Options B to D are not correct.	M1DISA	432	3	M1DISA
433. Big Data refers to ____________	A. Data connected to the top few companies in each industry	B. Trillions of records from various sources with potentially high value	C. Data related to space research, involving great distances in the galaxy	D. Data relating to the largest selling products of each organization	b	Big Data refers to a large collection of data from various sources with potentially high value. The high value emanates from the insights which it is possible to derive from a careful analysis of the available data. Hence, the answer in Option B above is correct. The answers in Options A, C and D are not correct.	M1DISA	433	173	M1DISA
434. The main value of Big Data arises from ____________	A. Having more data than the competition	B. Having comprehensive information about all aspects of the business	C. Insights that can be gleaned about niche customers from large data	D. Its ability to cover all transactions with customers	c	Data collection in large quantities, per se, carries limited value. It is the careful analysis of humongous volumes of data to elicit patterns of customer behaviour, market trends, etc. that are the major prize won through Big Data. Such exercises help companies to tap new markets, implicit demand, etc. and thus, be one up on the competition. Hence, the answer in Option C above alone is correct. The answers in Options A, B and D are not correct.	M1DISA	434	52	M1DISA
435. What is the major control aspect of dealing with Big Data which a Chartered Accountant needs to be aware of ?	A. Privacy, security & legal aspects of dealing with customer & other parties’ information	B. Providing adequate storage space for the large volumes of data	C. Instituting adequate steps for collection & collation of the data	D. Ensuring adequate storage security through redundancy	a	There are potential risks involved in collecting, storing & utilising customer data. There is a need for ensuring the entire process is carried out in a legal manner without causing dis-comfort or loss of faith with the customer. Protecting information passed on by a customer based upon trust, is another KEY Aspect. Thus, the answer in Option A above is correct & the other answers are wrong.	M1DISA	435	106	M1DISA
436. Returning from school one day, your daughter cannot wait to talk about what they taught her on that day regarding environmental degradation & global warming. She tells you that electricity is generated by power plants to meet our energy needs but they are, at the same time, releasing greenhouse gases like Carbon dioxide which contribute to global warming, leading to cascading effects. An impact of this sort, created by an organization, individual or activity is referred to as _________	A. Carbon credits	B. Carbonification	C. Carbon footprint	D. Oxidisation	c	The level of green house gases generated by activities & actions of an individual or organization is referred to as a ‘carbon footprint’. Hence, the girl’s description of her learnings at school refer to the carbon footprint of setting up a power plant. Thus, the answer in Option C above is correct & the other answers are wrong.	M1DISA	436	46	M1DISA
437. Apart from the conscious choices of minimising the carbon foot print & networking hardware, Green Information Technology involves ______________	A. Use or organic products in the organization	B. Minimizing use of water in the organization	C. Avoiding air conditioning, utilising natural cooling and light	D. Minimization of computer devices’ energy consumption	d	The third of the choices to be made in Green Information technology is minimization of computer devices’ energy consumption over their life cycle, as indicated in Option D above. The answers in the other options are not correct.	M1DISA	437	71	M1DISA
438. One of following actions could be an intrinsic part of Green Information Technology implementation ______________	A. Moving back storage & processing capacity from the cloud	B. Replacing a single server system with multiple servers	C. Installation of automatic shutdown/power-up processes	D. Avoiding replacement of old equipment with new ones	c	The answers in Options A, B and D would act, by and large, counter to the goals of Green information technology. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate the benefits of retaining the old equipment. The answer in Option C, however, is relevant & will make a meaningful contribution to the goals of Green IT. Hence, only Option C is the correct answer.	M1DISA	438	95	M1DISA
439. One of the initiatives in Green Information Technology implementation could be ______________	A. Using single power efficient server combined with virtualization	B. Avoiding replacement of old equipment with new ones	C. Replacing a single server system with multiple servers	D. Moving back storage & processing capacity from the cloud	a	The answers in Options B to D would act, by and large, counter to the goals of Green information technology. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate the benefits of retaining the old equipment. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. The answer in Option A, however, is relevant & will make a meaningful contribution to the goals of Green IT. Hence, only Option A is the correct answer.	M1DISA	439	156	M1DISA
440. Effective Green Information Technology implementation could involve ______________	A. Replacing a single server system with multiple servers	B. Avoiding replacement of old equipment with new ones	C. Using power efficient hardware & thin clients	D. Moving back storage & processing capacity from the cloud	c	The answers in Options A, B and D would act, by and large, counter to the goals of Green information technology. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate the benefits of retaining the old equipment. The answer in Option C, however, is relevant & will make a meaningful contribution to the goals of Green IT. Hence, only Option C is the correct answer.	M1DISA	440	64	M1DISA
441. An useful step in Green Information Technology implementation could be ______________	A. Setting of clear goals for power reduction, decreased carbon footprint, etc.	B. Replacing a single server system with multiple servers	C. Avoiding replacement of old equipment with new ones	D. Moving back storage & processing capacity from the cloud	a	The answers in Options B to D would act, by and large, counter to the goals of Green information technology. Moving to cloud computing helps improved utilisation of resources; similarly, a single server system is probably more energy efficient than multiple servers. Though it may appear worthwhile continuing to sweat old equipment, new equipment are generally more energy efficient and can more than compensate for the benefits of retaining the old equipment. The answer in Option A, however, is relevant & will make a meaningful contribution to the goals of Green IT. The setting of clear goals helps direct focus to the effort. Hence, only Option A is the correct answer.	M1DISA	441	163	M1DISA
442. What is characteristic of Web 2.0 ?	A. Communication from one person/unit to many	B. HTML Web pages & email newsletters	C. Facilitates collaboration & information sharing online	D. Two-way communication not possible	c	The Web 2.0 version is a two-way communication facility covering blogs, wikis and social networking sites. It facilitates collaboration & information sharing online, as indicated in Option C. It is not a case of communication from only one person to many. It is also an improvement over the Web 1.0 version which comprised HTML web pages & email newsletters. Hence, Option C is the correct answer.	M1DISA	442	19	M1DISA
443. What is a distinguishing feature of Web 3.0 ?	A. Communication from one person/unit to many	B. Facilitates convergence of mobile phones, smartphone apps, etc.	C. HTML Web pages & email newsletters	D. Two-way communication not possible	b	The Web 3.0 version is an evolving system which is an improvement over Web 2.0. It facilitates convergence of mobile phones, smart phone apps, tablets, etc. It is not a case of communication from only one person to many. Like Web 2.0, it is also an improvement over the Web 1.0 version which comprised HTML web pages & email newsletters. Hence, Option B is the correct answer.	M1DISA	443	46	M1DISA
444. What is one of the controls that can be practically established for overcoming the risks of Web 2.0 without compromising on operational efficiencies ?	A. Blocking social networking sites like Facebook	B. Restricting access to blog sites	C. Blocking access to forums	D. Using extended validation, SSL certification for websites	d	Blocking out features like social networking, forums, blogs, etc. would prevent utilization of some of the KEY features of Web 2.0 and, hence, would be a sub-optimal approach. It would be better to build in preventive measures like website validation, as brought out in Option D. Hence, Option D is the correct answer.	M1DISA	444	86	M1DISA
445. One practical control that can be established for overcoming the risks of Web 2.0 without compromising on operational efficiencies is ?	A. To develop & implement internal policies for safeguarding against risks	B. Restricting access to blog sites	C. Blocking access to forums	D. Blocking social networking sites like Facebook	a	Blocking out features like social networking, forums, blogs, etc. would prevent utilization of some of the KEY features of Web 2.0 and, hence, would be a sub-optimal approach. It would be better to draw up a robust policy which addresses all the potential risks of Web 2.0 and the preventive measures required to minimizing them. Hence, only answer in Option A is correct.	M1DISA	445	88	M1DISA
446. What is an example of Click jacking ?	A. Malicious take-over of a computer on remote basis	B. Stealing files in a computer from a remote location	C. Stealing of keyed in credentials information	D. Resolution of software issues on a device from remote location	c	Click jacking is the malicious stealing of keyed in credentials information through a transparent second layer. The answers in Options A, B and D are incorrect; only the answer in Option C is correct.	M1DISA	446	151	M1DISA
447. What is the Web of Everything ?	A. Coverage of all theoretical concepts by the Internet	B. Encompasses the Internet as well as all forms of telecommunication	C. Comprises the Internet, all telecommunication as well as satellites	D. Expansion of Internet to objects like cars, refrigerators, etc.	d	The Web of Everything or the Internet of Everything is the integration of objects like cars, refrigerators, etc. into the internet. It basically merges the physical world with the digital world. The answers in Options A, B and C are incorrect; only the answer in Option D is correct.	M1DISA	447	39	M1DISA
448. What is 3D printing ?	A. Printing of a 3 dimensional video or movie on to paper	B. Technology for printing images on paper in 3-dimensional form	C. An additive manufacturing process for printing 3-dimensional objects	D. Technology which permits printing of images incorporating movement/change	c	3D printing in an exciting development in printing technology which permits the use of various types of materials, including metals, to create 3 dimensional objects. This is done through a process of additive manufacturing (AM) and can be used for creating virtually any 3 dimensional object. Answer at Option C is, hence, correct whereas the other answers are wrong.	M1DISA	448	49	M1DISA
449. Which is one of the major areas of emerging technology wherein CAs need to play a KEY role ?	A. Management of social media & the risks associated with it	B. Development of new software technology	C. New techniques of marketing of products	D. Developments in the field of integrated circuits	a	One major area of importance to CAs in the changing global environment is that of management of social media & the risk associated with it. For, organizations are increasingly shifting their marketing focus from the physical to the virtual market, exploiting the strengths of the Internet. As more and more products get linked to the Internet, the value of social media will increase tremendously as will the risks associated with it. Hence, Option A is the correct answer. The other answers from Options B to D are not correct.	M1DISA	449	50	M1DISA
450. Which one of the following is a KEY Area to be focussed upon by CAs in the current era of emerging technologies ?	A. New techniques of marketing of products	B. Developments in the field of integrated circuits	C. Security of Systems and Data	D. Development of new software technology	c	Apart from social media, the other major area of importance to CAs in the changing global environment is security of systems and data. With the explosion of the Internet & connected devices and expanded use of the Internet, the number of interfaces between an organization & its customers / stake holders has grown exponentially. As a consequence, security risks have mushroomed & the CA would have to focus on this as a KEY element driving not just the success of an organization but also in preventing failures in the organization. Thus, the answer in Option C is the correct answer. The other answers from Options A, B and D are not correct.	M1DISA	450	5	M1DISA
451. Information System Audit encompasses independent review & evaluation of ___________	A. Automated information systems, related manual systems & their interfaces	B. All computerised information systems alone	C. All financial information stored in computers	D. All financial & regulatory information stored in computers	a	IS Audit encompasses all automated information systems (containing both financial as well as non-financial information), related manual systems and the interfaces between them. Hence, Answer at Option A is correct & the other answers are incorrect.	M1DISA	451	170	M1DISA
452. In COBIT 5 enablers are factors that influence that something will work in governance & management of enterprise IT. How many such categories of enablers does the COBIT 5 system identify ?	A. 7 categories of enablers	B. 5 categories of enablers	C. 8 categories of enablers	D. 10 categories of enablers	a	COBIT5 identifies 7 categories of enablers that facilitate governance & management of enterprise IT. Hence, the answer in Option A is correct and the other options are wrong.	M2DISA	452	95	M2DISA
453. Guidance on evaluating and assessing the internal controls implemented in an enterprise is available in _________________	A. MEA 02 of COBIT 5	B. ITAF 1200 series	C. IS/IEF 27001	D. ITAF 1400 series	a	MEA 02 of COBIT 5 provides guidance on evaluating and assessing internal controls implemented in an enterprise. Hence, the answer in Option A is correct and the other options are wrong.	M2DISA	453	100	M2DISA
454. You have been engaged as a Consultant to carry out IS Audit of a large organization. What is the first step you would take while commencing your work ?	A. Commence auditing of the financials	B. List all the software and hardware used in the organization	C. Peruse financials for the previous three years	D. Identify all risks present in the IT environment of the organization	d	The first step in an audit engagement is to identify all risks present in the IT environment of the organization. Hence, the answer in Option D is correct and the other options are wrong.	M2DISA	454	125	M2DISA
455. What is the minimum frequency of risk assessment to be carried out as per ISACA guidelines ?	A. Once in 6 months	B. Once in 3 years	C. Once a year	D. Once in 2 years or whenever any major change in systems takes place	c	The minimum frequency of risk assessment as per ISACA guidelines is once a year. Hence, the answer in Option C is correct and the other options are wrong.	M2DISA	455	116	M2DISA
456. State TRUE or FALSE. As per ISACA guidance, the IS auditor can complete the risk assessment process and present the final findings to the stake holders. The auditor needs to maintain his independence and does not need to seek the specific approval of the stake holders for the findings.	A. FALSE	B. TRUE			a	As per ISACA guidance, the IS auditor needs to seek approval of the risk assessment from the audit stakeholders and other appropriate parties. Hence, the statement is false, and the answer in Option A is correct.	M2DISA	456	138	M2DISA
457. State True or False. Standards on Risk assessment pertaining to IS Audit are different from those prescribed by ICAI under SA315. IS Audit follow a different set of standards laid down by ISACA.	A. TRUE	B. FALSE			b	The standards on risk assessment for IS audit as prescribed by ICAI under SA315 are also applicable. Hence, the statement is false, and the answer in Option B is correct.	M2DISA	457	196	M2DISA
458. For effective risk assessment, auditors should ideally supplement the regular risk assessment procedures with _______________	A. Observation, inspection & analytical procedures	B. Interviews with client’s competitors	C. Intensive analysis of historical data	D. Interviews with client’s suppliers	a	Observation, inspection & analytical procedures help to zero in on risk areas specific to the business or period. Hence, the answer in Option A is correct.	M2DISA	458	52	M2DISA
459. The ideal risk assessment technique _____________	A. Is a computerized scoring system based upon evaluation of risk factors	B. Is judgmental, based upon the auditor’s personal assessment	C. Depends upon the complexity level & detail appropriate for the organization	D. Is a combination of computerized scoring & judgmental system	c	The ideal risk assessment technique depends on the complexity and detail appropriate for the organization. Hence, the answer in Option C is correct.	M2DISA	459	164	M2DISA
460. An IS Auditor carries out a preliminary visit to his client’s site to get a feel of the operations and identify risks, if any, missed out during his initial study of the records of the organization. In the server room, he feels uncomfortable and realizes that the humidity level as well as the ambient temperature are quite high. On further probing, he discovers that the air conditioning equipment had failed & the original supplier had ceased operations. The administration manager was struggling to find an alternate agency to set the problem right. Also, no fallback system was in place. The IS Auditor is wondering whether this would fall within the purview of his IT General Controls Review. What is your view ?	A. Yes, it would fall within the purview of IT General Control Review	B. No, it would not fall within the purview of IT General Control review			a	A general control review includes infrastructure and environment controls. Hence, the answer in Option A is correct.	M2DISA	460	93	M2DISA
461. As part of his exploratory trips to his client’s office, an IS Auditor meets up with the Server Manager. The manager is despondent and the auditor learns it is because of his network cable supervisor’s resignation and impending relief. The manager is unable to find a substitute immediately and dreads the thought of managing any network cabling issues in the interim. The auditor discusses the matter with the manager who feels that the incumbent supervisor is virtually indispensable and he has no subordinate who could step into his shoes. The auditor probes further and also visits some of the locations wherein cable inspection slots were located. He discovers that the cabling junctions had been done in a very haphazard fashion and were not even labelled. Nor was there any manual or chart identifying the network of cables, their junctions/ports, etc. He realizes that the incumbent supervisor had become indispensable on account of this disorganized cabling system as also the absence of any manual. Ideally, the cabling should have been carried out more scientifically, there should have been a ready-reckoner or manual showing the details of the network and a second-in-line should have been in place to stand in for the supervisor in the event of his short term absence or resignation. Would the auditor be well within his rights to include this aspect as a lacuna in the general controls review?	A. No, he would not be right to include this as a lacuna in his general controls review	B. Yes, he would be right in including this aspect as a lacuna in his general controls review			b	A general control review would include infrastructure and environment controls too. Hence, the answer in Option B is correct.	M2DISA	461	173	M2DISA
462. Is segregation of duties useful as an Organizational control? Why?	A. Yes, it reduces employee cost	B. Yes, it reduces fraud risk & facilitates accuracy check of one person’s work by another	C. No, it is not an advantage; it increases employee cost	D. No, it complicates the role of the manager who has to manage more employees	b	Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an independent accuracy check of one person’s work by another person becomes a built-in reality. This may increase head-count and, hence, manpower cost but, employed judiciously, the higher manpower cost can be more than compensated by the reduced risks to the organization. Hence, the answer in Option B is correct.	M2DISA	462	162	M2DISA
463. A newly appointed Senior executive in an organization, who happened to be a close relative of the promoter, is miffed when the IT Manager refuses access to him to the Server room citing policy guidelines. The executive shares with you, the Auditor of the organization, what he perceives to be insulting behaviour by the IT Manager. You question him about the purpose of the visit and learn that the executive just wanted to have a tour of the facility, as part of his induction. Do you agree or disagree with the executive? Why?	A. Yes, I would agree. As a close relative of the promoter, he would surely have the organization’s best interests at heart.	B. No, I would not agree. As a new employee, he should not be given access to the server room	C. Yes, I would agree. The server, in any case, would be password protected & no harm can be done	D. No, I would not agree. Physical access control to the server is an important control mechanism	d	Physical access control to the server room is an important part of IT General controls in any organization. The server is a sensitive equipment with certain commands & settings being exclusive to it. Un-authorized access to it could compromise the security of the IT system & the organization, obviously, has a clearly defined access policy which has to be respected. Relationship to the promoter cannot be an excuse for breaking the policy; if, indeed, he had genuine need to visit the server room, he could have got the necessary clearances. Denial of access cannot be owing to the newness of the employee. Lastly, any robust system operates at different levels of redundancy & the mere existence of password protected access to the server does not prevent a second level of defence, in the form of access control, being done away with. Hence, the answer in Option D is correct.	M2DISA	463	55	M2DISA
464. As a measure of IT General control, an organization decides to separate those who can input data from those that can reconcile or approve data. Is this a good move? Why?	A. No, it is not a good move; the person who inputs the data is the best person to approve the data too	B. Yes, it is a good move; it can help prevent unauthorised data entry	C. Yes, it is a good move; inputting data & reconciling data requires different skills	D. No, it is not a good move; data entry errors would be compounded	b	Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an independent accuracy check of one person’s work by another person becomes a built-in reality Hence, the answer in Option B is correct.	M2DISA	464	126	M2DISA
465. As a measure of IT General control, an organization decides to separate those who can test programs (e.g. Users) from those who can develop programs (e.g. Application programmers). Is this a good move? Why?	A. No, it is not a good move; the person who develops the program is the best person to test it too	B. Yes, it is a good move; program testing and program development require different skills	C. Yes, it is a good move; it can help prevent unauthorised programs from being run	D. No, it is not a good move; significant time would be lost in the process	c	Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an independent accuracy check of one person’s work by another person becomes a built-in reality. In this case, conflict in roles is clearly existing. Time savings could, perhaps, be gained by using the same person but this would mean paying the expensive price of potentially unauthorised programs being run. Hence, the answer in Option C is correct.	M2DISA	465	117	M2DISA
466. As a measure of IT General control, an organization decides to separate those who can run live programs (e.g. Operations department) from those who can change programs (e.g. programmers). Is this a good move? Why?	A. Yes, it is a good move; it can help prevent unauthorised programs from being run	B. No, it is not a good move; the user dept. knows best & should be allowed to change programs	C. Yes, it is a good move; since the programmers would have no work to do otherwise	D. No, it is not a good move; significant time would be lost in the process & potential savings lost	a	Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input of another, an DISA Review Questions, Answers Manual 188 independent accuracy check of one person’s work by another person becomes a built-in reality. In this case, conflict in roles is clearly existing. Also, while the user dept. may have the need for a change, it is up to the programmer to devise an appropriate method of programming logic to satisfy the user’s requirement. Time savings could, perhaps, be gained by using the same person but this would mean paying the expensive price of potentially unauthorised & defective programs being run. Hence, the answer in Option A is correct.	M2DISA	466	97	M2DISA
467. Thanks to its growing popularity, a family-run fast food restaurant is transforming itself into a chain of branded restaurants & has created a formal organization structure to manage the growing organization. Having identified young and upcoming IT industry employees as their core base of customers, the family decides to build a strong backbone of IT to facilitate online ordering of food, creation of customer database, etc. Since the immediate primary purpose is to enable online payments for the purchases by customers, the trustworthy family retainer & Junior Accountant is given the responsibility of installing and maintaining the IT system. As an IS Auditor, do you think the family was right in giving the Junior Accountant the responsibility? Why?	A. No. A senior management representative should take responsibility in the interest of IT General Control	B. Yes, since the accountant is the main beneficiary of the IT system	C. No. The Senior Accountant in the chain should have been given the responsibility	D. Yes, this role requires a trustworthy person & the family retainer is the best fit	a	Responsibility for IT systems should lie with the top management with appropriate delegation to lower levels. This would not only ensure that the highly vulnerable IT systems are properly controlled at the highest levels in the company but also ensure that appropriate IT policies are framed, keeping in mind organizational objectives and goals. The perspective of an accountant, whether junior or senior, would be rather limited to his area of operations and responsibility; it may lack the breadth of vision which would be essential at the top management level as also the interfaces between various functions in the business. In any professional organization, no positive bias can be allowed for the dominance of so-called ‘family retainers’ however trustworthy they may be. The operations have to be system driven & not personality driven. Hence, the answer in Option A is correct.	M2DISA	467	186	M2DISA
468. An important element of Management Control for the Information System in an organization is the Information Technology Steering Committee. The Committee_________	A. Will be exclusively representatives from the IT division	B. Will cover core IT alone, excluding telecommunication, automation systems, etc.	C. Will handle operational issues only; overall goals & strategies would be outside its purview	D. Will include members from all areas of business, apart from IT personnel	d	The IT Committee in an organization would drive IT in line with organizational goals, vision & mission. It will be manned by senior officials from all areas of the business, apart from IT professionals. Its scope will include all types of IT related operations including telecommunication, automation systems, manufacturing processing systems, etc. Hence, the answer in Option D is correct.	M2DISA	468	69	M2DISA
469. A leading exporter of cut & polished diamonds has a specially designed vault for storing its raw as well as processed diamonds. At any point of time, the material stored in the vault is worth several crores of rupees. The exporter has laid down a clear procedure for operation of the vault. It can be opened or closed using two different keys which are held by the Operations Head and the Finance Head respectively. These officials cannot pass on their individual KEY to the other official or any other official. They have to be necessarily present and operate their KEY themselves. Both at the time of every opening the vault as also every closing of the vault, a vault register is signed by both these officials after filling in relevant information. The vault is also sealed with individual unique seals of these officials & checked every time before the vault is opened afresh. Thus, the vault can be opened only when both these officials are present & a record is also maintained of every transaction. These officials carry their individual keys home but never travel together while coming to the office or while leaving it. What type of control is being exercised by this Diamond exporter through this process ?	A. Dual Finance Control	B. Physical Access Control	C. Operating System Control	D. Management Control	a	This is a dual control system which falls under Finance control mechanism since it entails two people simultaneously accessing an asset. Hence, the answer in Option A is correct.	M2DISA	469	101	M2DISA
470. What is the first step for an Auditor in an Application software review ?	A. Ascertain the creator of the application software	B. Ascertain the validity of the user licence for the software	C. Ascertain the business function or activity that the software performs	D. Identify the users who have been granted access to the software	c	The first step for an Auditor is to ascertain the business function or activity that the software performs. The auditor needs to understand the intricacies of the business and the way in which the software facilitates the business. Hence, the answer in Option C is correct.	M2DISA	470	98	M2DISA
471. As an IS Auditor reviewing Application software in your new client’s organization, you have started by thoroughly understanding the nature of the business and the manner in which the Application software meets the business requirements. What is the next step which you would take in the process of the Application software review ?	A. Identify the users who have been granted access to the software	B. Ascertain the creator of the application software	C. Ascertain the validity of the user licence for the software	D. Check how the software handles the risks associated with the particular area of business dealt with by it	d	The next important step for an Auditor is to identify the potential risks associated with the business activity/function served by the software & see how the risks are handled by the software. Hence, the answer in Option D is correct.	M2DISA	471	14	M2DISA
472. State True or False. IT Application controls are controls which are in-built in the software application itself.	A. FALSE	B. TRUE			b	IT application controls are, indeed, controls which are in-built in the software application itself. Hence, the answer in Option B is correct.	M2DISA	472	98	M2DISA
473. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ?	A. List of authorised users of the software	B. Adherence to business rules in the flow & processing accuracy	C. Validity of software licence	D. Cost of the software & availability of cheaper alternatives	b	One of the KEY Areas to be covered is the software’s adherence to business rules in the flow and processing accuracy. The other answers in Options A, C and D are not of immediate relevance or urgency. The answer in Option B is correct.	M2DISA	473	196	M2DISA
474. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ?	A. Cost of the software & availability of cheaper alternatives	B. List of authorised users of the software	C. Validations of various data inputs	D. Validity of software licence	c	One of the KEY Areas to be covered is the validation of various data inputs. The other answers in Options A, B and D are not of immediate relevance or urgency. The answer in Option C is correct.	M2DISA	474	86	M2DISA
475. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ?	A. Logical access control and authorization	B. Validity of software licence	C. Cost of the software & availability of cheaper alternatives	D. List of authorised users of the software	a	One of the KEY Areas to be covered is logical access control and authorization. The other answers in Options B to D are not of immediate relevance or urgency. The answer in Option A is correct.	M2DISA	475	25	M2DISA
476. Which of the following are one of the KEY Areas that should be covered during an IS Audit of Application software ?	A. Validity of software licence	B. Cost of the software & availability of cheaper alternatives	C. Exception handling and logging	D. List of authorised users of the software	c	One of the KEY Areas to be covered is exception handling and logging. The other answers in Options A, B and D are not of immediate relevance or urgency. The answer in Option C is correct.	M2DISA	476	187	M2DISA
477. Audit Sampling _____________	A. Involves application of audit procedures to less than 100 % of the population	B. Can be carried out only through rigorous statistical sampling	C. Can be applied only for compliance and not for substantive testing	D. Involves use of Auditing standard SA 350 in the auditing process	a	When it is not practically feasible to check every one of the elements in a population & the population is reasonably random, sampling is resorted to as an indication of the nature of the population as a whole. It can be carried out both through statistical sampling as well as non-statistical sampling. It can be applied both for compliance as well as substantive testing. Auditing standard SA 530 is the relevant one applicable to use of sampling in the auditing process. Hence, the answer in Option A is the correct one.	M2DISA	477	82	M2DISA
478. Audit Sampling _______________	A. Involves use of Auditing standard SA 350 in the auditing process	B. Can be carried out only through rigorous statistical random sampling	C. For IS Audit can be done using ISACA’s guidelines	D. Can be applied only for compliance and not for substantive testing	c	When it is not practically feasible to check every one of the elements in a population & the population is reasonably random, sampling is resorted to as an indication of the nature of the population as a whole. It can be carried out both through statistical sampling as well as non-statistical sampling. The statistical sampling could be either random or systematic. It can be applied both for compliance as well as substantive testing. Auditing standard SA 530 is the relevant one applicable to use of sampling in the auditing process. ISACA guidelines in this regard can also be followed. Hence, the answer in Option C is the correct one.	M2DISA	478	7	M2DISA
479. In IS Audit, sample design would be driven by ________________	A. Resource availability & auditor’s convenience	B. Type of sampling whether statistical or haphazard/judgemental	C. The advice of the auditee, based upon his past experience	D. Objectives of test & attributes of the population	d	Sample design would be driven by test objectives and attributes of the population. The sample size & complexity cannot be compromised owing to resource constraint on the part of the auditor; the outcome could be sub-standard. The sampling type chosen would not have that significant impact on the sample size. The auditee’s advice will not be the basis for sample design for obvious reasons. Hence, the answer in Option D is the only correct answer.	M2DISA	479	158	M2DISA
480. What are CAATs ?	A. Computer Assisted Audit Tools	B. Council for Association of Auditors & Trainers	C. Chartered Accountants’ Audit Tools	D. Corporate Audit & Accounting Tools	a	CAATs are basically computer assisted audit tools which help auditors sift through large volumes of information to identify control issues, defaults, etc. They can greatly enhance the efficiency and effectiveness of IS auditors. The answer in Option A is the correct one.	M2DISA	480	154	M2DISA
481. What are some of the KEY reasons for establishing controls and auditing in a computerized environment ?	A. Computers are more prone to make errors in handling subjective big data	B. There is more scope for fraud & error in a computerized environment	C. Data may be entered into the system without supporting documents	D. There is no choice since most operations are computerized	c	A KEY vulnerability of computerized systems is the fact that, at times, data may be entered into the system without supporting documents. This is a fundamental principle of accounting which we cannot afford to ignore. Hence, the answer in Option C is the correct one. The others are incorrect: Computers are not more prone than humans in making errors, and one cannot say that there is increased scope for fraud & error in a computerized environment.	M2DISA	481	42	M2DISA
482. What are some of the KEY reasons for establishing controls and auditing in a computerized environment ?	A. Transaction trail may be partly in machine language & retained only for a limited period	B. There is more scope for fraud & error in a computerized environment	C. Computers are more prone to make errors in handling subjective big data	D. There is no choice since most operations are computerized	a	A KEY vulnerability of computerized systems is the fact that, at times, data may be entered into the system without supporting documents. Another aspect is the fact that transaction trails may not be visible; they may be partly in machine language & retained only for a limited period. Hence, the answer in Option A is the correct one. The others are incorrect: Computers are not more prone than humans in making errors, and one cannot say that there is increased scope for fraud & error in a computerized environment.	M2DISA	482	95	M2DISA
483. What is one of the KEY tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ?	A. Projections on future trends for specific parameters	B. Carrying out employees’ reference checks	C. Identification of exceptional transactions based upon set criteria	D. Carry out employee appraisals	c	One of the many Key tests that can be carried out by CAATs is identification of exceptional transactions based upon set criteria. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, B, and D above. Hence, the answer at Option C alone is correct.	M2DISA	483	86	M2DISA
484. What is one of the Key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ?	A. Carry out employee appraisals	B. Identify potential areas of fraud	C. Projections on future trends for specific parameters	D. Carrying out employees’ reference checks	b	One of the many Key tests that can be carried out by CAATs is identification of potential areas of fraud. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, C, and D above. Hence, the answer at Option B alone is correct.	M2DISA	484	106	M2DISA
485. What is one of the Key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ?	A. Carry out employee appraisals	B. Projections on future trends for specific parameters	C. Identify data which is inconsistent or erroneous	D. Carrying out employees’ reference checks	c	One of the many KEY tests that can be carried out by CAATs is identification of data which is inconsistent or erroneous. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, B, and D above. Hence, answer at Option C alone is correct.	M2DISA	485	91	M2DISA
486. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ?	A. Carry out employee appraisals	B. Projections on future trends for specific parameters	C. Carrying out employees’ reference checks	D. Perform various types of statistical analysis	d	One of the many key tests that can be carried out by CAATs is the carrying out of various types of statistical analysis which could throw up areas of inconsistencies, defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A to C above. Hence, answer at Option D alone is correct.	M2DISA	486	31	M2DISA
487. What is one of the KEY tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ?	A. Establishing whether the set controls are working as prescribed	B. Carry out employee appraisals	C. Projections on future trends for specific parameters	D. Estimation of competitor activity	a	One of the many KEY tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.	M2DISA	487	127	M2DISA
488. What is one of the KEY tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs) ?	A. Carry out market surveys for a new product launch	B. Projections on future trends for specific parameters	C. Establishing relationship between two or more areas & identify duplicate transactions	D. Estimation of competitor activity	c	One of the many KEY tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, B, and D above. Hence, answer at Option C alone is correct.	M2DISA	488	16	M2DISA
489. What is Compliance testing ?	A. Testing any activity in compliance with Government rules and regulations	B. Checking whether the organization has remitted employee provident fund into the relevant account	C. Checking whether the office employees are checking into and leaving the office as per approved working hours	D. Checking whether controls are operated in compliance with management policies/procedures	d	Compliance testing deals with checking the controls which have been established in the organization rather than checking compliance of any specific activity per se. Hence, answer at Option D alone is correct. The answers in other options deal with the actual activity rather than the controls and, hence, are not correct.	M2DISA	489	175	M2DISA
490. What are Substantive tests ?	A. Tests which validate the internal controls exercised over financial transactions	B. Tests which are done only by choice, if required, rather than by default	C. Tests to evaluate the integrity of individual transactions, data, etc.	D. Tests which are not used for checking for monetary errors affecting financial parameters	c	Substantive testing tests to evaluate the completeness, accuracy, etc. or the integrity, in general, of individual transactions, data, information, etc. They are carried out in most audits & are often called default procedures. They are often used for checking for monetary errors affecting financial statement balances. Hence, answer at Option C alone is correct. The answers in other options are obviously not correct.	M2DISA	490	100	M2DISA
491. How can design effectiveness for compliance for a process be evaluated ?	A. By a walkthrough of the business process and the risk controls	B. By carrying out substantive testing	C. By carrying out compliance testing	D. By checking the financials for errors & inconsistencies	a	Design effectiveness for compliance for a process can be evaluated by a walkthrough of the business process. This will help identify the existence of controls, the design of the risk controls as well as the accuracy of process documentation. Compliance testing deals with checking the established controls, while substantive testing evaluates completeness and accuracy of transactions, not design effectiveness. Checking financials for errors does not directly evaluate design effectiveness. Hence, answer at Option A alone is correct.	M2DISA	491	69	M2DISA
492. In IS Audit, Operational Effectiveness ______________	A. Refers to effectiveness of the organization’s operations	B. Refers to effectiveness of the IS Audit	C. Refers to actual performance of the Control in IT environment	D. Refers to achievements in line with overall organizational strategy	c	In IS Audit, Operational Effectiveness refers to the actual performance of the Control in IT environment. This is in contrast with the intended design or goal. Answer at Option C alone is correct.	M2DISA	492	29	M2DISA
493. In IS audit, for manual controls, documented evidence substantiating control performance as per design is ______________	A. Through physical records created when the controls have been operated	B. Through appropriate reports and screen shots from the system	C. Through records of interviews with operational staff	D. Through software trail of the various components of the control process	a	For manual controls, documented evidence substantiating control performance as per design is through physical records created when the controls have been operated. This provides tangible evidence of control execution. Answer at Option A alone is correct.	M2DISA	493	175	M2DISA
494. Audit evidence in IS Audit ____________	A. Excludes IS Auditor observations, notes from interviews etc.	B. Is not subject to the usual audit rules of sufficiency & competency	C. Is information substantiating alignment with objectives & supporting audit conclusions	D. That which would stand scrutiny in a court of law	c	Audit evidence in IS Audit is any information that substantiates alignment with objectives and supports audit conclusions. Answer at Option C alone is correct.	M2DISA	494	123	M2DISA
495. In IS Audit, when is evidence said to be competent ?	A. When it is given by an individual who is competent	B. When it is both valid and relevant	C. When the evidence is backed by senior management of the organization	D. When the evidence has been historically demonstrated	b	In IS Audit, evidence is said to be competent when it is both valid and relevant. Answer at Option B alone is correct.	M2DISA	495	173	M2DISA
496. In IS Audit, how is sufficiency of evidence assessed ?	A. Through Audit judgement	B. When the evidence is valid at the two standard deviation level	C. When the evidence is valid at the three standard deviation level	D. When more than 90 % of the relevant transactions can be explained	a	In IS Audit, sufficiency of evidence is assessed through Audit judgement. This involves the auditor's professional judgment based on the specific circumstances of the audit. Answer at Option A alone is correct.	M2DISA	496	41	M2DISA
497. Which is the ICAI standard on auditing which deals with the Auditor’s responsibility to prepare audit documentation for financial statements ?	A. SA 500	B. SA 580	C. SA 230	D. SA 1205	c	The ICAI standard on auditing which deals with the Auditor’s responsibility to prepare audit documentation for financial statements is SA 230. Answer at Option C alone is correct.	M2DISA	497	150	M2DISA
498. Which is the ICAI standard on auditing which deals with what constitutes audit evidence in an audit of financial statements as also with the Auditor’s responsibility to design and perform audit procedures ?	A. SA 230	B. SA 500	C. SA 1205	D. SA 580	b	SA 500 is the ICAI standard on auditing which deals with what constitutes audit evidence in an audit of financial statements as well as with the Auditor’s responsibility to design and perform audit procedures. Answer at Option B alone is correct.	M2DISA	498	114	M2DISA
499. Which is the ICAI standard on auditing which deals with the Auditor’s responsibility to obtain written representations from the management as also those charged with governance ?	A. SA 580	B. SA 230	C. SA 1205	D. SA 500	a	SA 580 is the ICAI standard on auditing which deals with the Auditor’s responsibility to obtain written representations from the management as well as those charged with governance. Answer at Option A alone is correct.	M2DISA	499	203	M2DISA
500. Which is the ISACA standard on evidence which IS auditors are required to comply with?	A. 230	B. 1206	C. 500	D. 1205	d	The ISACA standard on evidence which IS auditors are required to comply with is 1205. Answer at Option D alone is correct.	M2DISA	500	57	M2DISA
501. What are Test working papers in IS Audit Documentation ?	A. Draft of the final IS audit report prepared for the Board of Directors	B. Those prepared or obtained as a result of compliance/testing procedures	C. Draft of the preliminary IS audit report submitted to senior management for comments	D. IS audit team’s answers to test questions on the auditee’s business & environment	b	Test working papers in IS Audit documentation are those prepared or obtained as a result of compliance/testing procedures. Hence, the answer at Option B alone is correct.	M2DISA	501	203	M2DISA
502. Which is the ISACA standard relating to use of services of external experts ?	A. 1206	B. 230	C. 1205	D. 500	a	The ISACA standard relating to use of services of external experts is 1206. Hence, the answer at Option A alone is correct.	M2DISA	502	203	M2DISA
503. Which is the tool used in IS audit for assessing the proper level of controls ?	A. ISACA method 230	B. Random sampling of transactions	C. A control matrix, comparing known types of errors with known type of controls	D. ICAI guidelines on the appropriate level of controls	c	The tool used in IS audit for assessing the proper level of controls is the control matrix. This involves comparison of known types of errors with known types of controls. Hence, the answer at Option C alone is correct.	M2DISA	503	100	M2DISA
504. Prior to reporting a control weakness, an IS auditor ______________	A. Should carry out random sampling of transactions	B. Should check whether there are 2 or more weak controls	C. Should check for a minimum of 3 strong controls	D. Should look for compensating controls	d	Prior to reporting a control weakness, an IS auditor should look for compensating controls. Hence, the answer at Option D alone is correct.	M2DISA	504	120	M2DISA
505. State True or False. Materiality of an IS auditor’s findings will not be different for different levels of management. The auditor will have to report his findings impartially & consistently whether it be to the lower echelons of management or senior management.	A. FALSE	B. TRUE			a	Materiality of an IS auditor’s findings to different levels of management would depend upon its significance to each level. Thus, what may be material to a lower level of the management may not be so for the higher level and vice versa. Hence, the cited statement is false & the answer at Option A alone is correct.	M2DISA	505	149	M2DISA
506. What is Forensic Audit ?	A. Audit specializing in discovering, disclosing and following up on frauds and crimes	B. Audit relating to the Chemical and Pesticide industry	C. Audit relating to environmental matters, including pollution	D. Audit relating to hospitals and healthcare facilities	a	Forensic audit specializes in discovering, disclosing and following up on frauds and crimes. Answer at Option A alone is correct.	M2DISA	506	7	M2DISA
507. What are Control Self-Assessments ?	A. These are self- assessments of the auditing process adopted by auditors	B. These are self- assessments by business process owners independent of auditors	C. These are conducted by business process owners but facilitated by auditors	D. These are compliance audits carried out by auditors	c	Control Self-Assessments are those that are conducted by business process owners on their own but facilitated by auditors. Answer at Option C alone is correct.	M2DISA	507	62	M2DISA
508. Protective / Preventative controls and Detective controls are two of the three fundamental types of controls. Which is the third type of control ?	A. Forensic Controls	B. Security Controls	C. Reactive / Corrective Controls	D. Legislative Controls	c	The third type of Controls is Reactive/Corrective Control. Answer at Option C alone is correct.	M2DISA	508	21	M2DISA
509. Reactive / Corrective Controls and Detective controls are two of the three fundamental types of controls. Which is the third type of control ?	A. Protective / Preventative controls	B. Security Controls	C. Forensic Controls	D. Legislative Controls	a	The third type of Controls is Protective / Preventative Control. Answer at Option A alone is correct.	M2DISA	509	189	M2DISA
510. Reactive / Corrective Controls and Protective / Preventative controls are two of the three fundamental types of controls. Which is the third type of control ?	A. Legislative Controls	B. Detective controls	C. Security Controls	D. Forensic Controls	b	The third type of Controls is Detective Control. Answer at Option B alone is correct.	M2DISA	510	60	M2DISA
511. What is Cyber fraud ?	A. A fraud that involves use of computers and computer networks	B. A fraud committed exclusively through the internet	C. A fraud exceeding U.S. $ 1 million in value	D. A fraud involving software alone	a	Cyber fraud is a fraud that involves use of computers and computer networks. Answer at Option A alone is correct.	M2DISA	511	177	M2DISA
512. Which standard of auditing defines fraud & the management’s responsibility ?	A. SIA 2	B. SIA 17	C. SIA 11	D. SIA 21	c	SIA 11 defines fraud & lays the responsibility on the management for prevention & detection of frauds. Answer at Option C alone is correct.	M2DISA	512	97	M2DISA
513. A holistic approach to deterrence & prevention of fraud would be ?	A. Focussing on integrity of new recruits	B. Establishing severe punishment for fraud	C. Compensating employees adequately to minimize temptation	D. Strengthening of Governance and management framework	d	A holistic approach to deterrence and prevention of fraud would require strengthening of governance and management framework. Options A to C address the issue partially and are not comprehensive solutions. Answer at Option D alone is correct.	M2DISA	513	182	M2DISA
514. State True or False. Computer Forensics deals only with digital evidence acceptable to a court of law; non-digital evidence would not fall under this category.	A. TRUE	B. FALSE			a	Computer Forensics is the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally admissible in legal proceedings. Hence, answer at Option A is correct.	M2DISA	514	10	M2DISA
515. Evidence loses its value in legal proceedings in the absence of _______________	A. Recency of information	B. Validation by the I.T. dept. of the police	C. Professional maintenance of the chain of custody	D. Authenticated hard copies	c	Evidence loses its value in legal proceedings in the absence of professional maintenance of the chain of custody. Hence, answer at Option C is correct.	M2DISA	515	76	M2DISA
516. Demonstrating integrity & reliability of evidence are KEY for it to be acceptable to law enforcement enforcers. This can be done through identification of evidence, preservation of evidence including documentation of chain of custody, analysis & interpretation of data and _______________.	A. Recency of information	B. Validation by the I.T. dept. of the police	C. Use of authenticated hard copies	D. Presentation to relevant parties for acceptance of evidence	d	Demonstrating integrity & reliability of evidence includes presentation to relevant parties for acceptance of evidence. Hence, answer at Option D is correct.	M2DISA	516	140	M2DISA
517. Which is one of the most effective tools and techniques to combat fraud ?	A. Computer Assisted Audit Techniques (CAAT)	B. Threats of severe punishment	C. Validation by the I.T. dept. of the police	D. Use of authenticated hard copies	a	Computer Assisted Audit Techniques (CAAT) is a time-tested tool required for combating fraud. Answer at Option A is correct.	M2DISA	517	171	M2DISA
518. Distinguish between Enterprise Governance and Corporate Governance.	A. Corporate governance is applying the principles of enterprise governance to the corporate structure of enterprises	B. Corporate governance relates to principles applying to the top management of a company whereas enterprise governance relates to all the employees of the company or enterprise	C. Corporate governance relates to compliance related to regulatory mechanisms whereas enterprise governance relates to protection of shareholders’ interests	D. Corporate governance pertains to conformance whereas enterprise governance relates to performance	a	Corporate governance is applying the principles of enterprise governance to the corporate structure of enterprises. Option A correctly defines this relationship.	M3DISA	518	140	M3DISA
519. Which of the following provides for mandatory Internal Audit and reporting on Internal financial controls for companies in India?	A. Companies Act, 2013	B. IT Act, 2008	C. Sarbanes Oxley Act, 2002	D. Shops and Establishments Act	a	The Companies Act, 2013, under section 138, provides for mandatory Internal Audit and reporting on internal financial controls. Answer at Option A is correct.	M3DISA	519	91	M3DISA
520. Which of the following provides for compliance requirements & maintenance of privacy of information for companies in India?	A. IT Act, amended 2008	B. Companies Act, 2013	C. Sarbanes Oxley Act, 2002	D. Shops and Establishments Act	a	The IT Act amended during 2008 provides for maintaining privacy of information & compliance requirements on management, including penalties for non-compliance. Answer at Option A is correct.	M3DISA	520	17	M3DISA
521. Which of the following prescribes mandatory audit covering corporate governance as per clause 49 ?	A. IT Act, amended 2008	B. Companies Act, 2013	C. SEBI, for listed companies	D. Sarbanes Oxley Act, 2002	c	SEBI has provided for mandatory audit as per clause 49 of the equity listing agreement. The audit primarily covers governance. Answer at Option C is correct.	M3DISA	521	179	M3DISA
522. As per Clause 49 V (C) and (D) of the SEBI Equity listing agreement, which of the following are held responsible for establishment and maintenance of internal controls for financial reporting ?	A. Managing Director of listed companies	B. The Board of Directors of listed companies	C. Audit Committee of the Board of Directors of listed companies	D. CEO/CFO of listed companies	d	As per Clause 49 V (C) and (D) of the SEBI Equity listing agreement, the CEO/CFO are held responsible for establishment and maintenance of internal controls for financial reporting. Answer at Option D is correct.	M3DISA	522	72	M3DISA
523. Good governance alone cannot make an organization successful. Governance should ideally be implemented with the right balance in two dimensions of conformance and a second element. What is the second element ?	A. Risk protection	B. Internal Audit	C. Performance	D. Trust	c	Good governance should ideally be balanced with performance for organizational success. Option C correctly identifies this balance.	M3DISA	523	126	M3DISA
524. Which is one of the major oversight mechanisms available to the Board of Directors to ensure that corporate governance processes are effective ?	A. Incentive schemes for Directors	B. The company’s annual report	C. Committees like audit committee comprising independent non-executive Directors	D. Quarterly Board meetings	c	Committees like the audit committee comprising independent non-executive Directors are a major oversight mechanism for ensuring effective corporate governance. Answer at Option C is correct.	M3DISA	524	84	M3DISA
525. State TRUE or FALSE. ‘Unlike the conformance dimension of Corporate Governance, which is backed by an audit committee manned by independent directors, the performance dimension has no dedicated oversee mechanism.’	A. TRUE	B. FALSE			a	It is true that the performance dimension of Corporate governance has no dedicated oversight mechanism, unlike the conformance dimension. Answer at Option A is correct.	M3DISA	525	25	M3DISA
526. There are oversight mechanisms for the Performance and Conformance dimensions of business governance. One other KEY Aspect of business conformance that is often left out is _____________	A. Profitability	B. Information Technology	C. Strategy	D. Capital investments	c	Strategy is a key aspect of business conformance that is often overlooked. Answer at Option C is correct.	M3DISA	526	119	M3DISA
527. What is the key benefit of Governance of Enterprise IT (GEIT) ?	A. It ensures the efficiency of the IT system	B. It facilitates the Balance Score card system	C. It facilitates capital investment decision making	D. It provides a consistent approach integrated & aligned with enterprise governance	d	The key benefit of GEIT is providing a consistent approach integrated & aligned with enterprise governance. Answer at Option D is correct.	M3DISA	527	191	M3DISA
528. State True or False. With reference to Governance of Enterprise IT, the Reserve Bank of India issues guidelines covering various aspects of secure technology deployment. These guidelines are prepared based on various global practices such as COBIT & ISO 27001.	A. TRUE	B. FALSE			a	Yes, the RBI does issue guidelines covering various aspects of secure technology deployment based on global practices such as COBIT & ISO 27001. Answer at Option A is correct.	M3DISA	528	106	M3DISA
529. Benefit realization & Risk optimization are two of the three areas of focus of Governance of Enterprise IT as specified under COBIT 5. What is the third area of focus ?	A. The third area of focus is Personnel Policies	B. The third area of focus is Information Technology	C. The third area of focus is Resource optimization	D. COBIT 5 specifies only two areas of focus	c	The third area of focus under COBIT 5 is Resource optimization. Answer at Option C is correct.	M3DISA	529	165	M3DISA
530. Resource optimization & Risk optimization are two of the three areas of focus of Governance of Enterprise IT as specified under COBIT 5. What is the third area of focus ?	A. The third area of focus is Information Technology	B. The third area of focus is Personnel Policies	C. The third area of focus is Benefit realization	D. COBIT 5 specifies only two areas of focus	c	The third area of focus under COBIT 5 is Benefit realization. Answer at Option C is correct.	M3DISA	530	151	M3DISA
531. Which of the following could be a recommended framework for internal controls & risk management ?	A. COSO 2013 (Council of Sponsoring Organizations of the Treadway Commission)	B. ISO 17001	C. ITAF 1200 series	D. COBIT 5	a	COSO 2013 framework would be ideal for internal controls and risk management. Answer at Option A is correct.	M3DISA	531	109	M3DISA
532. GEIT involves both Conformance as well as Performance perspectives. What would be the KEY Areas of focus of GEIT from the Conformance perspective ?	A. Strategic decision making and value creation	B. Best practices, tools and techniques	C. Board Structure, Roles and Remuneration	D. Balanced Score Card	c	The Board Structure, Roles and Remuneration would be the KEY focus areas of GEIT from the Conformance perspective. Answer at Option C is correct.	M3DISA	532	186	M3DISA
533. GEIT involves both Conformance as well as Performance perspectives. What would be the KEY Areas of focus of GEIT from the Performance perspective ?	A. Board Structure, Roles and Remuneration	B. Standards and Codes	C. Strategic decision making and value creation	D. Audit Committee	c	From the Business performance angle, strategic decision making and value creation would be the KEY focus areas for GEIT. Answer at Option C is correct.	M3DISA	533	105	M3DISA
534. Operations and reporting are two of the three categories of objectives of the COSO 2013 framework. What is the third category of objectives ?	A. Information Technology	B. Security	C. Compliance	D. Risk Management	c	Compliance is the third category of objectives of the COSO 2013 framework. Answer at Option C is correct.	M3DISA	534	75	M3DISA
535. Reporting and Compliance are two of the three categories of objectives of the COSO 2013 framework. What is the third category of objectives ?	A. Information Technology	B. Security	C. Operations	D. Risk Management	c	Compliance is the third category of objective of the COSO 2013 framework. Answer at Option C is correct.	M3DISA	535	55	M3DISA
536. Control environment, risk assessment, control activities and information & communication are four of the five integrated components of internal control in COSO. What is the fifth component ?	A. Risk Management	B. Information Technology	C. Security	D. Monitoring activities	d	Monitoring activities is the fifth component of internal controls in COSO. Answer at Option D is correct.	M3DISA	536	102	M3DISA
537. Control environment, control activities, information & communication and monitoring activities are four of the five integrated components of internal control in COSO. What is the fifth component ?	A. Risk Management	B. Information Technology	C. Risk assessment	D. Security	c	Risk assessment is the fifth component of internal controls in COSO. Answer at Option C is correct.	M3DISA	537	103	M3DISA
538. Risk assessment, control environment, control activities and monitoring activities are four of the five integrated components of internal control in COSO. What is the fifth component ?	A. Information & communication	B. Risk Management	C. Information Technology	D. Security	a	Information and communication is the fifth component of internal controls in COSO. Answer at Option A is correct.	M3DISA	538	128	M3DISA
539. State True or False. The COSO 2013 framework prescribes the controls to be selected, developed and deployed for effective internal control. The management is not left with any choice in the matter and has to rigorously comply with the COSO 2013 framework.	A. FALSE	B. TRUE			a	The COSO 2013 framework does not prescribe the controls to be selected, developed and deployed; it requires management judgment based on entity-specific factors. Answer at Option A is correct.	M3DISA	539	177	M3DISA
540. State True or False. What COSO 2013 is to internal controls, COBIT 5 is to governance in Governance of Enterprise Information Technology.	A. FALSE	B. TRUE			b	In GEIT, COBIT 5 is the business framework of governance and management of IT, while COSO 2013 focuses on internal controls. Answer at Option B is correct.	M3DISA	540	60	M3DISA
541. COBIT 5 ______________	A. Is best suited for large corporates	B. Is best suited for small and medium enterprises	C. Is a set of globally accepted principles, practices, analytical tools and models	D. Is not ideally suited for non-profit and government enterprises	c	COBIT 5 is a set of globally accepted principles, practices, analytical tools and models for governance. It can be used by all types and sizes of organizations, whether profit-oriented or otherwise. Answer at Option C is correct.	M3DISA	541	83	M3DISA
542. Meeting stakeholder needs, Covering the enterprise end-to-end, Applying a single integrated framework and Enabling a holistic approach are 4 of the 5 KEY principles of COBIT 5. Which is the fifth principle ?	A. Separating Governance from Management	B. Risk management	C. Human resources management	D. Strategic and long term planning	a	The fifth principle of governance of COBIT 5 is Separating Governance from Management. Answer at Option A is correct.	M3DISA	542	194	M3DISA
543. Covering the enterprise end-to-end, Applying a single integrated framework, Enabling a holistic approach and Separating Governance from Management are 4 of the 5 KEY principles of COBIT 5. Which is the fifth principle ?	A. Risk management	B. Human resources management	C. Meeting Stakeholder needs	D. Strategic and long term planning	c	The fifth principle of governance of COBIT 5 is Meeting Stakeholder needs. Answer at Option C is correct.	M3DISA	543	140	M3DISA
544. Meeting Stakeholder needs, Covering the enterprise end-to-end, Applying a single integrated framework, and Separating Governance from Management are 4 of the 5 KEY principles of COBIT 5. Which is the fifth principle ?	A. Enabling a holistic approach	B. Human resources management	C. Risk management	D. Strategic and long term planning	a	The fifth principle of governance of COBIT 5 is Enabling a holistic approach. Answer at Option A is correct.	M3DISA	544	67	M3DISA
545. Which is the ISO standard for corporate governance ?	A. ISO 31000	B. ISO 27001	C. ISO 20100	D. ISO 38500	d	The ISO standard for corporate governance is ISO 38500. Answer at Option D is correct.	M3DISA	545	164	M3DISA
546. Which is the ISO standard for IT risk management ?	A. ISO 31000	B. ISO 38500	C. ISO 27001	D. ISO 20100	a	The ISO standard for IT risk management is ISO 31000. Answer at Option A is correct.	M3DISA	546	31	M3DISA
547. Which is the ISO standard for Risk management ?	A. ISO 38500	B. ISO 27001	C. ISO 31000	D. ISO 20100	c	The ISO standard for Risk management is ISO 31000. Answer at Option C is correct.	M3DISA	547	169	M3DISA
548. A company has developed a mobile phone which is unique for its simplicity and ease of use. During laboratory tests, it finds that the product is really robust and rarely fails. The industry norm is that mobile phone manufacturers invariably offer customers the comfort of prompt and efficient after sales service, including repair. After a lot of introspection, the company decides that the probability of failure of their product was so low and it would not be worth their while to invest in a network of servicing facilities. They decided, instead to offer a free replacement in the event of failure of their product. In fact, they decided to leverage this itself as a marketing strategy for their product and it turned out to be a roaring success. What type of risk management strategy has the company adopted in this case ?	A. Terminate/eliminate the risk	B. Transfer/share the risk	C. Tolerate/accept the risk	D. Treat/mitigate the risk	c	The company has chosen to tolerate/accept the risk due to the low probability of product failure and the potential lower cost of accepting it. Answer at Option C is correct.	M3DISA	548	175	M3DISA
549. A company markets agro chemicals on a pan India basis. Farmers use agro chemicals, typically, only when they perceive a pest attack and would like to act immediately then to save their crop. Hence, prompt and speedy availability is the main driver for sales of this product. The company, which had its manufacturing facility located in South India, found that it invariably lost out in meeting the demand from the Northern States owing to their inability to reach their product in time to meet such unpredictable demand. Since the market size being lost out was substantial as compared to the cost of setting up a new plant, they ultimately decide to set up a new manufacturing facility in Punjab which could ensure availability of product in a timely fashion. What type of risk management strategy has the company adopted in this case ?	A. Terminate/eliminate the risk	B. Tolerate/accept the risk	C. Transfer/share the risk	D. Treat/mitigate the risk	a	The company has chosen to terminate/eliminate the risk by setting up a new manufacturing facility to meet market demand in a timely manner. Answer at Option A is correct.	M3DISA	549	57	M3DISA
550. Section 49 C of the Listing Agreement of SEBI addresses the need for _________________	A. Minimum public shareholding percentage	B. Creation of a board sub-committee for auditing	C. Board disclosures related to risk management & states	D. Compliance with government regulations	c	Section 49 C of the Listing Agreement of SEBI addresses the need for Board disclosures related to risk management & states. Answer at Option C is correct.	M3DISA	550	133	M3DISA
551. Section 49 V of the Listing Agreement of SEBI deals with _________	A. Board disclosures related to risk management & states	B. Minimum public shareholding percentage	C. Creation of a board sub-committee for auditing	D. CEO/CFO certification, among other things, of internal controls	d	Section 49 V of the Listing Agreement of SEBI deals with CEO/CFO certification, among other things, of internal controls. Answer at Option D is correct.	M3DISA	551	27	M3DISA
552. Section 49 (VII) of the Listing Agreement of SEBI deals with ____________	A. Creation of a board sub-committee for auditing	B. Compliance aspects & certificate of compliance	C. Minimum public shareholding percentage	D. Compliance with government regulations	b	Section 49 (VII) of the Listing Agreement of SEBI deals with compliance aspects and the need for certificate either from the auditors or the company secretary regarding compliance of conditions of corporate governance. Answer at Option B is correct.	M3DISA	552	39	M3DISA
553. How can a Governance-Risk-Compliance (GRC) program be enhanced from merely ensuring compliance to ensuring performance too ?	A. Reward compliance at all levels	B. Ensure Risk-Reward ratio is commensurate with the cost/investment	C. Implement GRC program using GEIT (Governance of Enterprise IT) framework	D. Implement GRC utilising external resource like auditor	c	Implementing a GRC program using the GEIT framework will help achieve both compliance and performance objectives by focusing on benefit realization, risk optimization, and resource optimization. Answer at Option C is correct.	M3DISA	553	188	M3DISA
554. Apart from Clause 49 of the SEBI Listing agreement, which is based upon SOX provisions, which other mandatory provision exists on internal controls for corporate in India ?	A. The Indian Companies Act, The Companies (Auditor’s Report) Order 2003	B. Information Technology Act 2008	C. Sarbanes Oxley Act, 2003	D. COBIT 5	a	Mandatory provisions on internal controls exist under The Indian Companies Act, The Companies (Auditor’s Report) Order 2003 as mentioned in Option A. Answer at Option A is correct.	M3DISA	554	33	M3DISA
555. State True or False. Under GRC (Governance, Risk and Compliance) norms, compliance refers exclusively to compliance with statutory Laws and Regulations; compliances with internal policies of an organization are not a part of it.	A. TRUE	B. FALSE			b	Compliance under GRC refers to both external compliances with statutory laws and regulations, and internal compliances with organizational policies. Hence, the statement is false, and Option B is correct.	M3DISA	555	179	M3DISA
556. Principles, policies & framework, (b) Processes, (c) Organization structure, (d) Roles, responsibilities & risks of IT department, (e) Information and (f) Services, infrastructure & applications are six of the seven enablers of COBIT 5. Which is the 7th enabler ?	A. Planning & communication	B. Delegation of authority	C. Compliance with statutory regulations	D. Culture, ethics & behaviour	d	Culture, Ethics & Behaviour is the 7th enabler under COBIT 5. Answer at Option D is correct.	M3DISA	556	184	M3DISA
557. Principles, policies & framework, (b) Processes, (c) Organization structure, (d) Roles, responsibilities & risks of IT department, (e) Culture, ethics & behaviour and (f) Services, infrastructure & applications are six of the seven enablers of COBIT 5. Which is the 7th enabler?	A. Information	B. Planning & communication	C. Delegation of authority	D. Compliance with statutory regulations	a	Information is the 7th enabler under COBIT 5. Answer at Option A is correct.	M3DISA	557	156	M3DISA
558. What is the purpose of Principles, policies and framework in an organization ?	A. To control the employees	B. To arrive at the business strategy of the organization	C. To convey the management’s direction & instruction	D. To comply with statutory regulations	c	The purpose of Principles, policies and framework in an organization is to convey the management’s direction and instruction, reflecting the culture, ethics, and values of the organization. Answer at Option C is correct.	M3DISA	558	174	M3DISA
559. Apart from being effective and efficient, what other characteristic should a good policy possess ?	A. To control the employees	B. Making sense & appearing logical to those who have to comply with them	C. To arrive at the business strategy of the organization	D. To comply with statutory regulations	b	A good policy should make sense and appear logical to those who are required to comply with them, ensuring buy-in and practical implementation. Answer at Option B is correct.	M3DISA	559	147	M3DISA
560. Processes are one of the 7 enablers of Governance of Enterprise IT under COBIT 5. What are the types of processes distinguished under COBIT 5 ?	A. Strategy processes and action processes	B. Group processes versus individual processes	C. Governance processes and management processes	D. Macro versus micro processes	c	COBIT 5 distinguishes between governance processes and management processes, with governance focused on direction and oversight, and management focused on implementation and execution. Answer at Option C is correct.	M3DISA	560	71	M3DISA
561. How does the RACI (Responsible, Accountable, Consulted, Informed) model help in an organization ?	A. Helps clarify roles and responsibilities	B. Facilitates documentation of processes	C. Basis for development of organization chart	D. Accelerates decision-making process	a	The RACI model helps clarify roles and responsibilities, particularly in cross-departmental projects and processes. Answer at Option A is correct.	M3DISA	561	31	M3DISA
562. In Governance of Enterprise IT, the IT Strategy Committee should include ___________	A. Board members alone, considering the strategic content	B. Non-Board members alone, considering the need for implementation support	C. Both Board as well as non-Board members	D. Board members and IT managers alone	c	The IT Strategy Committee should include representation from both Board and non-Board members to ensure comprehensive governance and strategic oversight. Answer at Option C is correct.	M3DISA	562	150	M3DISA
563. Which of the following has primary responsibility for implementation of Governance of Enterprise IT ?	A. The Managing Director or CEO of the Organization	B. The CIO of the organization	C. The IT Strategy Committee	D. The IT Steering Committee	c	The primary responsibility for implementing Governance of Enterprise IT lies with the IT Strategy Committee, while the Board of Directors retains accountability. Answer at Option C is correct.	M3DISA	563	78	M3DISA
564. Which of the 7 enablers of COBIT 5 is considered the most important ?	A. Organization structure	B. Principles, policies & framework	C. Processes	D. Information	d	Information is considered the most important enabler of COBIT 5. Answer at Option D is correct.	M3DISA	564	37	M3DISA
565. What is most important in developing a performance management system ?	A. Deciding on incentive schemes	B. Identifying enterprise goals & their linkage to operating environment	C. Developing clear organization structure	D. Benchmarking with industry	b	The most important aspect in developing a performance management system is identifying enterprise goals and linking them to the operating environment to ensure alignment and effectiveness. Answer at Option B is correct.	M3DISA	565	17	M3DISA
566. A good performance management system assesses performance against goals through Key Goal Indicators. Simultaneously, it monitors performance of process through _________	A. Work flow indicators	B. Moving average indicators	C. KEY Process Indicators	D. Industry benchmarks	c	A good performance management system monitors performance of processes through KEY Process Indicators. Answer at Option C is correct.	M3DISA	566	198	M3DISA
567. The approach of using lead indicators for performance measurement is called _________	A. Reactive approach	B. Retroactive approach	C. Proactive approach	D. Retrospective approach	c	The approach of using lead indicators for performance measurement is called Proactive approach. Answer at Option C is correct.	M3DISA	567	91	M3DISA
568. The approach of using lag indicators for performance measurement is called ?	A. Proactive approach	B. Reactive approach	C. Retroactive approach	D. Retrospective approach	b	The approach of using lag indicators for performance measurement is called Reactive approach. Answer at Option B is correct.	M3DISA	568	74	M3DISA
569. Where is the Capability Maturity framework of Performance Management Systems generally used?	A. Hardware Development Company	B. Research & Development institution	C. Software Development Company	D. Educational institutions	c	The Capability Maturity framework of Performance Management Systems is generally used in Software Development Companies. Answer at Option C is correct.	M3DISA	569	119	M3DISA
570. Mr Johnson has just taken charge as Head of a fledgling educational institution which has not had a good track record. He feels that he has his task cut out for him he needs to focus more on the lead parameters rather than lag indicators so that he can create sustainable results. Which of the following would be an example of lead indicators ?	A. Number of passes by students in the Matriculation examination	B. Number of all-India rank holders from the school in the Matriculation examination	C. Number of failures in the Matriculation examination	D. Number of hours of refresher courses attended by teachers	d	Number of hours of refresher courses attended by teachers would be an example of lead indicators for improving educational outcomes. Answer at Option D is correct.	M3DISA	570	164	M3DISA
571. In Governance, value creation happens through Benefits Realisation, Risk optimization & Resource Optimization decisions taking into account _________	A. All Stakeholders’ needs	B. All Shareholders’ needs	C. Organizational goals	D. Organizational vision, mission	a	In Governance, value creation involves considering all stakeholders’ needs while making decisions related to benefits realization, risk optimization, and resource optimization. Answer at Option A is correct.	M3DISA	571	133	M3DISA
572. Which framework specifically enables users to relate their enterprise’s current business & IT environment to specific objectives & relevant processes ?	A. Quality management system	B. Six Sigma approach	C. COBIT 5 framework	D. Blue Ocean framework	c	COBIT 5 framework specifically enables users to relate their enterprise’s current business and IT environment to specific objectives and relevant processes. Answer at Option C is correct.	M3DISA	572	23	M3DISA
573. The Balanced Score Card is an invaluable management tool that helps translate strategy into action and also for ________________	A. Balancing shareholders’ needs with employee needs	B. Bringing non-financial indicators into better focus	C. Balancing needs of multiple functions within an organization	D. Balancing lead and lag indicators	b	The Balanced Score Card helps in bringing non-financial indicators into better focus, balancing financial and non-financial parameters. Answer at Option B is correct.	M3DISA	573	201	M3DISA
574. The Balanced Score Card is designed to ensure that performance metrics and strategic themes are balanced with financial & non-financial, operational & financial, lead & lag indicators. Financial, Customer & Internal Business process perspectives are three of the four perspectives of BSC. The fourth perspective is _______________.	A. Learning & Growth	B. Shareholders versus Employees	C. Short term versus Long term	D. Lead and lag indicators	a	The fourth perspective of the Balanced Score Card is Learning & Growth. Answer at Option A is correct.	M3DISA	574	92	M3DISA
575. The Balanced Score Card ____________	A. Is meant for the use of only the senior level executives	B. Cannot be linked to the IT goals & objectives	C. Cannot be the basis for performance incentives	D. Can be cascaded down to all levels of the organization	d	The Balanced Score Card can be cascaded down to all levels of the organization. Answer at Option D is correct.	M3DISA	575	39	M3DISA
576. What is the most important aspect of the CIMA Strategic Score Card approach ?	A. Focuses exclusively on strategy matters	B. Focuses exclusively on IT governance & strategy aspects	C. Addresses conformance as well as performance, focusing on strategic issues	D. Unlike the Balanced Score card, it focuses on lead indicators alone	c	The CIMA Strategic Score Card approach addresses both conformance and performance, focusing on strategic issues. Answer at Option C is correct.	M3DISA	576	150	M3DISA
577. Strategic position, Strategic options and Strategic implementation are three of the four basic elements of the CIMA Strategic Score card. What is the fourth element ?	A. Strategic Risks	B. Strategic Conformance	C. Strategic Performance	D. Strategic IT	a	The fourth element of the CIMA Strategic Score Card approach is Strategic Risks. Answer at Option A is correct.	M3DISA	577	173	M3DISA
578. What is fundamental to the Capability Maturity Model Integration (CMMI) ?	A. Used universally, except in the I.T. industry	B. Is superior to COBIT 5 which does not have process capability	C. It is a process improvement approach	D. Focuses on internal process alone	c	Capability Maturity Model Integration (CMMI) is a process improvement approach used across various industries, including IT. Answer at Option C is correct.	M3DISA	578	81	M3DISA
579. What is the essence of Total Quality Management strategy ?	A. Focus exclusively on products & services rather than processes	B. Producing best quality products	C. Focus on exclusively on processes as a means to an end	D. Achieving long term success through customer satisfaction	d	The essence of Total Quality Management strategy is achieving long term success through customer satisfaction, focusing on quality management at all levels. Answer at Option D is correct.	M3DISA	579	204	M3DISA
580. State True or False. The guidelines for specific processes and procedures in COBIT 5 have been designed robustly with the latest best practices incorporated. While implementing the framework, these processes / procedures need to be kept intact and not tweaked or tinkered with.	A. FALSE	B. TRUE			a	The guidelines for processes and procedures in COBIT 5 should be tailored to suit the enterprise’s culture, management style, and IT environment, hence they do not need to be kept intact without adaptation. Answer at Option A is correct.	M3DISA	580	158	M3DISA
581. One of the primary reasons for implementing Governance of Enterprise IT (GEIT) is to alleviate pain points in the organization. Another major reason is ______________	A. Ensure up-to-date technology	B. Trigger events like merger/acquisition, new regulations, etc.	C. Achieve stakeholder satisfaction	D. Higher vulnerability of IT compared to other functions	b	Another major reason for implementing GEIT is trigger events like mergers, acquisitions, or new regulations, which necessitate changes in the environment. Answer at Option B is correct.	M3DISA	581	84	M3DISA
582. Which one of the following could be a Critical Success factor in GEIT implementation ?	A. The project is handled exclusively & in isolation to day-to-day business	B. Execution authority & responsibility is retained at the highest levels	C. Top management provides direction and mandate	D. Trigger events like merger/acquisition, new regulations, etc.	c	Top management providing direction and mandate is a critical success factor in GEIT implementation. Answer at Option C is correct.	M3DISA	582	195	M3DISA
583. Which one of the following could be a Critical Success factor in GEIT implementation ?	A. Trigger events like merger/acquisition, new regulations, etc.	B. The project is handled exclusively & in isolation to day-to-day business	C. Focus on quick wins to demonstrate benefit & build confidence	D. Execution authority & responsibility is retained at the highest levels	c	Focus on quick wins to demonstrate benefit and build confidence is a critical success factor in GEIT implementation. Answer at Option C is correct.	M3DISA	583	54	M3DISA
584. What should be the first phase of GEIT implementation ?	A. Forming an implementation team	B. Communication desired vision	C. Enable operation & use	D. Establish desire to change, stressing pain points, trigger events	d	The first phase of GEIT implementation should focus on establishing the desire to change, stressing pain points and trigger events. Answer at Option D is correct.	M3DISA	584	106	M3DISA
585. What should be the final phase of GEIT implementation ?	A. Establish desire to change, stressing pain points, trigger events	B. Communication desired vision	C. Sustain changes through conscious reinforcement	D. Enable operation & use	c	The final phase of GEIT implementation should focus on sustaining changes through conscious reinforcement. Answer at Option C is correct.	M3DISA	585	180	M3DISA
586. In line with ISO/IEC 38500, Governance processes under COBIT 5 are based upon the principles of ______________	A. Evaluate, Direct, Monitor	B. Align, Plan & Organize	C. Monitor, Evaluate & Assess	D. Build, Acquire and Implement	a	Governance processes under COBIT 5 are based upon the principles of Evaluate, Direct, Monitor. Answer at Option A is correct.	M3DISA	586	24	M3DISA
587. The most critical factor in implementing GEIT is ______________	A. Taking a bottom-up perspective	B. Identifying implementation scope & objectives, prioritization of processes	C. Availability of trained individuals to spearhead the project	D. Organization chart combined with Delegation of Authority	b	The most critical factor in implementing GEIT is identifying implementation scope and objectives, prioritization of processes. Answer at Option B is correct.	M3DISA	587	71	M3DISA
588. How is alignment of strategic IT Plans with business done?	A. Holding regular meetings with IT department participation	B. Having an IT department nominee in non-IT meetings	C. Clearly communicating the objectives & accountabilities	D. Taking a bottom-up perspective	c	Alignment of strategic IT Plans with business is done by clearly communicating the objectives & accountabilities. Answer at Option C is correct.	M3DISA	588	199	M3DISA
589. Which one of the following is a KEY management practice for aligning IT strategy with enterprise strategy ?	A. Identify gaps between current & target environments	B. Taking a bottom-up perspective	C. Holding regular meetings with IT department participation	D. Having an IT department nominee in non-IT meetings	a	Identifying gaps between the current & target environments is a KEY management practice for aligning IT strategy with enterprise strategy. Answer at Option A is correct.	M3DISA	589	162	M3DISA
590. How is Value Optimization of IT achieved ?	A. Going in for low cost IT equipment	B. Replacing full time IT employees with outsourced personnel	C. Taking a bottom-up perspective	D. Value Optimization of business processes, IT services & assets	d	Value Optimization of IT is achieved through value optimization of business processes, IT services & IT assets. Answer at Option D is correct.	M3DISA	590	81	M3DISA
591. Which of the following metrics could be used for evaluation of value optimization ?	A. Number of low cost IT equipment procured during a financial year	B. Replacing full time IT employees with outsourced personnel	C. Percentage of IT enabled investments where claimed benefits were met or exceeded	D. Wage cost reduction through non-filling of some vacant IT positions	c	A metric used for evaluation of value optimization is the percentage of IT enabled investments where claimed benefits were met or exceeded. Answer at Option C is correct.	M3DISA	591	188	M3DISA
592. COBIT 5 has a resource governance process to ensure that resources needs of the enterprise are met in an optimal manner. Which one of the following is KEY governance process to be followed ?	A. Evaluate, Direct and Monitor resource management	B. Build, Acquire and Implement	C. Align, Plan & Organize	D. Monitor, Evaluate & Assess	a	The KEY governance process to be followed is Evaluate, Direct and Monitor resource management, as stated in Option A.	M3DISA	592	69	M3DISA
593. Which one of the following is an important tool used for managing & monitoring service providers ?	A. Regular meetings	B. Third party inspection arrangements	C. Service Level Agreements (SLAs)	D. Cost comparison through industry benchmarking	c	Service Level Agreements (SLAs) are a critical tool used for managing & monitoring service providers, as noted in Option C.	M3DISA	593	125	M3DISA
594. The success of capacity management would depend most upon which one of the following factors ?	A. Historical trend of capacity expansions	B. Availability of precise and timely business forecasts	C. Cost comparison through industry benchmarking	D. Availability of adequate funds for procurement	b	The success of capacity management depends significantly on the availability of precise and timely business forecasts, as highlighted in Option B.	M3DISA	594	169	M3DISA
595. With reference to Capex & Opex, how can valuation of any business be improved ?	A. Increasing Capex & proportionately reducing Opex	B. Reduction in Opex irrespective of impact on day-to-day operations	C. With Capex constant, reduction in Opex without hurting day-to-day operations	D. Increasing both Capex & Opex with the objective of increased profits	c	Valuation of any business can be improved by reducing Opex without hurting day-to-day operations, as stated in Option C.	M3DISA	595	107	M3DISA
596. What is Information ?	A. It is a collection of data which need not necessarily have meaning for its user	B. It is restricted to data in the form of numbers	C. It is data which is not necessarily specific & organized	D. It is all data processed in a meaningful context	d	Information is defined as all data processed in a meaningful context, encompassing various forms like numbers, text, images, etc., as per Option D.	M3DISA	596	4	M3DISA
597. State TRUE or FALSE. When the Information System Auditor delegates work to others, he will continue to be responsible for forming and expressing his opinion on auditee environment as per the scope and objectives of the audit.	A. TRUE	B. FALSE			a	When the Information System Auditor delegates work, he remains responsible for forming and expressing his opinion on the auditee environment as per the audit's scope and objectives, making Option A true.	M3DISA	597	109	M3DISA
598. Are Audit professionals considered to be the most appropriate professionals to audit Information Systems (rather than IT professionals) ?	A. No; since they do not have adequate expertise in Information Technology	B. Yes; since it involves the evaluation of internal controls in computerized business processes	C. No; since Information systems have built-in safeguards and an audit would be superfluous	D. Yes; but only to the extent of regulatory matters about which they are proficient	b	Audit professionals are considered the most appropriate for auditing Information Systems due to their focus on evaluating internal controls in computerized business processes, aligning with Option B.	M3DISA	598	160	M3DISA
599. Risk in Information Technology ____________	A. Can be depicted as hierarchically dependent upon other risk categories	B. Does not impact on long term strategy	C. Can also be defined as Threat exploiting Vulnerabilities	D. Is not considered operational in financial industry as per Basel II framework	c	Risk in Information Technology can be defined as a Threat exploiting Vulnerabilities, aligning with Option C.	M3DISA	599	16	M3DISA
600. What is the Risk Universe ?	A. Is restricted to selected components of the business	B. Is restricted to the enterprise & excludes suppliers, service providers, clients	C. It needs to be defined & frozen for a reasonable period of time of about 5 years	D. It defines the overall environment & provides a structure for managing the IT risk	d	The Risk Universe defines the overall environment and provides a structure for managing IT risk, as per Option D.	M3DISA	600	11	M3DISA
601. During 2009, the Satyam Computers scandal broke out. The Company’s Chairman admitted to falsification of accounts to the tune of U.S. $ 1.47 billion. The auditors for this company were mainly exposed to what type of risk ?	A. Audit Risk	B. Financial Risk	C. Procedural Risk	D. IT Risk	a	The auditors were mainly exposed to Audit Risk, which refers to the risk of issuing an unqualified report due to failure to detect material misstatement, as per Option A.	M3DISA	601	71	M3DISA
602. Audit risk is _______________	A. A product of control risk & detection risk	B. A product of inherent risk, control risk & detection risk	C. Sum of inherent risk, control risk & detection risk	D. A product of inherent risk and detection risk	b	Audit risk is defined as a product of inherent risk, control risk, and detection risk, aligning with Option B.	M3DISA	602	134	M3DISA
603. In the case of IS Audit, materiality is _____________	A. Based upon value and volume of transactions	B. Based on impact of non compliance	C. Consequence of risk in terms of potential loss	D. A product of inherent risk and detection risk	c	In IS Audit, materiality is a consequence of risk in terms of potential loss, as stated in Option C.	M3DISA	603	143	M3DISA
604. In the case of Financial audit, materiality is ______________	A. Based upon value and volume of transactions	B. Based on impact of non compliance	C. Consequence of risk in terms of potential loss	D. A product of inherent risk and detection risk	a	In Financial audit, materiality is based upon value and volume of transactions, according to Option A.	M3DISA	604	37	M3DISA
605. In the case of Regulatory audit, materiality is _________________	A. Based upon value and volume of transactions	B. Consequence of risk in terms of potential loss	C. Based on impact of non-compliance	D. A product of inherent risk and detection risk	c	In Regulatory audit, materiality is based on the impact of non-compliance with regulations, as per Option C.	M3DISA	605	97	M3DISA
606. Internal Controls _______________	A. Are restricted to tools for prevention of risks alone	B. Focus exclusively on financial rather than non-financial risks	C. Are driven exclusively by automated computerised systems	D. Facilitate achievement of business objectives & management of risks	d	Internal Controls are designed to facilitate achievement of business objectives and management of risks, encompassing prevention, detection, and correction, as in Option D.	M3DISA	606	170	M3DISA
607. Internal Controls ________________	A. Target risk management rather than achievement of business objectives	B. Comprise Preventive, Detective & Corrective controls	C. Are driven exclusively by automated computerised systems	D. Focus exclusively on financial rather than non-financial risks	b	Internal Controls comprise Preventive, Detective & Corrective controls and aim to achieve business objectives while managing risks, as stated in Option B.	M3DISA	607	180	M3DISA
608. Internal Controls _______________	A. Are the sum total of IT General controls and IT Application Controls	B. Focus exclusively on prevention of errors or irregularities	C. Are driven exclusively by automated computerised systems	D. Focus exclusively on financial rather than non-financial risks	a	Internal Controls encompass IT General controls and IT Application Controls, not exclusively focused on prevention but also on detection and correction, as per Option A.	M3DISA	608	82	M3DISA
609. The authority, scope and responsibility of the Information System Audit function is ________________	A. Defined by the I.T. Head of the organization, as the expert in the matter	B. Defined by the various functional divisions, depending upon criticality	C. Defined by the audit charter approved by the senior management/Board	D. Generated by the Audit division of the organization	c	The authority, scope, and responsibility of IS Audit function are defined by the audit charter approved by senior management/Board, aligning with Option C.	M3DISA	609	149	M3DISA
610. Audit objectives, in general _____________	A. Are not concerned with substantiation of internal controls	B. Refer to the specific goals that must be met by audit	C. Are not concerned with how internal controls function	D. Are derived & stated at the end of the audit process	b	Audit objectives refer to the specific goals that must be met by audit, set at the beginning of the audit process, according to Option B.	M3DISA	610	131	M3DISA
611. The major purpose of Information Systems Audit is whether _____________	A. Internal control system design is robust & operated effectively	B. Financials are properly reflected in the books of the organization	C. All the hardware in the organization have appropriate warranties	D. All the software in the organization have valid licences	a	The major purpose of Information Systems Audit is to ensure the internal control system design is robust and operated effectively, according to Option A.	M3DISA	611	99	M3DISA
612. A Request for Proposal (RFP) _______________	A. Is sent by prospective supplier to buyer, seeking information	B. Will help identify the lowest-priced bidder as the successful bidder	C. Is used for acquiring services &, sometimes, goods	D. Is used exclusively for buying goods and not services	c	A Request for Proposal (RFP) is primarily used for acquiring services and, occasionally, goods, aligning with Option C.	M3DISA	612	28	M3DISA
613. You are advising your client on the selection & appointment of an IT service provider. You suggest that the client should go through a Request for Proposal (RFP) process for best results. Your client is happy with your suggestion but requests that not all aspects of the selection process be publicised up-front. For, the client had faced situations in the past wherein, openness in such matters had lead to issues of disputes with suppliers who were rejected in the selection process. The client’s argument is that, in any case, the selection will be on a fair and equitable basis & the idea is just to avoid giving too much information to the bidders and create the potential for nuisance attacks by mischievous, unsuccessful bidders. As a Chartered Accountant, would your suggestion be to clearly spell out the selection criteria or leave it ambiguous ?	A. Clearly spell out the selection criteria	B. Leave the selection criteria ambiguous			a	It would be advisable to clearly spell out all the selection criteria to ensure transparency and fairness, as per Option A.	M3DISA	613	124	M3DISA
614. What are the elements common to both the Audit Charter and Audit Engagement Letter ?	A. Responsibility, Authority & Professional Fees payable	B. Responsibility, Authority & Travel expenses budget for auditors	C. Responsibility, Authority & Accountability	D. -	c	The elements common to both the Audit Charter and Audit Engagement Letter are Responsibility, Authority & Accountability, aligning with Option C.	M3DISA	614	104	M3DISA
615. Based upon scope, objectives, etc. drawn up in consultation with the senior management of an organization, an experienced audit team which has sound knowledge of I.T. has completed & filed its preliminary audit report of the I.T. department of the organization. On receiving the draft report, the officials in the I.T. department react negatively to the report. They argue that the bulk of the conclusions drawn in the report, the information reported, etc. are erroneous. They question the validity of the findings. In your view, which one of the following could be the likely major cause for this situation ?	A. Lack of adequate technical IT knowledge of the auditing team	B. Poor quality of audit by the team	C. Malafide intentions of the auditee team	D. In-effective communication with Auditee & buy-in	d	The likely major cause for the negative reaction from the I.T. department is ineffective communication with the Auditee and lack of buy-in, as suggested in Option D.	M3DISA	615	87	M3DISA
616. You have just taken on the Audit of a large, established multinational company with operations spread geographically across continents. You need to draw up detailed scope of the proposed audit of the organization in consultation with its top management. Your approach would be to focus upon _____________	A. Areas identified to be high risk &/or high significance to the organization	B. Sample audit of each and every geographical unit of the organization	C. Sample audit of each and every function in the organization	D. Areas related to I.T. software and hardware alone	a	The approach would be to focus on areas identified as high risk and/or high significance to the organization, as per Option A.	M3DISA	616	38	M3DISA
617. You have just taken on the Audit of a large, established company with diverse businesses involving manufacturing as well as trading. You are now at the planning stage & need to draw up your draft audit plan for clearance by the top management. What is the most important planning activity involved at this stage of the exercise ?	A. Historical financial for the organization	B. Cost of carrying out the audit	C. Thorough understanding of the nature of each of the businesses & nuances	D. Number of people required for carrying out the auditing exercise	c	The most important planning activity at this stage would be to gain a thorough understanding of the nature of each of the businesses & their nuances, as in Option C.	M3DISA	617	105	M3DISA
618. Which are the three major categories of IS Controls ?	A. Fiduciary, Quality & Security	B. Financial, Quality & Security	C. Audit, Quality & Security	D. Economic, Financial & Quality	a	The three major categories of IS Controls are Fiduciary, Quality & Security, aligning with Option A.	M3DISA	618	176	M3DISA
619. The basic principles of Fiduciary Controls in Information Systems are _____________	A. Efficiency & Effectiveness of process, service or activity	B. Reliability of information & Compliance with laws, regulations, etc.	C. Confidentiality & Integrity of information	D. Confidentiality, Integrity & Availability of information	b	The basic principles of Fiduciary Controls in IS are reliability of information & compliance with laws, regulations, etc., as per Option B.	M3DISA	619	44	M3DISA
620. The basic principles of Quality Controls in Information Systems are ____________	A. Reliability of information & Compliance with laws, regulations, etc.	B. Confidentiality & Integrity of information	C. Efficiency & Effectiveness of process, service or activity	D. Confidentiality, Integrity & Availability of information	c	The basic principles of Quality Controls in IS are efficiency & effectiveness of processes, services or activities, as in Option C.	M3DISA	620	3	M3DISA
621. The basic principles of Security Controls in Information Systems are _____________	A. Confidentiality, Integrity & Availability of information	B. Reliability of information & Compliance with laws, regulations, etc.	C. Efficiency & Effectiveness of process, service or activity	D. Confidentiality & Integrity of information	a	The basic principles of Security Controls in IS are Confidentiality, Integrity & Availability of information, as per Option A.	M3DISA	621	192	M3DISA
622. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ?	A. Thorough understanding of the business of the entity	B. Efficiency & Effectiveness of process, service or activity	C. Sales turnover & employee strength of the entity	D. Status of entity whether government or private	a	One of the KEY Areas which have to be understood by Information System Auditors is thorough understanding of the business of the entity, aligning with Option A.	M3DISA	622	46	M3DISA
623. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ?	A. Status of entity whether government or private	B. Efficiency & Effectiveness of process, service or activity	C. Organization structure, roles, responsibilities, policy framework, etc.	D. Sales turnover & employee strength of the entity	c	One of the KEY Areas which have to be understood by Information System Auditors is the organization structure, roles, responsibilities, policy framework, etc., as per Option C.	M3DISA	623	53	M3DISA
624. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ?	A. Status of entity whether government or private	B. Efficiency & Effectiveness of process, service or activity	C. Sales turnover & employee strength of the entity	D. IT infrastructure including capacities, age of software/hardware, etc.	d	One of the KEY Areas which have to be understood by Information System Auditors is the IT infrastructure including capacities, age of software/hardware, etc., as per Option D.	M3DISA	624	45	M3DISA
625. Which of the following is one of the four KEY Areas which have to be understood by Information System Auditors prior to commencement of audit ?	A. Statutory regulations, standards, frameworks	B. Status of entity whether government or private	C. Efficiency & Effectiveness of process, service or activity	D. Sales turnover & employee strength of the entity	a	One of the KEY Areas which have to be understood by Information System Auditors includes statutory regulations, standards & frameworks, aligning with Option A.	M3DISA	625	21	M3DISA
626. Section 7A of the Information Technology Act 2000 (as amended in 2008) addresses which of the following issues ?	A. Damage liability to a corporate negligent handling of personal data	B. Identity theft by corporate or individual	C. Extension of audit coverage to documents, etc. in electronic form	D. Publishing or transmission of obscene material	c	Section 7A of the IT Act 2000 addresses extension of audit coverage to documents, records or information stored in electronic form, as in Option C.	M3DISA	626	188	M3DISA
627. Recently, there were reports of some criminal hacking of Facebook accounts and theft of passwords and other personal information. You, as a Facebook account holder, apprehend personal loss/damage and would like to proceed legally against the Facebook organization. You would like to issue a notice to them, to start with. Which Indian Act and which section of the Indian Act would you cite in your notice alleging violations ?	A. Information Technology Act, 2000, Section 7A	B. Right to Information Act, 2006, Section 43A	C. Information Technology Act, 2000, Section 43 A	D. Right to Information Act, 2006, Section 7A	c	Allegations of violations related to negligent handling of personal information can be cited under Section 43 A of the IT Act, 2000, aligning with Option C.	M3DISA	627	18	M3DISA
628. A famous cinema actor has learnt that his password and personal information on a social networking website have been compromised owing to suspected breach of the security of the relevant networking website. The actor is furious and feels that the potential for damage to his image and reputation is great. The actor is convinced that there has been negligence involved & is particular that the website needs to be taught a lesson and made to understand that such breaches in security leading to violation of privacy are not acceptable. He proceeds, therefore, to sue the website and seeks damages of the seemingly steep amount of Rs. 1000 crores. Is there any Indian Act which would cover this situation ? If so, which Act and which clause of the Act, do you think, the actor would be able to cite for claiming such a large quantum of damages ?	A. Information Technology Act, 2000, Section 7A, damages limited to proven loss suffered	B. Information Technology Act, 2000, Section 43 A	C. Right to Information Security Act, 2006, Section 43A	D. No Indian Act covers this situation &, hence, the actor’s claim may not be enforceable	b	The situation of negligence leading to breach of personal information is covered under Section 43A of the IT Act, 2000, which allows for compensation without specifying an upper limit, as per Option B.	M3DISA	628	143	M3DISA
629. An employee of an organization is caught using his official computer for sending offensive messages to one of his colleagues in the organization. Which Indian Act and which clause of the Act would cover this violation of the law ?	A. Sarbanes Oxley Act, 2002, Sections 401 to 403	B. Information Technology Act 2000, Sections 7A, B and C	C. Information Technology Act 2000, Sections 66 to 66F and 67	D. Right to Information Security Act, 2006, Section 7A	c	Sending offensive messages through electronic media is covered under Sections 66 to 66F and 67 of the Information Technology Act 2000, aligning with Option C.	M3DISA	629	169	M3DISA
630. A small scale industry has developed an effective, organic mosquito repellent which shows great promise. Since they had limitations in terms of resources, capability to scale up operations & marketing, they decided to join hands with a large marketing company. They signed off on a contract for marketing of their product, working capital funding and long term product development in the larger company’s R& D laboratories. They also built in protective clauses on non-disclosure of manufacturing formula, secret ingredients, etc. which were provided to them as encrypted soft copies. After a few months, the small scale industry learns that the larger company has begun marketing a me-too product abroad, manufactured by another unit, utilising the knowledge obtained while manufacturing the small scale industry’s unique product. Since informal discussions on the subject failed to make progress, the small scale industry has decided to proceed legally against the larger company. Which Indian Act and which clause of the Act would support the small scale industry in their legal battle ?	A. Sarbanes Oxley Act, 2002, Sections 401 to 403	B. Information Technology Act 2000, Sections 43A	C. Right to Information Security Act, 2006, Section 7A	D. Information Technology Act 2000, Section 72A	d	Intentional disclosure of information, without consent and in breach of lawful contract, is covered under Section 72A of the Information Technology Act 2000, aligning with Option D.	M3DISA	630	70	M3DISA
631. A small scale industry has developed an effective, organic mosquito repellent which shows great promise. Since they had limitations in terms of resources, capability to scale up operations & marketing, they decided to join hands with a large marketing company. They signed off on a contract for marketing of their product, working capital funding and long term product development in the larger company’s R& D laboratories. They also built in protective clauses on non-disclosure of manufacturing formula, secret ingredients, etc which were provided to them as encrypted soft copies. After a few months, the small scale industry learns that the larger company has begun marketing a me-too product abroad, manufactured by another unit, utilising the knowledge obtained while manufacturing the small scale industry’s unique product. Under the Information Technology Act 2000, what is the potential punishment & penalty for such intentional disclosure of information, without the consent of the person concerned and in breach of lawful contract ?	A. Fine of Rs. 3 lacs alone, no imprisonment	B. Imprisonment up to 3 years and fine up to Rs. 5 lacs	C. Imprisonment up to 5 years and fine up to Rs. 10 lacs	D. Fine of Rs. 5 lacs alone, no imprisonment	b	Under Section 72A of the IT Act 2000, intentional disclosure of information in breach of lawful contract is punishable with imprisonment up to 3 years and fine up to Rs. 5 lacs. Option B is correct.	M3DISA	631	28	M3DISA
632. In addition to giving opinion on the fair presentation of the organization’s accounts, an independent auditor of an organization is expected to opine on the effectiveness of internal control over financial reporting as per a particular Act. This is mandatory as per which Act and which section of the Act ?	A. Information Technology Act 2000, Section 43A	B. Information Technology Act 2000, Section 7A	C. Sarbanes Oxley Act 2002, Section 404	D. Gramm Leach Bliley Act or the Financial Services Modernisation Act 1999, Section 14A	c	Opining on the effectiveness of internal control over financial reporting is mandatory under Section 404 of the Sarbanes Oxley Act 2002. Option C is correct.	M3DISA	632	196	M3DISA
633. What does Auditing Standard 5 of the Public Company Accounting Oversight Board (PCAOB) relate to ?	A. Independence & performance of statutory auditors	B. Appointment, removal & terms of the Chief Internal Auditor	C. Audit of Internal control over financial reporting integrated with audit of financial statements	D. Implementation of enterprise risk management system in the organization	c	Auditing Standard 5 of PCAOB relates to audit of internal control over financial reporting integrated with audit of financial statements. Option C is correct.	M3DISA	633	136	M3DISA
634. Corporate governance, including internal controls, enterprise risk management, etc. are covered under the provisions of ______________	A. Clause 49 of the Listing agreement of SEBI	B. Section 43A of the Information Technology Act 2000	C. Section 126A of the Sarbanes Oxley Act 2002	D. Section 14A of the Gramm Leach Bliley Act or the Financial Services Modernisation Act 1999	a	Corporate governance, including internal controls, enterprise risk management, etc. are covered under Clause 49 of the Listing agreement of SEBI. Option A is correct.	M3DISA	634	179	M3DISA
635. ISO/IEC 27000 is basically a/an ______________	A. Information security standard	B. Auditing related standard	C. Standard for quality in auditing	D. Generic standard for quality in accounting	a	ISO/IEC 27000 is an Information security standard. Option A is correct.	M3DISA	635	103	M3DISA
636. Which is the International system which has laid down standards for information security & information security management system ?	A. IS 21000	B. GAAP 2014	C. IS / IEC 27001	D. IS /IEC 24007	c	ISO/IEC 27001 has laid down standards for information security management system. Option C is correct.	M3DISA	636	66	M3DISA
637. Information Technology Assurance Framework (ITAF) ___________	A. Is a good-practice-setting reference standard for audit & assurance	B. Standards are divided into two categories	C. Standards are divided into four categories	D. Is not recognized by ISACA	a	ITAF is a good-practice-setting reference standard for audit & assurance. Option A is correct.	M3DISA	637	149	M3DISA
638. Information Technology Assurance Framework (ITAF) standards comprise three categories, viz. ______________	A. General, IT and non IT standards	B. General, industry specific and non-financial standards	C. General, performance and reporting standards	D. Macro, micro and non-financial standards	c	ITAF standards comprise General, Performance and Reporting standards. Option C is correct.	M3DISA	638	57	M3DISA
639. General standards under Information Technology Assurance Framework (ITAF) ______________	A. Fall under the 1100 series of ITAF standards	B. Are the guiding principles under which IS assurance profession operates	C. Relate to the non-financial aspects of audit & assurance	D. Are yet to be validated & approved by ISACA	b	General standards under ITAF are the guiding principles under which IS assurance profession operates. Option B is correct.	M3DISA	639	88	M3DISA
640. Performance standards under Information Technology Assurance Framework (ITAF) _______________	A. Deal with the minimum performance standards expected of installed software	B. Deal with conduct of the assignment & exercising of professional judgement & due care	C. Relate to the minimum level of quality of audit to be carried out by IS auditors	D. Fall under the 1400 series of ITAF	b	Performance standards under ITAF deal with conduct of the assignment & exercising of professional judgement & due care. Option B is correct.	M3DISA	640	96	M3DISA
641. Reporting standards under Information Technology Assurance Framework (ITAF) _______________	A. Deal with report types, communication means & communicated information	B. Deal with the minimum performance standards expected of installed software	C. Relate to the minimum level of quality of audit to be carried out by IS auditors	D. Fall under the 1200 series of ITAF	a	Reporting standards under ITAF, falling under the 1400 series, deal with report types, communication means & communicated information. Option A is correct.	M3DISA	641	18	M3DISA
642. COBIT 5 _____________	A. Is a framework for governance & management of enterprise IT, excluding risk aspects	B. Operates through 7 principles	C. Is a framework for governance & management of enterprise IT	D. Can be useful only for large organizations with ERP systems	c	COBIT 5 is a framework for governance & management of enterprise IT, applicable to organizations of any size or nature. Option C is correct.	M3DISA	642	191	M3DISA
643. COBIT 5’s KEY principles _____________	A. Are 3 in number & focus on shareholders’ needs	B. Are 7 in number and applies multiple frameworks to cover the whole organization	C. Are 5 in number & Include meeting stakeholders’ needs	D. Marries the management & governance, creating shared goals & objectives	c	COBIT 5 has 5 KEY principles, including meeting stakeholders’ needs. Option C is correct.	M3DISA	643	202	M3DISA
644. COBIT 5’s KEY principle of meeting stakeholders’ needs creates value by _____________	A. Maximizing dividend payout to shareholders	B. Balancing benefits and the optimization of risk & use of resources	C. Reducing costs to the minimum	D. Eliminating risks & avoiding wasteful expenditure	b	COBIT 5's principle of meeting stakeholders’ needs creates value by balancing benefits against the optimization of risk and resource use. Option B is correct.	M3DISA	644	137	M3DISA
645. In order to protect its critical data from virus attacks an organisation decides to limit internet access to its employees. What type of risk response has the organisation exercised?	A. Mitigate	B. Avoid	C. Accept	D. Transfer	a	Option A, "Mitigate," is correct. Mitigation involves implementing controls to prevent incidents due to risk materialization, such as limiting internet access to protect against virus attacks.	M4DISA	645	59	M4DISA
646. A production company decides to insure against production loss due to natural calamities. What type of response is this classified as?	A. Mitigate	B. Accept	C. Transfer	D. Avoid	c	Option C, "Transfer," is correct. By insuring against production loss, the company transfers the risk to the insurance company.	M4DISA	646	11	M4DISA
647. Implementation of Information system control in an organisation ensures that:	A. Risk is transferred to another entity	B. Desired Outcome from business process is not affected	C. Losses are avoided	D. Incidents due to risk materialisation are avoided	b	Option B is correct. Information system controls ensure that the desired outcomes from business processes are not affected.	M4DISA	647	21	M4DISA
648. Which of the following leads to destruction of information Assets such as hardware, software and critical data?	A. Data error during data entry	B. Non maintenance of privacy with respect to sensitive data	C. Unauthorised access to computer systems	D. Using systems that do not meet user requirements	c	Option C is correct. Unauthorized access to computer systems can lead to destruction of information assets.	M4DISA	648	36	M4DISA
649. Maintenance of privacy in relation to data collected by an organisation is very important because:	A. Errors committed during entry would cause great damage	B. It has an impact on the infrastructure and business competitiveness	C. It can be easily accessed by third parties	D. It contains critical and sensitive information pertaining to a customer	d	Option D is correct. Privacy maintenance is crucial due to the critical and sensitive nature of customer information contained in data.	M4DISA	649	108	M4DISA
650. The role of an internal auditor in Information Systems auditing includes:	A. Safeguarding data integrity	B. Attesting management objectives	C. Attesting System effectiveness and system efficiency objectives	D. Implementing control procedures	c	Option C is correct. Internal auditors attest system effectiveness and system efficiency objectives in addition to management objectives.	M4DISA	650	110	M4DISA
651. What does an external Information Systems auditor focus on?	A. Attesting objectives that focus on asset safeguarding and data integrity	B. Attesting system effectiveness	C. Attesting system efficiency	D. Implementing control procedures	a	Option A is correct. External auditors focus on attesting objectives related to asset safeguarding and data integrity.	M4DISA	651	162	M4DISA
652. By auditing the characteristics of the system to meet substantial user requirements, which control objective does an IS Auditor attest?	A. Data integrity objectives	B. System Effectiveness Objectives	C. Asset safeguarding objectives	D. System efficiency objectives	b	Option B is correct. Auditing system characteristics to meet substantial user requirements pertains to system effectiveness objectives.	M4DISA	652	75	M4DISA
653. A statement of purpose achieved by implementing control procedures in a particular IT process is defined as:	A. IS Control framework	B. Internal Controls	C. Control Objective	D. Preventive Controls	c	Option C is correct. A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT process or activity.	M4DISA	653	171	M4DISA
654. Which of the following is an example of technical implementation of Internal Control?	A. Outlining policies that safeguard information assets	B. Installing a security guard in the premises to restrict entry of unauthorised persons	C. Locking the room containing sensitive documents	D. Investing in tools and software to restrict unauthorised access to information	d	Option D is correct. Investing in tools and software to restrict unauthorized access is an example of technical implementation of internal control.	M4DISA	654	196	M4DISA
655. What are preventive controls?	A. those mechanisms which refer unlawful activities to the appropriate person/group	B. those controls which attempt to predict potential problems before they occur	C. those mechanisms which modify the processing system to minimise error occurrences	D. those controls which corrects the error arising from a problem	b	Option B is correct. Preventive controls attempt to predict potential problems before they occur and make necessary adjustments.	M4DISA	655	165	M4DISA
656. What are detective controls?	A. Provision for control of probable threats from materializing	B. Those controls that are designed to detect errors and omissions of malicious acts	C. Those controls which assess probable threats	D. Those controls which minimise the impact of threat	b	Option B is correct. Detective controls are designed to detect errors, omissions, or malicious acts that have occurred.	M4DISA	656	186	M4DISA
657. What are corrective controls?	A. Those controls that correct an error once it has been detected	B. Those mechanisms which provide a clear understanding of the vulnerabilities of an asset	C. Surprise checks by an administrator	D. Those mechanisms by which the management gets regular reports of spend to date against a profiled spend	a	Option A is correct. Corrective controls are designed to reduce the impact or correct an error once it has been detected.	M4DISA	657	46	M4DISA
658. An organisation decides to control the access to a software application by segregating entry level and updation level duties. What type of internal control does this amount to?	A. Preventive Control	B. Detective Control	C. Corrective Control	D. Physical implementation of a control	a	Option A is correct. Segregating duties in software application access is an example of preventive control.	M4DISA	658	181	M4DISA
659. Under which type of control mechanism does taking a back up of everyday activity classify as?	A. Detective Control	B. Preventive control	C. Corrective control	D. Administrative Implementation of Control	c	Option C is correct. Taking a backup of everyday activity is an example of a corrective control.	M4DISA	659	133	M4DISA
660. As an IS auditor, how would you rate a computerised detective control which is moderately efficient and with corresponding corrective action?	A. High	B. Low	C. Moderate	D. Blank	a	Option A is correct. A computerized detective control that is moderately efficient with corresponding corrective action would be rated as "High."	M4DISA	660	168	M4DISA
661. As an IS auditor, how would you rate a least effective and inefficient manual detective control without corrective action?	A. High	B. Low	C. Blank	D. Moderate	c	Option C is correct. A least effective and inefficient manual detective control without corrective action is rated as "Blank" because it lacks effectiveness and efficiency in addressing risks.	M4DISA	661	152	M4DISA
662. Which of the following describes the role of a risk owner?	A. Ensuring that all control objectives that focus on asset safeguarding and data integrity are attested	B. Ensuring that the risk response is effective enough and is translated into actions that will prevent and/or detect the risk.	C. Ensuring that all system effectiveness and system efficiency objectives are attested	D. Ensuring that risk associated with a certain activity is mitigated either by reducing likelihood or reducing impact	b	Option B is correct. The role of a risk owner includes ensuring that the risk response is effective and translated into actions to prevent or detect risks.	M4DISA	662	22	M4DISA
663. The process of Information Security does not end with implementation of risk responses. The next step is to:	A. Facilitate to conduct risk assessment workshops	B. Ensure that KEY business risks are being managed appropriately	C. Plan the audit cycle according to the perceived risk	D. Ensure that the identified risk stays within an acceptable threshold	d	Option D is correct. After implementing risk responses, the next step is to monitor and ensure that identified risks stay within acceptable thresholds.	M4DISA	663	126	M4DISA
664. What process must an organisation follow to ensure that the identified risk stays within the acceptable limits?	A. Evaluate the efficiency of the objectives of controls	B. Designing an effective internal control framework	C. Periodic review of the risk assessment exercise and proactive review of possible risks	D. Optimise the use of various information resources	c	Option C is correct. To ensure risks stay within acceptable limits, organizations should periodically review risk assessments and proactively manage possible risks.	M4DISA	664	94	M4DISA
665. How does an IS auditor prioritise the controls that need to be tested?	A. By reviewing the control catalogue (which is a collective record of all controls implemented)	B. By reviewing control procedure documents	C. By facilitating risk assessment workshops	D. Planning the audit cycle according to the risks perceived	a	Option A is correct. IS auditors prioritize controls for testing by reviewing the control catalogue to ensure associated risks are mitigated effectively.	M4DISA	665	13	M4DISA
666. In case of control self-assessment, who does the actual testing of controls?	A. The owner of the identified risk for which the control has been implemented	B. Internal auditor, during the audit cycle as planned	C. Staff whose day-to-day role is within the area of the organisation	D. External auditor, while reviewing the management of KEY risks	c	Option C is correct. In control self-assessment, actual testing of controls is performed by staff familiar with the area being assessed.	M4DISA	666	84	M4DISA
667. Of the below mentioned roles, which one should an auditor refrain from performing?	A. Giving assurance that the risks are being evaluated correctly	B. Implementing risk response on management’s behalf.	C. Evaluating the risk management process	D. Reviewing the management of KEY risks	b	Option B is correct. Auditors should not implement risk responses on management's behalf; their role is to evaluate and provide assurance.	M4DISA	667	99	M4DISA
668. Of the below mentioned roles, which one of the following should be performed by an IS auditor?	A. Set the risk appetite	B. Impose risk management process	C. Evaluate Risk Management process	D. Take decision on risk responses	c	Option C is correct. IS auditors should evaluate the risk management process to ensure effectiveness.	M4DISA	668	80	M4DISA
669. A data centre housing about 200 employees is involved in handling business processes of multinational companies. For security reasons, it decides to shift its network server and mail server to a secluded room with restricted entry. What kind of internal control is this?	A. Manual Preventive Control	B. Manual Detective Control	C. Computerised Preventive Control	D. Computerised Corrective Control	a	Option A is correct. Moving servers to a secluded room with restricted entry is a manual preventive control to protect against unauthorized access.	M4DISA	669	137	M4DISA
670. Company depends on an MIS given to it by an outsourced vendor to identify payment defaulters and fine them. On further investigation about the correctness of data supplied, he finds that though at the entry level, a lot of mistakes are prone to happen, there are computerised controls at the vendor's end and also the company’s end at processing level to minimise these. As an IS auditor, how would you rate efficiency of these controls?	A. Blank	B. Low	C. Moderate	D. High	d	Option D is correct. Computerised controls at both ends to minimize mistakes indicate high efficiency in controlling data accuracy and reliability.	M4DISA	670	142	M4DISA
671. The HR department of a company pays its employees medical claims subject to a maximum limit per employee per year. For this, it relies on data pertaining to a full year downloaded through the appropriate software. However, it does not have a proper backup or restoration procedure in place. How will an IS auditor rate this?	A. High control	B. Low Control	C. Blank Control	D. Moderate Control	b	Option B is correct. Without a backup or restoration procedure, the control over data reliability and availability is low.	M4DISA	671	152	M4DISA
672. A data centre handling outsourced operations decides to set up a parallel facility for its critical activities at some place other than its present place of operations. This is done with an intention to facilitate return of business to normal levels in case of impact of natural disasters or unforeseen events. Under what security policy is this categorized?	A. Business Continuity Management Policy	B. Acceptable use of Information Assets policy	C. Physical Access and Security Policy	D. Asset Management Policy	a	Option A is correct. Setting up a parallel facility for critical activities relates to Business Continuity Management, ensuring business continuity in the face of disasters.	M4DISA	672	55	M4DISA
673. What are the three KEY objectives of Information Security Management (CIA Triad)?	A. Compliance, Integrity and Availability	B. Confidentiality, Information Security and Availability	C. Confidentiality, Integrity and Availability	D. Confidentiality, Integrity and Asset Management	c	Option C is correct. The CIA Triad consists of Confidentiality, Integrity, and Availability as the key objectives of Information Security Management.	M4DISA	673	110	M4DISA
674. What does “Integrity” mean with respect to Information Security Management?	A. No data/information or programs shall be allowed to be modified by anyone without proper authority.	B. No data or information is made available to any person within or outside the organization, other than the persons who are authorized to use that data.	C. All Information Systems including hardware, communication networks, software applications and the data they hold, is available to authorized users to carry out business activities.	D. Executive management endorsement of intrinsic security requirements to ensure that security expectations are met at all levels of the enterprise	a	Option A is correct. Integrity ensures that data or programs are not modified without proper authority.	M4DISA	674	42	M4DISA
675. What provides the basis for ensuring that information security expectations are met at all levels of an enterprise?	A. Adopting an internationally recognized reference framework to establish an Information Security framework	B. Successful establishment and endorsement of intrinsic security measures by the senior management	C. Prioritizing expenditures to mitigate risks and avoid spending more resources in assessing risks	D. Ensuring that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organizational culture.	b	Option B is correct. Senior management support establishes the basis for meeting information security expectations at all enterprise levels.	M4DISA	675	44	M4DISA
676. How does an enterprise ensure that the information present in any of its business processes is protected and secure?	A. By ensuring that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organizational culture.	B. By adopting an internationally recognized reference framework to establish an Information Security framework	C. By spending resources widely and transparently	D. By establishing and enforcing an Information Security Program	d	Option D is correct. An Information Security Program ensures protection and security of information across business processes.	M4DISA	676	45	M4DISA
677. How does an enterprise demonstrate to staff, customers and trading partners that their data is safe?	A. By establishing and enforcing an Information Security Program	B. By ensuring that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organizational culture.	C. Adopting an information security standard	D. By spending resources widely and transparently	c	Option C is correct. Adopting an information security standard demonstrates to stakeholders that data is safe with independent verification.	M4DISA	677	59	M4DISA
678. The IS policy of an enterprise that talks about protecting non-public personal information from unauthorized use, corruption, disclosure and distribution is:	A. Acceptable usage policy or Fair Use policy	B. Data classification and Privacy Policy	C. Physical Access and Security policy	D. Asset Management Policy	b	Option B is correct. Data classification and Privacy Policy protects non-public personal information from unauthorized use and disclosure.	M4DISA	678	165	M4DISA
679. The policy which restricts the ways in which the network, website or system may be used by a user of an enterprise is termed as:	A. Acceptable usage policy or Fair Use policy	B. Physical Access and Security policy	C. Asset Management Policy	D. Business Continuity Management Policy	a	Option A is correct. Acceptable Usage Policy (AUP) restricts the ways in which the network, website, or system may be used by users.	M4DISA	679	46	M4DISA
680. The IS policy which talks about protecting personnel and physical property from damage or harm is termed as:	A. Asset Management policy	B. Business Continuity Management policy	C. Physical access and security policy	D. Password policy	c	Option C is correct. Physical Access and Security policy protects personnel and physical property from damage or harm.	M4DISA	680	180	M4DISA
681. What is the IS policy that defines the requirements for Information Assets protection?	A. Business Continuity Management Policy	B. Asset Management Policy	C. Network Security Policy	D. Password policy	b	Option B is correct. The Asset Management Policy defines the requirements for protecting Information Assets including servers, desktops, software, etc., owned or leased by the organization.	M4DISA	681	95	M4DISA
682. The characteristics of a strong password that protects information assets should be:	A. Maximum 8 characters, case specific	B. Minimum 8 characters, only alphanumeric	C. Minimum 8 characters, only alphabets and easy to remember	D. Minimum 8 characters, case specific and containing special characters	d	Option D is correct. A strong password includes complexity with uppercase, lowercase, numeric, and special characters, enhancing security.	M4DISA	682	62	M4DISA
683. What should be done to ensure that security policies are in tune with the management’s intent?	A. Change passwords regularly	B. Restrict unauthorized access to facilities	C. Review the security policies periodically	D. Hold non-public personal information in strict confidence	c	Option C is correct. Regular review of security policies ensures alignment with management's intent and evolving security needs.	M4DISA	683	113	M4DISA
684. Policies are generic and sometimes cannot be enforced in specific situations. Can there be a relaxation of adherence to policy in such cases?	A. Yes. But, it is necessary to ensure that there are suitable compensating controls	B. Yes. Policies can be relaxed in case of such situations unconditionally	C. No. Under no circumstances can an Information Security policy be relaxed	D. Yes. Adherence to the policy can be relaxed for an indefinite period for the specific activity only.	a	Option A is correct. Relaxation of policy may be allowed with compensating controls to mitigate risks within acceptable limits.	M4DISA	684	178	M4DISA
685. Standards, Guidelines and Procedures are the three elements of policy implementation. In what order should they be followed for proper implementation?	A. Guidelines, Procedures and Standards	B. Procedures, Standards and Guidelines	C. Standards, Guidelines and Procedures	D. Guidelines, Standards and Procedures	c	Option C is correct. Standards precede guidelines and procedures in policy implementation to ensure uniformity and effectiveness.	M4DISA	685	184	M4DISA
686. With respect to Information Security, what does ‘Segregation of Duties’ mean?	A. No individual, of whatever seniority in the organization, should have the ability to carry out every step of a sensitive business transaction.	B. The responsibility of powerful and KEY access to the system should not be carried out by one person alone.	C. No person should be kept in one particular post for too long	D. Organizations should avoid situations where an individual becomes indispensable to the business	a	Option A is correct. Segregation of Duties prevents individuals from having complete control over sensitive transactions, reducing risks of fraud.	M4DISA	686	86	M4DISA
687. In a bank, the chest in which cash is kept has to be opened with two keys, one which is in the control of the manager and the other which is in the control of the accountant/sub manager. Under what security rule does this aspect classify?	A. Segregation of Duties	B. The ‘Four Eyes’ or ‘Two Person’ principle	C. Rotation of Duties	D. ‘KEY Man’ policies	b	Option B is correct. The practice of requiring two persons (manager and accountant) to open the chest aligns with the 'Two Person' principle for security.	M4DISA	687	15	M4DISA
688. An organization which is IS compliant requires its employees to take two weeks consecutive mandatory leave. Under which security rule does this feature classify as?	A. Rotation of duties	B. ‘KEY Man’ policies	C. Two-person principle	D. Segregation of duties	a	Option A is correct. Mandatory leave ensures roles are rotated, preventing continuous control over critical functions, a security measure against fraud.	M4DISA	688	96	M4DISA
689. Every corporate asset, building, item of equipment, bank account and item of information should have a clearly defined ‘owner’. What are the responsibilities of the owner of such assets?	A. Adding and deleting user identifiers from the system	B. Defining security responsibilities for every person in the organization	C. Ensuring that the asset is well maintained, accurate and up to date	D. Establishing and Implementing an effective IS program	c	Option C is correct. Asset owners are responsible for ensuring assets are maintained, accurate, and up to date.	M4DISA	689	50	M4DISA
690. When an owner is not able to manage a particular asset on a day-to-day basis, the responsibility is passed on to a custodian. Which of the following is an example of a custodian?	A. a vendor responsible for an outsourced activity	B. data center controlling access to production data	C. a subordinate doing the function of an owner during his absence	D. an auditor auditing the effectiveness of an asset	b	Option B is correct. A data center controlling access to production data acts as a custodian for that information asset.	M4DISA	690	131	M4DISA
691. The actual security mechanism has its application in certain KEY tasks of security systems. What are these called as?	A. Organisational control	B. Backup data	C. Control points	D. Operating System	c	Option C is correct. Control points are where the actual security mechanisms are applied in security systems.	M4DISA	691	166	M4DISA
692. Name the participant which ensures that all stakeholders impacted by security considerations are involved in the Information Security Management process.	A. Steering committee	B. Information Owner	C. Information Custodian	D. System Owner	a	Option A is correct. The steering committee ensures involvement of all stakeholders in the Information Security Management process.	M4DISA	692	133	M4DISA
693. Name the participant who ensures that security controls have been implemented in accordance with the information classification.	A. Information Custodian	B. Information Owner	C. System Owner	D. Process Owner	b	Option B is correct. The Information Owner ensures security controls are aligned with information classification.	M4DISA	693	49	M4DISA
694. Name the participant who ensures safekeeping of information on behalf of the information owner.	A. System Owner	B. Process Owner	C. Information Custodian	D. System Administrator	c	Option C is correct. An Information Custodian ensures safekeeping of information as per security procedures.	M4DISA	694	14	M4DISA
695. Whose responsibility is it to ensure that adequate security is built once the applications and systems have been acquired and are ready for use in the production department?	A. System Owner	B. Process Owner	C. System Administrator	D. User Manager	a	Option A is correct. The System Owner ensures security is built into acquired applications and systems for production use.	M4DISA	695	151	M4DISA
696. Who is the person responsible for creating new system user accounts and changing permissions of existing user accounts?	A. User Manager	B. System Administrator	C. Super User	D. Security Manager	b	Option B is correct. The System Administrator handles user account creation and permissions management.	M4DISA	696	116	M4DISA
697. Who holds the ultimate responsibility for all user IDs and information assets owned by the company’s employees?	A. Super User	B. Security Manager	C. Steering Committee	D. User Manager	d	Option D is correct. The User Manager has ultimate responsibility for user IDs and information assets owned by company employees.	M4DISA	697	79	M4DISA
698. Who is responsible for defining security strategy and policies for an organization?	A. Steering Committee	B. Information Owner	C. Security Manager	D. Information Custodian	c	Option C is correct. The Security Manager defines security strategy and policies for the organization.	M4DISA	698	21	M4DISA
699. What is the role of Human Resources Security when the employment of a person is terminated?	A. Ensure that access to sensitive data is revoked immediately	B. Define appropriate access to sensitive information for another person	C. Send regular updates in an effort to safeguard the data which was in their possession	D. Educate the terminated employee to prevent data disclosure to 3rd parties	a	Option A is correct. HR Security ensures immediate revocation of access to sensitive data upon employee termination.	M4DISA	699	160	M4DISA
700. What is ‘Acknowledge Policy’ with regard to Security Awareness training program?	A. All employees are required to undergo security awareness training	B. All employees and third parties having access to sensitive information have to complete training at least once a year	C. All employees are required to acknowledge that they have read and understood the organization's information security / acceptable use policy.	D. All employees have to go through a formal induction process designed to introduce the organization's security policies	c	Option C is correct. The Acknowledge Policy ensures employees acknowledge understanding of the organization's security policies.	M4DISA	700	110	M4DISA
701. What is the primary goal of configuration management?	A. Ensuring that changes to the system do not unintentionally diminish security	B. Mitigate the impact that a change might have on the security of other systems	C. Configuring systems to meet the security requirement of the organisation	D. Updating the software with the latest versions of all applications	a	Option A is correct. The primary goal of configuration management is to ensure changes do not diminish security.	M4DISA	701	59	M4DISA
702. What is the objective of a non-disclosure agreement?	A. Identify functional and physical characteristics of each configuration setting	B. Impose limitations on like organisations that operate in the same competitive space	C. Creates a confidential relationship between parties to protect any type of confidential information	D. Follow a checklist to address whether any of the security holes remain unplugged	c	Option C is correct. An NDA creates a confidential relationship to protect shared confidential information.	M4DISA	702	69	M4DISA
703. What is the primary cause for lack of integration in system and security design?	A. Inadequacy of checklists as a means to address security concerns	B. Limitations imposed on like organizations that operate in its competitive space	C. The challenge of finding the right balance between protecting the organization’s core assets and processes and enabling them to do their job	D. Systems and security design are undertaken in parallel rather than in an integrated manner	d	Option D is correct. Lack of integration is primarily due to systems and security design happening in parallel.	M4DISA	703	57	M4DISA
704. What is a Denial-of-Service attack?	A. An attempt to make a machine or network unavailable to its intended users.	B. Unauthorized access to an organisation’s internal network.	C. Illegal copying of software.	D. Creation of Internet Protocol (IP) packets with a forged source IP address	a	Option A is correct. A Denial-of-Service attack attempts to make a machine or network unavailable to its users.	M4DISA	704	185	M4DISA
705. What is ‘Phishing’?	A. Unauthorized real-time interception of a private communication	B. Attempting to obtain otherwise secure data by conning an individual into revealing secure information	C. Trying to obtain information like user ID and password for bank accounts, credit card pin etc. using electronic communication means	D. Exploiting vulnerabilities of a system to gain unauthorized access to system or resources	c	Option C is correct. Phishing involves attempting to obtain sensitive information using electronic means.	M4DISA	705	27	M4DISA
706. What are ‘botnets’?	A. Underground network established by hackers by sending malware	B. Targeted attack that continues for a sustained period for about a year or more	C. Attacks that are specifically targeted to selected organization	D. Changing of data before or during entry into the computer system	a	Option A is correct. Botnets are underground networks created using malware by hackers.	M4DISA	706	3	M4DISA
707. What should be done to minimize damage from security incidents and to recover from them?	A. Report an incident to an appropriate authority to know what action should be taken	B. Handle the incident independently and follow it up if required	C. Establish a formal incident response capability and centralize it with the KEY roles and responsibilities	D. Plan and prepare a response system proactively in case of the occurrence of an incident	c	Option C is correct. Establishing a formal incident response capability minimizes damage and aids recovery.	M4DISA	707	190	M4DISA
708. Generating a higher level of compliance by creating realistic workable policies is one way of increasing compliance to security policies. Which guideline of implementation does this fall under?	A. Simplify enforcement	B. Increase Awareness	C. Communicate Effectively	D. Integrate Security with corporate culture	a	Option A is correct. Creating realistic policies increases compliance by simplifying enforcement.	M4DISA	708	175	M4DISA
709. As part of auditing Information Security of a multinational bank, an auditor wants to assess the security of information in ATM facilities. Under which privacy policy should he look for details pertaining to security guards and CCTV surveillance of ATMs?	A. Acceptable use of Information Assets Policy	B. Physical Access and Security Policy	C. Asset Management Policy	D. Business Continuity Management Policy	b	Option B is correct. Details about security guards and CCTV surveillance are covered under Physical Access and Security Policy.	M4DISA	709	146	M4DISA
710. You work in a company which has strict Information Security Procedures. One of the requirements which you have to adhere to is setting a strong login password. Which of the following is an example of a strong password?	A. Abcde	B. Rosy98	C. 31567	D. qqbRqs$W	d	Option D is correct. 'qqbRqs$W' meets the criteria of a strong password with its complexity and length.	M4DISA	710	102	M4DISA
711. The customer data for the loyalty card issued by a retail store is picked from a form filled by the customer. The data from the form is entered into software by data entry operators who report to a manager. In order to protect customer data, segregation of duties are built in the software in such a way that the operators have permission only to enter data. Any editing or modification can be done only by the manager. It so happens that the manager quits his employment and the store elevates the position of one of the operators to that of a manager. Who do you think is responsible for removing the permission of the exiting manager and changing that of the new manager?	A. Information Owner	B. New Manager	C. System Administrator	D. Information Owner	a	Option A is correct. The Information Owner typically oversees permissions and security configurations through a System Administrator.	M4DISA	711	99	M4DISA
712. The retail store (mentioned in question 3) has branches in locations across India and the same process for collecting customer data for loyalty programs is followed in all the branches. This data is then consolidated into one database and is accessible across all branches. The persons who are assigned responsibilities with respect to this database are as follows: Management as Information Owners, General Manager – Marketing as custodian for the data, General Manager – Operations as owner of the process, System Administrator, Branch Manager, Data Entry Operator. Who, do you think, is responsible for processing the information that is received from the branches, checking it and circulating it?	A. Management	B. General Manager, Marketing	C. General Manager, Operations	D. Branch Manager	c	Option C is correct. The General Manager, Operations is responsible for processing and circulating information received from branches as the process owner.	M4DISA	712	58	M4DISA
713. In the same case as mentioned in Questions 3 and 4, who, do you think is responsible for ensuring that the customer data is secure and running regular backups?	A. General Manager, Marketing	B. General Manager, Operations	C. Data Entry Operator	D. System Administrator	a	Option A is correct. The General Manager, Marketing, as the custodian of the data, ensures security and backups are maintained.	M4DISA	713	68	M4DISA
714. You are an Information Systems Security Awareness Training Manager employed in a Multinational Bank. You have been part of a team that has created a security training program including classroom, online and web based trainings which is mandatory for all employees and third parties who have access to the bank’s sensitive information. How would you ensure that employees and third parties are continually updated on latest issues?	A. By introducing them to the bank’s expectations with respect to Information Security	B. By making Security Awareness training mandatory for the management	C. By getting a written acknowledgement from employees that they have read and understood the policy	D. By giving security awareness training to employees and third parties at least once a year	d	Option D is correct. Regular security awareness training at least annually ensures ongoing awareness of latest issues.	M4DISA	714	49	M4DISA
715. A bank has outsourced certain processes related to its personal loans unit to a third party vendor. As an IS auditor of the bank, what would you look for to assure yourself that non-public business information accessed by the third party vendor is protected and not misused?	A. A non-disclosure agreement signed by the vendor	B. Check if all employees of the vendor are given enough training	C. Verify if there are instances of data being misused earlier	D. Check for a written acknowledgement from the vendor that they have read and understood the company’s policy	a	Option A is correct. A signed non-disclosure agreement protects non-public business information from misuse.	M4DISA	715	198	M4DISA
716. Organisations have to identify the information that needs various levels of protection and put them in the appropriate ‘bucket’. Why can’t the entire information within an organisation be protected uniformly?	A. There is a great dependence on information by organizations	B. It provides a systematic approach to protecting information consistently	C. Maintaining security in a network environment is complex	D. It will be a massive task to protect all information uniformly	b	Option B is correct. Information varies in sensitivity, requiring different protection levels for a systematic approach.	M4DISA	716	140	M4DISA
717. How must an organisation ensure that its information is adequately protected, i.e., neither over protected nor under protected?	A. By training its employees who are using the information	B. By ensuring that its information is not shared in any network	C. By classifying its information and placing it in the appropriate bucket	D. By not sharing information with third parties	c	Option C is correct. Classification ensures appropriate protection levels for information assets.	M4DISA	717	136	M4DISA
718. Information classification ensures that security controls are only applied to information that requires such protection. What is the benefit of such an exercise?	A. Reduces operational costs of protecting information	B. Helps the management access sensitive information	C. Ensures that such information is not shared with third parties	D. Ensures that such information is not accessible to employees	a	Option A is correct. Classification reduces costs by focusing security measures where needed.	M4DISA	718	74	M4DISA
719. How does an organisation ensure that appropriate users gain access to appropriate files?	A. By classifying users to groups	B. By classifying and labeling information	C. By not sharing information in the general network	D. By having a supervisor for groups who controls access	b	Option B is correct. Classification and labeling ensure access control based on information sensitivity.	M4DISA	719	173	M4DISA
720. What are the factors to be considered for determining the level of confidentiality of information?	A. Relevancy to a business transaction	B. Meeting particular compliance requirements	C. Changes to the content and external conditions of information	D. Appropriate User groups	c	Option C is correct. Changes in content and external conditions affect information confidentiality levels.	M4DISA	720	104	M4DISA
721. An Information classification policy determines the accountability of Information Owners, custodians and users. Who is responsible for assigning classifications to information assets?	A. System Owner	B. Information Owner	C. System administrator	D. Process Owner	b	Option B is correct. The Information Owner assigns classifications and ensures security controls are in place.	M4DISA	721	160	M4DISA
722. Under what information category does widely distributed product brochures fall?	A. Sensitive Information	B. Client Confidential Information	C. Unclassified/Public Information	D. Company Confidential Information	c	Option C is correct. Product brochures typically fall under unclassified/public information as they do not require special protection.	M4DISA	722	39	M4DISA
723. Under what category does Company developed software codes fall?	A. Sensitive Information	B. Client Confidential Information	C. Company Confidential Information	D. Unclassified/Public Information	a	Option A is correct. Software codes are sensitive and require special protection to maintain integrity and confidentiality.	M4DISA	723	102	M4DISA
724. Under what category does information received from clients fall?	A. Client Confidential Information	B. Company Confidential information	C. Unclassified/Public Information	D. Sensitive Information	a	Option A is correct. Information received from clients is typically classified as client confidential information.	M4DISA	724	97	M4DISA
725. What is Personally Identifiable Information (PII)?	A. Personal Information of any person who needs to provide this to the organisation	B. Information held by an organisation which can identify a stakeholder	C. Personal Information pertaining to the employees of an organisation	D. Personal Information pertaining to the third parties associated with the organisation	a	Option A is correct. PII refers to personal information provided to an organization by individuals.	M4DISA	725	64	M4DISA
726. What is the standard that must be complied with by all those deals with credit/debit cards?	A. PCIDSS	B. Electronic Communications Privacy Act	C. Information Technology Act 2000	D. Regulations mandated by Reserve Bank	a	Option A is correct. PCIDSS is the standard for handling cardholder information securely.	M4DISA	726	82	M4DISA
727. What is the Act which mandates how financial institutions must deal with the private information of individuals?	A. Information technology Act 2000	B. Video Privacy Protection Act	C. Gramm-Leach-Bliley Act	D. Electronic Communications Privacy Act	c	Option C is correct. The Gramm-Leach-Bliley Act mandates privacy standards for financial institutions.	M4DISA	727	102	M4DISA
728. Which of the following does not classify under Personally identifiable Information?	A. Company advertisement information	B. Medical information of patients	C. Location information of clients	D. Information collected by websites	a	Option A is correct. Company advertisement information typically does not contain PII.	M4DISA	728	75	M4DISA
729. How is information classification applied for information contained in a critical database?	A. at the file or data level	B. to the entire database	C. to each individual document	D. at column level at the discretion of the information owner	d	Option D is correct. Classification for critical databases can be applied at column level as decided by the information owner.	M4DISA	729	12	M4DISA
730. How can critical data be protected during transmission, processing and storing?	A. By keeping the information physically secured	B. By encrypting	C. By controlling access	D. By taking a backup	b	Option B is correct. Encryption protects critical data during transmission, processing, and storage.	M4DISA	730	104	M4DISA
731. What are the solutions referred to under DLP (Data Leak Prevention)?	A. Protecting data based on the rule set and classification	B. Expecting creator of data file to choose who shall access data	C. Authenticating users out of the organisation	D. Working at data base level and managing the access rights	a	Option A is correct. DLP solutions focus on protecting data based on rules and classification.	M4DISA	731	195	M4DISA
732. What is the prerequisite for successful implementation of data protection tools like DLP, DRM and DAM?	A. Identifying information resources	B. Creating an information risk profile	C. Creating appropriate rule set and classification based on impact of risks	D. Establishing a process for data classification	c	Option C is correct. Successful implementation requires creating rules and classifications based on risk impact.	M4DISA	732	144	M4DISA
733. Which of the following is a risk associated with Portable Devices?	A. Users can access Company’s internal information from anywhere	B. It is prone to physical security problems because of availability within the workplace	C. Unauthorised users may access hard copy of electronic data	D. Its overall security is dependent on the physical security of the work stations	a	Option A is correct. Portable devices pose a risk by allowing access to internal information from anywhere.	M4DISA	733	39	M4DISA
734. What are network devices?	A. Device in which all data in a network is placed	B. Devices deployed for establishing communication	C. Devices installed by telecom companies to facilitate mobile communication	D. Devices that facilitate accessing data from anywhere	b	Option B is correct. Network devices are used for establishing communication within a network.	M4DISA	734	188	M4DISA
735. In order to ensure the privacy of personal information of an individual, a company has to:	A. Write policies and procedures	B. Define roles and responsibilities	C. Implement an effective privacy program	D. Define incident response plans	c	Option C is correct. Implementing an effective privacy program ensures personal information privacy.	M4DISA	735	147	M4DISA
736. An auditor need not involve in one of the following while evaluating an organisation’s privacy framework. Which is it?	A. Liaise with in-house legal counsel to understand legal implications	B. Design Incident response plans	C. Liaise with information technology specialists to understand security implications	D. Understand internal policies and guidelines	b	Option B is correct. Incident response plans are typically designed by the organization's governing body, not the auditor.	M4DISA	736	98	M4DISA
737. An insurance company is in the process of classifying its information according to its sensitivity. If you formed a part of the team responsible for this classification, how would you classify personal information pertaining to insurance holders as?	A. Unclassified/Public Information	B. Sensitive Information	C. Client Confidential data	D. Company Confidential data	c	Option C is correct. Personal information of insurance holders is typically classified as client confidential data.	M4DISA	737	6	M4DISA
738. You head a data processing center which handles an outsourced activity of employee medical reimbursements of a multinational. Under which of the following would you classify the software codes?	A. Client Confidential Data	B. Company Confidential Data	C. Sensitive Information	D. Unclassified data	c	Option C is correct. Software codes used for processing employee medical reimbursements are classified as sensitive information.	M4DISA	738	71	M4DISA
739. The personal loans department of a bank maintains a database of personal information of its customers who have availed loans. Under what Act would the company be liable?	A. PCIDSS	B. Information Technology Act 2000	C. Gramm Leach Bliley Act	D. Video Privacy Protection Act	b	Option B is correct. The Information Technology Act 2000 mandates security measures for personal information.	M4DISA	739	105	M4DISA
740. As an employee of the HR department of a multinational company, you are required to send through email, sensitive data pertaining to the employees of your organisation to a data centre for processing. What precautionary measure should you take while transmitting this data?	A. Encrypting the data before sending	B. Taking a back up before sending	C. Sending information only on a need to know basis	D. Setting strong access controls at the vendors site	a	Option A is correct. Encrypting the data ensures it is protected during transmission.	M4DISA	740	171	M4DISA
741. Which of the following is not a part of Physical Access Control?	A. Preventing unauthorized physical access to resources	B. Protection of information in stored, transit and processing stages	C. Control entry during and after normal business hours	D. Identification checks	b	Option B is correct. Protection of information in stored, transit, and processing stages falls under Logical Access Control.	M4DISA	741	80	M4DISA
742. Which of the following is an information asset that need not be included in physical access control?	A. Information in transit through mail	B. Primary computer facilities	C. Micro computers	D. Printers	a	Option A is correct. Information in transit through mail cannot be physically restricted.	M4DISA	742	86	M4DISA
743. Which of the following is not a physical access control?	A. Manual doors or cipher KEY locks	B. Protecting data with passwords	C. Controlling the reception area	D. Logging in visitors	b	Option B is correct. Protecting data with passwords is part of Logical Access Control.	M4DISA	743	8	M4DISA
744. Threats to Information Assets like computing equipment, media and people are known as:	A. Cyber threats	B. Environmental Threats	C. Physical Threats	D. Logical Access Threats	c	Option C is correct. Physical threats encompass risks to computing equipment, facilities, media, and personnel.	M4DISA	744	61	M4DISA
745. “Preventing modification of data by unauthorised personnel” falls under which core principle of Information Safety?	A. Integrity	B. Confidentiality	C. Availability	D. Security	a	Option A is correct. Integrity ensures data is not modified by unauthorized individuals.	M4DISA	745	74	M4DISA
746. Under what category of Physical Security threat does poor handling and cabling of electronic equipment fall?	A. Electrical	B. Environmental	C. Maintenance	D. Hardware	c	Option C is correct. Poor handling and cabling of electronic equipment are categorized under Maintenance threats.	M4DISA	746	21	M4DISA
747. Which of the following is not a source of Physical Security threat?	A. Uncontrolled/Unconditioned Power, Low voltage	B. Physical Access to IS resources by unauthorized personnel	C. Discontented or disgruntled employees	D. Interested or Informed outsiders	a	Option A is correct. Uncontrolled/unconditioned power and low voltage are Environmental threats, not Physical Security threats.	M4DISA	747	67	M4DISA
748. In an organisation, there are instances of employees using the internet for personal purposes. Under what threat is this classified?	A. Logical access threat	B. Environment threat	C. Improper physical access threat	D. Electrical threat	c	Option C is correct. Employees using the internet for personal purposes is an example of improper physical access.	M4DISA	748	65	M4DISA
749. Viewing or copying of sensitive information by visitors who have gained unauthorized access to the same is:	A. An Improper Physical Access Exposure	B. An Unintentional or Accidental Exposure	C. A Deliberate Exposure	D. An Environmental Exposure	a	Option A is correct. Unauthorized viewing or copying of sensitive information is an improper physical access exposure.	M4DISA	749	169	M4DISA
750. If windows exist in a data centre, they must be translucent and shatterproof. Why?	A. To avoid data leakage through electromagnetic radiation	B. To prevent anyone from peeping and viewing data	C. To avoid environmental threats to physical systems	D. To avoid theft of physical assets	a	Option A is correct. Windows in a data centre should be translucent and shatterproof to prevent data leakage through electromagnetic radiation.	M4DISA	750	201	M4DISA
751. Why audit trials and control are logs important for Security Management?	A. To know where access attempts occurred and who attempted them	B. To reduce unauthorized access to sensitive information	C. To prevent modification or deletion of file content	D. To prevent unintentional physical access	a	Option A is correct. Audit trails and access control logs are crucial for knowing where and by whom access attempts occurred in physical security.	M4DISA	751	201	M4DISA
752. What is the first step once an unauthorized event is detected?	A. Process owner should investigate and take action	B. The incident should be reported to the appropriate authority	C. Security administrator should effect modifications to the security policy	D. Should be effectively handled to mitigate losses	b	Option B is correct. The first step upon detecting an unauthorized event is to report it to the appropriate authority.	M4DISA	752	123	M4DISA
753. Which of the following is not a Human Resource Control?	A. Providing identity cards	B. Providing training in Physical Security	C. Locking system screens when not in seat	D. Monitoring behavior	c	Option C is correct. Locking system screens when not in seat is a part of Logical Access Control.	M4DISA	753	48	M4DISA
754. The most important human resource control is:	A. Providing access cards to employees	B. Assigning responsibilities to employees	C. Provide training to employees	D. Escort terminated or resigned/retired employees	a	Option A is correct. Providing access cards is crucial for physical security control over access to facilities.	M4DISA	754	32	M4DISA
755. Which of the following is a perimeter security?	A. Screen savers	B. Passwords	C. Access cards	D. Guards	d	Option D is correct. Guards are a form of perimeter security, providing physical presence and monitoring.	M4DISA	755	56	M4DISA
756. Which of the following is not a perimeter security?	A. Compound walls and Fencing	B. Lighting exteriors	C. Encrypting data in transit	D. Bolting door locks	c	Option C is correct. Encrypting data in transit is related to logical access security, not perimeter security.	M4DISA	756	50	M4DISA
757. What perimeter security is used to reduce the risk of piggybacking?	A. Dead man doors	B. Bolting door locks	C. Combination or Cipher locks	D. Compound walls	a	Option A is correct. Dead man doors (Mantrap systems) reduce the risk of piggybacking by allowing only one person at a time.	M4DISA	757	24	M4DISA
758. The advantages of Electronic door locks do not include:	A. Distinguishing between various categories of users	B. Most secure locks since they enable access based on individual features such as fingerprints	C. Restricting individual access through the special internal code	D. Deactivation of card entry from a central electronic control mechanism	b	Option B is correct. Biometric door locks specifically distinguish between users based on biometric features, not electronic door locks.	M4DISA	758	125	M4DISA
759. Which of the following is a disadvantage of a Biometric Door lock?	A. Easy duplication	B. Is not as sophisticated as electronic door locks	C. High cost of acquisition, implementation and maintenance	D. They are not very secure	c	Option C is correct. High cost of acquisition, implementation, and maintenance is a disadvantage of biometric door locks.	M4DISA	759	40	M4DISA
760. A device which creates a grid of visible white light or invisible infrared light, which when broken activates an alarm is:	A. Photoelectric sensors	B. Dry contact switches	C. Video cameras	D. Identification badges	a	Option A is correct. Photoelectric sensors create grids of light that, when disrupted, trigger alarms, making them effective for perimeter security.	M4DISA	760	119	M4DISA
761. The process requiring all visitors to sign a visitors log at the time of entry/exit is known as	A. Electronic logging	B. Manual logging	C. Controlled visitor access	D. Controlled single point access	b	Option B is correct. Manual logging involves visitors signing a log at entry/exit to record details.	M4DISA	761	124	M4DISA
762. A card reader that senses the card in possession of a user in the general area and enables faster access is:	A. Wireless proximity readers	B. Motion detectors	C. Cable locks	D. Identification Badges	a	Option A is correct. Wireless proximity readers detect cards in proximity, enabling quick access without direct contact.	M4DISA	762	178	M4DISA
763. Lockable switches that prevent a KEY board from being used is:	A. Switch controls	B. Biometric Mouse	C. Laptop security	D. Peripheral switch controls	d	Option D is correct. Peripheral switch controls prevent keyboard use with a lockable switch.	M4DISA	763	171	M4DISA
764. A smart card used for access control is also called a security access card. Which of the following is not a type of smart card?	A. Identification cards	B. Photo Image Cards	C. Digital coded cards	D. Wireless proximity readers	a	Option A is correct. Identification cards are not considered smart cards typically used for access control.	M4DISA	764	182	M4DISA
765. Which of the following is not a biometric characteristic?	A. Finger prints	B. Retina scans	C. Passport photo	D. Palm scans	c	Option C is correct. A passport photo does not constitute a biometric characteristic.	M4DISA	765	172	M4DISA
766. Name the performance measure in biometrics which is the percentage of invalid subjects that are falsely accepted.	A. False Rejection Rate (FRR)	B. False Acceptance Rate (FAR)	C. Crossover Error Rate (CER)	D. Throughput rate	b	Option B is correct. False Acceptance Rate (FAR) measures the percentage of invalid subjects falsely accepted.	M4DISA	766	60	M4DISA
767. With respect to biometrics evaluation, how is the time taken to register with a system referred as?	A. Enrolment time	B. Throughput rate	C. Acceptability	D. Registration time	a	Option A is correct. Enrolment time refers to the time taken to register biometric data in a system.	M4DISA	767	102	M4DISA
768. With respect to audit of physical access controls, what does controls assessment mean?	A. Ensuring that the risk assessment procedure adequately covers periodic and timely assessment of all assets	B. Evaluating whether physical access controls are in place	C. Examining relevant documentation such as the security policy and procedures, premises plans, building plans, etc	D. Reviewing physical access controls for their effectiveness.	b	Option B is correct. Controls assessment involves evaluating the presence and adequacy of physical access controls.	M4DISA	768	183	M4DISA
769. The review of physical access controls by an auditor need not include:	A. Observing safeguards and Physical access procedures	B. Interviewing personnel to get information of procedures	C. Authorising special access	D. Touring organisational facilities	c	Option C is correct. Authorizing special access is not typically within the auditor's role.	M4DISA	769	133	M4DISA
770. What should an auditor check for in case of employee termination?	A. The employee's tenure and his conduct during the same	B. Withdrawal and deactivation of access rights	C. Whether appropriate rights have been granted to the replacement	D. Whether there is any due from the employee to the organisation	b	Option B is correct. An auditor should verify withdrawal and deactivation of access rights upon employee termination.	M4DISA	770	103	M4DISA
771. What is the review procedure that should be adopted by an auditor to ensure that there is adequate security at entrance and exits?	A. Review physical layout diagrams, risk analysis, procedure for removal and return of storage media, knowledge and awareness of emergency procedures by employees	B. Inspect guard procedures and practices, and facility surveillance system apart from assessing vehicle and pedestrian traffic around high risk facility	C. Review security policies and procedures at enterprise level and system level are aligned with business stated objectives	D. Review employee and visitor entry logs, entry/exit procedures used by management, documentation of logs	d	Option D is correct. Auditors should review entry/exit logs and procedures to ensure security at entrances/exits.	M4DISA	771	28	M4DISA
772. From the perspective of environmental exposures and controls, how are computer rooms, server rooms and printer rooms categorised?	A. Information System supporting infrastructure or facilities	B. Hardware and Media	C. Documentation	D. Supplies	a	Option A is correct. These rooms are categorised under Information Systems Supporting Infrastructure or Facilities.	M4DISA	772	167	M4DISA
773. Which of the following is a natural environmental threat?	A. War action and Bomb threats	B. Air conditioning failure	C. Earthquakes	D. Undesired activities in computer facilities such as smoking	c	Option C is correct. Earthquakes are natural environmental threats.	M4DISA	773	125	M4DISA
774. Which of the following is a man-made environmental threat?	A. Extreme variations in temperature	B. Static Electricity	C. Humidity, vapors, smoke and suspended particles	D. Fire due to negligence and human action	d	Option D is correct. Fire due to negligence and human action is a man-made environmental threat.	M4DISA	774	173	M4DISA
775. Given below are some examples of exposures. Which of these do not pertain to violation of environmental controls?	A. The possibility of a fire destroying valuable computer equipment due to use of inflammable material for construction of server cabin	B. The possibility of Unauthorised access to sensitive data through hacking	C. The possibility of a fire due to poor cabling	D. The possibility of damage of keyboards and other devices due to accidental dropping of beverages	b	Option B is correct. Unauthorized access through hacking is not related to environmental controls.	M4DISA	775	79	M4DISA
776. What is a sudden rise in in voltage in the power supply known as?	A. Surge	B. Blackout	C. Sag/dip	D. Transient	a	Option A is correct. A sudden rise in voltage is known as a surge.	M4DISA	776	21	M4DISA
777. Which of the following need not be considered while choosing a safe site?	A. Probability of natural disasters	B. Transportation	C. Proximity to other like companies	D. External services like police, fire, hospital etc	c	Option C is correct. Proximity to other like companies is not typically a consideration for choosing a safe site.	M4DISA	777	84	M4DISA
778. While designing a site, it is important that the location of media libraries is:	A. Fungi Resistant and heat resistant	B. Easily accessible	C. Not easily accessible	D. Outside the work area	a	Option A is correct. Media libraries should be located in a fungi-resistant and heat-resistant area.	M4DISA	778	80	M4DISA
779. The organisation should consider newer environmental threats like generator installation by a neighbor or sudden changes in climate as part of:	A. Facilities planning	B. Choosing a site	C. Designing a site	D. Documentation	a	Option A is correct. These considerations fall under facilities planning when assessing environmental threats.	M4DISA	779	67	M4DISA
780. New employee induction programs should be conducted as part of:	A. Documentation	B. Facilities planning	C. People Responsibility and training	D. Emergency plan	c	Option C is correct. Induction programs are conducted as part of People Responsibility and training to educate employees on environmental control procedures.	M4DISA	780	12	M4DISA
781. An effective emergency plan of an organisation should include:	A. Detailed analysis of third party and outsourced vendors/suppliers	B. Evaluation of effectiveness and efficiency of environmental facilities	C. Preventive maintenance plans	D. Control Action, Evacuation plan and paths	d	Option D is correct. An emergency plan should include control actions, evacuation plans, and clearly marked evacuation paths.	M4DISA	781	131	M4DISA
782. How can an organisation reduce Mean Time to Repair/recover/respond/restore (MTTR)?	A. By stocking spare parts on site	B. By planning for environmental controls	C. By identifying, parameterizing and documenting risks of utility failure	D. By evaluating alternatives with low MTBF	a	Option A is correct. Stocking spare parts on site can reduce MTTR by enabling quicker repairs.	M4DISA	782	150	M4DISA
783. Listed below are some of the controls to ensure uninterrupted supply of clean power. Out of these which is the equipment which cleanses the incoming power supply of problems such as spikes, sags, etc.?	A. Generators	B. Electrical surge protectors/line conditioners	C. Uninterruptible power supply (UPS)	D. Power leads from two substations	b	Option B is correct. Surge protectors/line conditioners cleanse the incoming power supply of issues like spikes and sags.	M4DISA	783	134	M4DISA
784. How does a smoke/fire detector function?	A. Activate audible alarms on sensing a particular degree of smoke or fire	B. Activate audible alarms and are linked to monitoring stations within and outside the organisation	C. Activate an audible alarm on detecting water	D. Switches off power in case of emergency situations like fire etc.	a	Option A is correct. Smoke/fire detectors activate audible alarms upon sensing smoke or fire.	M4DISA	784	193	M4DISA
785. How are fires caused by flammable liquids and gases suppressed?	A. Water or soda acid	B. Dry powder	C. Carbon dioxide, soda acid or FM200	D. Gas based systems	c	Option C is correct. Fires caused by flammable liquids and gases are suppressed using Carbon dioxide, soda acid, or FM200.	M4DISA	785	43	M4DISA
786. Which of the following is a gas based fire suppression system?	A. Wet pipe sprinklers	B. FM 200	C. Dry pipe sprinklers	D. Pre action	b	Option B is correct. FM 200 is a gas based fire suppression system.	M4DISA	786	154	M4DISA
787. How does an auditor ensure that there are safeguards against the risks of heating, ventilation and air-conditioning systems?	A. Review heating, ventilation and air-conditioning design	B. Review any shielding strategies	C. Verify critical systems and emergency power supplies	D. Interview officials and review planning documents	a	Option A is correct. Auditors review HVAC designs to ensure safeguards against associated risks.	M4DISA	787	88	M4DISA
788. How does an auditor ensure that adequate environmental controls have been implemented?	A. Interview security personnel to ensure their awareness and responsibilities	B. Verify critical systems and emergency power supplies	C. Interview staff, determine humidity, temperature and voltage are within acceptable levels	D. Interview officials and review planning documents and review training records and documentation	c	Option C is correct. Auditors verify environmental controls by checking humidity, temperature, and voltage levels.	M4DISA	788	178	M4DISA
789. Which of the following is not a component in the information systems infrastructure between the user and the Data Base?	A. Network operating systems	B. Application software	C. Physical documents	D. Data Base Management System	c	Option C is correct. Physical documents are not part of the information systems infrastructure between users and databases.	M4DISA	789	129	M4DISA
790. What is the task of an auditor when evaluating the risks associated with hardware components?	A. Consider vulnerabilities of different communication channels and devices like workstations, peripherals etc.	B. Ensure that logical access to system software are controlled to detect changes in system configuration	C. Evaluate the access security enforced by the DBMS	D. Focus on the effectiveness of boundary controls and I/O controls	a	Option A is correct. Auditors evaluate hardware risks by considering vulnerabilities in communication channels and devices.	M4DISA	790	5	M4DISA
791. What are the tasks of an auditor while evaluating the vulnerabilities of a Data Base Management System (DBMS)?	A. Evaluate access permissions configured in software	B. Evaluating the access security enforced by the DBMS	C. Ensure that logical access to system software are controlled to detect changes in system configuration	D. Focus on the effectiveness of boundary controls and I/O controls	b	Option B is correct. The auditor evaluates the access security enforced by the DBMS to ensure proper schema definitions, data access controls, and directory services.	M4DISA	791	13	M4DISA
792. What is Masquerading?	A. Disguising or Impersonation	B. Using an unattended terminal	C. Tapping a communication cable	D. Flooding Memory buffers and communication ports	a	Option A is correct. Masquerading involves disguising or impersonation to gain unauthorized access to a system or network.	M4DISA	792	94	M4DISA
793. What is Phishing?	A. Requesting personal details over phone posing as an originator	B. Sending a mail posing as an originator (ex. bank) requesting to provide information by clicking a link	C. Installing software that captures user information like login id and password	D. Specially design programs that captures and transmits information	b	Option B is correct. Phishing involves sending deceptive emails that appear legitimate, tricking users into providing sensitive information.	M4DISA	793	58	M4DISA
794. What are malicious codes that attaches to a host program and propogates when an infected program is executed?	A. Worms	B. Trojan Horses	C. Viruses	D. Logic Bombs	c	Option C is correct. Viruses attach to host programs and replicate when the infected program is executed.	M4DISA	794	172	M4DISA
795. What is a macro virus?	A. A virus that infects Microsoft Word or similar applications	B. A virus that hides itself from anti virus software	C. A virus which encrypts itself and is very hard to detect	D. Software that tracks the internet activities of the user	a	Option A is correct. A macro virus infects applications like Microsoft Word by embedding malicious macros.	M4DISA	795	200	M4DISA
796. Which of the following is not a characteristic of Logic Bombs?	A. This blows up on the occurrence of a logical event	B. These are programmed to open specific ports to allow access for exploitation	C. This checks whether a particular condition has been met to execute the logic code	D. These are very difficult to detect as its destructive information set is known only after it is executed	b	Option B is correct. Logic bombs do not open ports; that characteristic describes Trojan Horses.	M4DISA	796	27	M4DISA
797. Which of the following is not a characteristic of a Macro Virus?	A. When executed unwittingly by a user, it copies itself to the applications start up files	B. Its infection spreads to other machines on a network	C. These are relatively harmless	D. This can assume over two billion two billion different identities	d	Option D is correct. Assuming over two billion identities is a characteristic of polymorphic viruses, not macro viruses.	M4DISA	797	11	M4DISA
798. User Registration is generally approved by:	A. User himself	B. IS Auditor	C. User Manager	D. System Administrator	c	Option C is correct. User registration is typically approved by the user's manager based on job responsibilities.	M4DISA	798	97	M4DISA
799. On what basis are access privileges assigned to a user?	A. Seniority level	B. Expertise and qualification	C. Job requirements and responsibilities	D. There is no basis. It is randomly assigned	c	Option C is correct. Access privileges should be assigned based on the user's job requirements and responsibilities.	M4DISA	799	61	M4DISA
800. In password management, how can misuse of passwords by system administrators be prevented?	A. Force change on first login by the user	B. Secure communication of password to user	C. By generating hash while storing	D. By taking an undertaking from the system administrator	a	Option A is correct. Requiring a password change on first login helps prevent misuse by system administrators.	M4DISA	800	59	M4DISA
801. Which of the following is not mandatory for good password management?	A. All passwords should be authenticated	B. Password expiry must be managed as per policy	C. Every user’s password should be known to the user manager	D. Users have to be educated and made responsible for their password	c	Option C is correct. It is not necessary for user managers to know all user passwords.	M4DISA	801	157	M4DISA
802. How is it possible to detect excess rights due to changes in responsibilities, emergencies etc.?	A. By assigning access privileges	B. By getting the password of the user	C. By a person who has administrative privileges	D. By Periodic review of user’s access rights	d	Option D is correct. Periodic review of user access rights helps detect excess rights due to changes.	M4DISA	802	178	M4DISA
803. What must an IS auditor ensure while reviewing access controls related to user id and passwords of default users with administrative privileges?	A. They can remain but it should be known to the organisation	B. These user ids should be disabled and passwords changed	C. Default users cannot have a user id or password	D. Default users should be educated about their responsibility	b	Option B is correct. IS auditors must ensure default user IDs have their passwords changed or are disabled.	M4DISA	803	13	M4DISA
804. What is segregation of networks with respect to network access control?	A. Isolation of network from internet usage service availability	B. Aligning internet service requirements with the business need policy	C. Restriction of traffic between networks	D. Specifying the exact path or route connecting the network	a	Option A is correct. Segregation of networks involves isolating them from certain types of network traffic.	M4DISA	804	151	M4DISA
805. Name the control which helps in auditing and tracking of transactions along with date and time?	A. Segregation of Networks	B. Network connection and routing control	C. Clock synchronisation	D. Enforced path	c	Option C is correct. Clock synchronisation helps in auditing and tracking transactions with accurate timestamps.	M4DISA	805	37	M4DISA
806. A user is allowed to access only those items he is authorised to access. How is access to information prevented in an application?	A. By application specific menu interfaces	B. System Access is monitored	C. By Event logging	D. By monitoring system use	a	Option A is correct. Access to information is controlled in applications through specific menu interfaces.	M4DISA	806	21	M4DISA
807. In operation system control, what is the use of system utilities?	A. Ensures that a particular session can be initiated from a particular location	B. Help manage critical functions of the operating system	C. Provides means to alert authorities if users are forced to execute instructions	D. Prevents unauthorised access by limiting time slot	b	Option B is correct. System utilities help manage critical functions of the operating system.	M4DISA	807	165	M4DISA
808. Methods like Biometric Authentication or digital certificates are employed for which aspect of operating system control?	A. Password Management	B. Terminal log on procedures	C. User identification and authentication	D. Automated terminal identification	c	Option C is correct. Biometric authentication and digital certificates are used for user identification and authentication.	M4DISA	808	124	M4DISA
809. What are ‘Audit Trails’?	A. History of transactions	B. Record of system activities enabling examination of a transaction	C. Attempts to gain unauthorised access to system	D. Unauthorised privileges granted to users	b	Option B is correct. Audit trails are records of system activities that enable examination of transactions.	M4DISA	809	105	M4DISA
810. What is authentication with regard to Access Control Mechanism?	A. Process by which user provides a claimed identity	B. Process by which a user is allowed to perform a pre determined set of actions	C. Prevention of unauthorised access by a user	D. Mechanism through which user’s claim is verified	d	Option D is correct. Authentication verifies a user's claim to an identity.	M4DISA	810	80	M4DISA
811. A physical/biometric comparison falls under which category of authentication factor?	A. Something the user is	B. Something the user knows	C. Something the user has	D. Two factor authentication	a	Option A is correct. Physical/biometric comparisons are categorized under "something the user is."	M4DISA	811	107	M4DISA
812. Which is the authentication technique which allows the password to be based on changing input rather than just time?	A. Passwords	B. Challenge response	C. PIN’s	D. One time passwords	b	Option B is correct. Challenge response authentication allows passwords based on changing input.	M4DISA	812	27	M4DISA
813. What is the attacking technique in which the attacker uses a malicious software to steal passwords and other information?	A. Trojan attack	B. Brute force	C. Dictionary attack	D. Spoofing attack	a	Option A is correct. Trojan attacks involve malicious software used to steal information.	M4DISA	813	122	M4DISA
814. Automatic log out after a predetermined period of inactivity is a technique used against which type of attack?	A. Spoofing attacks	B. Dictionary attacks	C. Piggy backing	D. Trojan attack	c	Option C is correct. Automatic log out counters piggybacking attacks.	M4DISA	814	12	M4DISA
815. Which of the following is the feature of a Smart token only?	A. Contains information such as name, identification no, photograph etc	B. Contains a magnetic strip which stores information	C. The user is required to KEY in remembered information	D. Contains a processor chip which enables storing dynamic information	d	Option D is correct. Smart tokens have a processor chip for dynamic storage.	M4DISA	815	8	M4DISA
816. In which of the following tokens does the card contain a bar code which is read when brought in proximity to the reader device?	A. Processor based proximity reader	B. Smart tokens	C. Static proximity reader	D. Memory tokens	c	Option C is correct. Static proximity readers use bar codes for proximity reading.	M4DISA	816	174	M4DISA
817. In Biometrics, what is the Crossover Error rate (CER)?	A. A very low FRR	B. The point at which FRR equals FAR	C. A very high FAR	D. The point at which FAR and FRR are zero	b	Option B is correct. CER is where False Rejection Rate (FRR) equals False Acceptance Rate (FAR).	M4DISA	817	99	M4DISA
818. Which of the following is not a function of the operating system?	A. Provides independent user and access privilege management mechanism	B. Supports execution of applications and enforces and security constraints defined at that level	C. Isolates processes from each other and protects permanent data stored in its files	D. Provides controlled access to shared resources	a	Option A is correct. User and access privilege management is typically handled by applications, not the OS.	M4DISA	818	190	M4DISA
819. The flexibility of a Pluggable authentication module allows to:	A. Execute applications and support any security constraints	B. Use multiple authentications for a given service	C. Provide controlled access to shared resources	D. Use physiological and behavioral characteristics to identify user	b	Option B is correct. PAM allows using multiple authentication mechanisms for a service.	M4DISA	819	168	M4DISA
820. Most operating systems have at least three types of file permissions: read, write and execute. The least access that have to be given to users is:	A. Write	B. Execute	C. Read	D. Read and Write	c	Option C is correct. Users should have at least read access to system files.	M4DISA	820	68	M4DISA
821. When a system receives a request, how does it determine access rights for the particular request?	A. By authenticating the password entered by the user	B. By using the access matrix	C. By consulting a hierarchy of rules in the Access Control List	D. By a challenge response	c	Option C is correct. Access rights are determined by rules in the ACL hierarchy.	M4DISA	821	46	M4DISA
822. What does an Access Control Entry in an ACL consist of?	A. Name of the database and its path	B. Name of the user and his reporting structure	C. Name of the user and his group or role	D. Name of users and their access privileges	d	Option D is correct. An ACE in an ACL consists of user names/groups and their access privileges.	M4DISA	822	134	M4DISA
823. The core objective of an IdM system in a corporate setting is:	A. One identity per individual	B. One user per database	C. One role per individual	D. One user one group	a	Option A is correct. The primary goal of IdM is one identity per individual.	M4DISA	823	196	M4DISA
824. Which of the following does not form a part of Identity Management?	A. Controls User Access Provisioning Lifecycle	B. Maintains the identity of a user and actions they are authorised to perform	C. Determines which user can access which resource	D. Manages descriptive information about the user	c	Option C is correct. Access control policies, not identity management, determine resource access.	M4DISA	824	68	M4DISA
825. System administrators/Network Administrators who have the powers to create or amend user profiles are:	A. Privileged users	B. Administrative users	C. Special users	D. Maintenance users	a	Option A is correct. System administrators with such powers are privileged users.	M4DISA	825	135	M4DISA
826. A privileged user can use the user account that has privileged access for only:	A. Normal business use	B. Non privileged activities	C. Privileged activities	D. Logging in to a system	c	Option C is correct. Privileged users should use privileged accounts only for specific activities.	M4DISA	826	132	M4DISA
827. What is a ‘back door’ or ‘trap door’?	A. Flaw that allows data to circumvent the encryption process	B. Bypass which is a means of access for authorised access	C. Flaw that allows an attacker to circumvent security mechanisms	D. Mechanism put in place by an attacker	b	Option B is correct. A back door is an intentional bypass for authorized access.	M4DISA	827	150	M4DISA
828. What are the rows of an access control matrix called?	A. Access Control lists	B. Subjects	C. Objects	D. Capability lists	d	Option D is correct. Rows in an access control matrix are termed capability lists.	M4DISA	828	24	M4DISA
829. What is the major concern of using group/generic ids?	A. Fixing accountability of actions to individual	B. It needs special approval	C. It is not allowed in ERP packages	D. It is not wise to share user id with others	a	Option A is correct. Accountability is a major concern when using group/generic IDs.	M4DISA	829	193	M4DISA
830. What is the specialty of a Single Sign On session?	A. User ids and passwords are shared among select users	B. A single user id and password to log on to all required applications	C. Verifies that the users are whoever they claim to be	D. Verifies that the network components used by the users are within their permission profile	b	Option B is correct. SSO allows logging in once for access to multiple applications.	M4DISA	830	123	M4DISA
831. What is the function of Active Directory (AD) domain controller?	A. Accesses and maintains distributed directory information services over an Internet Protocol network	B. Plays an important role in developing intranet and internet applications by allowing the sharing of information by users	C. Authenticates and authorises all users and computers in a Windows domain type network	D. Verifies that users are who they claim to be and the network components they use are within their profile	c	Option C is correct. AD domain controllers handle authentication and authorization in Windows domains.	M4DISA	831	117	M4DISA
832. Which authentication mechanism issues ‘tickets’ which have a limited life span and are stored in the users credential cache?	A. AD	B. LDAP	C. Kerberos	D. DNS	c	Option C is correct. Kerberos issues tickets with limited lifespan for authentication.	M4DISA	832	49	M4DISA
833. Which of following is an advantage of Single Sign On?	A. Easier administration of changing or deleting passwords	B. It can avoid a potential single point of failure issue	C. Maintaining SSO is easy as it is not prone to human errors	D. It protects network traffic	a	Option A is correct. SSO simplifies password administration.	M4DISA	833	147	M4DISA
834. In a SSO system, once a user’s identity and authentication is established, on what basis are access criteria determined?	A. All identified users are granted access	B. Based on Roles, groups or network location	C. All authenticated users are granted access	D. It is not necessary to establish identity or authenticity	b	Option B is correct. Access criteria in SSO are determined based on roles, groups, or network location.	M4DISA	834	121	M4DISA
835. In a Single Sign On system, all access criteria should default to:	A. No access	B. Full access	C. Granting access to all identified users	D. Granting access to all authenticated users	a	Option A is correct. Access criteria in SSO should default to "no access".	M4DISA	835	159	M4DISA
836. What should an access control mechanism ensure?	A. Subjects should be identified before they are granted access	B. All subjects that are authenticated should be authorised to access objects	C. All Objects can be accessed by authorised subjects	D. Subjects gain access to objects only if they are authorised to	d	Option D is correct. Access control ensures subjects access objects only if authorized.	M4DISA	836	178	M4DISA
837. This is a multi-level secure access control which defines a hierarchy of levels of security.	A. Discretionary Access Control	B. Mandatory Access Control	C. Role Based Access Control	D. Database Access Control	b	Option B is correct. Mandatory Access Control defines security levels hierarchy.	M4DISA	837	65	M4DISA
838. Which of the following is a feature of Role Based Access Control?	A. Multilevel secure access control mechanism	B. The Matrix defines the whole state of the system	C. Systems are centrally administered and are nondiscretionary	D. Access control lists are used to store the rights with object	c	Option C is correct. RBAC features centrally administered, nondiscretionary systems.	M4DISA	838	134	M4DISA
839. Access to database can be controlled through permission settings. On what basis is this permission system designed?	A. Principle of least privileges	B. Permissible values or limits	C. Approval by data owner	D. Access levels	d	Option D is correct. Database permission systems are based on access levels.	M4DISA	839	162	M4DISA
840. What permissions does a user with ‘Manage’ access level have with regard to a database?	A. View, Edit, Add and delete	B. View, add, edit and delete (only information added by them)	C. View, Edit, Add, Delete and change database design	D. Only view	c	Option C is correct. 'Manage' access allows full control over database and design changes.	M4DISA	840	128	M4DISA
841. When access to database is controlled through application software, how is maintenance of database done?	A. Users are granted access for maintenance	B. Direct access is granted to DBA	C. Direct access is granted to system administrator	D. User managers are granted access	b	Option B is correct. Only DBAs typically have direct access for database maintenance.	M4DISA	841	149	M4DISA
842. What is user access to applications with respect to their job responsibilities or logical access control called?	A. User Password Management	B. Equipment Management	C. Privilege Management	D. Network Management	c	Option C is correct. Privilege management deals with user access based on job responsibilities.	M4DISA	842	145	M4DISA
843. Which of the following operating system access control ensures a particular session is initiated from a particular location or computer terminal?	A. Automated Terminal Identification	B. Terminal Log On Procedures	C. Password Management Stem	D. User identification and Authentication	a	Option A is correct. Automated terminal identification restricts sessions to specific locations.	M4DISA	843	104	M4DISA
844. Which of the following is a process by which a user provides a claimed identity to access a system?	A. User Authorisation	B. User Registration	C. User Identification	D. User logging	c	Option C is correct. Identification is the process of claiming identity to the system.	M4DISA	844	182	M4DISA
845. What are the three steps in the process of access control mechanism?	A. Authorisation, information and identification	B. Synchronisation, verification and authentication	C. Identification, authentication and authorisation	D. Synchronisation, identification and authentication	c	Option C is correct. The three steps are identification, authentication, and authorization.	M4DISA	845	80	M4DISA
846. In _________ authentication techniques, the system authenticates the user and enables access to resources based on the authorisation matrix.	A. Token or smart card	B. Password	C. Biometric comparison	D. Personal Identification Number (PIN)	b	Option B is correct. Password authentication uses an authorization matrix for access.	M4DISA	846	23	M4DISA
847. Which of the following is the weakness of the password logon mechanism?	A. Periodic changing of password	B. Encrypted password	C. Repeated use of the same password	D. One user one password	c	Option C is correct. Repeated use of the same password weakens security.	M4DISA	847	81	M4DISA
848. _________________ is defined as automated mechanism, which uses physiological and behavioral characteristics to determine or verify identities.	A. Biometrics	B. Plastic cards	C. Logon/password systems	D. Smart Cards	a	Option A is correct. Biometrics verifies identities based on physical traits.	M4DISA	848	94	M4DISA
849. What is/are the error(s) caused by biometrics due to the complexity of data?	A. False Rejection Rate (FRR)	B. False Acceptance Rate (FAR)	C. Crossover Error Rate (CER)	D. FRR and FAR	d	Option D is correct. Biometrics errors include FRR and FAR due to data complexity.	M4DISA	849	91	M4DISA
850. Facial scan, iris and retina scanning are used in _______________.	A. Biometric security	B. Smart tokens	C. Bio direct security	D. Backup security	a	Option A is correct. Facial, iris, and retina scanning are biometric security measures.	M4DISA	850	30	M4DISA
851. Which of the following provides system administrators the ability to incorporate multiple authentication mechanisms into an existing system using pluggable modules?	A. Personal Authentication Module	B. Password Processing Module	C. Pluggable Authentication Module	D. Login identification Module	c	Option C is correct. Pluggable Authentication Module (PAM) allows integration of multiple authentication mechanisms.	M4DISA	851	44	M4DISA
852. Access privileges of a user for two entities, A and B for read and write are maintained in the _____________ within an application.	A. Actual access control list	B. Access control list	C. Acquired control entry	D. Secret policy entry	b	Option B is correct. Access Control List (ACL) maintains user access privileges within an application.	M4DISA	852	118	M4DISA
853. The characteristic of network that improves reliability and performance due to dynamic routings between two end points is better known as:	A. Anonymity	B. Automation	C. Routing diversity	D. Opaqueness	c	Option C is correct. Routing diversity enhances network reliability and performance through dynamic routing paths.	M4DISA	853	39	M4DISA
854. Network establishes communication among disperse users/machines. Which of the following is a disadvantage of this characteristic of networks?	A. Risks like impersonation, intrusion, tapping	B. Very fast communication speed	C. Physically far end points	D. Humans cannot tell the location of the remote site	a	Option A is correct. Network communication introduces risks such as impersonation and intrusion.	M4DISA	854	168	M4DISA
855. What is the program that an attacker uses which reports to him which ports responds to messages and the vulnerabilities present in each port?	A. Social Engineering	B. Dumpster diving	C. Port Scan	D. Malware	c	Option C is correct. A Port Scan identifies open ports and vulnerabilities on a system.	M4DISA	855	156	M4DISA
856. What does Social Engineering involve?	A. Gathering bits of on formation from various sources	B. Using social skills to persuade a victim	C. Looking through items that have been discarded	D. Eavesdropping	b	Option B is correct. Social Engineering uses social skills to manipulate individuals into divulging confidential information.	M4DISA	856	66	M4DISA
857. ‘Dumpster Diving’ is a commonly used ________________ technique.	A. Reconnaissance	B. Social Engineering	C. Documentation	D. Application fingerprint	a	Option A is correct. Dumpster diving involves searching through discarded items for information.	M4DISA	857	55	M4DISA
858. The process by which an attacker comes to know about the commercial server on which an application is running, the version and operating system for the same is known as:	A. Biometrics	B. Protocol flaws	C. Wiretapping	D. OS and Application Fingerprinting	d	Option D is correct. OS and Application Fingerprinting identifies server details including OS and application versions.	M4DISA	858	67	M4DISA
859. How does an attacker use Malware to gather information?	A. Investigate a product that can be the target of an attack	B. Search for additional information on systems, applications or sites	C. Scavenge the system and receive information over network	D. Post latest exploits and techniques	c	Option C is correct. Malware gathers information by secretly sending data over a network.	M4DISA	859	175	M4DISA
860. The process by which an attacker picks off the content of a communication passing in an unencrypted form is known as:	A. Eavesdropping	B. Wiretapping	C. Microwave signal tapping	D. Satellite signal interception	a	Option A is correct. Eavesdropping intercepts unencrypted communications passively.	M4DISA	860	39	M4DISA
861. What is active wiretapping?	A. Listening to communications intentionally	B. Overhearing without extra effort	C. Injecting something into the communication stream	D. Placing an illegitimate antenna to intercept communication	c	Option C is correct. Active wiretapping involves injecting something into the communication stream.	M4DISA	861	171	M4DISA
862. The costs of intercepting satellite communications are very high because:	A. All traffics passing through a node have to be monitored	B. Neither the sender nor receiver should know that contents have been intercepted	C. Satellite communications are heavily multiplexed	D. Cost of placing an illegitimate antenna is more	c	Option C is correct. Satellite communications are costly to intercept due to heavy multiplexing.	M4DISA	862	67	M4DISA
863. A wireless signal can be picked up easily within 60 meters. Why?	A. The signal is strong up to 60 meters	B. The signal is weak up to 60 meters	C. There is no signal up to 60 meters	D. The signal is strong after 60 meters	a	Option A is correct. Wireless signals are strong within 30-60 meters, making them easy to pick up.	M4DISA	863	104	M4DISA
864. It is not possible to tap an optical system without detection. Why?	A. Optical fiber carries electricity but does not emanate a magnetic field	B. Optical fiber carries light energy which does not emanate a magnetic field	C. An optical signal is not very strong and hence cannot be picked up	D. An antenna needs to be placed to intercept which is detectible	b	Option B is correct. Optical fibers carry light energy without emitting a magnetic field, making tapping detectable.	M4DISA	864	148	M4DISA
865. A term used for a virtual network of zombies used to launch attack on a system is:	A. BOTnets	B. Spam	C. Malware	D. Spoofing	a	Option A is correct. BOTnets refer to virtual networks of compromised machines used for attacks.	M4DISA	865	49	M4DISA
866. An employee who is on leave reveals his authentication details to another in order to allow access to carry out urgent activities in his absence. It so happens that these details are passed on without encryption. How is the employee making his authentication information vulnerable to an impersonator?	A. The impersonator can guess the identity by using common passwords	B. The impersonator can exploit flaws and weaknesses of the operating system	C. The attacker can circumvent or disable the authentication mechanism	D. These details can be rescued by an impersonator by eavesdropping or wiretapping	d	Option D is correct. Passing authentication details without encryption exposes them to interception by an impersonator.	M4DISA	866	170	M4DISA
867. An organisation purchases 10 new systems which are installed by the seller using a test account without any password. However, authentications are put in place and users access information after proper authentication. But the test account has not been deleted. How can an impersonator foil authentication in this case?	A. Information can be accessed through session hijacking	B. Information can be hijacked by intruding between two authenticated users	C. Information becomes vulnerable through well-known test password	D. Information can be accessed through spoofing or masquerading	c	Option C is correct. Leaving a test account with a default or no password exposes the system to exploitation.	M4DISA	867	72	M4DISA
868. Not only is the message itself sensitive but the fact that a message exists is also sensitive. How can an attacker infer that sensitive messages exist between two confidential parties?	A. Traffic flow analysis	B. Using exposures as part of attack	C. By modifying a destination address	D. Taking advantage of mis-delivery due to congestion at network elements	a	Option A is correct. Traffic flow analysis can reveal the existence of sensitive messages.	M4DISA	868	190	M4DISA
869. Which of the following amounts to compromising the integrity of messages?	A. Mistyping an address so that it reaches the wrong recipient	B. Mis-delivery of messages due to some flaw in the network hardware or software	C. Exposure of messages in temporary buffers	D. Combining pieces of different messages into one false message	d	Option D is correct. Combining pieces of messages compromises their integrity.	M4DISA	869	112	M4DISA
870. It is easy for an attacker to obtain information necessary to attack the website. How?	A. Website codes are downloaded and executed in the browser from which the information can be obtained	B. The attacker exploits vulnerabilities in multiple machines and uses them to attack the target simultaneously.	C. An attacker can monitor the communication between a browser and a server to see how changing a web page entry affects what the browser sends and reacts.	D. Attackers execute scripts in the victim’s browser which can hijack user sessions	a	Option A is correct. Attacking website involves downloading and executing its code in the browser.	M4DISA	870	164	M4DISA
871. What is ‘Ping of Death’?	A. Sending more data that what a communication system can handle, thereby preventing receipt of legitimate data	B. Crashing a large number of systems by sending a ping of certain size from a remote machine	C. Corrupting the routing so that traffic can disappear	D. corrupting a name server or causing it to cache spurious entries, thereby redirect the routing of any traffic	b	B is correct - Ping of death: It is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine. This is a serious problem, mainly because this can be reproduced very easily, and from a remote machine. Ping is an ICMP protocol which requests a destination to return a reply, intended to show that the destination system is reachable and functioning. Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim. A is incorrect – Connection Flooding: This is the oldest type of attack where an attacker sends more data than what a communication system can handle, thereby preventing the system from receiving any other legitimate data. Even if an occasional legitimate packet reaches the system, communication will be seriously degraded. C is incorrect - Traffic Redirection: A router is a device that forwards traffic on its way through intermediate networks between a source host’s network and a destination’s. So if an attacker can corrupt the routing, traffic can disappear. D is incorrect - DNS Attacks: DNS attacks are actually a class of attacks based on the concept of domain name server. A domain name server (DNS) is a table that converts domain names like www.icai.org into network addresses like 202.54.74.130, a process called resolving the domain name or name resolution. By corrupting a name server or causing it to cache spurious entries, an attacker can redirect the routing of any traffic, or ensure that packets intended for a particular host never reach their destination.	M4DISA	871	72	M4DISA
872. What are the multiple machines that are used by an attacker for DdS attacks called?	A. Cookies	B. Routers	C. Zombies	D. FTP	c	C is correct - In distributed denial of service (DDoS) attack more than one machine are used by the attacker to attack the target. These multiple machines are called zombies that act on the direction of the attacker and they don’t belong to the attacker. A is incorrect - Cookies are data files created by the server that can be stored on the client machine and fetched by a remote server usually containing information about the user on the client machine. Anyone intercepting or retrieving a cookie can impersonate the cookie’s legitimate owner. B is incorrect – A router is a networking device, commonly specialized hardware, that forwards data packets between computer networks. D is incorrect - FTP is an application known to transmit communication including user id and password in plain text.	M4DISA	872	5	M4DISA
873. A code which can cause serious damage to a system because it is not screened for safety when it is downloaded and runs with the privileges of its invoking user is called:	A. Hostile applet code	B. Cookies	C. Scripts	D. Active X	a	A is correct - A hostile applet is downloadable code that can cause harm on the client’s system. Because an applet is not screened for safety when it is downloaded and because it typically runs with the privileges of its invoking user, a hostile applet can cause serious damage. B is incorrect - Cookies are data files created by the server that can be stored on the client machine and fetched by a remote server usually containing information about the user on the client machine. Anyone intercepting or retrieving a cookie can impersonate the cookie’s legitimate owner. C is incorrect - Clients can invoke services by executing scripts on servers. A malicious user can monitor the communication between a browser and a server to see how changing a web page entry affects what the browser sends and then how the server reacts. D is incorrect – The popular types of active code languages are Java, JavaScript, VBScript and ActiveX controls.	M4DISA	873	148	M4DISA
874. A virus that is difficult to detect because it modifies itself and changes its identity thus hiding itself from antivirus software:	A. MBR Virus	B. Stealth Virus	C. Polymorhic virus	D. Macro Virus	c	C is correct - Polymorphic Viruses: Polymorphic viruses are difficult to detect because they can modify themselves and change their identity thus able to hide themselves from antivirus software A is incorrect - Master Boot Record (MBR) Viruses: Affects the boot sector of storage device and further infects when the storage is accessed. B is incorrect – Stealth viruses hide themselves by tampering the operating system to fool antivirus software into thinking that everything is functioning normally. D is incorrect – Macro viruses are the most prevalent computer viruses and can easily infect many types of applications, such as Microsoft Excel and Word.	M4DISA	874	134	M4DISA
875. What is a Trojan Horse?	A. Virus that affects the boot sector of storage device	B. Virus that affects applications like Microsoft Word and Excel	C. Stand- alone viruses that are transmitted independently	D. Malicious codes hidden under a legitimate program	d	D is correct. A Trojan horse is a malicious code hidden within a legitimate program, allowing unauthorized access or causing harm once executed. A is incorrect - MBR virus B is incorrect – Macro viruses C is incorrect – Worms	M4DISA	875	179	M4DISA
876. Malicious codes added to an existing application to be executed at a later date is known as:	A. Logic bomb	B. Trojan Horse	C. Polymorphic virus	D. Stealth virus	a	A is correct - Logic bombs are malicious code added to an existing application to be executed at a later date. These can be intentional or unintentional. For example Year2000 problem was an unintentional logic bomb. Every time the infected application is run, the logic bomb checks the date to see whether it is time to run the bomb. If not, control is passed back to the main application and the logic bomb waits. If the date condition is correct, the rest of the logic bomb’s code is executed and the result can be anything from a harmless message to a system crash. B, C and D are incorrect – These are different types of viruses.	M4DISA	876	148	M4DISA
877. What is the method used by most of the antivirus software to identify virus infections in a system?	A. Monitoring traffic	B. Signature detection	C. Repair or quarantine	D. Scan processes	b	B is correct - Most of the antivirus software utilizes a method known as signature detection to identify potential virus infections on a system. Essentially, they maintain an extremely large database that contains the known characteristics (signatures) of all viruses. Depending upon the antivirus package and configuration settings, it can scan storage media periodically, check for any files that contain data matching those criteria. A, C and D are incorrect - these are the types of controls of antivirus tools	M4DISA	877	192	M4DISA
878. When do injection flaws occur?	A. When untrusted data is sent to an interpreter as part of a command or query	B. When application functions related to authentication and session management are not implemented correctly	C. When an application takes untrusted data and sends it to a web browser without proper validation	D. When a developer exposes a reference to an internal implementation object	a	A is correct - Injection (SQL Injection): Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. B is incorrect - Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. C is incorrect - Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. D is incorrect - Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.	M4DISA	878	200	M4DISA
879. What is a Cross Site Request Forgery Attack?	A. It forces a logged on victim’s browser to send a forged HTTP request	B. It forges request in order to access functionality without proper authorisation	C. It helps steal or modify weakly protected data	D. It facilitates serious loss or data takeover	a	A is correct - Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. B is incorrect - Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. C is incorrect - Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. D is incorrect – Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.	M4DISA	879	104	M4DISA
880. In case of advanced persistent threat why is an antivirus unable to detect the malware?	A. The attack is on an identified subject	B. Social engineering methods are used	C. Malware is specifically written for this purpose	D. The attack continues for a longer duration	c	C is correct - In case of Advanced Persistent threat, since the malware is specifically written for this purpose, it cannot be detected by an antivirus A, B and D are incorrect – These are the other characteristics of advanced persistent threat	M4DISA	880	183	M4DISA
881. In order to limit the amount of damage a single vulnerability can allow, it is important to:	A. All servers reside on a single segment	B. There should be different segments for different servers	C. Having a single web server	D. Eliminating single points of failure	b	B is correct - Segmentation / Zoning: Segmentation / Zoning can limit the potential for harm in a network in two important ways. Segmentation reduces the number of threats, and it limits the amount of damage a single vulnerability can allow. A web server, authentication server, applications and database are residing on a single server or segment for facilitating electronic commerce transactions are a very insecure configuration. A more secure design will use multiple segments. Since the web server has to be exposed to the public, that server should not have other more sensitive, functions on it or residing on the same segment such as user authentication or access to the database. Separate segments and servers reduce the potential harm should any subsystem be compromised. A is incorrect – for the same reason as mentioned above C is incorrect – This is a redundancy vulnerability D is incorrect – This does not relate to segmentation	M4DISA	881	9	M4DISA
882. Where does encryption occur when data is encrypted in link encryption?	A. Data link layer of the receiving host	B. Network layer	C. Data link layer in the OSI model	D. In transit between two computers	c	C is correct - In link encryption, data are encrypted just before the system places them on the physical communications link, that is, encryption occurs at the Data Link layer in the OSI model. A, B and D are incorrect – decryption occurs at the Data Link layer of the receiving host. Link encryption protects the message in transit between two computers, but the message is in plaintext inside the hosts (above the data link layer). Headers added by the network layer (which includes addresses, routing information and protocol) and above are encrypted, along with the message/data. The message is, however, exposed at the Network layer and thus all intermediate nodes through which the message passes can read the message. This is because all routing and addressing is done at the Network layer. Link encryption is invisible to user and appropriate when the transmission line is the point of greatest vulnerability. Link encryption provides protection against traffic analysis.	M4DISA	882	203	M4DISA
883. Business application system/software is designed to support a specific organisational service, function or process, such as inventory management, payroll, market analysis or e-commerce. What is the goal of such a business application?	A. To enhance the targets and goals of an organisation	B. To deal with problems relating to business processes	C. To enhance quality of services	D. To turn data into information	d	D is correct - The goal of an application system is to turn data into information. A, B and C are incorrect – These are situations under which the need for business development or acquisition of new applications may arise	M5DISA	883	160	M5DISA
647. What is the intent of SDLC?	A. To process data of relevant business processes	B. To enhance the targets and goals of an organisation	C. To improve the quality of services	D. To examine a business situation and improve it	d	D is correct - SDLC refers to the process of examining a business situation with the intent of improving it through better procedures and methods. This is required when there is need to change business processes due to requirements arising out of customers/stakeholders expectations and business strategy. A, B, and C incorrect – These are situations under which the need for business development or acquisition of new applications may arise	M5DISA	884	116	M5DISA
884. Which of the following is the role of an IS Auditor in Phase 3 (System Analysis) of SDLC?	A. Review cost justification/ benefits	B. Review detailed requirement definition documents	C. Verify that the management has approved the initiation and cost of the project	D. Review existing data flow diagrams and other related specifications	c	C is correct - Role of IS Auditor in system analysis phase: Verify that management has approved the initiation of the project and the cost. In case of acquisition, determine that an appropriate number of vendors have been given proposals to cover the true scope of the project and requirements of the users. Determine whether the application is appropriate for the user of an embedded audit routine and if so request may be made to incorporate the routine in conceptual design of the system. A is incorrect – This is the role of an IS Auditor in the feasibility phase B and D are incorrect – These are the roles of an IS auditor in the System Analysis phase	M5DISA	885	127	M5DISA
885. Which of the following is the role of an IS Auditor in the detailed design phase of SDLC?	A. Analyse the justification for going in for a development or acquisition	B. Review input, processing and output controls	C. Ensure that the documentation is complete	D. Review QA report on adopting coding standards by developers.	b	B is correct - Role of IS Auditor in detailed design phase: Review system flowcharts for adherence to the general design. Review input, processing and output controls have been appropriately included in the system. Assess adequacy of the audit trails which provide traceability and accountability. Verify key calculations and processes for correctness and completeness. Interview users to ascertain their level understanding of the system design, input to the system, screen formats and output reports. Systems Development – Acquisition, Maintenance and Implementation 371 Verify that system can identify erroneous data correctly and can handle invalid transactions. Review conceptual design to ensure the existence of appropriate controls. Review quality assurance and quality control results of programs are developed. Verify the design for its completeness and correctness and it meets the defined requirements. Verify that functional data created during requirement phase is complete and test plans are developed. A is incorrect – This is the role of an IS Auditor in the feasibility phase C and D are incorrect – These are the roles of an IS Auditor in the development phase	M5DISA	886	122	M5DISA
886. What are the characteristics of a very well coded application program?	A. Good coding standards, Accuracy and Speed	B. Reliability, Robustness, Accuracy, Efficiency, Usability, Readability	C. Flexibility, Speed, Coding Standards	D. Reliability, Flexibility and Speed	b	B is correct - A very well coded application program should have the following characteristics: Reliability: It refers to the consistency with which a program operates over a period of time. However, poor setting of parameters and hard coding of some data subsequently could result in the failure of a program after some time. Robustness: It refers to the applications’ strength to perform operations in adverse situations by taking into account all possible inputs and outputs of a program considering even the least likely situations. Accuracy: It refers not only to ‘what program is supposed to do’, but also the ability to take care of ‘what it should not do’. The second part is of great interest for quality control personnel and auditors. Efficiency: It refers to the performance per unit cost with respect to relevant parameters and it should not be unduly affected with the increase in input values. Usability: It refers to a user-friendly interface and easy-to-understand internal/external documentation. Readability: It refers to the ease of maintenance of program even in the absence of the program developer. A, C and D are incorrect – These are not the major characteristics of a well coded application program	M5DISA	887	99	M5DISA
887. What is the role of an IS Auditor in the testing phase of SDLC?	A. Review the test plan for completeness and correctness	B. Ensure test plans, test data nd test results are maintained for reference	C. Verify that the system has been installed according to the organisation’s change control procedures.	D. Review programmed procedure used for scheduling and running the system along with the system parameters are used in executing the production schedule.	a	A is correct - Role of IS Auditor in testing phase: Review the test plan for completeness and correctness. Review whether relevant users have participated during testing phase. Review error reports for their precision in recognizing erroneous data and for resolution of errors. Verify cyclical processes for correctness( example: year-end process, quarter-end process) Interview end-users of the system for their understanding of new methods, procedures and operating instructions. Review the system and end-user documentation to determine its completeness and correctness. Review whether reconciliation of control totals and converted data has been performed to verify the integrity of the data after conversion. Review all parallel testing results. Test the system randomly for correctness. Review unit test plans and system test plans to determine that tests for internal control are addressed. Verify that the system security is functioning as designed by developing and executing access tests. Ensure test plans and rest results are maintained for reference and audit B, C and D are incorrect – These are the roles of an IS Auditor in the UAT or final testing phase	M5DISA	888	76	M5DISA
888. What are the security steps involved in the development phase of SDLC?	A. To identify possible attacks and design controls	B. To train developers on security coding practices.	C. To ensure security requirements are tested during testing.	D. To perform security scan of application after implementation.	b	B is correct - Security steps involved during the development phase are: To develop and implement security coding practices such as input data validation and avoiding complex coding. To train developers on security coding practices. A, C and D are incorrect – These are security steps involved during the design, testing and implementation phases.	M5DISA	889	178	M5DISA
889. Which of the following is a mitigation plan for risk associated with compromising on quality and testing?	A. Understand organisation baseline for infrastructure and incorporate in design.	B. Ensure standard coding practices are adopted.	C. Ensure completion of documentation along with design and development.	D. Ensure documentation experts and technical writers are part of team.	b	B is correct - The following are the mitigation plans for risk associated with compromising on quality and testing: Ensure standard coding practices are adopted. Provide enough time for building test cases to cover all function, performance and security requirements. Build test cases along with design. A is incorrect – This is a mitigation plan associated with the risk of inappropriate selection of platform C and D are incorrect – These are mitigation plans for risk associated with missing or inadequate documentation	M5DISA	890	29	M5DISA
890. What is the mitigation plan for risk associated with absence of skilled resources?	A. Consider outsourcing or hiring skilled resources on contract.	B. Develop and implement standard coding practices	C. Perform scope base lining.	D. Introduce change management process to evaluate and adopt changes in requirements	a	A is correct - Mitigation plan for risk associated with absence of skilled resources is to consider outsourcing or hiring skilled resources on contract B, C and D are incorrect – these are mitigation plans for risks associated with poor coding techniques and lack of proper change control	M5DISA	891	155	M5DISA
891. Who is responsible for delivery of a project within the time and budget?	A. Module/Team leader	B. System Analyst	C. Project Manager	D. Database Administrator	c	C is correct - A project manager is normally responsible for more than one project and liaisons with the client or the affected functions. This is a middle management function. The Project manager is responsible for delivery of the project within the time and budget. A is incorrect – A project is divided into several manageable modules and the development responsibility for each module is assigned to module leaders. B is incorrect - The system analyst also has a responsibility to understand existing problem/system/data flow and new requirements. System analysts convert the user’s requirements in the system requirements to design new system. D is incorrect – The data in a database environment has to be maintained by a specialist in database administration so as to support the application program. The database administrator handles multiple projects; and ensures the integrity and security of information stored in the database.	M5DISA	892	6	M5DISA
892. Which of the following is the role of a programmer?	A. Approve, supervise and direct IT projects	B. Convert design into programs by coding	C. Checking compliance with SDLC standards	D. Testing programs and sub programs	b	B is correct - Programmers convert design into programs by coding using programming language. They are also referred to as coders or developers A is incorrect - This is the role of a steering committee C is incorrect – this is the role of the quality assurance team D are incorrect – This is the role of testers	M5DISA	893	24	M5DISA
893. The technical feasibility study for automating a business process using information technology includes which of the following?	A. Is the cost of hardware and software for the class of applications being considered.	B. Are the benefits derived from new application such as improved efficiency, reduced costs, business growth, and customer and user satisfaction.	C. Is the cost of conducting a full systems development/acquisition, implementation and operation.	D. Is system scalable and can it handle the expected business and data growth?	d	D is correct - The technical feasibility includes evaluation of the following factors: • Can the solution work on existing infrastructure or does organisation need to acquire new hardware or software? If currently the organisation is not using an automated solution, they may have to invest in acquiring technology and solution. • Will the proposed system provide adequate responses to inquiries, regardless of the number or location of users? Currently there are many organisations that have deployed such solutions and hence we can conclude that the technical solutions can be made available to meet the response requirements. • Is system scalable and can it handle the expected business and data growth? There are multiple training courses and those can be deployed using scalable infrastructure. • Does the technology offer adequate security? Those requirements need to be considered while developing or acquiring solution. However since many organisations have already implemented similar solution, the required security can be embedded. A, B, C are incorrect – These factors are evaluated by the study of economic feasibility.	M5DISA	894	198	M5DISA
894. The business case is a KEY element of the decision making process throughout the life cycle of project. What information does a business case provide to an organisation?	A. decide whether the SDLC project should be undertaken	B. Explore solutions and make a recommendation	C. Develop a new application system	D. Outline and calculate of benefits	a	A is correct - A business case is normally derived from the benefit realization plan and feasibility study. A business case provides the information required for an organisation to decide whether the SDLC project should be undertaken and if approved, becomes the basis for a project execution and assessment. B is incorrect – this is the objective of a feasibility study C and D are incorrect – these are also the objectives of a feasibility study	M5DISA	895	203	M5DISA
895. What does study of history, structure and culture of information involve?	A. Identifying stakeholder expectations	B. Types of useful systems, issues that have not been addressed and require attention	C. Identifying how the system needs to interact with its environment	D. Study of business processes, underlying activities, and actors that perform these activities	b	B is correct - The study of the history of systems in an organisation gives an idea about the types of systems that have been extremely useful, issues that have not been addressed over a period and new issues that require attention. It is essential to understand organisational structure and culture as the solutions that are not consistent with the culture often fail. A and C are incorrect – These are the activities that come under understanding requirements D is incorrect – These is an activity associated with the study of information flows	M5DISA	896	136	M5DISA
896. It is important to record requirements after they have been analysed. Under which phase of requirement Engineering does this fall?	A. Elicitation	B. Analysis and Negotiation	C. Documentation	D. Validation	c	C is correct - Documentation: Once the requirements have been analyzed, it is important to record them in order to make them formal through proper specification mechanism. During this phase, the team organizes the requirements in such a way that ascertains their clarity, consistency, and traceability etc. This phase is extremely important because often ‘the document produced during specification is what the rest of the development stages will be based upon’. A is incorrect – Elicitation: The RE process is normally considered as the process of finding out ‘what are the real needs of the customers as well as of the system’. It also includes activities to explore ‘how the software can meet the stakeholders’ goals’ and ‘what alternatives might exist’. B is incorrect - Analysis and Negotiation: This phase consists of a set of activities aimed to discover problems within the system requirements and achieve agreement on changes to satisfy all system stakeholders. If an analyst discovers some problems with the requirements during the analysis phase, such requirements are referred back to the elicitation phase. This process is related to the requirements that are incomplete, ambiguous and/or conflicting. Negotiation part is known as ‘the process of discussing conflicts in requirements and finding some compromise which all of the stakeholders can live with’. The principle of this process should be objective, where the judgments and the compromise for the system requirements should be based on technical and organisational needs. All the conflict requirements identified during the analysis process should be negotiated and discussed individually with the stakeholders in order to resolve the conflicts. D is incorrect – Validation: This phase ensures that models and documentation accurately express the stakeholders’ needs along with checking the final draft of requirements document for conflicts, omissions and deviations from different standards.	M5DISA	897	87	M5DISA
897. Which aspect related to Project Planning does process of handing over deliverables come under?	A. Project execution	B. Project execution	C. Project monitoring and controlling	D. Project closing	d	D is correct - Project closing has processes for handing over deliverables or terminating project. A is incorrect – Project planning consists of processes related to developing project execution plan, finalizing requirements, defining work breakdown structure and modules to be developed, estimating efforts and cost, resource planning, risk management, procurement planning and plan for communications with stakeholders. B is incorrect - Project execution consists of processes related to direct project teams, ensuring quality assurance and testing, managing requirements and changes in requirements, ensuring timely procurements and manage resources. C is incorrect - Project controlling and monitoring consists of processes related to monitoring risks, scope creeps, quality of deliverables, costs and budgets, performance reporting.	M5DISA	898	17	M5DISA
898. What does Work Breakdown Structure (WBS) represent?	A. The project in terms of manageable and controllable units of work	B. Detailed specifications with objectives	C. Assigned responsibilities and deadlines	D. Work documents containing the start and finish dates	a	A is correct - A commonly accepted approach to define project objectives is to start with a work breakdown structure (WBS) with each work module having its own objectives derived from main objectives. The WBS represents the project in terms of manageable and controllable units of work and forms the baseline for cost and resource planning. B, C and D are incorrect – Detailed specifications regarding the WBS can be used to develop work packages (WP). Each WP must have a distinct owner and a list of main objectives, and may have a list of additional objectives. The WP specifications should include dependencies on other WPs and a definition of how to evaluate performance and goal achievement. A task list is a list of actions to be carried to complete each work package and includes assigned responsibilities and deadlines. The task list aids the individual project team members in operational planning and scheduling, that when merged together forms a project schedule. Project schedules are work documents containing the start and finish dates, percentage completed, task dependencies, and resource names of individuals planned to work on tasks.	M5DISA	899	34	M5DISA
899. Half way through a project development, on which phase should an IS auditor focus in order to ensure that there is no deviation from the primary objectives of the projects?	A. Project Planning	B. Project Controlling	C. Resource Management	D. Risk Management	b	B is correct - During mid-term project review IS auditor should focus on project planning and controlling activities to ensure that these are not deviating from primary objectives of the project. A is incorrect – A and C are incorrect – These phases do not require much review during this stage. D is incorrect – Focus on risk management process provides detailed insight on the effectiveness of the project management	M5DISA	900	91	M5DISA
900. What is the tool used to verify that deployed resources are capable of finishing a task within the set time limit and with the expected quality level?	A. Earned value analysis	B. Work Breakdown structure	C. Work Package	D. Qualitative Analysis of Risks	a	A is correct - Earned Value Analysis consists of comparing expected budget till date, actual cost, estimated completion date and actual completion at regular intervals during the project. B and C are incorrect – A commonly accepted approach to define project objectives is to start with a work breakdown structure (WBS) with each work module having its own objectives derived from main objectives. The WBS represents the project in terms of manageable and controllable units of work and forms the baseline for cost and resource planning. Detailed specifications regarding the WBS can be used to develop work packages (WP). Each WP must have a distinct owner and a list of main objectives, and may have a list of additional objectives. The WP specifications should include dependencies on other WPs and a definition of how to evaluate performance and goal achievement. A task list is a list of actions to be carried to complete each work package DISA Review Questions, Answers Manual 380 and includes assigned responsibilities and deadlines. The task list aids the individual project team members in operational planning and scheduling, that when merged together forms a project schedule. Project schedules are work documents containing the start and finish dates, percentage completed, task dependencies, and resource names of individuals planned to work on tasks. D is incorrect – Qualitative Analysis of Risks is a part of project planning.	M5DISA	901	166	M5DISA
901. During risk management process, how is risk assessed and evaluated?	A. Creating an inventory of possible risk	B. Quantify the likelihood and impact of risk	C. Create a risk management plan	D. Discover risk that materializes	b	B is correct - Assess and evaluate risk: Quantify the likelihood (expressed as a percentage) and the impact of the risk (expressed as an amount of money). The “insurance policy” (total impact) that needs to be in the project budget is calculated as the likelihood multiplied by the impact. A is incorrect – This step is to identify the risk C is incorrect – This is a part of managing the risk after it has been assessed D is incorrect – This forms a part of monitoring the risk process	M5DISA	902	174	M5DISA
902. Which of the following is the feature of a waterfall model?	A. The designers create an initial base model and give little or no consideration to internal controls, but instead emphasize system characteristics such as simplicity, flexibility, and ease of use.	B. Project is divided into sequential phases, with some overlap and splash back acceptable between phases.	C. This is an iterative model where each iteration helps in optimizing the intended solution.	D. This model of development helps to ease the traumatic effect of introducing completely new system all at once	b	B is correct - The characterizing features of the waterfall model have influenced the development community in big way. Some of the KEY characteristics are: • Project is divided into sequential phases, with some overlap and splash back acceptable between phases. Systems Development – Acquisition, Maintenance and Implementation 381 • Emphasis is on planning, time schedules, target dates, budgets and implementation of an entire system at one time. • Tight control is maintained over the life of the project through the use of extensive written documentation, as well as through formal reviews and approval/signoff by the user and information technology management occurring at the end of most phases before beginning the next phase. A, C and D are incorrect – These are the features of prototype model, spiral model and the incremental model respectively.	M5DISA	903	7	M5DISA
903. In this model, a series of mini-waterfalls are performed, where all phases of the waterfall development model are completed for a small part of the system, before proceeding to the next increment. What SDLC model is this?	A. Waterfall model	B. Prototype model	C. Spiral model	D. Incremental model	d	D is correct - A few pertinent features of incremental model are listed as follows: A series of mini-waterfalls are performed, where all phases of the waterfall development model are completed for a small part of the system, before proceeding to the next increment. • Overall requirements are defined before proceeding to evolutionary, mini – Waterfall development of individual increments of the system. • The initial software concept, requirement analysis, and design of architecture and system core are defined using the Waterfall approach, followed by iterative Prototyping, which culminates in installation of the final prototype (i.e. working system). B, C and D are incorrect – This is not a feature of any of these models.	M5DISA	904	100	M5DISA
904. This model is especially useful for resolving unclear objectives and requirements; developing and validating user requirements; experimenting with or comparing various design solutions, or investigating both performance and the human computer interface.	A. Waterfall model	B. Prototyping model	C. Spiral Model	D. Incremental model	b	B is correct - Strengths of Prototyping Model: • It improves both user participation in system development and communication among project stakeholders. • It is especially useful for resolving unclear objectives and requirements; developing and validating user requirements; experimenting with or comparing various design solutions, or investigating both performance and the human computer interface. • Potential exists for exploiting knowledge gained in an early iteration as later iterations are developed. • It helps to easily identify, confusing or difficult functions and missing functionality. • It enables to generate specifications for a production application. • It encourages innovation and flexible designs. • It provides for quick implementation of an incomplete, but functional, application. • It typically results in a better definition of these users’ needs and requirements than does the traditional systems development approach. • A very short time period is normally required to develop and start experimenting with a prototype. This short time period allows system users to immediately evaluate proposed system changes. • Since system users experiment with each version of the prototype through an interactive process, errors are hopefully detected and eliminated early in the developmental process. As a result, the information system ultimately implemented should be more reliable and less costly to develop than when the traditional systems development approach is employed. A, C and D are incorrect – this is not strength of any of these models	M5DISA	905	149	M5DISA
905. Which of the following is a weakness of the spiral model?	A. It is criticized to be Inflexible, slow, costly, and cumbersome due to significant structure and tight controls.	B. Approval process and control are not formal.	C. Sometimes there are no firm deadlines, cycles continue till requirements are clearly identified.	D. Problems may arise pertaining to system architecture because not all requirements are gathered up front for the entire software life cycle.	c	C is correct – Weaknesses of the spiral model are: • It is challenging to determine the exact composition of development methodologies to use for each of the iterations around the Spiral. • A skilled and experienced project manager is required to determine how to apply it to any given project. • Sometimes there are no firm deadlines, cycles continue till requirements are clearly identified. Hence has an inherent risk of not meeting budget or schedule. A, B and D are incorrect – These are the weaknesses of the waterfall model, prototype model and incremental model respectively	M5DISA	906	135	M5DISA
906. Which of the following is a KEY feature of Rapid Application Development?	A. fast development and delivery of a high quality system at a relatively low investment cost,	B. Use of small, time-boxed subprojects or iterations where each iteration forms basis for planning next iteration.	C. Customer satisfaction by rapid delivery of useful software;	D.  Welcome changing requirements, even late in development;	a	A is correct - The KEY features of RAD are: • KEY objective is fast development and delivery of a high quality system at a relatively low investment cost, • Attempts to reduce inherent project risk by breaking a project into smaller segments and providing more ease-of-change during the development process. • Aims to produce high quality systems quickly, primarily through the use of iterative Prototyping (at any stage of development), active user involvement, and computerized development tools like Graphical User Interface (GUI) builders, Computer Aided Software Engineering (CASE) tools, Database Management Systems (DBMS), Fourth generation programming languages, Code generators and object-oriented techniques. • KEY emphasis is on fulfilling the business need while technological or engineering excellence is of lesser importance. • Project control involves prioritizing development and defining delivery deadlines or “time boxes.” If the project starts to slip, emphasis is on reducing requirements to fit the time box, not in increasing the deadline. • Generally includes Joint Application Development (JAD), where users are DISA Review Questions, Answers Manual 384 intensely involved in system design, either through consensus building in structured workshops, or through electronically facilitated interaction. B, C and D are incorrect – These are the KEY features of Agile Software development methodology	M5DISA	907	6	M5DISA
907. Which of the following is the weakness of the Agile Software development methodology?	A. Fast speed and lower cost may affect adversely the system quality.	B. The project may end up with more requirements than needed (gold-plating).	C. Potential for feature creep where more and more features are added to the system during development.	D. There is lack of emphasis on necessary designing and documentation due to time management and generally is left out or incomplete.	d	D is correct - Weaknesses of Agile methodology: • In case of some software deliverables, especially the large ones, it is difficult to assess the efforts required at the beginning of the System Development life cycle. • There is lack of emphasis on necessary designing and documentation due to time management and generally is left out or incomplete. • Agile increases potential threats to business continuity and knowledge transfer due to verbal communication and weak documentation. • Agile requires more re-work and due to the lack of long-term planning and the lightweight approach to architecture. • The project can easily get taken off track if the customer representative is not clear about the requirements and final outcome. • Agile lacks the attention to outside integration. A, B and C are incorrect – These are the weaknesses of RAD	M5DISA	908	72	M5DISA
908. This is the process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system.	A. Software Reengineering	B. Reverse Engineering	C. Agile processes	D. Rapid Application Development	b	B is correct - Reverse engineering is the process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system. A, C and D are incorrect – This is not part of any of these processes	M5DISA	909	150	M5DISA
909. How is a product for which software is available and can be implemented without customisation classified as?	A. Generic products without customisation	B. Commercial product with customisation	C. Outsourced development	D. Commercial product without customisation	a	A is correct - Generic products without customization: Software is available and can be implemented without customization. These products are also known as Plug-and-play or COTS (Commercial of the shelf) for example MS Office, MS projects etc. B is incorrect – Commercial product with customization: Software needs to be customized like ERP or core banking products or at lower level customization like Tally. C is incorrect – Outsourced development: Ready-made software as required is not available. Hence, the organisation intends to outsource development activities based on cost benefit analysis. D is incorrect – There is no such classification	M5DISA	910	30	M5DISA
910. In achieving the objectives of requirement analysis, the process of understanding the present system and its related problems comes under which of the following steps?	A. Fact finding	B. Analysis	C. Requirements of proposed systems	D. Identifying rationale and objectives	b	B is correct - Analysis to understand Present process: Understanding present system and its related problems helps in confirming the requirements from new application/software. A is incorrect – Fact Finding: Application system focuses on two main types of requirements. The first one is service delivery and second one is operational requirements. These may include lower operational costs, better information for managers, smooth operations for users or better levels of services to customers. To assess these needs, the analysts often interact extensively with stakeholders, to determine ‘detail requirements’. The fact-finding techniques/tools used by the system analyst include document verification, interviews, questionnaire and observation. C is incorrect - Requirements for Proposed Systems: Analysis of functional area and process, the proposed expectations can be clearly defined considering the issues and objectives. D is incorrect – Analysis also include identifying rationale and objectives, inputs and data sources, decision points, desired outcomes from application, mandatory and discretionary controls	M5DISA	911	164	M5DISA
911. The process of allotting weight-age for each requirement and then allotting score to the software that meets that requirement is called as:	A. Point scoring Analysis	B. Agenda based presentations	C. Public evaluation reports	D. Benchmarking solutions	a	A is correct - Point-Scoring Analysis (Functional gap analysis): Point-scoring analysis provides an objective means of selecting software. This is performed by allotting weight-age for each requirement and then allotting score to the software that meets that requirement. B is incorrect - The agenda-based presentations are scripted business scenarios that are designed to show how the software will perform certain critical business functions. Vendors are typically invited to demonstrate their product and follow the sample business scenarios given to them to prepare. C is incorrect – Public Evaluation Reports: Organisation may refer to independent agencies that evaluate various software products of different vendors and publish comparison along with rating based on various predefined parameters including survey of current users. (For example, magic quadrant for similar software product by Gartner, Forester etc.). This method has been frequently and usefully employed by several buyers in the past. D is incorrect – Proof of Concept (PoC) or Benchmarking Solutions: Organisations may request vendor to provide a proof of concept (by implementing product in small pilot area within organisation) that the software meets the expected requirements. This helps organisation in evaluating best product that meets the requirements. This is particularly useful for products that has high-cost and requires high level of efforts that it may not be possible to roll back.	M5DISA	912	160	M5DISA
912. While preparing the request for proposal, what should an organisation do to ensure vendor viability and financial stability?	A. Compare product functionalities against requirements	B. Validate vendor claims about their product performance	C. Get feedback from existing customers of the vendor on supporting documents of the vendor	D. Evaluate what kind of support the vendor provides	c	C is correct - Evaluate the vendor's viability with reference to period for which the vendor is in operation, the period for which the desired product is being used by the existing customers and the Vendor's financial stability on the basis of the market survey and the certification from the customers and on certain supporting documentation from the Vendor A is incorrect – This is part of software and system requirements B is incorrect – This is part of customer references D is incorrect – This is part of vendor support	M5DISA	913	36	M5DISA
913. Out of the tests performed on a program unit, what does a performance test check?	A. whether programs do, what they are supposed to do or not	B. verify the expected performance criteria of program	C. determines the stability of a given system or entity	D. examines the internal processing logic of a software system	b	B is correct - Performance tests are designed to verify the expected performance criteria of program. A, C and D are incorrect – These are the functions of a function test, stress test and structural test respectively	M5DISA	914	115	M5DISA
914. Which of the following is a feature of top down integration?	A. The testing will start from opening login screen and then login, then selecting function one by one	B. It is the traditional strategy used to integrate the components of a software system starting from smallest module/function/program.	C. It consists of unit testing, followed by sub-system testing.	D. Bottom-up testing is easy to implement as at the time of module testing, tested subordinate modules are available.	a	A is correct - Top-down Integration: This starts with the main routine followed by the stubs being substituted for the modules which are directly subordinate to the main module. Considering above example, the testing will start from opening login screen and then login, then selecting function one by one. An incomplete portion of a program code is put under a function (called stub) to allow the function. Here a stub is considered as black box and assumed to perform as expected, which is tested subsequently. Once the main module testing is complete, stubs are substituted with real modules one by one, and these modules are tested. This process continues till the atomic (smallest) modules are reached. Since decision-making processes are likely to occur in the higher levels of program hierarchy, the top-down strategy emphasizes on major control decision points encountered in the earlier stages of a process and detects any error in these processes. The difficulty arises in the top-down method, because the high-level modules are tested with stubs and not with actual modules. B, C and D are incorrect – These are the features of bottom up integration	M5DISA	915	134	M5DISA
915. With respect to System testing, what is the objective of performance testing?	A. To assess how well the application is able to recover from crashes, hardware failures and other similar problems	B. To determine that an Information System protects data and maintains functionality as intended.	C. to determine the stability of a given system or entity based on the requirements	D. to assess various parameters like response time, speed of processing, effectiveness use of a resources (RAM, CPU etc.), network, etc.	d	D is correct - Performance Testing: Software performance testing is performed on various parameters like response time, speed of processing, effectiveness use of a resources (RAM, CPU etc.), network, etc. This testing technique compares the new system's performance with that of similar systems using available industry benchmarks. A,B, C are incorrect – These are the objectives of Recovery Testing, Security testing and Stress testing respectively.	M5DISA	916	75	M5DISA
916. What does User Acceptance Testing focus on?	A. Ensuring that the system is production-ready and satisfies all accepted (baselined) requirements	B. Conforming to the quality standards of the organisation accepted before development	C. Documenting specifications, technology employed, use of coding standards	D. Controlling the execution of tests and the comparing of actual outcomes with predicted outcomes	a	A is correct - User Acceptance Testing (UAT): It is a user extensive activity and participation of functional user is a primary requirement for UAT. The objective of UAT is to ensure that the system is production-ready and satisfies all accepted (baseline) requirements. B and C are incorrect – These are the features of Quality Assurance Testing D is incorrect – This is the feature of automated testing	M5DISA	917	53	M5DISA
917. In this strategy, implementation can be staged with conversion to the new system taking place gradually.	A. Phased Changeover	B. Abrupt Changeover	C. Pilot Changeover	D. Parallel Changeover	a	A is correct - Phased Changeover: With this strategy, implementation can be staged with conversion to the new system taking place gradually. This is done based on business operations. For example, converting one function (e.g. marketing) on new system, wait for the same be stabilized and then take another function (Finance/HR/production etc.) B is incorrect – Cut-off or Direct Implementation / Abrupt Change-Over: This is achieved through an abrupt takeover – an all or no approach. With this strategy, the changeover is done in one operation, completely replacing the old system in one go. Fig 6.1 depicts Direct Implementation, which usually takes place on a set date, often after a break in production or a holiday period so that time can be used to get the hardware and software for the new system installed without causing too much disruption. C is incorrect – Pilot Changeover: With this strategy, the new system replaces the old one in one operational area or with smaller scale. Any errors can be rectified and new system is stabilized in pilot area, this stabilized system is replicated in operational areas throughout the whole system. For example converting banking operations to centralized systems are done at one branch and stabilized. The same process is replicated across all branches. D is incorrect – Parallel Changeover: This is considered the most secure method, time and resource consuming implementation. The new systems is implemented, however the old system also continues to be operational. The output of new system is regularly compared with old system. If results matches over period of time and issues observed with new system are taken care of, the old system is discontinued.	M5DISA	918	126	M5DISA
918. Which of the following is a requirement to be considered with respect to cloud computing and sourcing options?	A. The development team needs to define backup procedures	B. Client needs to be tested for all known browsers	C. Evaluation of vendors for acquisition of tools and software	D. Developers to test their code before releasing to testing team	b	B is correct - The lists of requirements that must be considered are discussed below: • Application on cloud uses platform independent web based technology like Java, Net, XML, PHP etc. Deployment of services may happen in phased manner, the project manager may consider agile development method to develop and deploy services. • Client is executed using internet browsers like internet explorer, Google chrome, Mozilla etc. and hence need to be tested for all known browsers. It is necessary to consider security while developing the software, users may or may not use security settings in their browsers. Also not all browsers offer same level of security settings. • Web application security requirements need to be considered while designing and testing the application. • Non-functional requirements of performance and response have to be considered while developing the software. • Licensing issues for utilities and middleware are complex and should be considered. A, C and D are incorrect – These are the characteristics for virtualisation	M5DISA	919	164	M5DISA
919. Which of the following is a risk with respect to security of big data?	A. When an employee leaves the company, data may still be present on their employees’ device.	B. Requires data to be stored in denormalized form i.e. schema-less in distributed environments	C. Propagation of malware resulting in data leakage, data corruption and non-availability of required data.	D. Possibility of fraud through remote access and inability to prevent/detect it.	b	B is correct - Big data requires data to be stored in denormalized form i.e. schema-less in distributed environments, where data from multiple sources can be joined and aggregated in arbitrary ways, make it challenging to establish access controls • As the big data consist of high volume, high variety and high velocity data, it makes difficult to ensure data integrity • Since it is aggregation of data from across the organisation, it also includes sensitive data • Most existing data security and compliance approaches will not scale to handle big data security. A, C and D are incorrect – These are the disadvantages of using mobile devices in SDLC	M5DISA	920	147	M5DISA
920. Which of the following is the role of an IS Auditor during post implementation review?	A. suggest appropriate controls to be included in proposed solution	B. Interview project team and stakeholders to understand expectations	C. Ensure ‘what project control standards are to be complied with	D. Evaluation of system for information security and privacy controls	d	D is correct - Information Security: System should also need to be evaluated for information security and privacy controls. This aspect of system evaluation is based on the security requirements documented during information gathering, security of infrastructure on which the application is hosted (e.g. hardware baselining, network security, access controls and vulnerability scanning). Evaluation may also include the availability aspect required for continuity (e.g. in case of high availability requirements redundant infrastructure in cluster or replication and readiness of alternate site, updating of BCP documents etc.) A, B, C are incorrect – These are the reviews to be done by the auditor as a team member and during mid project	M5DISA	921	25	M5DISA
921. In an organisation, business processes and related controls are put in place through:	A. Business Applications	B. Control Structure	C. Business Cycle	D. Business Model	a	A is correct - “Business Application”, may be defined as applications (meaning computerized software) used by organisation to run its business. The consideration is whether the said application covers / incorporates the KEY business processes of the organisation. Another important consideration is whether the control structure as available in the Business Application is appropriate to help organisation achieve its goals. Business applications are where the necessary controls needed to run business are put in place. B, C and D are incorrect – Each business cycle used by an organisation has a defined control structure that has a direct co-relation to the business model used. Organisations have to document business processes and identify KEY control points. Organisations have to ensure that the KEY control points are configured in system.	M6DISA	922	3	M6DISA
922. The ICAI has issued standards on Internal Audit in Information Technology Environment. According to this, an auditor has to:	A. Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives and guidelines issued by government or industry.	B. Establish the expected degree of reliance to be placed on internal control;	C. Determine the nature, timing, and extent of the audit procedures to be performed;	D. Consider the extent to which the IT environment is used to record, compile, process and analyse information	d	D is correct - SIA 14, on INTERNAL AUDIT IN INFORMATION TECHNOLOGY ENVIRONMENT, as issued by ICAI, states that; “The internal auditor should consider the effect of an IT environment on the internal audit engagement, inter alia: a. The extent to which the IT environment is used to record, compile, process and analyse information; and b. The system of internal control in existence in the organisation with regard to: the flow of authorised, correct and complete data to the processing centre; the processing, analysis and reporting tasks undertaken in the installation”. A, B and C are incorrect – ISACA Standards ISACA ITAF, 1201 “Engagement Planning”, identifies risk assessment as one of the KEY aspects and states that IS audit and assurance professionals, have to; • Obtain an understanding of the activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement. • Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives and guidelines issued by government or industry. • Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels and resource requirements can then be developed. • Develop the engagement project plan using appropriate project management methodologies to ensure that activities remain on track and within budget. ICAI Standards SA 200 “Overall Objectives of the Independent Auditor and the conduct of an audit in accordance with standards on Auditing”, Issued by ICAI, requires an auditor to plan an audit and get following information: “The auditor should plan his work to enable him to conduct an effective audit in an efficient and timely manner. Plans should be based on knowledge of the client’s business. Plans should be made to cover, among other things: a. Acquiring knowledge of the client’s accounting system, policies and internal control procedures; b. Establishing the expected degree of reliance to be placed on internal control; c. Determining and programming the nature, timing, and extent of the audit procedures to be performed; and d. Coordinating the work to be performed.	M6DISA	923	96	M6DISA
923. What is control risk with respect to risk assessment for a business application?	A. Relates to business risks, country risks and contract risks	B. Failure of a control to prevent or detect a material error that exists in system.	C. risk arising without taking into account a planned action by management	D. failure of an audit procedure to detect an error that might be material	b	B is correct - Control risk is defined as failure of a control to prevent, detect a material error that exists in system. A, C and D are incorrect – Subject matter risk, relates to business risk, country risk, contract risks. These are important for an IS auditor to consider but merged with inherent risk (discussed later). 2. Audit risk, is define as auditor reaching incorrect conclusion after an audit. The components of audit risk being control risk, inherent risk and detection risk. • Control risk is defined as failure of a control to prevent, detect a material error that exists in system. • Inherent risk is defined as risk arising without taking into account a planned action by management to reduce the risk. Simply said it related to nature of transaction / business. • Detection risk is defined as failure of an audit procedure to detect an error that might be material individually or in combination of other errors.	M6DISA	924	58	M6DISA
924. Business applications used by entities to manage resources optimally and to maximize economy, efficiency and effectiveness of business operations is known as:	A. Accounting Applications	B. Banking Applications	C. ERP Applications	D. Payroll Application	c	C is correct - ERP Application: These have been created a separate category of business application systems, due to their importance for an organisation. These software called as enterprise resource planning software are used by entities to manage resources optimally and to maximize E^3 i.e. economy, efficiency and effectiveness of business operations. A is incorrect - Accounting Applications: Applications like TALLY, TATA EX, UDYOG, used by business entities for purpose of accounting for day to day transactions, generation of financial information like balance sheet, profit and loss account, cash flow statements, are classified as accounting applications. B is incorrect – Banking Application: Today all public sector banks, private sector banks, and including regional rural banks have shifted to core banking business applications (referred to as CBS). Reserve Bank of India guidelines mandating all co-operative banks also to shift to core banking applications by December 013, means 95% plus Indian banks use CBS. CBS used by Indian banks include, FINACLE (by Infosys Technologies Ltd.), FLEXCUBE (By Oracle Financial Services Software Limited, formerly called i-flex Solutions Limited), TCS BaNCS (By TCS Limited), and many more CBS. D is incorrect – Payroll Application: Many companies across the world are outsourcing these activities to professionals. In India also many CA firms are doing good job on payroll outsourcing. TALLY has a payroll application built into it. ICAI, has made available for its members a payroll application.	M6DISA	925	148	M6DISA
925. Key business requirements for information specify ‘integrity’ as a parameter that needs to be present in information generated. By integrety we mean:	A. protection of sensitive information from unauthorised disclosure	B. accuracy and completeness of information as well as its validity	C. information being available when required	D. information being delivered in a timely, correct, consistent and usable manner	b	B is correct - Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations A is incorrect – Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure C is incorrect - Availability: Relates to information being available when required by the process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. D is incorrect – Effectiveness: Deals with information being relevant and pertinent to the process as well as being delivered in a timely, correct, consistent and usable manner	M6DISA	926	144	M6DISA
926. COBIT defines six control objectives for application controls. Under which of the following objectives does validating input data classify?	A. Data collection and entry	B. Completeness and Authenticity checks	C. Processing integrity and validity	D. Transaction Authentication and Integrity	b	B is correct - Accuracy, Completeness and Authenticity Checks: Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible. A is incorrect - Source Data Collection and Entry: Ensure that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time. C is incorrect - Processing Integrity and Validity: Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions. D is incorrect – Transaction Authentication and Integrity: Before passing transaction data between internal applications and business/operational functions (within or outside the enterprise), check the data for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport	M6DISA	927	68	M6DISA
927. Neural Networks and Fuzzy Logics are classified under which category of Artificial intelligence?	A. Cognitive Science	B. Robotics	C. Natural Sciences	D. Virtual Reality	a	A is correct - Cognitive Science: This is an area based on research in disciplines such as biology, neurology, psychology, mathematics and allied disciplines. It focuses on how human brain works and how humans think and learn. Applications of AI in the cognitive science are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and Fuzzy Logic B, C and D are incorrect – Robotics: This technology produces robot machines with computer intelligence and human-like physical capabilities. This area includes applications that give robots visual perception, capabilities to feel by touch, dexterity and locomotion. iii. Natural Languages. Being able to 'converse' with computers in human languages is the goal of research in this area. Interactive voice response and natural programming languages, closer to human conversation, are some of the applications. Virtual reality is another important application that can be classified under natural interfaces.	M6DISA	928	38	M6DISA
928. What are decision support systems (DSS)?	A. System used for getting valuable information for making management decisions	B. systems that provide interactive information support to managers with analytical models	C. system which allows buying and selling goods on the internet and involves information sharing, payment, fulfillment, service and support	D. system intended to capture data at the time and place of a transaction	b	B is correct - DSS are information systems that provide interactive information support to managers with analytical models. DSS are designed to be ad hoc systems for specific decisions by individual-managers. These systems answer queries that are not answered by the transactions processing systems. A, C and D are incorrect – Data warehousing system is used for getting valuable information for making management decisions. Other than buying and selling goods on the Internet, E Commerce (Electronic Commerce) involves information sharing, payment, fulfillment and service and support. a PoS is intended to capture data at the time and place of transaction which is being initiated by a business user. It is often attached to scanners to read bar codes and magnetic cards for credit card payment and electronic sales.	M6DISA	929	39	M6DISA
929. Which of the following should an IS auditor consider while auditing data warehousing systems?	A. Network capacity for speedy access	B. Accuracy and correctness of outputs generated	C. Validation of receivers details for correctness and completeness	D. Review of exceptional transaction logs	a	A is correct - IS Auditor should consider the following while auditing data warehouse: 1. Credibility of the source data 2. Accuracy of the source data 3. Complexity of the source data structure 4. Accuracy of extraction and transformation process 5. Access control rules 6. Network capacity for speedy access B is incorrect – IS Auditors role with respect to Decision Support System: 1. Credibility of the source data 2. Accuracy of the source data 3. Accuracy of extraction and transformation process 4. Accuracy and correctness of the output generated 5. Access control rules C is incorrect – The IS Auditors role with respect to EFT will be with respect to: 1. Authorisation of payment. 2. Validation of receivers details, for correctness and completeness. 3. Verifying the payment made. 4. Getting acknowledgement from the receiver, or alternatively from bank about the payment made. 5. Checking whether the obligation against which the payment was made has been fulfilled. D is incorrect – IS Auditors role for PoS systems: 1. In case there is batch processing, the IS auditor should evaluate the batch controls implemented by the organization. 2. Check if they are in operation, 3. Review exceptional transaction logs. 4. Whether the internal control system is sufficient to ensure the accuracy and completeness of the transaction batch before updating? 5. The relevance of controls is more In the case of online updating system, the IS auditor will have to evaluate the controls for accuracy and completeness of transactions.	M6DISA	930	105	M6DISA
930. Why is IS Audit performed?	A. It safeguards assets, maintains data integrity and achieves the organisations goals and objectives	B. To ensure that the organisations computer systems are available for the business at all times when required	C. Business processes have been integrated into system and decisions are being taken through this integrated system	D. To ensure that the information provided by the system is accurate, reliable and timely	c	C is correct - IS Audit is necessary in today’s business environment as business processes have been integrated into system and lot of decision is being taken through these integrated system. A, B and D are incorrect – These are the agenda to be followed for an IS Audit	M6DISA	931	103	M6DISA
931. While performing an IS audit which of the following comes under risk assessment and planning?	A. conclusions on objective(s), scope, timeline and deliverables, compliance with applicable laws and professional auditing standards	B. provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives	C. use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan	D. obtain sufficient and appropriate evidence to achieve the audit objectives.	c	C is correct - Risk Assessment in Planning: The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources. IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements. IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise. A, B and D are incorrect – Engagement Planning: This includes conclusions on objective(s), scope, timeline and deliverables, compliance with applicable laws and professional auditing standards, use of a risk-based approach, where appropriate, engagement-specific issues, documentation and reporting requirements. Performance and Supervision: IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule. IS audit and assurance professionals shall provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives and meet applicable professional audit standards. IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision. IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions shall be supported by appropriate analysis and interpretation of this evidence. IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions. IS audit and assurance professionals shall identify and conclude on findings. Evidence: IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results. IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.	M6DISA	932	162	M6DISA
932. The type of CAAT which is written for special audit purposes or targeting specialized IT environments is known as:	A. Specialised Audit Software	B. Generalised Audit Software	C. Utility Software	D. Computer Audit Software	a	A is correct - Specialised Audit software, unlike GAS, is written for special audit purposes or targeting specialized IT environments. B, C and D are incorrect – Generalised Audit software refers to generalized computer programs designed to perform data processing functions such as reading data, selecting and analyzing information, performing calculations, creating data files and reporting in a format specified by the auditor. Utility software or utilities though not developed or sold specifically for audit are often extremely useful and handy for conducting audits. Computer audit software is also known as Generalised Audit Programs (GAS)	M6DISA	933	91	M6DISA
933. Which of the following pertains to an operation using GAS?	A. Testing for UNIX controls	B. Comparing an input file with a processed file	C. Production of circularisation letters	D. Random sampling plan	d	D is correct - Typical operations using GAS include: a. Sampling Items are selected following a value based or random sampling plan. b. Extraction Items that meet the selection criteria are reported individually. c. Totaling the total value and number of items meeting selection criteria are reported. d. Ageing Data is aged by reference to a base date e. Calculation Input data is manipulated prior to applying selection criteria A, B and C are incorrect – Specialised Audit software, unlike GAS, is written for special audit purposes or targeting specialized IT environments. The objective of these software to achieve special audit procedures which may be specific to the type of business, transaction or IT environment e.g. testing for NPAs, testing for UNIX controls, testing for overnight deals in a Forex Application software etc. Such software may be either developed by the auditee or embedded as part of the client’s mission critical application software. Such software may also be developed by the auditor independently. Before using the organisation’s specialized audit software, the auditor should take care to get an assurance on the integrity and security of the software developed by the client... Utility software or utilities though not developed or sold specifically for audit are often extremely useful and handy for conducting audits. These utilities usually come as part of office automation software, operating systems, and database management systems or may even come separately. Utilities are useful in performing specific system Business Application Software Audit 403 command sequences and are also useful in performing common data analysis functions such as searching, sorting, appending, joining, analysis etc. Utilities are extensively used in design, development, testing and auditing of application software, operating systems parameters, security software parameters, security testing, debugging etc. a. File comparison: A current version of a file for example, is compared with the previous year’s version, or an input file is compared with a processed file. b. Production of circularisation letters.	M6DISA	934	1	M6DISA
934. What is continuous auditing?	A. Process of obtaining evidence directly on the quality of the records produced and maintained in the system.	B. Process of reviewing the computer logs generated at various points to build an audit trail	C. Process through which an auditor evaluates the particular system(s) and thereby generates audit reports on real time basis.	D. Process of reviewing transactions as they are processed and select items according to audit criteria specified in the resident code	c	C is correct - Continuous auditing is a process through which an auditor evaluates the particular system(s) and thereby generates audit reports on a real-time basis. Continuous auditing approach may be required to be used in various environments. Such environments usually involve systems that are 24*7 mission critical systems. A is correct – This forms part of selecting, implementing and using CAAT’s B and D are incorrect – These are different techniques of continuous auditing	M6DISA	935	27	M6DISA
935. Procedure of continuous auditing whereby digital pictures of procedures are saved and stored in the memory:	A. Snapshot	B. Integrated Test facility	C. System activity file interrogation	D. Embedded audit facilities	a	A is correct - Most applications follow a standard procedure whereby, after taking in the user input they process it to generate the corresponding output. Snapshots are digital pictures of procedures of the console that are saved and stored in the memory. Procedures of the console refer to the application procedures that take input from the DISA Review Questions, Answers Manual 404 console i.e. from the keyboard or the mouse. These procedures serve as references for subsequent output generations in the future. Typically, snapshots are implemented for tracing application software and mapping it. The user provides inputs through the console for processing the data. Snapshots are means through which each step of data processing (after the user gives the input through) is stored and recalled. B is incorrect - Integrated Test Facility (ITF) is a system in which a test pack is pushed through the production system affecting “dummy” entities. Hence this requires dummy entities to be created in the production software. For example, the auditor would introduce test transactions that affect targeting dummy customer accounts and dummy items created earlier for this testing purpose. C is incorrect – Most computer operating systems provide the capability of producing a log of every event occurring in the system, both user and computer initiated. This information is usually written to a file and can be printed out periodically. As part of audit testing of general controls, it may be useful for the auditor to review the computer logs generated at various points to build an audit trail. Wherever possible, unauthorised or anomalous activity would need to be identified for further investigation. D is incorrect – Embedded audit facilities consist of program audit procedures, which are inserted into the client’s application programs and executed simultaneously. The technique helps review transactions as they are processed and select items according to audit criteria specified in the resident code, and automatically write details of these items to an output file for subsequent audit examination.	M6DISA	936	202	M6DISA
936. Compliance testing helps an auditor:	A. substantiate the integrity of actual processing and the outcome of compliance testing	B. to test for monetary errors directly affecting financial statement balances	C. To obtain evidence of the validity and propriety of accounting treatment of transactions	D. Determine that controls are applied in a manner that complies with policies and procedures	d	D is correct - Compliance tests are used to help determine the extent of substantive testing to be performed, as stated in Statement of Auditing Standards. Such tests are necessary if the prescribed procedures are to be relied upon in determining the nature, time or extent of substantive tests of particular classes of transactions or balances. Once the KEY control points are identified, the auditor seeks to develop a preliminary understanding of the controls to ensure their existence and effectiveness. B, C and D are incorrect – These are the features of Substantive Testing Business Application Software Audit 405	M6DISA	937	65	M6DISA
937. While reviewing authorisation procedure before creating user rights, an IS auditor has to:	A. Evaluate how the user rights have been granted and monitored	B. Check who triggers the request for user rights creation	C. Check Whether there is a proper cross check mechanism to validate the user rights	D. Check Whether user right alteration process is linked to the job profile of the individual	b	B is correct - Authorisation procedure before creating user rights? IS Auditor needs to check whether there is a formal user rights approval form/document. The question that needs to be answered being a. Who triggers the request for user rights creation? Ideally, this request has to be generated through the HR department. b. Whether the form contains all relevant information for the specific user? c. Whether the form has been properly filled? d. Whether the form has valid authorisation? e. Whether forms are marked once user rights are created in system? A is incorrect – Who has the authority to create user rights? IS auditor is also concerned to know the person who has the authority to create users in the system. IS auditor needs to evaluate the rights of persons doing this job and how these rights have been granted and monitored. C is incorrect - Validation of user rights created in system? IS Auditor needs to evaluate the process how user rights created at step (ii) are validated once they have been put in the system. IS Auditor may seek answers to the following questions. a. Whether there is a proper cross-check mechanism built in the organisation to validate the user rights of the employee once they have been created? b. Whether there is timely validation of user rights and user job profiles? For example, this is a cyclical process to be done once each year to see whether the job profile of an individual is appropriately reflected in his/her user rights? D is incorrect - Process of alteration of user rights? IS Auditor is concerned with the process of alteration of rights. The IS Auditor seeks answers to the following questions. DISA Review Questions, Answers Manual 406 a. Whether the user right alteration process is linked to the job profile of an individual? b. Who triggers the request for user rights alteration?	M6DISA	938	22	M6DISA
938. This is the highest level of database abstraction which is of concern to the users is:	A. Conceptual or global view	B. Physical view	C. Internal view	D. External or user view	d	D is correct - External or user view: It is at the highest level of the database abstraction. It includes only that portion of the database or application programs which is of concern to the users. It is defined by the users or written by the programmers. It is described by the external schema. A is incorrect – Conceptual or global view: This is a reflection of a database viewed by the database administrator. A single view represents the entire database. It describes all records, relationships and constraints or boundaries. Data description to render it independent of the physical representation. It is defined by the conceptual schema, B and C are incorrect – Physical or internal view: It is at the lowest level of database abstraction. It is closest to the physical storage method. It indicates how data will be stored, describes data structure, and the access methods. It is expressed by internal schema.	M6DISA	939	38	M6DISA
939. What control does a ‘view’ function offer with respect to database security?	A. Segregation of duties	B. Addresses conflicts relating to simultaneous access	C. Enables data access limitations	D. Ability to create and reuse SQL code	c	C is correct - Views: Views enable data access limitations. A view is a content or context-dependent subset of one or more tables. A, B and D are incorrect – Database Roles and Permissions • Segregation of duties • Roles & Permissions allow control of operations that a user can perform on a database, Concurrency Control: Addresses conflicts relating to simultaneous accesses Stored Procedures: Database servers offer developers the ability to create & reuse SQL code through the use of objects called as Stored Procedures (Group of SQL statements).	M6DISA	940	83	M6DISA
940. User Creation and Access rights are done by _______________________.	A. Application Programmers	B. Specialised Users	C. Naïve Users	D. Database Administrators	d	D is correct - Normally, a database administrator first uses CREATE USER to create an account, then GRANT to define its privileges and characteristics. For Example in Oracle, The SYS and SYSTEM accounts have the database administrator (DBA) role granted to them by default. These are predefined all other users have to be created. There is a need to create user and assign some authentication mechanism like a Password. A, B, C are incorrect – These are different types of database users	M6DISA	941	87	M6DISA
941. Compliances specified in Section 17(2AA) of Companies Act 1956 which states that directors of the company are responsible to implement proper internal control relates to:	A. Taxation related compliance	B. Control related compliance	C. XBRL Compliance	D. Accounting Standard related compliance	b	B is correct - Control Related: Those specified in: - Section 17(2AA) of Companies Act 1956 (old): Detailing Director’s Responsibility Statement, which specifies that directors of the company are responsible to implement proper internal controls. - CARO, 2003 (As amended in 2004), has many clauses where statutory auditor needs to comment upon the internal controls. - SOX compliance: Financial transaction analysis, for example aging analysis for debtors and inventory, capability to drill down un-usual financial transactions. A, C and D are incorrect – Taxation related: TDS, TCS, Excise Duty, Service Tax, VAT, PF, etc. XBRL compliance: Looking to the growth of XBRL compliance in India and governments intention to slowly increase the coverage area of eligible entities, XBRL compliance shall increase in India. Many business application vendors have already started making their software capable of generating XBRL reporting. Accounting Standard related: Accounting standards prescribing the accounting guidance to transactions. It is important that the business applications used are in compliance with the applicable accounting standards.	M6DISA	942	12	M6DISA
942. What is the responsibility of management with respect to accuracy and authenticity of reports?	A. Prime responsibility of accuracy of reports generated	B. Whether established controls ensure accuracy of reports	C. Forming opinion based on such reports	D. Respond appropriately to written representations	a	A is correct - The prime responsibility for accuracy of report generated from the business applications lies with the management. B, C and D are incorrect – These are the responsibilities of the internal and statutory auditors.	M6DISA	943	177	M6DISA
943. It is becoming increasingly important for businesses to have a business contingency plans for their Information systems. The criticality of the contingency plan will depend mainly upon _____________	A. The extent of investment in the organization on IT	B. Likely level of impact due to failure or non-availability of IT	C. The severity of the incident	D. The extent of risk aversion of the organization	b	Justification: The criticality of the contingency plan will depend upon the anticipated intensity of the impact of failure or non-availability of IT, as pointed out in Option B. The other factors indicated in other options would not influence the criticality as much.	M7DISA	944	139	M7DISA
944. In terms of ascending order of severity / intensity, how would the terms incident, crisis, emergency & disaster be ordered ?	A. Incident, crisis, emergency, disaster	B. Incident, emergency, crisis, disaster	C. Emergency, incident, crisis, disaster	D. Emergency, crisis, incident, disaster	a	Justification: An incident is an event that can lead to losses for an organization &, if not managed properly, can lead to a crisis, emergency or disaster. A crisis is an event that is expected to lead to an emergency or disaster. A disaster is like an emergency, but of much larger scale. Hence, the correct order is Incident, crisis, emergency, disaster as in Option A.	M7DISA	945	126	M7DISA
945. An organization with extensive internet based business has its computer servers located in an area known for power outages at times for several hours a day. How is the organization’s exposure to this situation expressed in Business Continuity Management terms ?	A. Risk	B. Vulnerability	C. Contingency	D. Emergency	b	Justification: The degree of exposure to any risk or the consequences of risk is termed vulnerability. The exposure is to a risk & the situation is described as vulnerability. A contingency expresses the possibility of exposure to risk and an emergency when the risk is actually likely to occur. Hence, the correct answer is Option B.	M7DISA	946	132	M7DISA
946. What is Minimum Business Continuity Objective?	A. Organization objective to continue doing business despite disruptions	B. Organization objective to continue minimum level of business even during financial crisis	C. Organization approach to reduce business operations to a minimum level during crises	D. Minimum level of services/products acceptable during a disruption	d	Justification: MBCO is the minimum level of services and/or products acceptable to the organization during a disruption, as brought out in Option D. The answers in the other options are factually wrong.	M7DISA	947	69	M7DISA
947. What is Maximum Acceptable Outage ?	A. Maximum loss an organization can afford to absorb on account of a disruption	B. Maximum loss of output an organization can afford on account of a disruption	C. Maximum number of persons an organization can afford to shift out during an emergency	D. Maximum period of time an organization can tolerate disruption of a critical business function	d	Justification: MAO is the maximum period of time an organization can tolerate disruption of a critical business function, as brought out in Option D. The answers in the other options are factually wrong.	M7DISA	948	18	M7DISA
948. What is a Contingency Plan ?	A. An overall process of preparing for unexpected events	B. A list of contingencies that can strike an organization’s operations	C. Plan of deployment of a contingent of officials involved with security	D. Maximum number of persons an organization can afford to shift out during an emergency	a	Justification: A Contingency plan, as brought out in Option A, is an overall process of preparing for unexpected events. The answers in the other options are factually wrong.	M7DISA	949	174	M7DISA
949. Preventive measures and corrective measures are two of the three basic strategies that encompass a disaster recovery plan. What is the third basic strategy ?	A. Restoration phase	B. Planning phase	C. Stabilization phase	D. Multiplication phase	c	Justification: Detective measures are taken to identify the presence of unwanted events within the IT infrastructure. They are the third basic strategy involved in disaster recovery plans. Hence, the correct answer is Option C.	M7DISA	950	173	M7DISA
950. Distinguish between Business Continuity Plan (BCP) and Disaster Recovery plan (DRP)?	A. BCP is to enable business to function normally in all respects whereas DRP is to have basic functions alone operating post an event	B. BCP is to facilitate continuation of a business even after the death or disability of the promoter whereas DRP is preparation for facing natural disasters alone	C. BCP is to ensure recovery of critical functions alone whereas DRP is to have all operations functioning post an event	D. Both BCP and DRP are effectively the same; they are inter-changeable terminology	c	Justification: BCP is to ensure recovery of critical functions alone whereas DRP is to have all operations functioning post an event. Thus, BCP may be the initial response to an event or disaster when some essential functions alone are revived. DRP, however, will cover resumption of full-fledged normal operations. The answers in other options are not correct and Option C is correct.	M7DISA	951	3	M7DISA
951. Crisis phase, Emergency response phase & Recovery phase are three of the four phases that are typical of any disaster scenario. Which is the fourth phase ?	A. Restoration phase	B. Planning phase	C. Multiplication phase	D. Stabilization phase	a	Justification: The fourth phase of Disaster is the Restoration phase. This phase involves restoration of conditions to normal. Damages to equipment & facilities are normally repaired during this period. The answers in Options B to D are not correct and answer in Option A is correct.	M7DISA	952	183	M7DISA
952. What are the pre-requisites in developing a Business Continuity Plan (BCP) ?	A. Planning for all phases & making it part of business process	B. Testing of the BCP	C. Waiting for one incident to learn from, before drawing up BCP	D. Having the organization’s strategic long term plan ready	a	Justification: The major pre-requisites for developing a BCP include planning for all phases & making it a part of business process by assigning responsibility to specific business process owners. It will not be practicable to wait for one event or disaster to happen; we would have to depend upon the wisdom of the team members to brain storm, identify possible scenarios & plan corrective actions. While it would be good to have the organization’s strategic long term plan ready, it may not be an actual must. Testing of the BCP will be a subsequent step, post finalization of the BCP. Hence, answer at Option A is correct & the others wrong.	M7DISA	953	9	M7DISA
953. What are the key phases prior to development of a Business Continuity Plan (BCP) ?	A. Maintenance of the BCP	B. Business Impact Analysis & Risk Assessment	C. Testing of the BCP	D. Training & awareness of employees	b	Justification: The KEY phases prior to development of a BCP are Business Impact Analysis & Risk Assessment. Training and awareness of the employees will happen subsequent to completion of the drafting of the BCP. Testing and maintenance, too, would happen only after the plan is ready. Hence, answer at Option B is correct & the others wrong.	M7DISA	954	175	M7DISA
954. What are the key phases post development of a Business Continuity Plan (BCP) ?	A. Testing, training & awareness of employees & maintenance	B. Appointing a project team and steering committee	C. Risk assessment	D. Business Impact analysis	a	Justification: Business impact analysis, risk assessment & appointment of a project team & steering committee are steps which precede the development of a BCP. Hence, they cannot handle work relating to post development of the BCP. Testing, training & awareness of employees and maintenance are the KEY phases to be implemented post development of a BCP. Hence, answer at Option A is correct & the others wrong.	M7DISA	955	88	M7DISA
955. A Business Impact Analysis (BIA) has the objective of estimating the financial & intangible operational impacts for each business unit, assuming a worst case scenario. What other objective does it have ?	A. Address initiatives for speedy recovery from contingency	B. Identify business unit processes & estimated recovery time for each	C. Develop recovery management team	D. Develop crisis management team	b	Justification: The third major objective of the BIA would be to identify business unit processes & estimated recovery time for each of them, as indicated in Option A above. Initiatives towards recovery as also development of recovery/crisis management teams is not part of the BIA. Hence, answer at Option B is correct & the others wrong.	M7DISA	956	68	M7DISA
956. What is Recovery Time Objective (RTO) ?	A. RTO is a measure of the user’s tolerance to downtime	B. The time period the crisis is expected to last	C. The time required for the team to stem further damage	D. The time required for the crisis management team to respond	a	Justification: The RTO is a measure of the user’s tolerance to downtime. This is the amount of downtime of the business process that the business can tolerate and still remain viable. It is not any of the other aspects stated in Options B to D. Hence, answer at Option A is correct.	M7DISA	957	95	M7DISA
957. What is Service Delivery Objective (SDO) ?	A. Continuing to give services during a disaster	B. The service level through alternate process till normality is restored	C. Performing a service from an alternate site, owing to disaster	D. Inter-departmental services supporting product deliveries to customers	b	Justification: SDO is the service level through alternate process till normality is restored, as indicated in Option A above. The other answers are not factually correct. Hence, answer at Option B is correct.	M7DISA	958	95	M7DISA
958. What is Recovery Point Objective (RPO) ?	A. The extent of acceptable data loss to a business owing to node failure	B. The time by which the Crisis management team expects to achieve recovery	C. The extent of data which can be recovered after a disaster	D. The date by which lost data can be recovered by Recovery team	a	Justification: RPO is the extent of acceptable data loss to a business owing to node failure, as indicated in Option A above. The other answers are not factually correct. Hence, answer at Option A is correct.	M7DISA	959	27	M7DISA
959. What level of Recovery Time Objective (RTO) will a critical monitoring system have ?	A. Very high RTO	B. Close to a year	C. Very low RTO, close to zero	D. Medium level of RTO, close to 50 %	c	Justification: The RTO is a measure of the user’s tolerance to downtime. This is the amount of downtime of the business process that the business can tolerate and still remain viable. In a critical monitoring system, it will be measured in hours or very close to zero hours. Hence, answer at Option C only is correct.	M7DISA	960	60	M7DISA
960. A Recovery Point Objective (RPO) will be deemed critical if it is ?	A. Small	B. Large	C. Medium	D. Depends upon business requirements	a	Justification: RPO is the extent of acceptable data loss to a business owing to node failure. Hence, the lower the extent of acceptable data loss, the more critical the situation. Answer in Option A, therefore, is the correct answer. Hence, answer at Option A is correct.	M7DISA	961	58	M7DISA
961. If the Recovery Point Objective (RPO) is close to zero, how will the overall cost of maintaining the environment for recovery be ?	A. Low	B. Medium	C. Depends upon business requirements	D. High	d	Justification: RPO is the extent of acceptable data loss to a business owing to node failure. Hence, the lower the extent of acceptable data loss, the more critical the situation & the more expensive the cost of maintaining the environment. Answer in Option D therefore, is the correct answer.	M7DISA	962	160	M7DISA
962. What is the Maximum Tolerable Outage (MTO)?	A. It is the maximum time an organization can support processing in alternate mode	B. It is the maximum time an organization can afford to shut down operations	C. It is the maximum loss of output an organization is able to afford	D. It is the maximum loss of potential sales an organization can afford	a	Justification: MTO is the maximum time an organization can support processing in alternate mode, as indicated in Option A. The answers in other options are not correct. Answer in Option A, therefore, is the correct answer.	M7DISA	963	12	M7DISA
963. What happens when the Interruption Window is crossed by an organization in crisis ?	A. A state of business continuity has been achieved	B. Business Impact analysis can no longer be done or effective	C. The progressive losses caused by the interruption become unaffordable	D. The crisis no longer exists & the organization relaxes	c	Justification: The Interruption window is the time the organization can wait from the point of failure to the point of critical services/applications restoration. Answer in Option C, therefore, is the correct answer. The answers in the other options are incorrect.	M7DISA	964	193	M7DISA
964. A company sells small furniture items exclusively over the Internet. It works with an Internet service provider for facilitating its online business. In house, it runs the operations with the bare minimum of manpower. Storage of information and recording of all transactions is carried out using the company’s IT network and very limited physical documentation is maintained. Their business is growing fast and their far sighted CEO has asked his managers to carry out a risk analysis to check and ensure preparedness in the face of any contingency. How would you rate this company’s tolerance to the risk of failure of the Internet services ?	A. Vital	B. Critical	C. Sensitive	D. Non-critical	b	Justification: The Company is doing business exclusively online &, hence, dependence on the Internet is 100 %. It is also indicated that it goes in for very limited physical documentation of its business. Manning is also Spartan. Hence, the company’s tolerance to risk is critical. Answer at Option B, therefore, is correct.	M7DISA	965	199	M7DISA
965. An large Indian multinational company has its head office located at New Delhi. It has substantial investments made in this office, including large IT servers which cater to its global operations which are heavily dependent upon IT (assessed risk ranking 5). New Delhi happens to be in Seismic Zone 4 and is rated as a ‘High damage risk zone’ (assessed risk ranking 4). However, the actual occurrence of earthquakes has been rare (assessed risk ranking 2). What do you think could be the earthquake risk score for this establishment going by the standard formula for risk comparison ?	A. 3.66	B. 2.50	C. 10.00	D. 13.33	a	Justification: The risk score for this establishment would be 3.66 as per the formula (Asset cost + Likelihood + Vulnerability)/3. Answer at Option A, therefore, is correct.	M7DISA	966	154	M7DISA
966. The Head office of a large group of companies is located in a large metro city. With a view to testing its readiness to face the contingency of a fire, the organization very meticulously conducts fire drills at least once in a year at its Head office. It hires an independent professional agency to conduct the drill. Volunteers from within the organization act also assist in the process. The drill involves the initiation of a fire alarm, evacuation of all the offices, assembly at a common point, etc. The process and its outcome are carefully documented & learnings utilized for tweaking the organization’s safety processes. How would you classify this fire drill as an element of a Business Continuity Plan ?	A. Structured walk through test	B. Parallel test	C. Unstructured walk through test	D. Simulation test	d	Justification: This would be classified as a simulation test since this is a mock practice session in response to a simulated disaster. Hence, answer at Option D is correct and the other answers are wrong.	M7DISA	967	93	M7DISA
967. Training in Disaster Recovery Planning (DRP) has two KEY objectives. One is to train recovery team participants who are expected to act in the event of a disaster. The other KEY objective would be _____________	A. To understand the calculation of the risk ratio	B. To re-assess the value at risk	C. To train KEY employees on awareness & disaster prevention	D. To train the public at large as a public relations exercise	c	Justification: The other KEY objective would be to train KEY employees on awareness & disaster prevention as also the need for DRP. The answers in Options B to D may not be totally irrelevant to the process but would definitely not be top of the mind for any normal process. Hence, answer at Option C is correct and the other answers are wrong.	M7DISA	968	176	M7DISA
968. Scenario workshop & Walkthrough sessions are two of the major methods of training for disaster recovery & business continuity in general. What is the single, significant difference between both ?	A. The workshop is preceded by a stipulated scenario & the walkthrough is based upon this scenario	B. Scenario workshop is desktop activity whereas the walkthrough involves actual site visit	C. Scenario workshop is for proposed businesses whereas Walkthrough sessions are for proven, old businesses	D. Scenario workshops are for senior management whereas walkthrough sessions is for the rest of the organization	a	Justification: The key difference is that the workshop is preceded by a stipulated scenario & the walkthrough is based upon this scenario. Both are desktop activities. Both apply to all types of businesses & include all levels of managers. Hence, answer at Option A is correct and the other answers are wrong.	M7DISA	969	109	M7DISA
969. As IS Auditor, you are checking out the Business Continuity Plan (BCP) process in an organization. Apart from checking whether regular testing & updating of the BCP takes place, the other KEY Aspect that you will need to check is __________	A. Review the market dues of the organization & cash flows	B. Check whether a succession plan is in place for KEY personnel	C. Whether gaps identified in the past tests have been plugged subsequently	D. Whether the organization has got itself certified under ISO	c	Justification: The key aspect that you will have to check is whether gaps identified in past tests have been plugged subsequently. Unless, gaps/drawbacks in the existing plan are corrected, the plan will gradually become ineffective. The answers in other options are not factually relevant to the situation. Hence, answer in Option C is the correct one.	M7DISA	970	191	M7DISA
970. State True or False. Incident Response Planning focuses exclusively on the Incident Response team preparedness, apt & timely response to incidents.	A. False	B. True			a	Justification: Incident Response Planning does not focus exclusively on the Incident Response Team’s preparedness. It also works on preventative measures which can help eliminate or reduce the occurrence of the incident. Hence, the statement in the stem is false and the answer in Option A above is correct.	M7DISA	971	20	M7DISA
971. Complete the following statement. The three broad categories of incidents are definite, probable and ________________	A. Uncertain	B. Possible	C. Unfortunate	D. Indefinite	b	Justification: The third broad category of incidents is a possible incident &, hence, the answer in Option B above is correct.	M7DISA	972	85	M7DISA
973. Which one of the following could also be a possible actual incident ?	A. Introduction of new software from accredited source	B. Increase in number of licences	C. Unusual consumption of computing resources	D. Recruitment of a new software engineer	c	Justification: Of the choices given, unusual consumption of computing resources could be a possible actual incident which can cause concern & trigger an incident response. Hence, the answer in Option C above is correct.	M7DISA	973	160	M7DISA
974. Which one of the following could also be a definite indicator of an incident ?	A. Presence of unfamiliar files	B. Presence of unknown programs	C. Unusual consumption of computing resources	D. Use of dormant accounts	d	Justification: The use of dormant accounts is a definite indicator of an incident. The other choices given above could be owing to genuine reasons. Hence, the answer in Option D above is correct.	M7DISA	974	14	M7DISA
975. Which of the operating teams of contingency planning would conduct research on data that could lead to a crisis and develop actions that would adequately handle these threats ?	A. Disaster Recovery team	B. Incident Response team	C. Contingency Planning team	D. Administration team	c	Justification: It is the Contingency planning team which would conduct research on data that could lead to a crisis and develop actions that would effectively handle these threats. The incident response team as well as the disaster recovery team would enter the arena only post the incident. Hence, the answer in Option C above is correct.	M7DISA	975	111	M7DISA
976. Which of the operating teams of contingency planning would be the first to arrive during the outbreak of an incident ?	A. Incident Response team	B. Contingency Planning team	C. Disaster Recovery team	D. Administration team	a	Justification: It is the Incident Response team which would appear first on the scene when an incident occurs. If this team is unable to make headway, the Disaster Recovery team is called in. If the Disaster Recovery team finds the impact of the crisis as very high, they draw in the Business Continuity Plan team in addition. Hence, the answer in Option A above is correct.	M7DISA	976	99	M7DISA
977. State True or False. The Disaster Recovery Plan should contain details about the Disaster Recovery Management Team and its sub-teams like Administration, Supplies, Public Relations, etc. as also their respective responsibilities. The idea is to decide on these well in advance and not waste precious time arriving at the right choice of people, roles and responsibilities at the time of the actual crisis.	A. False	B. True			b	Justification: The very purpose of a Disaster Recovery Plan is to minimize the losses which a business may incur on account of a crisis. The single most important factor in such a situation is time and prior identification of the appropriate persons to take on the emergency roles is critical for speedy and effective disaster recovery efforts. Hence, the answer in Option B above is correct.	M7DISA	977	78	M7DISA
978. The Business Continuity Plan Manual comprises basically the _________	A. Business Continuity Plan alone	B. Business Continuity Plan and the Disaster Recovery Plan	C. Business Continuity Plan and the Incident Response Plan	D. Business Continuity Plan and the Contingency Response Plan	b	Justification: The BCP manual is expected to give reasonable reassurance to the senior management of the business’ capability to spring back from a disaster through a process of identifying potential crises as also plans for recovery from the crises. Hence, the BCP Manual comprises both the BCP and the DRP as indicated in Option B. The answers in the other Options are not factually correct.	M7DISA	978	143	M7DISA
979. Restoring from a Differential Back-up involves ________________	A. Restoring from last full back-up & then every incremental back-up	B. Restoring from full back-up alone	C. Restoring from last full back-up & then the differential back-up	D. Restoring from differential back-up alone	c	Justification: Restoring from a Differential Back-up involves restoring from the last full back-up and then the differential back-up, as indicated in Option C above. The other answers in other options are incorrect.	M7DISA	979	18	M7DISA
980. What is one of the most popular back up measures for wide-area data communication networks in an emergency ?	A. Dial-up in lieu of the normal leased/broad band lines	B. Circuit extension techniques	C. Micro-wave communications	D. On-demand carrier services	a	Justification: Dial-up facilities are one of the most popular back up measures for wide-area communication networks in the event of an emergency. The other options can also serve as back-up facilities but come with their own limitations / specialized uses. Eg. Circuit extension techniques are normally used with high speed leased lines, involving effective duplication of equipment/facilities. Similarly, on-demand services would depend upon the carrier’s capability & willingness. Hence, answer in Option A is correct.	M7DISA	980	118	M7DISA
981. A leading e-commerce provider is entering into the Indian market and is keen that the business is built on firm foundations to ensure its credibility to customers. Appreciating the importance of ensuring 100 % back-up for its Internet operations, it approaches a reputed vendor for advice on back-up facilities. The vendor analyses the customer’s requirements and comes up with a solution. The vendor offers the customer a ready-to-use back-up facility based upon subscription & membership. Virtually every equipment / facility which the customer has in his main facility, including air-conditioning, would be replicated at the vendor’s back-up location and it would be ready for instantaneous use in the case of an emergency, providing the customer the very dependable back-up facilities they seek but at a price. What is such a facility called ?	A. Mirror site	B. Cold site	C. Hot site	D. Cryogenic site	c	Justification: Such a ready-to-use facility is termed a hot site as indicated in Option C. A mirror site, on the other hand, is a fully redundant facility maintained by an organization. A cold site is one which is not fully equipped and would require time to bring it on par with expectations. There is not facility called as cryogenic site in this context.	M7DISA	981	24	M7DISA
982. What is a Hybrid Online Backup ?	A. Involves Local backup for recent data & Offsite backup for archived data	B. Cryogenic site	C. Back up through combination of manual as well as electronic storage	D. Remote cloud as well as physical location storage	a	Justification: A Hybrid Online Backup involves a local backup which can be used for the most recent data as also an offsite back (perhaps on the cloud) for archived data which is not required to be accessed frequently. It does not refer to a combination of manual & electronic storage; nor does it relate to a remote cloud as well as physical location storage. The term cryogenic site has no relevance in this context. Hence, answer at Option A is the correct one.	M7DISA	982	149	M7DISA
983. What is database shadowing ?	A. Maintenance of two parallel, independent databases	B. Maintenance of a parallel database with the essential information alone	C. Involves live processing of remote journaling	D. Having a mirror database on the cloud	c	Justification: Database shadowing is basically processing of remote journaling, i.e. parallel processing of all data at a remote location. The answer in Option C, hence, is correct. The other answers are incorrect.	M7DISA	983	7	M7DISA
984. State True or false. Apart from covering losses on account of damage or loss of equipment, properties, additional costs incurred to meet the contingency etc., it is possible to get insurance cover for business interruption & consequent financial losses including customer claims, delayed cash flows, etc.	A. False	B. True			b	Justification: Business interruption includes a situation involving failure of the IT system & consequent financial losses/expense incurred by the client. Hence, the answer in Option B is correct.	M7DISA	984	159	M7DISA
985. Which types of torts are excluded from liability insurance cover ?	A. Negligent tort	B. Product liability	C. Intentional torts	D. Service liability	c	Justification: Intentional torts are excluded since it is assumed that they are foreseeable and can be avoided by the insurer. The other types of torts in Options A, B, and D are insurable. Hence, the answer in Option C is correct.	M7DISA	985	166	M7DISA
986. What is an example of Errors and Omissions (E&O) insurance ?	A. Professional liability insurance	B. Marine insurance	C. Business interruption insurance	D. Motor vehicle insurance	a	Justification: E&O insurance is a form of insurance protecting the insured against liability arising from failure to meet appropriate standard of care for a given profession. Professional liability insurance is one form of E&O insurance. Marine, motor vehicle & business interruption insurance are not examples of E&O insurance since it does not fall within the limits of the definition given above. Hence, the answer in Option A is correct.	M7DISA	986	69	M7DISA
987. What is the primary goal of audit of a Business Continuity Plan (BCP)?	A. Determining effectiveness of BCP & alignment with organizational goals	B. Identify variations from laid down procedure & report to management	C. Benchmark against practices prevailing in other organizations	D. Compliance with laws & regulations	a	Justification: Any good auditor would obviously be required to note & report deviations from the stated norms. They are also expected to compare the processes involved with that of competitors / other organizations. Lastly, the IS auditor would also have to check for compliance with laws and regulations. While all these could be goals of an audit of a BCP, they would not be the primary one. On the contrary, determining effectiveness of BCP & alignment with organizational goals are critical goals which would address most of the other aspects covered in Options B to D. Hence, answer in Option A alone is the most appropriate one.	M7DISA	987	17	M7DISA
988. What is the first step in the BCP process ?	A. Identifying the weaknesses in the organizations	B. Testing the functioning of the process	C. Checking for compliance with laws & regulations	D. Identifying the mission/business-critical functions	d	Justification: The aspects identified in Options A to C are, indeed, part of the BCP audit process. However, they do not constitute the critical step. This would basically be identification of mission / business-critical functions so that the adequacy of the BCP process for these selected functions are verified as part of the audit process. Hence, answer in Option D alone is the most appropriate one.	M7DISA	988	58	M7DISA
989. State True or False. While it is important to identify all critical missions and businesses in the business continuity plan, it should be understood that attempting to cover all the mission or business-critical functions would be a very expensive affair & not very feasible. It makes better sense to identify the priority areas which would impact most through their failure.	A. True	B. False			a	Justification: Practically speaking it would be best to go by the 80/20 rule where concentrating on the top 20% of the potential causes of loss will eliminate 80% of the financial impact of a business process or the organization. Hence, answer in Option A alone is the more appropriate one.	M7DISA	989	14	M7DISA
990. State True or False. While validating the resources that support critical functions, the IS audit of the BCP process should restrict itself to computer-related matters which alone are the division’s responsibility.	A. True	B. False			b	Justification: The audit has to cover all resources, whether IT related or not, that support critical functions. For, the failure of non-computer related resources could equally endanger the IT aspects of the business. Hence, answer in Option B alone is the most appropriate one.	M7DISA	990	130	M7DISA
991. State True or False. While validating the resources that support critical functions, the IS audit of the BCP process should restrict itself to computer-related matters which alone are the division’s responsibility.	A. False	B. True			a	Justification: The audit has to cover all resources, whether IT related or not, that support critical functions. For, the failure of non-computer related resources could equally endanger the IT aspects of the business. Hence, answer in Option A alone is the most appropriate one.	M7DISA	991	102	M7DISA
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?	A. Increased access violations	B. Increased cost per transaction	C. Inadequate backup and recovery procedures	D. Duplicate transaction processing	b	Explanation: Automation Leads to decrease in cost and increase in performance. Choices A, C and D are not applicable in the given context.	MOCKDISA	992	59	MOCKDISA
Which of the following is NOT TRUE about a database management system application environment?	A. Multiple users use data concurrently	B. Data are shared by passing files between programs or systems	C. The physical structure of the data is independent of user needs	D. Each request for data made by an application program must be analyzed by DBMS.	b	Explanation: In DBMS data exchange is facilitated through SQL hence Option B is not true Files are not used for data exchange. Option A, C and D are features of DBMS.	MOCKDISA	993	22	MOCKDISA
Which one of the following network architectures is designed to provide data services using physical networks that are more reliable and offer greater bandwidth?	A. Transmission control protocol/Internet Protocol (TCP/IP)	B. File transfer protocol	C. Permanent Virtual Circuit (PVC) Integrated services digital network (ISDN)	D. Integrated services digital network (ISDN)	d	Explanation: Integrated Services for Digital Network (ISDN) is a set of communication standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network. Option A, B and C are not applicable.	MOCKDISA	994	42	MOCKDISA
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are calculated:	A. whether new hardware/system software resources are needed	B. whether unauthorized use is being made of hardware/system software resources	C. whether the system being monitored has provided users with a strategic advantage over their competitors.	D. whether there is any abnormal work load during a particular shift which may be because of private use of resources by some staff	c	Explanation: Only Option C is a kind of decision that is subjective in nature and in not based on statistics as Option A, B and D are.	MOCKDISA	995	70	MOCKDISA
Control over data preparation is important because:	A. it is often a major cost area taking about 50% of the data processing budget	B. unauthorized changes to data and program can take place	C. the work is boring so high turnover always occurs	D. it can be a major bottleneck in the work flow in a data processing installation	d	Explanation: Data Preparation is very critical for various operations that needs data so it may result in bottlenecks and affects performance. Option A may also be a reason but not the most important. Option B is not applicable as we are considering data only not programs. Option C is not applicable in the given context.	MOCKDISA	996	121	MOCKDISA
During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:	A. test data to validate data input	B. test data to determine system sort capabilities	C. generalized audit software to search for address field duplications	D. generalized audit software to search for account field duplications	c	Explanation: Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. Subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find duplications, since customers would most likely have different account numbers for each variation. Test data would not be useful to detect the extent of any data characteristic, but simply to determine how the data were processed.	MOCKDISA	997	126	MOCKDISA
The IS department of an organization wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is a(n):	A. control procedure	B. control objective	C. corrective control	D. operational control	b	Explanation: IS control objectives specify the minimum set of controls to ensure efficiency and effectiveness in the operations and functions within an organization. Control procedures are developed to provide reasonable assurance that specific objectives will be achieved. A corrective control is a category of controls that aims to minimize the threat and/or remedy problems that were not prevented or were not initially detected. Operational controls address the day-to-day operational functions and activities, and aid in ensuring that the operations are meeting the desired business objectives.	MOCKDISA	998	60	MOCKDISA
During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:	A. create the procedures document	B. terminate the audit	C. conduct compliance testing	D. identify and evaluate existing practices	d	Explanation: One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.	MOCKDISA	999	71	MOCKDISA
When implementing continuous monitoring systems, an IS auditor's first step is to identify:	A. reasonable target thresholds	B. high-risk areas within the organization	C. the location and format of output files	D. applications that provide the highest potential payback	b	Explanation: The first and most critical step in the process is to identify high-risk areas within the organization. Business department managers and senior executives are in the best positions to offer insight into these areas. Once potential areas of implementation have been identified, an assessment of potential impact should be completed to identify applications that provide the highest potential payback to the organization. At this point, tests and reasonable target thresholds should be determined prior to programming. During systems development, the location and format of the output files generated by the monitoring programs should be defined.	MOCKDISA	1,000	189	MOCKDISA
In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools is MOST suitable for performing that task?	A. CASE tools	B. Embedded data collection tools	C. Heuristic scanning tools	D. Trend/variance detection tools	d	Explanation: Trend/variance detection tools look for anomalies in user or system behavior, for example, determining whether the numbers for pre-numbered documents are sequential or increasing. CASE tools are used to assist software development. Embedded (audit) data collection software is used for sampling and to provide production statistics. Heuristic scanning tools can be used to scan for viruses to indicate possible infected code.	MOCKDISA	1,001	31	MOCKDISA
Computer viruses could be detected by which one of the following actions?	A. Maintain backups of program and data.	B. Monitor usage of the device.	C. Use write-protect tabs on disks.	D. Examine the creation date and file size.	d	Explanation: Viruses can be detected by examining file content and other attributes of file hence option D is applicable. Option A, B and C are not applicable.	MOCKDISA	1,002	81	MOCKDISA
Before disposing off the PC used for storing confidential data the most important precautionary measure to be taken is	A. mid-level formatting of hard disk	B. deleting all the files in the hard disk	C. deleting all the data on the hard disk	D. demagnetizing the hard disk.	d	Explanation: Demagnetizing is reduction or elimination of the magnetic moment in an object; that is, the reverse of magnetization. This results in complete erase of hard disk content. Option A, B and C are not as effective as Demagnetizing.	MOCKDISA	1,003	6	MOCKDISA
The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?	A. Test data	B. Generalized audit software	C. Integrated test facility	D. Embedded audit module	b	Explanation: Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations, making it suitable for detecting payroll overpayments. Option A, C and D are not as effective for this purpose.	MOCKDISA	1,004	71	MOCKDISA
Which of the following would be the BEST population to take a sample from when testing program changes?	A. Test library listings	B. Source program listings	C. Program change requests	D. Production library listings	d	Explanation: Production library listings represent approved and authorized executables, making them the best source for sampling when testing program changes. Option A, B and C do not represent the most reliable source for this purpose.	MOCKDISA	1,005	124	MOCKDISA
Which of the following normally would be the MOST reliable evidence for an auditor?	A. A confirmation letter received from a third party verifying an account balance	B. Assurance from line management that an application is working as designed	C. Trend data obtained from World Wide Web (Internet) sources	D. Ratio analysis developed by the IS auditor from reports supplied by line management	a	Explanation: Evidence obtained from independent third parties is considered highly reliable for auditors. Option B, C and D do not provide the same level of reliability as confirmation letters from third parties.	MOCKDISA	1,006	143	MOCKDISA
During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:	A. systems programmer	B. legal staff	C. business unit manager	D. application programmer	c	Explanation: Business unit managers understand the organizational requirements best, which is crucial in defining IT service levels. Options A, B, and D do not typically have the same level of insight into business requirements.	MOCKDISA	1,007	13	MOCKDISA
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, an IS auditor should:	A. identify and assess the risk assessment process used by management	B. identify information assets and the underlying systems	C. disclose the threats and impacts to management	D. identify and evaluate the existing controls.	d	Explanation: Identifying and evaluating existing controls is crucial once threats and potential impacts are identified to mitigate risks effectively. Options A, B, and C are important but do not address immediate risk mitigation as effectively as evaluating existing controls.	MOCKDISA	1,008	82	MOCKDISA
A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:	A. can identify high-risk areas that might need a detailed review later	B. allows IS auditors to independently assess risk	C. can be used as a replacement for traditional audits	D. allows management to relinquish responsibility for control.	a	Explanation: CSA helps in identifying high-risk areas for review, aiding in proactive risk management. Options B, C, and D do not align with the primary purpose of CSA.	MOCKDISA	1,009	166	MOCKDISA
Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:	A. refuse the assignment since it is not the role of the IS auditor	B. inform management of his/her inability to conduct future audits	C. perform the assignment and future audits with due professional care	D. obtain the approval of user management to perform the implementation and follow-up.	b	Explanation: Informing management of the inability to conduct future audits ensures independence in subsequent audit activities. Options A, C, and D do not address the issue of independence effectively.	MOCKDISA	1,010	155	MOCKDISA
Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?	A. Multiple cycles of backup files remain available.	B. Access controls establish accountability for e-mail activity	C. Data classification regulates what information should be communicated via e-mail.	D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.	a	Explanation: Backup files often retain deleted emails, making them valuable evidence in litigation. Options B, C, and D do not directly address the storage and retention of emails for litigation purposes.	MOCKDISA	1,011	4	MOCKDISA
Which of the following is a benefit of a risk-based approach to audit planning?	A. scheduling may be performed months in advance	B. budgets are more likely to be met by the IS audit staff	C. staff will be exposed to a variety of technologies	D. resources are allocated to the areas of highest concern	d	Explanation: The risk-based approach ensures resources are focused on areas of highest risk, enhancing audit effectiveness. Options A, B, and C are not direct benefits of a risk-based approach to audit planning.	MOCKDISA	1,012	117	MOCKDISA
Internet was established NOT for:	A. minimizing the high risk protocol conversion functions	B. controlling all the networks connected in a better way	C. improving the overall reliability of the networks	D. restricting access to sensitive messages by restricting them to specific parts of the network	a	Explanation: The Internet was not established to minimize high-risk protocol conversion functions. Options B, C, and D are valid reasons for the establishment of the Internet.	MOCKDISA	1,013	102	MOCKDISA
An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?	A. There are a number of external modems connected to the network	B. Users can install software on their desktops	C. Network monitoring is very limited	D. Many user ids have identical passwords	d	Explanation: Many user IDs having identical passwords poses the greatest security risk as it facilitates easy exploitation by employees. Options A, B, and C also pose risks but to a lesser degree compared to shared passwords.	MOCKDISA	1,014	147	MOCKDISA
While planning an audit, an assessment of risk should be made to provide:	A. reasonable assurance that the audit will cover material items	B. definite assurance that material items will be covered during the audit work	C. reasonable assurance that all items will be covered by the audit	D. sufficient assurance that all items will be covered during the audit work	a	Explanation: An assessment of risk provides reasonable assurance that material items will be adequately covered during the audit work, aligning with IS auditing guidelines. Options B, C, and D do not correctly reflect the purpose of risk assessment in audit planning.	MOCKDISA	1,015	57	MOCKDISA
To identify the value of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use:	A. test data	B. statistical sampling	C. an integrated test facility	D. generalized audit software	d	Explanation: Generalized audit software allows direct access to data and is suitable for reviewing entire inventory files to identify items meeting specific criteria like age. Options A, B, and C are less suited for this purpose.	MOCKDISA	1,016	5	MOCKDISA
An integrated test facility is considered a useful audit tool because it:	A. is a cost-efficient approach to auditing application controls	B. enables the financial and IS auditors to integrate their audit tests	C. compares processing output with independently calculated data	D. provides the IS auditor with a tool to analyze a large range of information	c	Explanation: An integrated test facility compares actual processing output with independently calculated data, verifying accuracy and completeness of processing. Options A, B, and D do not describe the primary purpose of an integrated test facility.	MOCKDISA	1,017	145	MOCKDISA
The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?	A. Inherent	B. Detection	C. Control	D. Business	b	Explanation: IS auditor's decisions impact detection risks through audit procedures and techniques chosen. Options A, C, and D are less directly influenced by IS auditor's actions.	MOCKDISA	1,018	56	MOCKDISA
Data flow diagrams are used by IS auditors to:	A. order data hierarchically	B. highlight high-level data definitions	C. graphically summarize data paths and storage	D. portray step-by-step details of data generation	c	Explanation: Data flow diagrams graphically summarize paths and storage of data, aiding in understanding data movement. Options A, B, and D do not accurately describe the purpose of data flow diagrams in IS auditing.	MOCKDISA	1,019	33	MOCKDISA
Reviewing management's long-term strategic plans helps the IS auditor:	A. gain an understanding of an organization's goals and objectives	B. test the enterprise's internal controls	C. assess the organization's reliance on information systems	D. determine the number of audit resources needed	a	Explanation: Strategic plans outline goals and objectives, providing insight into organizational direction. Options B, C, and D are not primary objectives of reviewing strategic plans from an IS auditing perspective.	MOCKDISA	1,020	166	MOCKDISA
When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:	A. of the point at which controls are exercised as data flow through the system	B. that only preventive and detective controls are relevant	C. that corrective controls can only be regarded as compensating	D. that classification allows an IS auditor to determine which controls are missing	a	Explanation: IS auditor focuses on where controls are applied as data moves through systems to assess control effectiveness. Options B, C, and D do not accurately reflect the role of controls in IS auditing.	MOCKDISA	1,021	5	MOCKDISA
31. The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do is an example of:	A. inherent risk	B. control risk	C. detection risk	D. audit risk.	c	Explanation: This is an example of detection risk.	MOCKDISA	1,022	36	MOCKDISA
32. The PRIMARY purpose of an audit charter is to:	A. document the audit process used by the enterprise	B. formally document the audit department's plan of action	C. document a code of professional conduct for the auditor	D. describe the authority and responsibilities of the audit department	d	Explanation: The audit charter typically sets out the role and responsibility of the internal audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.	MOCKDISA	1,023	170	MOCKDISA
33. An IS auditor has evaluated the controls for the integrity of the data in a financial application. Which of the following findings would be the MOST significant?	A. The application owner was unaware of several changes applied to the application by the IT department.	B. The application data are backed up only once a week.	C. The application development documentation is incomplete.	D. Information processing facilities are not protected by appropriate fire detection systems.	a	Explanation: Choice A directly affects the integrity of the application's data and is evidence of an inadequate change control process and incorrect access rights to the processing environment.	MOCKDISA	1,024	137	MOCKDISA
34. Overall business risk for a particular threat can be expressed as:	A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability	B. the magnitude of the impact should a threat source successfully exploit the vulnerability	C. the likelihood of a given threat source exploiting a given vulnerability	D. the collective judgment of the risk assessment team.	a	Explanation: Choice A considers both the probability and magnitude of impact, providing the best measure of risk to an asset.	MOCKDISA	1,025	63	MOCKDISA
35. Which one of the following could an IS auditor use to validate the effectiveness of edit and validation routines?	A. Domain integrity test	B. Relational integrity test	C. Referential integrity test	D. Parity checks	a	Explanation: Domain integrity testing verifies that data conform to defined standards, validating edit and validation routines.	MOCKDISA	1,026	19	MOCKDISA
36. An IS auditor reviews an organizational chart PRIMARILY for:	A. an understanding of workflows.	B. investigating various communication channels.	C. understanding the responsibilities and authority of individuals.	D. investigating the network connected to different employees.	c	Explanation: An organizational chart helps understand roles and authority within the organization, aiding in assessing segregation of duties.	MOCKDISA	1,027	77	MOCKDISA
37. An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:	A. the controls already in place.	B. the effectiveness of the controls in place.	C. the mechanism for monitoring the risks related to the assets.	D. the threats/vulnerabilities affecting the assets.	d	Explanation: Identifying threats and vulnerabilities is crucial in assessing risks related to information systems before considering controls and their effectiveness.	MOCKDISA	1,028	66	MOCKDISA
38. Which of the following is an objective of a control self-assessment (CSA) program?	A. Concentration on areas of high risk	B. Replacement of audit responsibilities	C. Completion of control questionnaires	D. Collaborative facilitative workshops	a	Explanation: CSA programs focus on educating line management on control responsibilities and concentrating efforts on high-risk areas.	MOCKDISA	1,029	80	MOCKDISA
39. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?	A. Evaluate physical access test results.	B. Determine the risks/threats to the data center site.	C. Review business continuity procedures.	D. Test for evidence of physical access at suspect locations.	b	Explanation: Assessing risks and threats to the data center site is a foundational step in planning a security review.	MOCKDISA	1,030	110	MOCKDISA
40. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of:	A. facilitator.	B. manager.	C. partner.	D. stakeholder.	a	Explanation: IS auditors facilitate CSA sessions, guiding participants through the assessment process. They do not replace management responsibilities or act as managers or stakeholders in this context.	MOCKDISA	1,031	194	MOCKDISA
41. The use of statistical sampling procedures helps minimize:	A. sampling risk.	B. detection risk.	C. inherent risk.	D. control risk.	b	Explanation: Statistical sampling helps minimize detection risk by quantifying the probability of error in sample testing, ensuring adequacy of test procedures to identify errors. Sampling risk refers to incorrect assumptions about a population based on sample results. Inherent risk and control risk are not directly minimized by statistical sampling.	MOCKDISA	1,032	184	MOCKDISA
42. An IS auditor evaluates the test results of a modification to a system dealing with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?	A. Design further tests of the calculations that are in error.	B. Identify variables that may have caused the test results to be inaccurate.	C. Examine some of the test cases to confirm the results.	D. Document the results and prepare a report of findings, conclusions and recommendations.	c	Explanation: The next step after finding discrepancies in calculations is to confirm the results by examining specific test cases, ensuring accuracy before proceeding with further testing or reporting.	MOCKDISA	1,033	163	MOCKDISA
43. An IS auditor is assigned to perform a post implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:	A. implemented a specific control during the development of the application system.	B. designed an embedded audit module exclusively for auditing the application system.	C. participated as a member of the application system project team, but did not have operational responsibilities.	D. provided consulting advice concerning application system best practices.	a	Explanation: Independence may be impaired if the IS auditor was actively involved in implementing controls during the development phase of the application system. Choices B, C, and D do not impair independence in the same manner.	MOCKDISA	1,034	204	MOCKDISA
44. The BEST method of proving the accuracy of a system tax calculation is by:	A. detailed visual review and analysis of the source code of the calculation programs.	B. recreating program logic using generalized audit software to calculate monthly totals.	C. preparing simulated transactions for processing and comparing the results to predetermined results.	D. automatic flowcharting and analysis of the source code of the calculation programs.	c	Explanation: Simulating transactions and comparing results to predetermined outcomes is effective in validating the accuracy of tax calculations, ensuring real-world accuracy without depending on code-level analysis.	MOCKDISA	1,035	55	MOCKDISA
45. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?	A. Integrated test facility (ITF)	B. Continuous and intermittent simulation (CIS)	C. Audit hooks	D. Snapshots	d	Explanation: Snapshots provide a snapshot of system state at a specific point, useful for capturing audit trails. ITF, CIS, and Audit hooks serve different purposes in auditing but are not primarily focused on capturing audit trails.	MOCKDISA	1,036	156	MOCKDISA
46. The PRIMARY advantage of a continuous audit approach is that it:	A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.	B. requires the IS auditor to review and follow up immediately on all information collected.	C. can improve system security when used in time-sharing environments that process a large number of transactions.	D. does not depend on the complexity of an organization's computer systems.	c	Explanation: Continuous auditing enhances system security by monitoring transactions in real-time, especially beneficial in high-volume environments lacking detailed paper trails.	MOCKDISA	1,037	58	MOCKDISA
47. Which of the following sampling methods is MOST useful when testing for compliance?	A. Attribute sampling	B. Variable sampling	C. Stratified mean per unit	D. Difference estimation	a	Explanation: Attribute sampling is ideal for compliance testing, assessing occurrence of specific attributes (e.g., control activities) within a population.	MOCKDISA	1,038	38	MOCKDISA
48. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:	A. variable sampling.	B. substantive testing.	C. compliance testing.	D. stop-or-go sampling.	c	Explanation: Reviewing whether "new user" forms were correctly authorized aligns with compliance testing, verifying adherence to policies and controls.	MOCKDISA	1,039	35	MOCKDISA
49. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:	A. information assets are overprotected.	B. a basic level of protection is applied regardless of asset value.	C. appropriate levels of protection are applied to information assets.	D. an equal proportion of resources are devoted to protecting all information assets.	c	Explanation: Risk assessment tailors protection levels to actual risks, optimizing resource allocation compared to a standard baseline, ensuring efficient use of resources.	MOCKDISA	1,040	21	MOCKDISA
50. In a risk-based audit approach, an IS auditor should FIRST complete a(n):	A. inherent risk assessment.	B. control risk assessment.	C. test of control assessment.	D. substantive test assessment.	a	Explanation: The initial step in a risk-based audit is evaluating inherent risks before assessing controls and conducting substantive tests, establishing risk context for subsequent audit phases.	MOCKDISA	1,041	123	MOCKDISA
51. The development of an IS security policy is ultimately the responsibility of the:	A. IS department.	B. security committee.	C. security administrator.	D. board of directors.	d	Explanation: The board of directors typically has the authority to set overarching policies, including IS security policies. The IS department executes the policy, the security committee operates within its framework, and the security administrator enforces and monitors it.	MOCKDISA	1,042	110	MOCKDISA
52. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?	A. O/S and hardware refresh frequencies	B. Gain-sharing performance bonuses	C. Penalties for noncompliance	D. Charges tied to variable cost metrics	b	Explanation: Gain-sharing performance bonuses incentivize outsourcers to achieve cost savings and enhance service levels beyond contractual requirements, benefiting both parties. Refresh frequencies and penalties for noncompliance enforce minimum standards, while variable cost metrics do not promote additional efficiencies.	MOCKDISA	1,043	110	MOCKDISA
53. Involvement of senior management is MOST important in the development of:	A. strategic plans.	B. IS policies.	C. IS procedures.	D. standards and guidelines.	a	Explanation: Senior management's involvement ensures that strategic plans align with organizational goals and objectives, guiding the entire enterprise. IS policies, procedures, and standards are supportive structures derived from strategic planning.	MOCKDISA	1,044	173	MOCKDISA
54. An IS auditor should be concerned when a telecommunication analyst:	A. monitors systems performance and tracks problems resulting from program changes.	B. reviews network load requirements in terms of current and future transaction volumes.	C. assesses the impact of the network load on terminal response times and network data transfer rates.	D. recommends network balancing procedures and improvements.	a	Explanation: Monitoring system performance and tracking issues due to program changes blurs the line between operational duties and auditing responsibilities, potentially compromising objectivity and independence. The other tasks are within the scope of a telecommunications analyst's responsibilities.	MOCKDISA	1,045	23	MOCKDISA
55. The output of the risk management process is an input for making:	A. business plans.	B. audit charters.	C. security policy decisions.	D. software design decisions.	c	Explanation: Risk management outcomes inform security policy decisions by assessing acceptable risk levels and mitigation strategies. Business plans focus on broader organizational goals, audit charters on audit scope, and software design on technical requirements.	MOCKDISA	1,046	126	MOCKDISA
56. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:	A. destruction policy.	B. security policy.	C. archive policy.	D. audit policy.	c	Explanation: An archive policy ensures systematic retention and retrieval of e-mail records, reducing risks associated with evidence tampering or loss. Security and audit policies focus on different aspects of management and compliance, while destruction policies may conflict with legal requirements for record retention.	MOCKDISA	1,047	68	MOCKDISA
57. An IT steering committee should review information systems PRIMARILY to assess:	A. whether IT processes support business requirements.	B. if proposed system functionality is adequate.	C. the stability of existing software.	D. the complexity of installed technology.	a	Explanation: The primary role of an IT steering committee is to ensure IT processes align with business needs, supporting organizational objectives and efficiency. Other assessments are secondary to this primary objective.	MOCKDISA	1,048	20	MOCKDISA
58. An IS auditor reviewing an organization's IT strategic plan should FIRST review:	A. the existing IT environment.	B. the business plan.	C. the present IT budget.	D. current technology trends.	b	Explanation: The IT strategic plan should align with and support the organization's business plan, making the business plan the logical starting point for an IS auditor's review. Understanding business objectives is crucial before evaluating IT strategies and resources.	MOCKDISA	1,049	153	MOCKDISA
59. As an outcome of information security governance, strategic alignment provides:	A. security requirements driven by enterprise requirements.	B. baseline security following best practices.	C. institutionalized and commoditized solutions.	D. an understanding of risk exposure.	a	Explanation: Strategic alignment ensures that security measures meet enterprise needs, integrating security with business goals. Baseline security, solutions standardization, and risk exposure management are other outcomes, each addressing different aspects of security governance.	MOCKDISA	1,050	13	MOCKDISA
60. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:	A. compute the amortization of the related assets.	B. calculate a return on investment (ROI).	C. apply a qualitative approach.	D. spend the time needed to define exactly the loss amount.	c	Explanation: When financial projections are challenging, a qualitative approach, assigning weighted factors to potential losses, allows for a more realistic assessment. ROI and asset amortization focus on financial returns and depreciation, respectively, while defining exact loss amounts may be impractical without sufficient data.	MOCKDISA	1,051	142	MOCKDISA
61. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:	A. financial results.	B. customer satisfaction.	C. internal process efficiency.	D. innovation capacity.	a	Explanation: The IT balanced scorecard focuses on non-financial metrics such as customer satisfaction, internal processes, and innovation capacity. Financial results are typically not the primary focus as they are covered by traditional financial reporting.	MOCKDISA	1,052	134	MOCKDISA
62. Establishing the level of acceptable risk is the responsibility of:	A. quality assurance management.	B. senior business management.	C. the chief information officer.	D. the chief security officer.	b	Explanation: Senior business management has the ultimate responsibility for establishing the organization's acceptable risk level, ensuring alignment with strategic objectives. Other roles advise and support this decision-making process.	MOCKDISA	1,053	17	MOCKDISA
63. Which of the following is the MOST critical for the successful implementation and maintenance of a security policy?	A. Assimilation of the framework and intent of a written security policy by all appropriate parties	B. Management support and approval for the implementation and maintenance of a security policy	C. Enforcement of security rules by providing punitive actions for any violation of security rules	D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software	a	Explanation: For a security policy to be effective, all users must understand and adhere to its principles. This understanding and assimilation are critical to successful implementation and ongoing maintenance. While management support, enforcement, and stringent controls are important, they rely on user comprehension and compliance to be fully effective.	MOCKDISA	1,054	198	MOCKDISA
64. To ensure an organization is complying with privacy requirements, the IS auditor should FIRST review:	A. the IT infrastructure.	B. the organization's policies, standards and procedures.	C. legal and regulatory requirements.	D. the adherence to organizational policies, standards and procedures.	c	Explanation: Legal and regulatory requirements are foundational to privacy compliance. Understanding these requirements precedes evaluating whether organizational policies, standards, and procedures adequately address them. Evaluating infrastructure and adherence to policies follows after ensuring alignment with legal mandates.	MOCKDISA	1,055	91	MOCKDISA
65. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?	A. Overlapping controls	B. Boundary controls	C. Access controls	D. Compensating controls	d	Explanation: Compensating controls mitigate risks when segregation of duties is not feasible by providing alternative measures to maintain effective controls. Overlapping controls are redundant and not directly related to segregation issues. Boundary and access controls are essential but do not substitute for segregation where it's required.	MOCKDISA	1,056	64	MOCKDISA
66. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?	A. Ensuring that invoices are paid to the provider	B. Participating in systems design with the provider	C. Renegotiating the provider's fees	D. Monitoring the outsourcing provider's performance	d	Explanation: Monitoring the outsourcing provider's performance ensures service delivery meets organizational requirements and contractual obligations. Payment, design participation, and fee negotiation are secondary to ensuring ongoing service quality and alignment with business needs.	MOCKDISA	1,057	31	MOCKDISA
67. Before implementing an IT balanced scorecard, an organization must:	A. deliver effective and efficient services.	B. define key performance indicators.	C. provide business value to IT projects.	D. control IT expenses.	b	Explanation: Defining key performance indicators (KPIs) is essential before implementing an IT balanced scorecard to measure and evaluate IT performance effectively. KPIs establish benchmarks against which performance can be assessed to drive strategic decisions and improve IT governance.	MOCKDISA	1,058	177	MOCKDISA
68. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:	A. a lack of investment in technology.	B. a lack of a methodology for systems development.	C. the technology not aligning with the organization's objectives.	D. an absence of control over technology contracts.	c	Explanation: Senior management's commitment ensures IT strategies align with organizational goals. Without this alignment, IT may not support business objectives effectively, impacting overall organizational performance and strategic outcomes. Investment, methodology, and contract control are secondary to strategic alignment in determining IT's effectiveness and relevance to organizational goals.	MOCKDISA	1,059	120	MOCKDISA
69. Which of the following would BEST provide assurance of the integrity of new staff?	A. Background screening	B. References	C. Bonding	D. Qualifications listed on a resumé	a	Explanation: Background screening is the most reliable method to verify the integrity and background of new staff, ensuring they meet security and organizational standards. References provide insight but are less comprehensive. Bonding and qualifications verify other aspects of a candidate but do not substitute for thorough background verification.	MOCKDISA	1,060	136	MOCKDISA
70. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?	A. User management coordination does not exist.	B. Specific user accountability cannot be established.	C. Unauthorized users may have access to originate, modify or delete data.	D. Audit recommendations may not be implemented.	c	Explanation: Inadequate policy on data and system ownership increases the risk of unauthorized access and manipulation, compromising data integrity and security. While user coordination and accountability are crucial, unauthorized access poses the greatest immediate risk to data confidentiality and integrity. Audit recommendations are important for governance but address different aspects of policy adherence and control effectiveness.	MOCKDISA	1,061	61	MOCKDISA
71. Effective IT governance will ensure that the IT plan is consistent with the organization's:	A. business plan.	B. audit plan.	C. security plan.	D. investment plan.	a	Explanation: Effective IT governance requires alignment between IT plans and business objectives to ensure that IT supports and enhances business operations. Aligning with the business plan ensures IT investments and initiatives are strategically focused and contribute to organizational goals.	MOCKDISA	1,062	128	MOCKDISA
72. Which of the following is a function of an IS steering committee?	A. Monitoring vendor-controlled change control and testing	B. Ensuring a separation of duties within the information's processing environment	C. Approving and monitoring major projects, the status of IS plans and budgets	D. Liaising between the IS department and the end users	c	Explanation: An IS steering committee primarily oversees major IS projects, monitors IS plans and budgets, and ensures alignment with organizational objectives. Other options are either operational responsibilities or not typically within the committee's scope.	MOCKDISA	1,063	35	MOCKDISA
73. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:	A. the length of service since this will help ensure technical competence.	B. age as training in audit techniques may be impractical.	C. IS knowledge since this will bring enhanced credibility to the audit function.	D. ability, as an IS auditor, to be independent of existing IS relationships.	d	Explanation: Independence from existing IS relationships is crucial for an IS auditor's objectivity and effectiveness. While experience and knowledge are important, independence ensures unbiased auditing and compliance assessments.	MOCKDISA	1,064	2	MOCKDISA
74. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?	A. Response	B. Correction	C. Detection	D. Monitoring	a	Explanation: A response program is essential in handling suspected intrusions promptly and effectively as part of an organization's security policy. While correction, detection, and monitoring are all important aspects of security, they do not specifically address immediate response to security breaches as a primary policy component.	MOCKDISA	1,065	149	MOCKDISA
75. An organization has outsourced its software development. Which of the following is the responsibility of the organization's IT management?	A. Paying for provider services	B. Participating in systems design with the provider	C. Managing compliance with the contract for the outsourced services	D. Negotiating contractual agreement with the provider	c	Explanation: Managing compliance with the outsourced services contract ensures that the provider meets agreed terms and conditions, delivering services as contracted. Payment, design participation, and negotiation are important but fall under different organizational functions.	MOCKDISA	1,066	22	MOCKDISA
76. When reviewing IS strategies, the IS auditor can BEST assess whether IS strategy supports the organizations' business objectives by determining if IS:	A. has all the personnel and equipment it needs.	B. plans are consistent with management strategy.	C. uses its equipment and personnel efficiently and effectively.	D. has sufficient excess capacity to respond to changing directions.	b	Explanation: IS strategy alignment with management strategy ensures that IT initiatives support overall business objectives effectively. While operational efficiency and resource adequacy are important, strategic alignment directly correlates IT goals with organizational goals, driving business success.	MOCKDISA	1,067	157	MOCKDISA
77. Which of the following is the PRIMARY objective of an IT performance measurement process?	A. Minimize errors.	B. Gather performance data.	C. Establish performance baselines.	D. Optimize performance.	d	Explanation: The primary objective of IT performance measurement is to optimize performance, ensuring efficiency, effectiveness, and alignment with business goals. While minimizing errors, gathering data, and establishing baselines are part of performance management, optimization aims to achieve the best possible outcomes from IT investments and operations.	MOCKDISA	1,068	166	MOCKDISA
78. Which of the following is the initial step in creating a firewall policy?	A. A cost-benefit analysis of methods for securing the applications	B. Identification of network applications to be externally accessed	C. Identification of vulnerabilities associated with network applications to be externally accessed	D. Creation of an applications traffic matrix showing protection methods	b	Explanation: Identifying network applications to be externally accessed is the first step in creating a firewall policy, establishing the scope and focus of protection measures. Subsequent steps involve assessing vulnerabilities, analyzing traffic, and evaluating cost-benefits for effective policy implementation.	MOCKDISA	1,069	116	MOCKDISA
79. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:	A. ensure the employee maintains a good quality of life, which will lead to greater productivity.	B. reduce the opportunity for an employee to commit an improper or illegal act.	C. provide proper cross-training for another employee.	D. eliminate the potential disruption caused when an employee takes vacation one day at a time.	b	Explanation: Mandatory vacations reduce the risk of employees engaging in fraudulent or illegal activities by ensuring others perform their duties, potentially uncovering wrongdoing. While promoting work-life balance and cross-training are benefits, risk mitigation is the primary reason for mandatory vacation policies.	MOCKDISA	1,070	6	MOCKDISA
80. In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether:	A. there is an integration of IS and business staffs within projects.	B. there is a clear definition of the IS mission and vision.	C. there is a strategic information technology planning methodology in place.	D. the plan correlates business objectives to IS goals and objectives.	a	Explanation: Integration of IS and business staff ensures that IT projects align with business needs and objectives, a critical factor in reviewing short-range plans for operational effectiveness. While mission clarity, strategic planning, and goal alignment are essential, staff integration directly impacts project success and business alignment.	MOCKDISA	1,071	115	MOCKDISA
81. An organization acquiring other businesses continues using its legacy EDI systems and uses three separate value-added network (VAN) providers. No written VAN agreements exist. The IS auditor should recommend that management:	A. obtains independent assurance of the third-party service providers.	B. sets up a process for monitoring the service delivery of the third party.	C. ensures that formal contracts are in place.	D. considers agreements with third-party service providers in the development of continuity plans.	c	Explanation: Written agreements would assist management in ensuring compliance with external requirements. While management should obtain independent assurance of compliance, this cannot be achieved until there is a contract in place. One aspect of managing third-party services is to provide monitoring; however, this cannot be achieved until there is a contract. Ensuring that VAN agreements are available for review may assist in the development of continuity plans, if they are deemed critical IT resources. However, this cannot be achieved until a contract is in place.	MOCKDISA	1,072	200	MOCKDISA
82. Which of the following goals would you expect to find in an organization's strategic plan?	A. Test a new accounting package.	B. Perform an evaluation of information technology needs.	C. Implement a new project planning system within the next 12 months.	D. Become the supplier of choice for the product offered.	d	Explanation: Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization's broader plans for attaining their goals. Choice D represents a business objective that is intended to focus the overall direction of the business and would thus be a part of the organization's strategic plan. The other choices are project-oriented and do not address business objectives.	MOCKDISA	1,073	68	MOCKDISA
83. Assessing IT risks is BEST achieved by:	A. evaluating threats associated with existing IT assets and IT projects.	B. using the firm's past actual loss experience to determine current exposure.	C. reviewing published loss statistics from comparable organizations.	D. reviewing IT control weaknesses identified in audit reports.	a	Explanation: To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Hence, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited and there may not be a sufficient assessment of strategic IT risks.	MOCKDISA	1,074	16	MOCKDISA
84. An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. Which would be the next task?	A. Report the risks to the CIO and CEO immediately.	B. Examine e-business application in development.	C. Identify threats and likelihood of occurrence.	D. Check the budget available for risk management.	c	Explanation: The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.	MOCKDISA	1,075	68	MOCKDISA
85. Which of the following IT governance best practices improves strategic alignment?	A. Supplier and partner risks are managed.	B. A knowledge base on customers, products, markets and processes is in place.	C. A structure is provided that facilitates the creation and sharing of business information.	D. Top management mediate between the imperatives of business and technology	d	Explanation: Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risks being managed is a risk management best practice. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice.	MOCKDISA	1,076	31	MOCKDISA
86. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties?	A. Sequence check	B. Check digit	C. Source documentation retention	D. Batch control reconciliations	d	Explanation: Batch control reconciliations are an example of compensating controls. Other examples of compensating controls are transaction logs, reasonableness tests, independent reviews and audit trails, such as console logs, library logs and job accounting date. Sequence checks and check digits are data validation edits, and source documentation retention is an example of a data file control.	MOCKDISA	1,077	191	MOCKDISA
87. The lack of adequate security controls represents a(n):	A. threat.	B. asset.	C. impact.	D. vulnerability	d	Explanation: The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, resulting in loss of sensitive information, which could lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the “Potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.” The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.	MOCKDISA	1,078	80	MOCKDISA
88. IT control objectives are useful to IS auditors, as they provide the basis for understanding the:	A. desired result or purpose of implementing specific control procedures.	B. best IT security control practices relevant to a specific entity.	C. techniques for securing information.	D. security policy.	a	Explanation: An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.	MOCKDISA	1,079	119	MOCKDISA
89. To support an organization's goals, the IS department should have:	A. a low-cost philosophy.	B. long- and short-range plans.	C. leading-edge technology.	D. planned to acquire new hardware and software.	b	Explanation: To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.	MOCKDISA	1,080	195	MOCKDISA
90. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:	A. this lack of knowledge may lead to unintentional disclosure of sensitive information	B. information security is not critical to all functions.	C. IS audit should provide security training to the employees.	D. the audit finding will cause management to provide continuous training to staff.	a	Explanation: All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.	MOCKDISA	1,081	20	MOCKDISA
91. The general ledger setup function in an enterprise resource planning (ERP) system allows for setting accounting periods. Access to this function has been permitted to users in finance, the warehouse and order entry. The MOST likely reason for such broad access is the:	A. need to change accounting periods on a regular basis.	B. requirement to post entries for a closed accounting period.	C. lack of policies and procedures for the proper segregation of duties.	D. need to create/modify the chart of accounts and its allocations.	c	Explanation: Setting of accounting periods is one of the critical activities of the finance function. Granting access to this function to warehouse and order entry personnel could be a result of a lack of proper policies and procedures for the adequate segregation of duties. Accounting periods should not be changed at regular intervals, but established permanently. The requirement to post entries for a closed accounting period is a risk. If necessary, this should be done by someone in the finance or accounting area. The need to create/modify the chart of accounts and its allocations is the responsibility of the finance department and is not a function that should be performed by warehouse or order entry personnel.	MOCKDISA	1,082	35	MOCKDISA
92. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:	A. recovery.	B. retention.	C. rebuilding.	D. reuse.	b	Explanation: Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic "paper" makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.	MOCKDISA	1,083	148	MOCKDISA
93. A top-down approach to the development of operational policies will help ensure:	A. that they are consistent across the organization.	B. that they are implemented as a part of risk assessment.	C. compliance with all policies.	D. that they are reviewed periodically.	a	Explanation: Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment. A top-down approach of itself does not ensure compliance and development does not ensure that policies are reviewed.	MOCKDISA	1,084	16	MOCKDISA
94. The following is an advantage of using link encryption:	A. it protects messages against traffic analysis	B. Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed	C. If an encryption key is compromised the exposure is restricted to a single user to who the key applies	D. It is easy to assign the cost of using link encryption to the users of the link.	a	Explanation: Link Encryption results in protection against traffic analysis. Options B, C and D are not applicable.	MOCKDISA	1,085	202	MOCKDISA
95. A probable advantage to an organization that has outsourced its data processing services is that:	A. needed IS expertise can be obtained from the outside.	B. greater control can be exercised over processing.	C. processing priorities can be established and enforced internally.	D. greater user involvement is required to communicate user needs.	a	Explanation: Outsourcing is a contractual arrangement whereby the organization relinquishes control over part or all of the information processing to an external party. This is frequently done to acquire additional resources or expertise that is not obtainable from inside the organization.	MOCKDISA	1,086	169	MOCKDISA
96. When an organization is outsourcing their information security function, which of the following should be kept in the organization?	A. Accountability for the corporate security policy	B. Defining the corporate security policy	C. Implementing the corporate security policy	D. Defining security procedures and guidelines	a	Explanation: Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.	MOCKDISA	1,087	74	MOCKDISA
97. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?	A. Restricting physical access to computing equipment	B. Reviewing transaction and application logs	C. Performing background checks prior to hiring IT staff	D. Locking user sessions after a specified period of inactivity	b	Explanation: Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Choice C is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users from gaining system access, but the issue with a lack of segregation of duties is more the misuse (deliberately or inadvertently) of access privileges that have officially been granted.	MOCKDISA	1,088	48	MOCKDISA
98. Which of the following reduces the potential impact of social engineering attacks?	A. Compliance with regulatory requirements	B. Promoting ethical understanding	C. Security awareness programs	D. Effective performance incentives	c	Explanation: Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.	MOCKDISA	1,089	83	MOCKDISA
99. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:	A. dependency on a single person.	B. inadequate succession planning.	C. one person knowing all parts of a system.	D. a disruption of operations.	c	Explanation: Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures. Cross-training reduces the risks addressed in choices A, B and D.	MOCKDISA	1,090	23	MOCKDISA
100. When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?	A. There could be a question with regards to the legal jurisdiction.	B. Having a provider abroad will cause excessive costs in future audits.	C. The auditing process will be difficult because of the distances.	D. There could be different auditing norms.	a	Explanation: In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.	MOCKDISA	1,091	139	MOCKDISA
101. Which of the following is critical to the selection and acquisition of the correct operating system software?	A. Competitive bids	B. User department approval	C. Hardware configuration analysis	D. Purchasing department approval	c	Explanation: The purchase of operating system software depends on its compatibility with existing hardware. While competitive bids and departmental approvals are important, they do not address the fundamental compatibility issue as directly as hardware configuration analysis. Users typically do not approve operating system acquisitions.	MOCKDISA	1,092	52	MOCKDISA
102. A single digitally signed instruction was given to a financial institution to credit a customer's account. The financial institution received the instruction three times and credited the account three times. Which of the following would be the MOST appropriate control against such multiple credits?	A. Encrypting the hash of the payment instruction with the public key of the financial institution	B. Affixing a time stamp to the instruction and using it to check for duplicate payments	C. Encrypting the hash of the payment instruction with the private key of the instructor	D. Affixing a time stamp to the hash of the instruction before having it digitally signed by the instructor	b	Explanation: Affixing a time stamp to the instruction helps prevent replay attacks, ensuring that the instruction is processed only once despite multiple receipts. This control is more effective against duplicate payments compared to other options which focus on encryption and signing without addressing replay prevention directly.	MOCKDISA	1,093	81	MOCKDISA
103. Assumptions while planning an IS project involve a high degree of risk because they are:	A. based on known constraints.	B. based on objective past data.	C. a result of a lack of information.	D. often made by unqualified people.	c	Explanation: Assumptions in IS projects are risky because they are made when adequate information is lacking. Known constraints and objective past data provide more certainty and are less risky. Assumptions are not necessarily made by unqualified people; they stem from incomplete information, making them inherently risky.	MOCKDISA	1,094	138	MOCKDISA
104. An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of:	A. reverse engineering.	B. prototyping.	C. software reuse.	D. reengineering.	d	Explanation: Reengineering involves extensive enhancement of existing systems by extracting and reusing components, adapting them to modern technologies. Reverse engineering involves analyzing and understanding existing systems. Prototyping is iterative development for requirements validation, and software reuse involves using existing software components in new applications.	MOCKDISA	1,095	165	MOCKDISA
105. When implementing an acquired system in a client-server environment, which of the following tests would confirm that the modifications in the Windows registry do not adversely impact the desktop environment?	A. Sociability testing	B. Parallel testing	C. White box testing	D. Validation testing	a	Explanation: Sociability testing ensures that an acquired system can operate in its target environment without adverse effects on other systems, including the desktop environment. Parallel testing compares old and new systems, white box testing examines internal structures, and validation testing verifies system functionality against requirements.	MOCKDISA	1,096	48	MOCKDISA
106. Information for detecting unauthorized input from a terminal would be BEST provided by the:	A. console log printout.	B. transaction journal.	C. automated suspense file listing.	D. user error report.	b	Explanation: The transaction journal records all terminal transactions, aiding in detecting unauthorized inputs by comparing them with authorized documents. Console logs, suspense files, and user error reports are less suitable for detecting terminal input anomalies.	MOCKDISA	1,097	120	MOCKDISA
107. The IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort?	A. Program evaluation review technique (PERT)	B. Counting source lines of code (SLOC)	C. Function point analysis	D. White box testing	c	Explanation: Function point analysis estimates application size based on inputs, outputs, and files, suitable for complex systems like the one described. PERT helps in project planning, SLOC measures code size directly, and white box testing reviews internal code behavior.	MOCKDISA	1,098	185	MOCKDISA
108. The editing/validation of data entered at a remote site would be performed MOST effectively at the:	A. central processing site after running the application system.	B. central processing site during the running of the application system.	C. remote processing site after transmission of the data to the central processing site.	D. remote processing site prior to transmission of the data to the central processing site.	d	Explanation: Validating data at the remote site before transmission ensures data quality and reduces processing overheads compared to validation after transmission or at the central site during application runtime.	MOCKDISA	1,099	71	MOCKDISA
109. Which of the following is the FIRST thing an IS auditor should do after the discovery of a Trojan horse program in a computer system?	A. Investigate the author.	B. Remove any underlying threats.	C. Establish compensating controls.	D. Have the offending code removed.	d	Explanation: The immediate action should be removing the Trojan horse to prevent further damage. Investigating, addressing threats, and establishing controls follow to prevent future incidents.	MOCKDISA	1,100	83	MOCKDISA
110. The GREATEST benefit in implementing an expert system is the:	A. capturing of the knowledge and experience of individuals in an organization.	B. sharing of knowledge in a central repository.	C. enhancement of personnel productivity and performance.	D. reduction of employee turnover in key departments.	a	Explanation: Expert systems capture and utilize organizational knowledge and experience, enhancing decision-making and reducing reliance on individual expertise. While knowledge sharing, productivity enhancement, and reduced turnover are benefits, they are secondary to knowledge capture and utilization.	MOCKDISA	1,101	53	MOCKDISA
111. An IS auditor reviewing a proposed application software acquisition should ensure that the:	A. operating system (OS) being used is compatible with the existing hardware platform.	B. planned OS updates have been scheduled to minimize negative impacts on company needs.	C. OS has the latest versions and updates.	D. products are compatible with the current or planned OS.	d	Explanation: The auditor's focus should be on ensuring that the software products to be acquired are compatible with the current or planned OS. Choices A, B, and C, while important, do not directly address the compatibility of the products being purchased with the OS, which is crucial for successful implementation and operation.	MOCKDISA	1,102	154	MOCKDISA
112. Which of the following is MOST likely to occur when a system development project is in the middle of the programming/coding phase?	A. Unit tests	B. Stress tests	C. Regression tests	D. Acceptance tests	a	Explanation: During the programming phase, unit tests are conducted to verify that individual programs or modules are working correctly. This phase focuses on the detailed implementation of code, ensuring it meets quality standards before integration testing begins. Stress tests, regression tests, and acceptance tests typically occur later in the development lifecycle after coding is completed and modules are integrated.	MOCKDISA	1,103	40	MOCKDISA
113. An organization planning to purchase a software package asks the IS auditor for a risk assessment. Which of the following is the MAJOR risk?	A. Unavailability of the source code	B. Lack of a vendor-quality certification	C. Absence of vendor/client references	D. Little vendor experience with the package	a	Explanation: The major risk in purchasing software without access to the source code is the inability to update or modify the software in case the vendor goes out of business. While lack of certification, absence of references, and limited vendor experience are important considerations, they are secondary to the risk of being unable to maintain or enhance the software without access to its source code.	MOCKDISA	1,104	177	MOCKDISA
114. An IS auditor assigned to audit a reorganized process should FIRST review which of the following?	A. A map of existing controls	B. Eliminated controls	C. Process charts	D. Compensating controls	c	Explanation: When auditing a reorganized process, the IS auditor should first review process charts to understand and analyze changes in the workflow. Process charts provide a visual representation of the process before and after reorganization, aiding in assessing control effectiveness. Reviewing existing controls, eliminated controls, or compensating controls without understanding the revised process flow would not provide comprehensive insights into the impact of reorganization on control mechanisms.	MOCKDISA	1,105	188	MOCKDISA
115. The PRIMARY benefit of integrating total quality management (TQM) into a software development project is:	A. comprehensive documentation	B. on-time delivery	C. cost control	D. end-user satisfaction	d	Explanation: The primary goal of TQM in software development is to enhance end-user satisfaction by ensuring that software meets user requirements and quality expectations. While documentation, on-time delivery, and cost control are important, they are outcomes rather than the primary focus of TQM, which centers on customer satisfaction through continuous improvement and adherence to quality standards.	MOCKDISA	1,106	119	MOCKDISA
116. When reviewing the quality of an IS department's development process, the IS auditor finds that he/she does not use any formal, documented methodology and standards. The IS auditor's MOST appropriate action would be to:	A. complete the audit and report the finding.	B. investigate and recommend appropriate formal standards.	C. document the informal standards and test for compliance.	D. withdraw and recommend a further audit when standards are implemented.	c	Explanation: The IS auditor should first document the existing informal standards and assess their effectiveness through compliance testing. This ensures understanding of current practices before recommending formal standards, which may already be effective informally. Reporting findings without documenting and testing would not provide actionable insights, and withdrawing without recommendations delays potential improvements.	MOCKDISA	1,107	56	MOCKDISA
117. During unit testing, the test strategy applied is:	A. black box	B. white box	C. bottom-up	D. top-down	b	Explanation: Unit testing involves testing individual components or modules of a software application to validate their functionality and logic. White box testing examines the internal structure and logic of the code, ensuring that each module operates as intended. Black box testing focuses on functional requirements, while bottom-up and top-down testing involve integration testing of multiple modules or subsystems, occurring after unit testing.	MOCKDISA	1,108	55	MOCKDISA
118. A decision support system (DSS):	A. is aimed at solving highly structured problems.	B. combines the use of models with nontraditional data access and retrieval functions.	C. emphasizes flexibility in the decision-making approach of users.	D. supports only structured decision-making tasks.	c	Explanation: A DSS provides flexible decision-making support by combining models and data access capabilities to assist users in semi-structured or unstructured decision-making scenarios. It enhances user flexibility and responsiveness to varying decision contexts, making choices A, B, and D less appropriate as they do not fully encompass the breadth of decision support functionalities offered by DSS.	MOCKDISA	1,109	143	MOCKDISA
119. Which of the following phases represents the optimum point for software baselining to occur?	A. Testing	B. Design	C. Requirement	D. Development	b	Explanation: Software baselining establishes a stable reference point in the design phase, after which changes require formal approval and impact assessment. Baseline configuration at this stage ensures consistency and manages change effectively through subsequent phases. Baselining during testing, requirement gathering, or development may lead to inconsistencies and frequent revisions, undermining stability and project progress.	MOCKDISA	1,110	131	MOCKDISA
120. A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, the IS auditor should recommend the inclusion of:	A. validation controls	B. internal credibility checks	C. clerical control procedures	D. automated systems balancing	d	Explanation: Automated systems balancing ensures integrity by reconciling inputs and outputs, detecting discrepancies for immediate correction. While validation controls and credibility checks verify data accuracy, clerical procedures are less reliable for high-volume processing due to manual error potential. Automated balancing minimizes transaction losses by promptly identifying discrepancies, enhancing processing efficiency and accuracy.	MOCKDISA	1,111	85	MOCKDISA
121. When auditing the conversion of an accounting system an IS auditor should verify the existence of a:	A. control total check.	B. validation check.	C. completeness check.	D. limit check.	a	Explanation: Tallying a control total assures the IS auditor that all data amounts have been accurately transferred to the new system during conversion. Validation checks ensure data accuracy during input, completeness checks confirm all data is entered, and limit checks verify data values are within specified ranges. However, only a control total check confirms all amounts are correctly migrated to the new system, validating the accuracy of the entire conversion process.	MOCKDISA	1,112	1	MOCKDISA
122. A debugging tool, which reports on the sequence of steps executed by a program, is called a(n):	A. output analyzer.	B. memory dump.	C. compiler.	D. logic path monitor.	d	Explanation: A logic path monitor tracks the sequence of program steps executed, aiding in identifying logic errors. An output analyzer verifies program results against expected outcomes. A memory dump captures current memory contents for analysis, useful in diagnosing system errors. Compilers translate source code into executable programs but do not directly assist in program execution analysis. Therefore, a logic path monitor best suits the IS auditor's need to track program execution sequence for debugging purposes.	MOCKDISA	1,113	68	MOCKDISA
123. Which of the following facilitates program maintenance?	A. More cohesive and loosely coupled programs	B. Less cohesive and loosely coupled programs	C. More cohesive and strongly coupled programs	D. Less cohesive and strongly coupled programs	a	Explanation: More cohesive, loosely coupled programs are easier to maintain because changes in one module are less likely to impact others. Strong coupling increases interdependence, requiring modifications in one module to consider effects on others. Looser coupling reduces maintenance complexity and risks, making it preferable for program updates and enhancements.	MOCKDISA	1,114	35	MOCKDISA
124. Which of the following ensures completeness and accuracy of accumulated data?	A. Processing control procedures	B. Data file control procedures	C. Output controls	D. Application controls	a	Explanation: Processing control procedures ensure the completeness and accuracy of accumulated data through validation and totals. Data file controls restrict unauthorized access to stored data. Output controls ensure accurate and secure data delivery to users. Application controls encompass various controls within applications but do not specifically focus on data accuracy and completeness during processing. Therefore, processing control procedures are essential for verifying data accuracy and completeness in accumulated data sets.	MOCKDISA	1,115	46	MOCKDISA
125. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically:	A. result in a correct capture of requirements.	B. ensure that desirable application controls have been implemented.	C. produce ergonomic and user-friendly interfaces.	D. generate efficient code.	a	Explanation: While CASE tools aid in requirement capture, human interaction remains crucial for accurate requirement specification. Application controls ensure operational security and integrity. Ergonomic interfaces improve usability but require human design input. Efficient code generation by CASE tools aids development but does not replace developer expertise. Therefore, the IS auditor's primary concern is ensuring human involvement in requirement capture despite CASE tool capabilities.	MOCKDISA	1,116	175	MOCKDISA
126. The MOST likely explanation for the use of applets in an Internet application is that:	A. it is sent over the network from the server.	B. the server does not run the program and the output is not sent over the network.	C. they improve the performance of the web server and network.	D. it is a JAVA program downloaded through the web browser and executed by the web server of the client machine.	c	Explanation: Applets enhance web server and network performance by running JAVA programs locally on client machines, reducing server workload and network traffic. Applets are downloaded over networks but executed on client-side JAVA virtual machines, unlike server-side programs (choices A and B). Though JAVA programs run in browsers (choice D), applets specifically improve performance by decentralizing program execution from servers to clients, a benefit distinct from other deployment methods.	MOCKDISA	1,117	75	MOCKDISA
127. Ideally, stress testing should be carried out in a:	A. test environment using test data.	B. production environment using live workloads.	C. test environment using live workloads.	D. production environment using test data.	c	Explanation: Stress testing under live workloads in a controlled test environment ensures system robustness without risking production environment disruptions. Testing with test data in production (choice D) lacks real workload representation, while live workload testing in production (choice B) risks service disruptions. Testing with live workloads in a controlled test environment (choice C) balances realistic load simulation with risk mitigation, ideal for assessing system performance under stress conditions.	MOCKDISA	1,118	72	MOCKDISA
128. Good quality software is BEST achieved:	A. through thorough testing.	B. by finding and quickly correcting programming errors.	C. by determining the amount of testing using the available time and budget.	D. by applying well-defined processes and structured reviews throughout the project.	d	Explanation: Quality software results from structured processes and reviews ensuring consistency and quality at each project stage. Testing identifies defects, while rapid error correction addresses immediate issues. Budget-based testing (choice C) may compromise quality due to insufficient testing. Effective processes and reviews (choice D) prevent defects, enhancing overall software quality before testing, reducing rework costs.	MOCKDISA	1,119	65	MOCKDISA
129. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be the IS auditor's main concern about the new process?	A. Are key controls in place to protect assets and information resources?	B. Does it address the corporate customer requirements?	C. Does the system meet the performance goals (time and resources)?	D. Have owners been identified who will be responsible for the process?	a	Explanation: The IS auditor's primary concern is ensuring key controls safeguard assets and information, critical for new process integrity and security. While customer requirements (choice B), system performance (choice C), and process ownership (choice D) are important, controls protect against risks ensuring process effectiveness and compliance.	MOCKDISA	1,120	56	MOCKDISA
130. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?	A. Acceptance testing is to be managed by users.	B. A quality plan is not part of the contracted deliverables.	C. Not all business functions will be available on initial implementation.	D. Prototyping is being used to confirm that the system meets business requirements.	b	Explanation: A missing quality plan in the development contract risks inadequate quality assurance and oversight, essential for project success. User-managed acceptance testing (choice A), phased business function deployment (choice C), and prototyping (choice D) address specific project aspects but do not replace comprehensive quality planning, critical for ensuring project deliverables meet required standards and expectations.	MOCKDISA	1,121	95	MOCKDISA
131. The use of a GANTT chart can:	A. aid in scheduling project tasks.	B. determine project checkpoints.	C. ensure documentation standards.	D. direct the post implementation review.	a	Explanation: A GANTT chart primarily aids in scheduling project tasks by visually representing task durations and dependencies. While it may indirectly assist in identifying project checkpoints, it does not ensure documentation standards or direct post-implementation reviews. Therefore, the primary use of a GANTT chart is to schedule and manage project tasks effectively.	MOCKDISA	1,122	89	MOCKDISA
132. Using test data as part of a comprehensive test of program controls in a continuous online manner is called a(n):	A. test data/deck.	B. base-case system evaluation.	C. integrated test facility (ITF).	D. parallel simulation.	b	Explanation: Base-case system evaluation uses test data sets for comprehensive testing of program controls continuously online. It verifies system operations before acceptance and periodically validates them. Test data/deck simulates transactions through actual programs, ITF creates fictitious files for simultaneous processing with live input, and parallel simulation processes data using simulated application logic. Therefore, base-case system evaluation best describes continuous online testing of program controls with pre-developed test data sets.	MOCKDISA	1,123	74	MOCKDISA
133. Testing the connection of two or more system components that pass information from one area to another is:	A. pilot testing.	B. parallel testing	C. interface testing.	D. regression testing.	c	Explanation: Interface testing evaluates connections between system components passing information from one area to another. Pilot testing focuses on specific system aspects, parallel testing compares results from two systems, and regression testing verifies unchanged code errors. Interface testing specifically assesses inter-component data flow, essential for integrated system functionality.	MOCKDISA	1,124	123	MOCKDISA
134. Regression testing is the process of testing a program to determine if:	A. the new code contains errors.	B. discrepancies exist between functional specifications and performance.	C. new requirements have been met.	D. changes have introduced any errors in the unchanged code.	d	Explanation: Regression testing reruns test scenarios to ensure unchanged code remains error-free after modifications. It validates system integrity by retesting original test data, distinguishing new code errors (choice A) from unchanged code defects. Functional specifications (choice B) assess functionality performance, while new requirements (choice C) verify update completeness. Unchanged code error detection through regression testing maintains system reliability, highlighting the importance of verifying system stability post-modification.	MOCKDISA	1,125	166	MOCKDISA
135. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of system development projects?	A. User management	B. Project steering committee	C. Senior management	D. Systems development management	b	Explanation: The project steering committee oversees system development project costs and schedules, ensuring project direction and accountability. User management directs project ownership and system outcomes. Senior management commits project resources, and systems development management provides technical support. Steering committees maintain cost and schedule oversight, essential for project success, indicating their primary role in managing project direction and responsibility.	MOCKDISA	1,126	40	MOCKDISA
136. The difference between white box testing and black box testing is that white box testing:	A. involves the IS auditor.	B. is performed by an independent programmer team.	C. examines a program's internal logical structure.	D. uses the bottom-up approach.	c	Explanation: White box testing scrutinizes program internal logical structures, assessing operational conditions. It contrasts with black box testing's external system behavior observation. IS auditors (choice A) do not directly participate in testing methods, and independent programmers (choice B) lack system application insights. Both testing methods use bottom-up approaches, refining system functionality. White box testing isolates logical structures, essential for pinpointing system operation intricacies, differing from black box testing's broader external behavior assessment.	MOCKDISA	1,127	148	MOCKDISA
137. An IS auditor reviewing a project, where quality is a major concern, should use the project management triangle to explain that a(n):	A. increase in quality can be achieved, even if resource allocation is decreased.	B. increase in quality is only achieved, if resource allocation is increased.	C. decrease in delivery time can be achieved, even if resource allocation is decreased.	D. decrease in delivery time can only be achieved, if quality is decreased.	a	Explanation: The project management triangle illustrates fixed project dimensions: deliverables, resources, and delivery time. Decreasing resource allocation may enhance quality if project delivery time adjusts accordingly. Quality rises without additional resources (choice B), delivery time decreases despite lower resources (choice C), and quality and time balance maintains triangle area. Quality optimization adapts to resource constraints, enriching project audits through triangle applications.	MOCKDISA	1,128	176	MOCKDISA
138. Which of the following integrity tests examines the accuracy, completeness, consistency and authorization of data?	A. Data	B. Relational	C. Domain	D. Referential	a	Explanation: Data integrity testing assesses data accuracy, completeness, consistency, and authorization. Relational testing monitors sensitive data modifications with control totals. Domain testing confirms data specification adherence, and referential testing validates parent-child data relationships. Data testing assures data reliability and security, vital for system integrity, distinct from other integrity tests, solidifying data audit trails and verifications.	MOCKDISA	1,129	54	MOCKDISA
139. Which of the following is MOST effective in controlling application maintenance?	A. Informing users of the status of changes	B. Establishing priorities on program changes	C. Obtaining user approval of program changes	D. Requiring documented user specifications for changes	c	Explanation: User approval of program changes minimizes unauthorized changes, reducing system errors and downtime. Change notifications (choice A) update users on change impacts, and priority setting (choice B) schedules change implementations. Documented specifications (choice D) define change specifics. User approval assures change accuracy, securing system maintenance, consolidating application control effectiveness, and validating change impacts.	MOCKDISA	1,130	147	MOCKDISA
140. Which of the following groups should assume ownership of a systems development project and the resulting system?	A. User management	B. Senior management	C. Project steering committee	D. Systems development management	a	Explanation: User management directs system development projects and resulting system ownership. Senior management supports project funding and monitoring, steering committees guide project directions, and systems management provides technical backing. User management affirms project milestones, ensuring system delivery, and ownership, securing system applications, and reinforcing project alignments with user mandates, delineating system development procedures.	MOCKDISA	1,131	90	MOCKDISA
141. To make an electronic funds transfer (EFT), one employee enters the amount field and another employee reenters the same data again, before the money is transferred. The control adopted by the organization in this case is:	A. sequence check.	B. key verification.	C. check digit.	D. completeness check.	b	Explanation: Key verification involves entering data twice by separate individuals to ensure accuracy. It's used to prevent input errors in critical transactions like EFTs. Sequence check verifies serial number continuity, a check digit ensures data integrity against alteration, and completeness checks ensure all required data inputs are present. Key verification uniquely addresses data accuracy by human validation, critical for EFT security and reliability.	MOCKDISA	1,132	144	MOCKDISA
142. An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is:	A. continuous improvement.	B. quantitative quality goals.	C. a documented process.	D. a process tailored to specific projects.	a	Explanation: At the highest CMM level (level 5, optimizing), continuous improvement is the focus, refining processes iteratively. Lower levels emphasize documented processes (level 3), project tailoring (level 3), and quality goals (level 4). Continuous improvement consolidates quality enhancements, surpassing lower CMM stages, vital for sustained software excellence, illustrating organizational commitment to process evolution and efficiency.	MOCKDISA	1,133	19	MOCKDISA
143. The use of fourth-generation languages (4GLs) should be weighed carefully against using traditional languages, because 4GLs:	A. can lack the lower-level detail commands necessary to perform data intensive operations.	B. cannot be implemented on both the mainframe processors and microcomputers.	C. generally contain complex language subsets that must be used by skilled users.	D. cannot access database records and produce complex online outputs.	a	Explanation: 4GLs excel in rapid application development but may lack lower-level commands essential for complex data operations. They're versatile across platforms (choice B), demand skill proficiency (choice C), and access databases (choice D). Lack of detailed commands in 4GLs limits intricate data handling, affecting major applications, emphasizing careful language selection based on operational demands, vital for software efficacy and compatibility.	MOCKDISA	1,134	20	MOCKDISA
144. During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:	A. increased maintenance.	B. improper documentation of testing.	C. inadequate functional testing.	D. delays in problem resolution.	c	Explanation: Combining quality assurance and user acceptance testing risks inadequate functional testing, compromising application performance. Increased maintenance (choice A) and documentation lapses (choice B) may occur, yet functional testing deficiencies jeopardize system operability. Timely problem resolution (choice D) offsets delays, stressing comprehensive testing segregation to ensure thorough evaluation, pivotal for software reliability, aligning IS audit focus on functional integrity preservation.	MOCKDISA	1,135	106	MOCKDISA
145. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:	A. a backup server be available to run ETCS operations with up-to-date data.	B. a backup server be loaded with all the relevant software and data.	C. the systems staff of the organization be trained to handle any event.	D. source code of the ETCS application be placed in escrow.	d	Explanation: Proprietary software contracts necessitate source code escrow, ensuring future software access if vendor support falters. Backup servers (choices A, B) and trained staff (choice C) bolster system resilience but do not secure long-term software rights. Source code escrow guarantees operational continuity, mitigating vendor risks, pivotal for critical system deployments, highlighting contract clause significance in safeguarding proprietary software access and usage.	MOCKDISA	1,136	126	MOCKDISA
146. Which of the following is a dynamic analysis tool for the purpose of testing software modules?	A. Black box test	B. Desk checking	C. Structured walk-through	D. Design and code	a	Explanation: Black box testing dynamically evaluates software modules, simulating user inputs to assess system responses. Desk checking (choice B) and walk-throughs (choice C) review code statically, while design/code (choice D) analyzes program structures. Black box testing verifies module functionalities interactively, enhancing software reliability, emphasizing dynamic testing methodologies, crucial for robust system validations, delineating IS audit focus on active module assessment, pivotal for software integrity assurance.	MOCKDISA	1,137	113	MOCKDISA
147. The impact of EDI on internal controls will be:	A. that fewer opportunities for review and authorization will exist.	B. an inherent authentication.	C. a proper distribution of EDI transactions while in the possession of third parties.	D. that IPF management will have increased responsibilities over data center controls.	a	Explanation: Electronic Data Interchange (EDI) streamlines transactions, reducing review and authorization chances, enhancing efficiency. Authentication (choice B) lacks human validation, and transaction distributions (choice C) warrant secure third-party custody. IPF responsibilities (choice D) cover center controls, contrasting fewer control reviews from EDI, pivotal for internal control adaptation, underlining audit insights on EDI impact, vital for control strategy formulation, accentuating review reduction effects on transactional workflows, critical for audit considerations.	MOCKDISA	1,138	118	MOCKDISA
148. Which of the following tasks occurs during the research stage of the benchmarking process?	A. Critical processes are identified.	B. Benchmarking partners are visited.	C. Findings are translated into core principles.	D. Benchmarking partners are identified.	d	Explanation: Benchmarking research stages identify data and benchmarking partners. Planning pinpoints critical processes (choice A), observations include partner visits (choice B), and adaptations define core principles (choice C). Partner identification underscores research significance, pivotal for benchmarking foundation, outlining audit focus on research planning, vital for benchmarking integrity, accentuating partner identification for comparative analysis, essential for strategic benchmarking, delineating audit insights into research relevance in benchmarking initiatives.	MOCKDISA	1,139	12	MOCKDISA
149. Which of the following would be a risk specifically associated with the agile development process?	A. Lack of documentation	B. Lack of testing	C. Poor requirements definition	D. Poor project management practices	a	Explanation: Agile's iterative nature may risk documentation lapses, affecting system comprehensiveness. Testing (choice B), requirements (choice C), and management (choice D) align with agile adaptability, distinct from traditional approaches. Documentation gaps challenge audit evidence, emphasizing agile audit scrutiny on adaptive practices, crucial for project success, underlining audit concerns over documentation in agile methodologies, vital for assessing agile risk impacts, stressing documentation necessities in agile projects, pivotal for audit strategy formulation.	MOCKDISA	1,140	58	MOCKDISA
150. An IS auditor evaluating data integrity in a transaction-driven system environment should review atomicity to determine whether:	A. the database survives failures (hardware or software).	B. each transaction is separated from other transactions.	C. integrity conditions are maintained.	D. a transaction is completed or a database is updated.	d	Explanation: Atomicity validates transaction completeness or database updates, ensuring data transactional integrity. Durability (choice A) sustains database resilience, isolation (choice B) segregates transactions, and consistency (choice C) maintains data conditions. Atomicity anchors data audits, crucial for transactional integrity, aligning IS audit scrutiny on data transaction validation, pivotal for system reliability, highlighting atomicity audit relevance in transaction-driven systems, crucial for audit strategy formulation.	MOCKDISA	1,141	97	MOCKDISA
151. The MOST effective method of preventing unauthorized use of data files is:	A. automated file entry.	B. tape librarian.	C. access control software.	D. locked library.	c	Explanation: Access control software is an active control designed to prevent unauthorized access to data.	MOCKDISA	1,142	93	MOCKDISA
152. Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?	A. Approval of the plan by Board of Directors.	B. Plan is tested once in a year.	C. Plan is reviewed and updated regularly.	D. Plan is circulated to all the Head of Departments	c	Explanation: Business Continuity Plan should be reviewed regularly. Options A, B and D are not that relevant.	MOCKDISA	1,143	147	MOCKDISA
153. Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce?	A. Registration authority	B. Certificate authority (CA)	C. Certification relocation list	D. Certification practice statement	b	Explanation: The certificate authority maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication. Choice A is not correct because a registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA. Choice C is incorrect since a CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.	MOCKDISA	1,144	133	MOCKDISA
154. Passwords should be:	A. assigned by the security administrator for first time logon.	B. changed every 30 days at the discretion of the user.	C. reused often to ensure the user does not forget the password.	D. displayed on the screen so that the user can ensure that it has been entered properly.	a	Explanation: Initial password assignment should be done discretely by the security administrator. Passwords should be changed often (e.g., every 30 days); however, changing should not be voluntary, it should be required by the system. Systems should not permit previous passwords to be used again; old passwords may have been compromised and would thus permit unauthorized access. Passwords should not be displayed in any form.	MOCKDISA	1,145	75	MOCKDISA
155. An IS auditor reviewing an organisation’s Business Continuity Plan discovered that the plan provides for an alternate site which can accommodate about 50% of the processing requirements of the organisation. Which of the following steps should the IS Auditor take?	A. Ensure that the alternate site could process all the critical applications.	B. Recommend that the processing capacity of the alternate site should be increased.	C. Identify applications that could be processed at the alternate site and develop manual procedures for other applications.	D. Under normal circumstances only about 25% of the processing is critical to an organization. Hence, there is no need to take any action.	a	Explanation: In given context important is to take care of critical applications hence Option A is correct. Option B, C and D are not that relevant.	MOCKDISA	1,146	107	MOCKDISA
156. The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:	A. make unauthorized changes to the database directly, without an audit trail.	B. make use of a system query language (SQL) to access information.	C. remotely access the database.	D. update data without authentication.	a	Explanation: Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information. In a networked environment, accessing the database remotely does not make a difference. What is critical is what is possible or completed through this access. To access a database, it is necessary that a user is authenticated using a user id.	MOCKDISA	1,147	82	MOCKDISA
157. Which of the following antispam filtering techniques would BEST prevent a valid, variable-length e-mail message containing a heavily weighted spam keyword from being labeled as spam?	A. Heuristic (rule-based)	B. Signature-based	C. Pattern matching	D. Bayesian (statistical)	d	Explanation: Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Hence, it can "ignore" a suspicious keyword, if the entire message is within normal bounds. Heuristic filtering is less effective, since new "exception" rules may need to be defined when a valid message is labeled as spam. Signature-based filtering is useless against variable-length messages, because the calculated MD5 hash changes all the time. Finally, pattern matching is actually a degraded rule-based technique, where the rules operate at the word level, using wildcards, and not at higher levels.	MOCKDISA	1,148	28	MOCKDISA
158. An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk?	A. Kerberos	B. Vitality detection	C. Multimodal biometrics	D. Before-image/after-image logging	a	Explanation: Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. Choices B and C are not correct because vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventative control.	MOCKDISA	1,149	122	MOCKDISA
159. Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?	A. Analyzer	B. Administration console	C. User interface	D. Sensor	d	Explanation: Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.	MOCKDISA	1,150	92	MOCKDISA
160. The risk of gaining unauthorized access through social engineering can BEST be addressed by:	A. security awareness programs.	B. asymmetric encryption	C. intrusion detection systems	D. a demilitarized zone.	a	Explanation: The human factor is the weakest link in the information security chain. Social engineering is the human side of breaking into an enterprise's network. It relies on interpersonal relations and deception. Organizations with technical security countermeasures, such as an authentication process, encryption, intrusion detection systems or firewalls, may still be vulnerable if an employee gives away confidential information. The best means of defense for social engineering is an ongoing security awareness program wherein all employees are educated about the dangers of social engineering.	MOCKDISA	1,151	153	MOCKDISA
161. While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?	A. A scan of all floppy disks before use	B. A virus monitor on the network file server	C. Scheduled daily scans of all network drives	D. A virus monitor on the user's personal computer	c	Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.	MOCKDISA	1,152	160	MOCKDISA
162. The creation of an electronic signature: A. encrypts the message. B. verifies from where the message came. C. cannot be compromised when using a private key. D. cannot be used with e-mail systems.	A. encrypts the message	B. verifies from where the message came	C. cannot be compromised when using a private key	D. cannot be used with e-mail systems	b	The creation of an electronic signature does not in itself encrypt the message or secure it from compromise. It only verifies the message's origination.	MOCKDISA	1,153	105	MOCKDISA
163. The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest?	A. Relocate the shutoff switch	B. Install protective covers	C. Escort visitors	D. Log environmental failures	b	A protective cover over the switch would allow it to be accessible and visible, but would prevent accidental activation. Relocating the shutoff switch would defeat the purpose of having it readily accessible. Escorting the personnel who move the equipment may not have prevented this incident, and logging of environmental failures would provide management with a report of incidents, but reporting alone would not prevent a reoccurrence.	MOCKDISA	1,154	203	MOCKDISA
164. Which of the following provides the framework for designing and developing logical access controls? A. Information systems security policy B. Access control lists C. Password management D. System configuration files	A. Information systems security policy	B. Access control lists	C. Password management	D. System configuration files	a	The information systems security policy developed and approved by the top management in an organization is the basis upon which logical access control is designed and developed. Access control lists, password management and systems configuration files are tools for implementing the access controls.	MOCKDISA	1,155	113	MOCKDISA
165. Which of the following provides nonrepudiation services for e-commerce transactions? A. Public key infrastructure (PKI) B. Data Encryption Standard (DES) C. Message authentication code (MAC) D. Personal identification number (PIN)	A. Public key infrastructure (PKI)	B. Data Encryption Standard (DES)	C. Message authentication code (MAC)	D. Personal identification number (PIN)	a	PKI is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it, it is capable of verification, it is under the sole control of the person using it, and it is linked to data in such a manner that if data are changed, the digital signature is invalidated. PKI meets these tests. The Data Encryption Standard (DES) is the most common private key cryptographic system. DES does not address non-repudiation. A MAC is a cryptographic value calculated by passing an entire message through a cipher system. The sender attaches the MAC before transmission and the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not equal, this indicates that the message has been altered during transmission. It has nothing to do with non-repudiation. A PIN is a type of password, a secret number assigned to an individual that, in conjunction with some other means of identification, serves to verify the authenticity of the individual.	MOCKDISA	1,156	64	MOCKDISA
166. The BEST overall quantitative measure of the performance of biometric control devices is: A. false-rejection rate. B. false-acceptance rate. C. equal-error rate. D. estimated-error rate.	A. false-rejection rate	B. false-acceptance rate	C. equal-error rate	D. estimated-error rate	c	A low equal-error rate (EER) is a combination of a low false-rejection rate and a low false acceptance rate. EER, expressed as a percentage, is a measure of the number of times that the false-rejection and false-acceptance rates are equal. A low EER is the measure of the more effective biometrics control device. Low false-rejection rates or low false-acceptance rates alone do not measure the efficiency of the device. Estimated-error rate is non-existing and hence irrelevant.	MOCKDISA	1,157	45	MOCKDISA
167. Active radio frequency ID (RFID) tags are subject to which of the following exposures? A. Session hijacking B. Eavesdropping C. Malicious code D. Phishing	A. Session hijacking	B. Eavesdropping	C. Malicious code	D. Phishing	b	Like wireless devices, active RFID tags are subject to eavesdropping. They are by nature not subject to session hijacking, malicious code or phishing.	MOCKDISA	1,158	15	MOCKDISA
168. Which of the following is an example of the defense in-depth security principle? A. Using two firewalls of different vendors to consecutively check the incoming network traffic B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic C. Having no physical signs on the outside of a computer center building D. Using two firewalls in parallel to check different types of incoming traffic	A. Using two firewalls of different vendors to consecutively check the incoming network traffic	B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic	C. Having no physical signs on the outside of a computer center building	D. Using two firewalls in parallel to check different types of incoming traffic	b	Defense in-depth means using different security mechanisms that back up each other. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense. The firewalls are the same security mechanisms. By using two different products the probability of both products having the same vulnerabilities is diminished. Having no physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different than having a single firewall checking all traffic.	MOCKDISA	1,159	94	MOCKDISA
169. Which of the following exposures could be caused by a line grabbing technique? A. Unauthorized data access B. Excessive CPU cycle usage C. Lockout of terminal polling D. Multiplexor control dysfunction	A. Unauthorized data access	B. Excessive CPU cycle usage	C. Lockout of terminal polling	D. Multiplexor control dysfunction	a	Line grabbing will enable eavesdropping, thus allowing unauthorized data access. It will not necessarily cause multiplexor dysfunction, excessive CPU usage or lockout of terminal polling.	MOCKDISA	1,160	179	MOCKDISA
170. When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator? A. Read access to data B. Delete access to transaction data files C. Logged read/execute access to programs D. Update access to job control language/script files	A. Read access to data	B. Delete access to transaction data files	C. Logged read/execute access to programs	D. Update access to job control language/script files	b	Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as is logged access to programs and access to JCL to control job execution.	MOCKDISA	1,161	109	MOCKDISA
171. A certificate authority (CA) can delegate the processes of:	A. revocation and suspension of a subscriber's certificate	B. generation and distribution of the CA public key	C. establishing a link between the requesting entity and its public key	D. issuing and distributing subscriber certificates	c	Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. Revocation and suspension and issuance and distribution of the subscriber certificate are functions of the subscriber certificate life cycle management, which the CA must perform. Generation and distribution of the CA public key is a part of the CA key life cycle management process and, as such, cannot be delegated.	MOCKDISA	1,162	139	MOCKDISA
172. Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:	A. customer over the authenticity of the hosting organization	B. hosting organization over the authenticity of the customer	C. customer over the confidentiality of messages from the hosting organization	D. hosting organization over the confidentiality of messages passed to the customer	a	Any false site will not be able to encrypt using the private key of the real site, so the customer would not be able to decrypt the message using the public key. Many customers have access to the same public key so the host cannot use this mechanism to ensure the authenticity of the customer. The customer cannot be assured of the confidentiality of messages from the host as many people have access to the public key and can decrypt the messages from the host. The host cannot be assured of the confidentiality of messages sent out, as many people have access to the public key and can decrypt it.	MOCKDISA	1,163	14	MOCKDISA
173. Which of the following is a feature of an intrusion detection system (IDS)?	A. Gathering evidence on attack attempts	B. Identifying weaknesses in the policy definition	C. Blocking access to particular sites on the Internet	D. Preventing certain users from accessing specific servers	a	An IDS can gather evidence on intrusive activity such as an attack or penetration attempt. Identifying weaknesses in the policy definition is a limitation of an IDS. Choices C and D are features of firewalls, and choice B requires a manual review and, therefore, is outside the functionality of an IDS.	MOCKDISA	1,164	50	MOCKDISA
174. Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments?	A. The buyer is assured that neither the merchant nor any other party can misuse his/her credit card data	B. All personal SET certificates are stored securely in the buyer's computer	C. The buyer is liable for any transaction involving his/her personal SET certificates	D. The payment process is simplified, as the buyer is not required to enter a credit card number and an expiration date	c	The usual agreement between the credit card issuer and the cardholder stipulates that the cardholder assumes responsibility for any use of his/her personal SET certificates for ecommerce transactions. Depending upon the agreement between the merchant and the buyer's credit card issuer, the merchant will have access to the credit card number and expiration date. Secure data storage in the buyer's computer (local computer security) is not part of the SET standard. Although the buyer is not required to enter his/her credit card data, he/she will have to handle the wallet software.	MOCKDISA	1,165	145	MOCKDISA
175. An Internet-based attack using password sniffing can:	A. enable one party to act as if they are another party	B. cause modification to the contents of certain transactions	C. be used to gain access to systems containing proprietary information	D. result in major problems with billing systems and transaction processing agreements	c	Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. Spoofing attacks can be used to enable one party to act as if they are another party. Data modification attacks can be used to modify the contents of certain transactions. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.	MOCKDISA	1,166	63	MOCKDISA
176. Which of the following is the MOST important action in recovering from a cyberattack?	A. Creation of an incident response team	B. Use of cyberforensic investigators	C. Execution of a business continuity plan	D. Filing an insurance claim	c	The most important key step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should exist prior to a cyberattack. When a cyberattack is suspected, cyberforensics investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. After taking the above steps, an organization may have a residual risk that needs to be insured and claimed for traditional and electronic exposures.	MOCKDISA	1,167	49	MOCKDISA
177. An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with CO2, the other filled with halon. Which of the following should be given the HIGHEST priority in the auditor's report?	A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer	B. Both fire suppression systems present a risk of suffocation when used in a closed room	C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper)	D. The documentation binders should be removed from the equipment room to reduce potential risks	b	Protecting people's life should always be of highest priority in fire suppression activities. CO2 and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries installing or refilling halon fire suppression systems is not allowed. Although CO2 and halon are effective and appropriate for fires involving synthetic combustibles and electrical equipment, they are nearly totally ineffective on solid combustibles (wood and paper). Although not of highest priority, removal of the documentation would probably reduce some of the risks.	MOCKDISA	1,168	109	MOCKDISA
178. With the help of the security officer, granting access to data is the responsibility of:	A. data owners	B. programmers	C. system analysts	D. librarians	a	Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update).	MOCKDISA	1,169	7	MOCKDISA
179. Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?	A. Virtual private network	B. Dedicated line	C. Leased line	D. Integrated services digital network	a	The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small to medium-sized organizations.	MOCKDISA	1,170	1	MOCKDISA
180. Which of the following results in a denial-of-service attack?	A. Brute-force attack	B. Ping of death	C. Leapfrog attack	D. Negative acknowledgement (NAK) attack	b	The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. A brute-force attack is typically a text attack that exhausts all possible key combinations. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user id and password information obtained illicitly from one host to compromise another host. A negative acknowledgement attack is a penetration technique that Capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.	MOCKDISA	1,171	175	MOCKDISA
181. Which of the following is an advantage of elliptic curve encryption over RSA encryption?	A. Computation speed	B. Ability to support digital signatures	C. Simpler key distribution	D. Greater strength for a given key length	a	The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was developed by Diffie and Martin E. Hellman, who were the first to conceive of the concept of public key encryption. Both encryption methods support digital signatures, are used for public key encryption and distribution, and are of similar strength.	MOCKDISA	1,172	46	MOCKDISA
182. In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:	A. connectionless integrity	B. data origin authentication	C. antireplay service	D. confidentiality	d	Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality via encryption.	MOCKDISA	1,173	69	MOCKDISA
183. The security level of a private key system depends on the number of:	A. encryption key bits	B. messages sent	C. keys	D. channels used	a	The security level of a private key system depends on the number of encryption key bits. The larger the number of bits, the more difficult it would be to understand or determine the algorithm. The security of the message will depend on the encryption key bits used. More than keys by themselves, the algorithm and its complexity make the content more secured. Channels, which could be open or secure, are the mode for sending the message.	MOCKDISA	1,174	195	MOCKDISA
184. Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?	A. Statistical-based	B. Signature-based	C. Neural network	D. Host-based	a	A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may include, at times, unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of an IDS. Either of the three IDSs above may be host- or network-based.	MOCKDISA	1,175	6	MOCKDISA
185. Which of the following can consume valuable network bandwidth?	A. Trojan horses	B. Trapdoors	C. Worms	D. Vaccines	c	Worms are destructive programs that may destroy data or utilize tremendous computer and communication resources. Trojan horses can capture and transmit private information to the attacker's computer. Trapdoors are exits out of an authorized program. Vaccines are programs designed to detect computer viruses.	MOCKDISA	1,176	131	MOCKDISA
186. An accuracy measure for a biometric system is:	A. system response time	B. registration time	C. input file size	D. false-acceptance rate	d	For a biometric solution three main accuracy measures are used: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are performance measures.	MOCKDISA	1,177	6	MOCKDISA
187. Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?	A. Overwriting the tapes	B. Initializing the tape labels	C. Degaussing the tapes	D. Erasing the tapes	c	The best way to handle obsolete magnetic tapes is to degauss them. This action leaves a very low residue of magnetic induction, essentially erasing the data from the tapes. Overwriting or erasing the tapes may cause magnetic errors but would not remove the data completely. Initializing the tape labels would not remove the data that follows the label.	MOCKDISA	1,178	17	MOCKDISA
188. What is a risk associated with attempting to control physical access to sensitive areas, such as computer rooms, using card keys or locks?	A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.	B. The contingency plan for the organization cannot effectively test controlled access practices.	C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control.	D. Removing access for those who are no longer authorized is complex.	a	The concept of piggybacking compromises all physical control established. Choice B would be of minimal concern in a disaster recovery environment. Items in choice C are not easily duplicated. Regarding choice D, while technology is constantly changing, card keys have existed for some time and appear to be a viable option for the foreseeable future.	MOCKDISA	1,179	21	MOCKDISA
189. Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?	A. Customers are widely dispersed geographically, but the certificate authorities are not.	B. Customers can make their transactions from any computer or mobile device.	C. The certificate authority has several data processing sub centers to administer certificates.	D. The organization is the owner of the certificate authority.	d	If the certificate authority belongs to the same organization, this would generate a conflict of interest. That is, if a customer wanted to repudiate a transaction, he/she could allege that because of the shared interests an unlawful agreement exists between the parties generating the certificates. If a customer wanted to repudiate a transaction, he/she could argue that there exists a bribery between the parties to generate the certificates, as there exist shared interests. The other options are not weaknesses.	MOCKDISA	1,180	41	MOCKDISA
190. An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?	A. Digitalized signatures	B. Hashing	C. Parsing	D. Steganography	d	Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and it is widely applied in the design of programming languages or in data entry editing.	MOCKDISA	1,181	64	MOCKDISA
191. Which of the following cryptography options would increase overhead/cost?	A. The encryption is symmetric rather than asymmetric.	B. A long asymmetric encryption key is used.	C. The hash is encrypted rather than the message.	D. A secret key is used.	b	Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. An asymmetric algorithm requires more processing time than symmetric algorithms. A hash is shorter than the original message; hence, a smaller overhead is required if the hash is encrypted rather than the message. Use of a secret key, as a symmetric encryption key, is generally small and used for the purpose of encrypting user data.	MOCKDISA	1,182	159	MOCKDISA
192. To determine who has been given permission to use a particular system resource, the IS auditor should review?	A. Activity lists	B. Access control lists	C. Logon ID lists	D. Password lists	b	Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.	MOCKDISA	1,183	58	MOCKDISA
193. When using public key encryption to secure data being transmitted across a network:	A. both the key used to encrypt and decrypt the data are public.	B. the key used to encrypt is private, but the key used to decrypt the data is public.	C. the key used to encrypt is public, but the key used to decrypt the data is private.	D. both the key used to encrypt and decrypt the data are private.	c	Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.	MOCKDISA	1,184	152	MOCKDISA
194. When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?	A. Number of nonthreatening events identified as threatening	B. Attacks not being identified by the system	C. Reports/logs being produced by an automated tool	D. Legitimate traffic being blocked by the system	b	Attacks not being identified by the system present a higher risk, because they are unknown and no action will be taken to address the attack. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. Often IDS reports are first analyzed by an automated tool to eliminate known false-positives, which generally are not a problem, and an IDS does not block any traffic.	MOCKDISA	1,185	17	MOCKDISA
195. Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner's server?	A. The organization does not have control over encryption.	B. Messages are subjected to wire tapping	C. Data might not reach the intended recipient.	D. The communication may not be secure.	a	The SSL security protocol provides data encryption, server authentication, message integrity and optional client authentication. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on the SSL capabilities. SSL encrypts the datum while it is being transmitted over the Internet. The encryption is done in the background, without any interaction from the user, consequently there is no password to remember either. The other choices are incorrect. Since the communication between client and server is encrypted, the confidentiality of information is not affected by wire tapping. Since SSL does the client authentication, only the intended recipient will receive the decrypted data. All data sent over an encrypted SSL connection are protected with a mechanism to detect tampering, i.e., automatically determining whether data has been altered in transit.	MOCKDISA	1,186	158	MOCKDISA
196. The reliability of an application system's audit trail may be questionable if:	A. user IDs are recorded in the audit trail.	B. the security administrator has read-only rights to the audit file.	C. date and time stamps are recorded when an action occurs.	D. users can amend audit trail records when correcting system errors.	d	An audit trail is not effective if the details in it can be amended.	MOCKDISA	1,187	23	MOCKDISA
197. A malicious code that changes itself with each file it infects is called a:	A. logic bomb.	B. stealth virus.	C. Trojan horse.	D. polymorphic virus.	d	A polymorphic virus has the capability of changing its own code, enabling it to have many different variants. Since they have no consistent binary pattern, such viruses are hard to identify. A logic bomb is code that is hidden in a program or system which will cause something to happen when the user performs a certain action or when certain conditions are met. A logic bomb, which can be downloaded along with a corrupted shareware or freeware program, may destroy data, violate system security or erase the hard drive. A stealth virus is a virus that hides itself by intercepting disk access requests. When an antivirus program tries to read files or boot sectors to find the virus, the stealth virus feeds the antivirus program a clean image of the file or boot sector. A Trojan horse is a virus program that appears to be useful and harmless but which has harmful side effects such as destroying data or breaking the security of the system on which it is run.	MOCKDISA	1,188	132	MOCKDISA
198. An organization has a mix of access points that cannot be upgraded to stronger security and newer access points having advanced wireless security. The IS auditor recommends replacing the non-upgradeable access points. Which of the following would BEST justify the IS auditor's recommendation?	A. The new access points with stronger security are affordable.	B. The old access points are poorer in terms of performance.	C. The organization's security would be as strong as its weakest points.	D. The new access points are easier to manage.	c	The old access points should be discarded and replaced with products having strong security; otherwise, they will leave security holes open for attackers and thus make the entire network as weak as they are. Affordability is not the auditor's major concern. Performance is not as important as security in this situation. Product manageability is not the IS auditor's concern.	MOCKDISA	1,189	123	MOCKDISA
199. Who is principally responsible for periodically reviewing users' access to systems?	A. Computer operators	B. Security administrators	C. Data owners	D. IS auditors	c	The data owners, who are responsible for the use and reporting of information under their control, should provide written authorization for users to gain access to that information. The data owner should periodically review and evaluate authorized (granted) access to ensure these authorizations are still valid.	MOCKDISA	1,190	147	MOCKDISA
200. In the ISO/OSI model, which of the following protocols is the FIRST to establish security for the user application?	A. Session layer	B. Transport layer	C. Network layer	D. Presentation layer	a	The session layer provides functions that allow two applications to communicate across the network. The functions include security, recognition of names, logons and so on. The session layer is the first layer where security is established for user applications. The transportation layer provides transparent transfer of data between end points. The network layer controls the packet routing and switching within the network, as well as to any other network. The presentation layer provides common communication services, such as encryption, text compression and reformatting.	MOCKDISA	1,191	170	MOCKDISA
1. In ..........type of communication the router forwards the received packet through only one of its interfaces.	A. Announcement	B. multicasting	C. broadcasting	D. point to point / Unicast	d	A. Announcement is not the precise term that we normally use in networks. B. Multicasting is the term used to describe communication where a piece of information is sent from one or more points to a set of other points. C. Broadcasting is the term used to describe communication where a piece of information is sent from one point to all other points. D. Unicast is the term used to describe communication where a piece of information is sent from one point to another point.	MOCKDISA	1,192	13	MOCKDISA
2. Which of the following is not a networking device	A. Gateways	B. Linux	C. Routers	D. Bridges	b	A. Gateway is a network device B. Linux is an Operating System and not a network device. C. Router is a network device D. Bridge is a network device	MOCKDISA	1,193	54	MOCKDISA
3. What is the size of MAC address	A. 16 bits	B. 48 bits	C. 64 bits	D. 32 bits	b	A. This is not the correct size of MAC address. B. MAC addresses are 6-byte (48-bits) in length, and are written in MM:MM:MM:SS:SS format C. This is not the correct size of MAC address. D. This is not the correct size of MAC address.	MOCKDISA	1,194	204	MOCKDISA
4. Which of the following can be a software:	A. Routers	B. Switches	C. Bridges	D. Firewalls	d	A. Router is a network device and is a hardware B. Switch is a network device and is a hardware C. Bridge is a network device and is a hardware D. Firewall can be a hardware or software or combination of the two.	MOCKDISA	1,195	178	MOCKDISA
5. What is the use of PING command?	A. To test the reachability of a device on a network	B. To test hard disk fault	C. To test a bug in an application	D. To test printer quality	a	A. Ping command is used to test the reachability of a device on a network B. Ping command is not used to test hard disk fault. C. Ping command is not used to test a bug in the application D. Ping command is not used to test the printer quality.	MOCKDISA	1,196	122	MOCKDISA
6. Each IP packet must contain	A. Only Source address	B. Only Destination address	C. Source and Destination address	D. Source or Destination address	c	A. Each IP packet must contain Source and Destination Address; hence this is not a correct answer. B. Each IP packet must contain Source and Destination Address; hence this is not a correct answer. C. Each IP packet must contain Source and Destination Address D. Each IP packet must contain Source and Destination Address; hence this is not a correct answer.	MOCKDISA	1,197	14	MOCKDISA
7. Which of the following is correct regarding Class B Address of IP address	A. Network bit – 14, Host bit – 16	B. Network bit – 16, Host bit – 14	C. Network bit – 18, Host bit – 16	D. Network bit – 12, Host bit – 14	a	A. In Class B IP Addresses, First two network bits behave like higher significant bits hence, total usable bits from first two network octats would be(8 2 = 16) -2 = 14. And from Host bits both the octats are available fully. Hence, 8 2= 16. Hence this is the correct answer. B. This is not the correct for Class B IP Addresses C. This is not the correct for Class B IP Addresses D. This is not the correct for Class B IP Addresses	MOCKDISA	1,198	168	MOCKDISA
8. MAC Address is considered by ____ Layer for Node to Node Data Transmission in the form of Frames.	A. Transport Layer	B. Data Link Layer	C. Application Layer	D. Physical Layer	b	A. MAC Address is considered by Data Link Layer for Node to Node Data Transmission in the form of frames. At transport layer, ‘packets’ are the units of transportation. B. MAC Address is considered by Data Link Layer for Node to Node Data Transmission in the form of frames. C. MAC Address is considered by Data Link Layer for Node to Node Data Transmission in the form of frames. Application layer performs endpoint sending and receiving of data. D. MAC Address is considered by Data Link Layer for Node to Node Data Transmission in the form of frames. Physical layer performs actual transmission in the form of bits.	MOCKDISA	1,199	182	MOCKDISA
9. How many layers does TCP/IP model has?	A. 7	B. 4	C. 5	D. 6	c	A. OSI Model has 7 layers. B. TCP/IP has five layers. Hence this is not the correct answer. C. TCP/IP has five layers. – Application, Transport, Network, Data Link, Physical D. TCP/IP has five layers. Hence this is not the correct answer.	MOCKDISA	1,200	147	MOCKDISA
10. IPv4 Address is:	A. 32 bits	B. 64 bits	C. 128 bits	D. 8 bits	a	A. IPv4 is made up of four bytes. Hence 48 = 32 bits. B. IPv4 is made up of four bytes. Hence 48 = 32 bits. Hence, this is not a correct answer. C. IPv4 is made up of four bytes. Hence 48 = 32 bits. Hence, this is not a correct answer. D. IPv4 is made up of four bytes. Hence 48 = 32 bits. Hence, this is not a correct answer	MOCKDISA	1,201	170	MOCKDISA
11. Which of the following is NOT a cloud service model:	A. Infrastructure as a Service	B. Software as a Service	C. Platform as a Service	D. Protocol as a Service	d	A. Infrastructure as a Service is one of the cloud service model. B. Software as a Service is one of the cloud service model. C. Platform as a Service is one of the cloud service model. D. Protocol as a Service is not a cloud service model.	MOCKDISA	1,202	176	MOCKDISA
12. Which of the following is NOT a class of IP Address:	A. A	B. B	C. G	D. C	c	A. There are IP Address classes ranging from A to E. Hence, A is the valid IP Address class. B. There are IP Address classes ranging from A to E. Hence, B is the valid IP Address class. C. There are IP Address classes ranging from A to E. Hence, G is not a valid IP Address class. D. There are IP Address classes ranging from A to E. Hence, C is the valid IP Address class.	MOCKDISA	1,203	197	MOCKDISA
13. Which of the following is related to ‘Discovery of hidden patterns in the large data to find some valuable information’ :	A. Data Mining	B. Data Warehousing	C. Data Mart	D. Database	a	A. Data Mining refers to ‘Discovery of hidden patterns in the large data to find some valuable information’. B. Data Warehousing refers to central repositories of integrated data from one or more disparate sources. C. Data Mart is a subset of the data warehouse that is usually oriented to a specific business line or team. D. A database is a collection of information that is organized so that it can easily be accessed, managed, and updated.	MOCKDISA	1,204	92	MOCKDISA
14. Which of the following is NOT a measure of Green IT Initiative:	A. Unused servers should be consolidated	B. Endeavour to decrease carbon footprint	C. Preferring Air Travel over Road Travel to reduce the carbon level	D. Making use of e-mails rather than printing documents.	c	A. Consolidation of unused server reduces the energy consumption and optimizes the utilization of resources. Hence it is a measure of Green IT Initiative. B. Endeavour to decrease carbon footprint is a measure of Green IT Initiative. C. Preferring Air Travel over Road Travel to reduce the carbon level is not a Green IT Initiative. D. Making use of e-mails rather than printing documents saves environment hence a measure of Green IT Initiative.	MOCKDISA	1,205	17	MOCKDISA
15. Which of the following is NOT a Web 2.0 security concern:	A. Third Party content	B. Community based	C. Openness	D. Technology	d	A. Third Party content is a big Web 2.0 security concern. B. Community based web is a Web 2.0 security concern. C. Openness which affects the privacy and confidentiality aspect is a web 2.0 concern. D. Technology is an enabler of Web 2.0 and not a security concern.	MOCKDISA	1,206	87	MOCKDISA
16. Which of the following is a concern of BYOD:	A. Security Administration issues	B. Cost of the device	C. Network Bandwidth	D. Skill set of the employee	a	A. Security Administration issues are one of the major concerns of BYOD. B. Cost of the device is not a concern of BYOD. C. Network Bandwidth is not a concern of BYOD. D. Skill set of the employee, now a days is not a concern of BYOD.	MOCKDISA	1,207	31	MOCKDISA
17. Which of the following specific tag language is used for exchanging business reporting information?	A. XML	B. XBRL	C. Web 2.0	D. Business Exchange Language	b	A. XML (eXtensible Markup Language) is a tag language but is not specifically used for business reporting information. B. XBRL (eXtensible Business Reporting Language) is a specific tag language used for exchanging business reporting information. C. Web 2.0 is not a tag language. D. Business Exchange Language is not a term used to indicate any specific tag language.	MOCKDISA	1,208	109	MOCKDISA
18. Which of the following cloud service model indicates use of the service provider’s application/software on cloud infrastructure?	A. Software as a Service	B. Platform as a Service	C. Infrastructure as a Service	D. Cloud as a Service	a	A. In Software as a Service, one uses service provider’s application/software on cloud infrastructure. B. In Platform as a Service, one uses service provider’s basic computing infrastructure along with OS and Database Support. However, application software has to be managed by the user. C. In Infrastructure as a Service, cloud service provider provides with basic computing infrastructure only. D. Cloud as a Service is not a cloud service model.	MOCKDISA	1,209	77	MOCKDISA
19. ‘Google’ is the example of ______ Cloud.	A. Community Cloud	B. Private Cloud	C. Public Cloud	D. Personal Cloud	c	A. Google encompasses many aspects beyond just a Community Cloud. B. Google provides its services world-wide and hence not a Private Cloud. C. Google is the example of Public Cloud. D. Google provides its services world-wide and hence not a Private Cloud.	MOCKDISA	1,210	167	MOCKDISA
20. Which of the following is NOT the Risk involved in Outsourcing Services:	A. Privacy & Confidentiality	B. Complying with SLAs (Service Level Agreements)	C. Attrition of staff of Outsourcing company	D. Different platforms (Operating Systems) being used by the outsourcing service provider and the client.	d	A. Privacy & Confidentiality is the major risk with outsourcing services. B. Complying with SLAs (Service Level Agreements) is a risk with outsourcing services. C. Attrition of staff of outsourcing company can be a risk to its client. D. Use of different platforms, normally, doesn’t affect the deliverable agreed with the outsourcing company and hence, not a risk involved in outsourcing services.	MOCKDISA	1,211	150	MOCKDISA
21. Which of the following is not an Operating System?	A. Windows	B. Linux	C. Router	D. Android	c	A. Windows is an operating system. B. Linux is an operating system. C. Router is one of the network components and not an operating system. D. Android is an operating system.	MOCKDISA	1,212	19	MOCKDISA
22. Which of the following does connect CPU and other components on motherboard:	A. Fiber Optic Cable	B. BUS	C. Twisted Pair Cable	D. Registers	b	A. Fiber Optic Cable is a communication media that works outside the CPU and doesn’t connect CPU and other components on mother-board. B. BUS connects CPU and other components on mother board. C. Twisted Pair Cable is a communication media that works outside the CPU and doesn’t connect CPU and other components on mother-board. D. Registers are the memory locations owned by the CPU and doesn’t connect CPU and other components on mother-board.	MOCKDISA	1,213	78	MOCKDISA
23. Which of the following is NOT directly related to functioning of CPU:	A. Arithmetic and Logical unit	B. Control unit	C. Network Interface card	D. Registers	c	A. Arithmetic and logical unit is one of the parts of CPU hence directly related to the functioning of CPU. B. Control Unit is one of the parts of CPU hence directly related to the functioning of CPU. C. Network Interface Card is not directly related to the functioning of CPU. It is used to connect system to the network. D. Registers are one of the parts of CPU hence directly related to the functioning of CPU.	MOCKDISA	1,214	155	MOCKDISA
24. Which of the following memory doesn’t exist physically but is created as per the need basis by sharing the secondary memory?	A. Random Access Memory	B. Non-volatile Memory	C. Virtual Memory	D. Cache Memory	c	A. Random Access Memory exists physically and is not shared from secondary memory. B. Non-volatile memory refers to the secondary memory and it exists physically. C. Virtual Memory doesn’t exist physically but created as per the need basis by sharing the secondary memory to support the RAM. D. Cache Memory exists physically and is used to store frequently used data.	MOCKDISA	1,215	65	MOCKDISA
25. Which of the following options is NOT an Internal (primary) memory:	A. Random Access Memory	B. Read Only Memory	C. Cache Memory	D. Virtual Memory	d	A. Random Access Memory is a part of internal (primary) memory. B. Read Only Memory is a part of internal (primary) memory. C. Cache Memory is a part of internal (primary) memory. D. Virtual Memory is not a part of internal (primary) memory, however it’s virtually created to support internal memory.	MOCKDISA	1,216	78	MOCKDISA
26. Which of the following is correct hierarchy of below data units / terms	1. Character	2. Record	3. Field	4. Database	d	A. Database contains Files, File contains records, Record contains fields, Field contains characters. Hence, this is not a correct option. B. Database contains Files, File contains records, Record contains fields, Field contains characters. Hence, this is a correct option. C. Database contains Files, File contains records, Record contains fields, Field contains characters. Hence, this is not a correct option. D. Database contains Files, File contains records, Record contains fields, Field contains characters. Hence, this is not a correct optio	MOCKDISA	1,217	54	MOCKDISA
27. Which of the following database model explains the relationship among entities in the form of tables and relationships among the tables:	A. Network Model	B. Hierarchy Model	C. Table Model	D. Relational Model	d	A. Network Model doesn’t explain relationship in the form of tables. B. Hierarchy Model doesn’t explain relationship in the form of tables. C. There is no database model called table model. D. Relational model explains the relationship among entities in the form of tables and relationships among the tables.	MOCKDISA	1,218	184	MOCKDISA
28. If a magnet with strong magnetic field comes in physical contact with below data storage devices; data on which of the following devices may get scrambled?	A. Hard Drive (Hard Disk)	B. Audio CD	C. Video CD	D. DVD	a	A. Hard Drive (Hard Disk) is a magnetic device hence if a magnet with strong magnetic field comes in physical contact; its data may get scrambled. B. Audio CD is an optical device hence not affected by a magnet. C. Video CD is an optical device hence not affected by a magnet. D. DVD is an optical device hence not affected by a magnet.	MOCKDISA	1,219	125	MOCKDISA
29. The Primary job of the operating system is	A. Manage Commands	B. Manage Users	C. Manage Programs	D. Manage Resources	d	A. Managing command is not the primary job of operating system. B. Managing Users is not the primary job of operating system. C. Managing Programs us not the primary job of operating system. D. Managing Resources is the primary job of operating system.	MOCKDISA	1,220	57	MOCKDISA
30. Virtual Memory is	A. Extremely Large Main memory	B. Extremely Large Secondary memory	C. An illusion of extremely large main memory	D. An illusion of extremely large secondary memory	c	A. Virtual Memory is not extremely large main memory. B. Virtual Memory is also not an extremely large secondary memory. C. Virtual Memory is an illusion of extremely large main memory. D. Virtual Memory is not an illusion of extremely large secondary memory.	MOCKDISA	1,221	20	MOCKDISA
31. Which of the following does NOT belong to any type of database languages grouped under Structured Query Language (SQL):	A. Data Definition Language	B. Data Modification Language	C. Data Control Language	D. Data Manipulation Language	b	A. Data Definition Language (DDL) belongs to a type of database languages grouped under Structured Query Language (SQL). B. Data Modification Language doesn’t belong to a type of database languages grouped under Structured Query Language (SQL). C. Data Control Language (DCL) belongs to a type of database languages grouped under Structured Query Language (SQL). D. Data Manipulation Language (DML) belongs to a type of database languages grouped under Structured Query Language (SQL).	MOCKDISA	1,222	181	MOCKDISA
32. What should be the FIRST step while OS upgrading?	A. Delete old Operating System	B. Backup old Operating System	C. Backup Critical Data	D. Format Hard Disks	c	A. While upgrading OS, firstly critical data should be backed up hence this is not a correct option. B. While upgrading OS, firstly critical data should be backed up hence this is not a correct option. C. While upgrading OS, firstly critical data should be backed up hence this is a correct option. D. While upgrading OS, firstly critical data should be backed up hence this is not a correct option.	MOCKDISA	1,223	17	MOCKDISA
33. Which of the following is correct option arranging memories from highest speed to the lowest: 1. Primary Memory 2. Cache Memory 3. Secondary Memory 4. Registers	A. 4- 3- 2- 1	B. 2- 3- 4- 1	C. 4- 2- 1- 3	D. 4- 1- 2- 3	d	A. The Register is the memory having highest speed followed by primary memory, then cache memory and at last secondary memory hence this is not the correct option. B. The Register is the memory having highest speed followed by primary memory, then cache memory and at last secondary memory hence this is not the correct option. C. The Register is the memory having highest speed followed by primary memory, then cache memory and at last secondary memory hence this is not the correct option. D. The Register is the memory having highest speed followed by primary memory, then cache memory and at last secondary memory hence this is the correct option.	MOCKDISA	1,224	50	MOCKDISA
34. For which of the following applications would rapid recovery be MOST crucial?	A. Corporate planning	B. Regulatory reporting	C. Departmental Reporting	D. Banking Website	d	A. Recovery of corporate planning is important but not as crucial as banking website. B. Recovery of regulatory reporting is important but not as crucial as banking website. C. Recovery of departmental reporting is important but not as crucial as banking website. D. Rapid recovery of Banking Website is the MOST crucial.	MOCKDISA	1,225	152	MOCKDISA
35. Response Time in Hardware Asset Management refers to:	A. Length of time between submission of transaction and first character of output.	B. Length of time for submission of the job and receipt of completed output	C. Length of time between the requisitions to buy the asset is raised and the asset is received.	D. Length of time required to repair the hardware.	a	A. Response time in hardware asset management refers to Length of time between submission of transaction and first character of output. B. Length of time for submission of the job and receipt of completed output is called throughput time. C. Length of time between the requisitions to buy the asset is raised and the asset is received is not referred to by response time. D. Length of time required to repair the hardware is not referred to by response time.	MOCKDISA	1,226	161	MOCKDISA
36. Following is an Example of System Software:	A. Tally ERP 9	B. Microsoft Word	C. Easytax – Tax Return Preparation Software	D. Android	d	A. Tally ERP 9 is an example of application software. B. Microsoft Word is an example of application software. C. Easytax – Tax Return Preparation Software is an example of application software. D. Android is an example of system software.	MOCKDISA	1,227	78	MOCKDISA
37. Which of the following is an example of End Point Device:	A. Switch	B. Router	C. Smart Phone	D. Gateway	c	A. Switch is an example of intermediate network device. It’s not an end point device. B. Router is an example of intermediate network device. It’s not an end point device. C. Smart Phone is an example of end point device. D. Gateway is an example of intermediate network device. It’s not an end point device.	MOCKDISA	1,228	27	MOCKDISA
38. Organizing fields and tables in a database so as to minimize redundancy and maximize efficiency is specifically called:	A. Simplification of Database	B. Normalization of Database	C. Updation of Database	D. Maintenance of Database	b	A. ‘Simplification’ is not the proper term that is used to indicate ‘Organizing fields and tables in a database so as to minimize redundancy and maximize efficiency’. B. Normalization refers to organizing fields and tables in a database so as to minimize redundancy and maximize efficiency. C. ‘Updation’ is not the proper term that is used to indicate ‘Organizing fields and tables in a database so as to minimize redundancy and maximize efficiency’. D. ‘Maintenance’ is not the proper term that is used to indicate ‘Organizing fields and tables in a database so as to minimize redundancy and maximize efficiency’.	MOCKDISA	1,229	3	MOCKDISA
39. Which of the following is NOT the function of Database Administrator:	A. Designing the schema of Database	B. Tuning the database for changing use needs.	C. Maintaining availability and ensuring integrity of databases	D. Deciding about the policy matter related to data	d	A. Designing the schema of Database is a function of Database Administrator. B. Tuning the database for changing use needs is a function of Database Administrator. C. Maintaining availability and ensuring integrity of databases is a function of database administrator. D. Deciding about the policy matter related to data is a function of Data Administrator and not of Database administrator.	MOCKDISA	1,230	75	MOCKDISA
40. Which of the following memory is called a bridge between CPU and Main Memory:	A. Registers	B. Cache Memory	C. Virtual Memory	D. Secondary Memory	b	A. Registers are the part of CPU and is not a bridge between CPU and Main Memory. B. Cache Memory is called a bridge between CPU and Main Memory. C. Virtual Memory is not a bridge between CPU and Main Memory. D. Secondary Memory is not a bridge between CPU and Main Memory.	MOCKDISA	1,231	136	MOCKDISA
41. While performing cyber forensic investigation, the IS auditor is MOST concerned with	A. Analysis of Audit Evidence	B. Confidentiality of Audit Evidence	C. Preservation of Audit Evidence	D. Evaluation of Audit Evidence	c	A. Analysis of Evidence is important but not as crucial as preservation of audit evidence. B. Confidentiality of Evidence is important but not as crucial as preservation of audit evidence. C. Preservation of Audit Evidence is the most important and crucial part of cyber forensic investigation hence the biggest concern for an IS Auditor. D. Evaluation of Evidence is important but not as crucial as preservation of audit evidence.	MOCKDISA	1,232	140	MOCKDISA
42. An IS auditor auditing a co-operative bank observed that a clerk was performing the function of a Manager (Branch Operations). He should:	A. Conclude that the Internal Controls are inadequate	B. Conclude that the segregation of duty is not performed	C. Suspend the Audit	D. Expand the scope to perform substantive testing to see the implication of clerk’s actions	d	A. Direct conclusion, without verifying further evidences is not proper. B. Direct conclusion, without verifying further evidences is not proper. C. Suspension of the Audit is without any base and reason. D. Expansion of scope in search of more corroborative and compelling evidences to see the implication of clerk’s is the correct course of action.	MOCKDISA	1,233	183	MOCKDISA
43. During an exit interview, one of the audit committee members doesn’t agree with the impact of a finding concluded by the IS auditor. An IS auditor should:	A. Ask the audit committee member to accept the full responsibility of impact in writing	B. Agree with the audit committee member as he is the part of senior management	C. Explain the significance of finding and risk of not correcting the same	D. Suspend the assignment and walkout	c	A. Acceptance of full responsibility by the audit committee member will not preclude the auditor from his responsibilities. This is not a proper course of action. B. Agreement with committee member because he is part of senior management is not justified on the part of auditor and is not a proper course of action. C. Explaining the significance of finding and risk of not correcting the same is proper course of action. D. Suspension of audit and walking out due to non agreement of a finding with senior management is not the prudent practice on the part of auditor.	MOCKDISA	1,234	73	MOCKDISA
44. Which of the following is the BEST segregation of duty to ensure that unauthorized data entry or data modification cannot take place:	A. Separate computer operator from DBA (Database Administrator)	B. Separate application programmer from DBA	C. Separate Test programmers from application programmers	D. Separate quality assurance personnel from DBA	a	A. Data Entry and Data Modification is normally undertaken by the computer operator and it happens in the database which is handled by the DBA. Hence, this option indicates the BEST segregation of duty. B. Separating the application programmer from DBA doesn’t ensure unauthorized data entry and data modification. C. Separating Test programmers from application programmers doesn’t ensure unauthorized data entry and data modification. D. Separating QA personnel from DBA doesn’t ensure unauthorized data entry and data modification.	MOCKDISA	1,235	159	MOCKDISA
45. Two personnel simultaneously accessing and refilling cash in the ATM machine of a bank is the BEST example of:	A. Dual Access	B. Dual Control	C. Supervisory Control	D. Maker Checker Control	b	A. In Dual Access, two persons simultaneously open the ATM Machine but responsibility of cash deposit is on one of the persons only. B. Two personnel simultaneously accessing and refilling cash in the ATM machine of a bank is the BEST example of Dual Control. C. Supervisory Control doesn’t suit the given scenario hence not the correct answer. D. Maker Checker Control doesn’t suit the given scenario hence not the correct answer.	MOCKDISA	1,236	65	MOCKDISA
46. __________ is a set of methodologies that transform raw data into meaningful and useful information for business purpose.	A. Data analysis	B. CAAT Tools	C. Artificial Intelligence	D. Business Intelligence	d	A. Data Analysis is not the precise term that is used for the given question. B. CAAT Tools are the tools to perform many functions over and above transforming raw data into meaningful and useful information for business purpose. C. Artificial Intelligence is not related to the matter given in the question. D. Business Intelligence is a set of methodologies that transform raw data into meaningful and useful information for business purpose.	MOCKDISA	1,237	72	MOCKDISA
47. Which of the following is the BEST example of Compliance Testing?	A. Verification of user access controls	B. Vouching of transaction with supporting evidences	C. Re-performance of interest calculation on a sample of bank FD accounts	D. Verification of accuracy of purchase of transaction for a given period	a	A. Verification of user access control is the BEST example of Compliance Testing. B. Vouching of transaction with supporting evidences is the example of Substantive Testing. C. Re-performance of interest calculation on a sample of bank FD accounts is the example of Substantive Testing. D. Verification of accuracy of purchase of transaction for a given period is the example of Substantive Testing.	MOCKDISA	1,238	120	MOCKDISA
48. ___________ is an end-to-end evaluation of a control to see that if operated as designed, it can effectively mitigate the risk to an acceptable level.	A. Audit Trail	B. Structured Walkthrough	C. Analytical Review procedures	D. Observation	b	A. Audit Trail covers the trace of the transaction right from beginning to the end. B. Structured Walkthrough is an end-to-end evaluation of a control to see that if operated as designed, it can effectively mitigate the risk to an acceptable level. C. Analytical Review Procedures are part of Substantive procedures and doesn’t precisely indicate the given scenario. D. Observation doesn’t indicate precisely, the given scenario.	MOCKDISA	1,239	139	MOCKDISA
49. While carrying out an IS audit, the auditor was informed that the system he is auditing is attacked by an intruder. Which of the following is the BIGGEST concern of the auditor?	A. Rebooting of the system	B. Disconnecting the system from internet	C. Senior management was not informed about the attack immediately after the event	D. Backup routine was not run for past seven days	a	A. Rebooting, if done without confirming the preservation of the required evidence can have a serious impact on investigation hence the BIGGEST concern for IS Auditor. B. Disconnecting the system from internet is not the concern of the auditor. C. Not informing senior management about the attack, immediately after the event is not the BIGGEST concern for the auditor. D. Non running of backup routine is a concern but not as big as rebooting of the system.	MOCKDISA	1,240	64	MOCKDISA
50. An IS Auditor observed that the client has outsourced its Accounting process to an outsourcing firm. Which of the following is the BIGGEST concern for the IS auditor?	A. ‘Right to audit’ is not reserved in the agreement	B. Client and the outsourcing firm are operated on different platforms and OS	C. There is a minor discrepancy in drafting the SLA (Service Level Agreement)	D. The outsourcing firm is in a different country	a	A. ‘Right to audit’ is very important aspect of control when it comes to outsourcing of any process of an organization. Hence, if it is not reserved in agreement, is a BIGGEST concern for the IS auditor. B. Client and the outsourcing firm operated on different platforms and OS is not the concern for IS auditor. C. There is a minor discrepancy in drafting the SLA (Service Level Agreement) is not a BIGGEST concern for IS auditor. D. Outsourcing firm in a different company is not a BIGGEST concern for IS auditor.	MOCKDISA	1,241	108	MOCKDISA
51. Before issuing the final IS audit report, the IS auditor should discuss the finding (draft report) with management staff so as:	A. To get approval for issuance of final IS audit report	B. To see that nothing is left auditing from the decided scope	C. To gain agreement on the finding	D. To decide the format of the final IS audit report	c	A. IS auditor is not required to take approval on the findings. B. To see that nothing is left from the decided scope is the responsibility of the auditor himself. C. IS auditor should discuss the finding (draft report) with management staff to gain agreement on the finding thereby avoiding any misunderstanding and confusion. D. Format of the final IS audit report should be such that the decided scope and achievement of objective of the audit can be conveyed in the best manner. For that there is no need to discuss draft report with management.	MOCKDISA	1,242	98	MOCKDISA
52. Which of the following is NOT undertaken during an exit interview?	A. Decision regarding material findings to be included in Audit Report	B. Ensuring that the facts presented in the report are correct	C. Ensuring that the recommendations are realistic and cost effective.	D. Recommending implementation dates for agreed on recommendations	a	A. Decision regarding material findings to be included in Audit Report depends on the professional judgment of IS Auditor. It is not to be undertaken in exit interview. B. Ensuring that the facts presented in the report are correct is undertaken in exit interview. C. Ensuring that the recommendations are realistic and cost effective is undertaken in exit interview. D. Recommending implementation dates for agreed on recommendations is undertaken in exit interview.	MOCKDISA	1,243	84	MOCKDISA
53. Which of the following sampling type is used when the auditor wants to prevent excessive sampling by stopping the audit test at earliest possible moment?	A. Discovery sampling	B. Attribute sampling	C. Stop-or-go sampling	D. Judgemental sampling	c	A. Discovery sampling is a method of sampling to assess whether the percentage error is not in excess of a specified percentage of the population. B. Attribute Sampling allows the auditor to estimate the proportion of population items containing a specified characteristic. C. Stop-or-go sampling is used when the auditor wants to prevent excessive sampling by stopping the audit test at earliest possible moment. D. Judgmental sampling is a type of nonrandom sampling that is selected based on the opinion/intuition of an expert.	MOCKDISA	1,244	198	MOCKDISA
54. In Control Self Assessment (CSA), the role of the IS auditor is:	A. To conduct the audit on his own	B. To conduct the assessment of his own work	C. To setup evaluation criteria for assessment of controls	D. To facilitate the management in carrying out assessment of controls.	d	A. In Control Self Assessment (CSA), various controls are evaluated by the employees of client organization only. B. In Control Self Assessment (CSA), role of the auditor is that of the facilitator. There is no question of evaluation of his own work. C. In Control Self Assessment (CSA), evaluation criteria is also set by the responsible persons of client organization. D. In Control Self Assessment (CSA), the IS auditor facilitates the management in carrying out assessment of controls.	MOCKDISA	1,245	102	MOCKDISA
55. Which of the following does a lack of adequate internal control represent?	A. A vulnerability	B. A threat	C. An impact	D. An asset	a	A. Vulnerability refers to the weakness contained by the system which can be exploited by the threat to create risk. B. Threat represents a lack of adequate internal control. C. Impact is the out-come if the risk gets exploited. D. Asset is not represented by a lack of adequate internal control.	MOCKDISA	1,246	183	MOCKDISA
56. What is the MAJOR benefit of preferring control self assessment(CSA) over traditional audit?	A. It requires less audit resources	B. It doesn’t require formal audit report	C. It detects risk sooner	D. Auditing standards are not required to be followed	c	A. Audit Resources required for performing a particular evaluation process is the same no matter it is conducted by IS Auditor (Traditional Audit) or by personnel of the organization (CSA). B. Non requirement of Formal Audit Report is not the benefit of preferring CSA over traditional audit. C. Control Self Assessment takes place at the regular interval by the personnel who belong to the organization only. Hence, it detects risk sooner. D. Non compliance of Auditing Standards is not the benefit of preferring CSA over traditional audit.	MOCKDISA	1,247	138	MOCKDISA
57. An IS auditor wants to verify the number of instances where system changes were not appropriately approved. Which of the following sampling method should an IS auditor use to draw the conclusion?	A. Judgemental sampling	B. Stop-or-go sampling	C. Variable sampling	D. Attribute sampling	d	A. Judgmental sampling is a type of nonrandom sampling that is selected based on the opinion/intuition of an expert. B. Stop-or-go sampling is used when the auditor wants to prevent excessive sampling by stopping the audit test at earliest possible moment. C. Variable sampling is used in case of Substantive audit procedures. D. To see whether all the systems changes were approved or not is the compliance test. For compliance test attribute sampling is used. Attribute Sampling allows the auditor to estimate the proportion of population items containing a specified characteristic.	MOCKDISA	1,248	197	MOCKDISA
58. While auditing the firewall system, it was noticed by the IS auditor that it was installed by his associate firm. What should an IS auditor do FIRST?	A. Disclose the fact to the client	B. Suspend the audit	C. Take steps to restore the level of independence	D. Put a note in audit report	a	A. Disclosing the fact to the client is the FIRST step the IS auditor should take when he notices that the firewall, he was auditing, is installed by his associate firm. B. There is no need to suspend the audit in this issue. C. No restoration is feasible once the firewall is already installed. However, the management should be informed about the fact. D. Putting a note in audit report will not be an effective action.	MOCKDISA	1,249	103	MOCKDISA
59. A client is proposing to implement a newer version of mail management system. Which of the following tasks IS auditor can perform without affecting his independence?	A. Recommend the vendor who can provide the BEST mail management system	B. Supporting the client in designing of various controls for the new system	C. Review the penetration test results to opine on the effectiveness of the controls	D. Offering his own customized mail management system	c	A. Recommending the vendor who can provide the BEST mail management system will compromising his independence. B. Supporting the client in designing of various controls for the new system will compromise his independence. C. Review of penetration test results to opine on the effectiveness of the controls can be performed without affecting the effectiveness of the control. D. Offering his own customized mail management system will definitely compromise his independence.	MOCKDISA	1,250	25	MOCKDISA
60. An IS auditor is testing the user access matrix of the large financial company for which he has selected a sample from current employee list provided by the client. Which of the following evidence is MOST reliable to support such testing?	A. A list of user accounts with access rights which is generated from the system	B. HR level documents signed by the respective departmental heads	C. An excel sheet provided by the system administrator	D. Observation of the users while they are accessing the system in the presence of system administrator	a	A. A list of user accounts with access rights generated from the system is most reliable evidence for testing user access matrix. B. HR level documents signed by the respective departmental heads may not reflect actual access rights. C. An excel sheet provided by the system administrator may not be up-to-date or accurate. D. Observation of the users while they are accessing the system is not a comprehensive method for verifying access rights.	MOCKDISA	1,251	180	MOCKDISA
61. Which of the following type of risk is directly attributable to the actions and decisions of IS Auditor?	A. Detection Risk	B. Inherent Risk	C. Control Risk	D. Administrative Risk	a	A. Detection Risk is directly attributable to the actions and decisions of IS Auditor B. Inherent Risk refers to the auditor's assessment of the likelihood that there are material misstatements due to error or fraud in segment before considering the effectiveness of internal control C. Control Risk refers to the risk that a misstatement could occur but may not be detected and corrected or prevented by entity's internal control mechanism D. Administrative Risk is not the risk directly attributable to the actions or decisions of IS Auditor	MOCKDISA	1,252	34	MOCKDISA
62. In planning the IS Audit, the MOST important thing is to decide:	A. Significant Risk Areas	B. Remuneration for the audit	C. Qualification of audit staff	D. Time available for audit	a	A. In planning the IS Audit, the MOST important thing is to decide Significant Risk Areas B. Remuneration for the audit is not as important as deciding significant risk areas C. Qualification of audit staff is not as important as deciding significant risk areas D. Time available for audit is not as important as deciding significant risk areas	MOCKDISA	1,253	155	MOCKDISA
63. Which of the following statement is correct for IS Auditor with reference to the Materiality:	A. Lower the level of materiality, lower is the audit risk that an IS auditor is willing to take.	B. Higher the level of materiality, higher is the audit risk that an IS auditor is willing to take.	C. Higher the level of materiality, lower is the audit risk that an IS auditor is willing to take.	D. None of the Above	c	A. Level of materiality and level of audit risk is inversely related hence this option is not correct B. Level of materiality and level of audit risk is inversely related hence this option is not correct C. Level of materiality and level of audit risk is inversely related hence this is the correct option D. This is not the correct option as option c is the correct option	MOCKDISA	1,254	130	MOCKDISA
64. Which of the following type of IS control, an Antivirus Software represents?	A. Preventive Control	B. Detective Control	C. Corrective Control	D. All of the above	d	A. An antivirus software represents all types of controls hence only preventive control is not the proper option to select B. An antivirus software represents all types of controls hence only detective control is not the proper option to select C. An antivirus software represents all types of controls hence only corrective control is not the proper option to select D. An antivirus software represents all types of controls hence this is the best option to select	MOCKDISA	1,255	133	MOCKDISA
65. Which of the following is NOT provided by the Audit Charter?	A. Authority and scope of audit function	B. Audit Materiality	C. Mandate for performing audit function	D. Roles and Responsibility of audit function	b	A. Authority and scope of audit function is provided by the Audit Charter B. Audit Materiality is not provided by audit charter C. Mandate for performing audit function is provided by the Audit Charter D. Roles and Responsibility of audit function is provided by the Audit Charter	MOCKDISA	1,256	173	MOCKDISA
66. ‘Insurance Coverage’ falls under which type of a specific risk mitigation strategy:	A. Risk Avoidance	B. Risk Acceptance	C. Risk Transfer	D. Risk Reduction	c	A. When insurance coverage is taken, risk is transferred to the third party hence this is not the correct option to choose from B. When insurance coverage is taken, risk is transferred to the third party hence this is not the correct option to choose from C. When insurance coverage is taken, risk is transferred to the third party hence Risk transfer is the correct option D. When insurance coverage is taken, risk is transferred to the third party hence this is not the correct option to choose from	MOCKDISA	1,257	31	MOCKDISA
67. Enterprise governance, being the entire accountability framework of the organisation, lays most emphasis on which dimension?	A. Performance.	B. Conformance.	C. Governance.	D. Management.	a	A. Enterprise governance is the entire accountability framework of the organisation with the twin dimensions of conformance and performance of processes, with more emphasis on performance. B. Being enterprise governance’s more emphasis on performance, conformance is less suitable option. C. Being enterprise governance’s more emphasis on performance, governance is less suitable option. D. Being enterprise governance’s more emphasis on performance, management is less suitable option	MOCKDISA	1,258	173	MOCKDISA
68. Corporate Governance’s effective implementation is dependent on all except ________	A. The right people.	B. The right place.	C. The right time.	D. The right decisions.	b	A. Corporate Governance’s effective implementation is dependent on the right people. B. Corporate Governance’s effective implementation is not dependent on the right place. C. Corporate Governance’s effective implementation is dependent on the right time. D. Corporate Governance’s effective implementation is dependent on the right decisions	MOCKDISA	1,259	98	MOCKDISA
69. Which perspective of ‘The Balanced Score Card’ will allow the managers to determine how well the business is performing and whether their products meet customer requirements?	A. The Financial Perspective.	B. The Customer Perspective.	C. The Internal Business Process Perspective.	D. The Learning & Growth Perspective.	c	A. The Financial Perspective suggests financial data on risk assessment and costs versus benefits. B. The Customer Perspective will indicate the extent of customer satisfaction with the products/services supplied. C. The Internal Business Process Perspective will allow the managers to determine how well the business is performing and whether their products meet customer requirements. D. The Learning & Growth Perspective creates a culture that support organisational change, employees training, corporate cultural attitudes, growth and innovation.	MOCKDISA	1,260	47	MOCKDISA
70. Which of the following is a part of information security governance?	A. Confidentiality.	B. Authenticity.	C. Accountability.	D. Reliability.	a	A. Confidentiality is a part of information security governance. B. Authenticity is not involved in information security governance. C. Accountability is not involved in information security governance. D. Reliability is not involved in information security governance.	MOCKDISA	1,261	195	MOCKDISA
71. Enterprise Architecture involves documenting the organisation’s IT assets in a systematic and structured method to promote all except ________.	A. Information Systems.	B. Management.	C. Planning.	D. Understanding IT investments.	a	A. Enterprise Architecture does not promote information systems. B. Enterprise Architecture involves documenting the organisation’s IT assets in a systematic and structured method to promote management from a technology and business perspective. C. Enterprise Architecture involves documenting the organisation’s IT assets in a systematic and structured method to promote planning from a technology and business perspective. D. Enterprise Architecture involves documenting the organisation’s IT assets in a systematic and structured method to promote understanding of IT investments from a technology and business perspective.	MOCKDISA	1,262	37	MOCKDISA
72. Which is the process of selecting and implementing measures to reduce risk?	A. Risk Appetite.	B. Risk Treatment.	C. Risk Management.	D. Risk Assessment.	b	A. Risk Appetite is the extent to which management is willing to take risks. B. Risk Treatment is the process of selecting and implementing measures to reduce risk. C. Coordinating activities in order to direct and control an organisation with respect to risk comprising, risk assessment and risk treatment is Risk Management. D. Risk Assessment is the process of risk analysis and evaluation.	MOCKDISA	1,263	21	MOCKDISA
73. Which is not an advantage of forming the IS Steering Committee?	A. Establishes user focus in IS.	B. Promotes user ownership of systems.	C. User representation.	D. Decentralization of authority.	d	A. Establishing user focus in IS is an advantage of forming the IS Steering Committee. B. Promotion of user ownership of systems is an advantage of forming the IS Steering Committee. C. User representation is an advantage of forming the IS Steering Committee. D. Decentralization of authority is never an advantage of forming the IS Steering Committee.	MOCKDISA	1,264	74	MOCKDISA
74. Which is most dynamic amongst the below options since it must reflect the regular changes in business focus and environment?	A. Guidelines.	B. Standards.	C. Procedures.	D. Policies.	c	A. Guidelines are not as dynamic as procedures are. B. Standards are not as dynamic as procedures are. C. Procedures are more dynamic than the parent policy since they must reflect the regular changes in business focus and environment. Hence they must be frequently reviewed and updated. D. Policies are not as dynamic as procedures are.	MOCKDISA	1,265	145	MOCKDISA
75. Which is the process of providing a part or all of an organization’s IS functions to multiple firms for a fee as well as an agreed service level?	A. Out-tasking.	B. Outsourcing.	C. Co-sourcing.	D. Multiple sourcing.	b	A. Out-tasking provides a part or all of an organization’s IS functions to multiple firms for a fee as well as an agreed service level. B. Outsourcing differs in a way that IS functions are transferred to a third party. C. In Co-sourcing, client is responsible for the management of outsourced activities while the vendor provides consultancy services and experienced personnel when needed. D. Multiple sourcing is not any type of sourcing in sourcing process.	MOCKDISA	1,266	83	MOCKDISA
76. Which persons are responsible for designing application systems based on user specifications, resulting in the development of functional specifications and other high level systems design documents?	A. Application Systems Programmers.	B. Application Systems Analysts.	C. Application Systems Development Manager.	D. Application Systems Officer.	b	A. Application Systems Programmers develops new application systems and maintain the existing production systems. B. Application Systems Analysts are responsible for designing application systems based on user specifications, resulting in the development of functional specifications and other high level systems design documents. C. Application Systems Development Manager oversee the work of application systems analysts and application programmers who design, develop and maintain new or existing application programs. D. Application Systems Officer does not form part of IS Department.	MOCKDISA	1,267	171	MOCKDISA
77. An IS auditor discovers that several IT based projects were implemented that were not approved by the steering committee. What is the greatest concern for the IS Auditor	A. IT projects will not be adequately funded	B. IT projects are not following the SDLC process	C. IT projects are not consistently formally approved	D. The IT department may not be working towards a common goal of the organization	d	A. This is a concern but not as big as the risk of lack of goal orientation of the organization as a whole B. This is a concern but not as big as the risk of lack of goal orientation of the organization as a whole C. This is a concern but not as big as the risk of lack of goal orientation of the organization as a whole D. If several projects are not approved by the IT Steering committee then IT department may not be working towards a common goal of the organization	MOCKDISA	1,268	83	MOCKDISA
78. Which of the following situation is mainly addressed by a Software Escrow Agreement:	A. Vendor of the Software goes out of business	B. IS auditor’s requirement to access the code written by the organization	C. User’s requirement of re-installing the application software in his PC	D. Organization’s requirement to have offsite backup of source code	a	A. Software escrow agreement addresses the situation that if the vendor of software goes out of business then the trusted third party who is entrusted with the possession of code can be called upon to get the copies of originally written code B. Software escrow agreement doesn’t mainly addresses the given requirement C. Software escrow agreement doesn’t mainly addresses the given requirement D. Software escrow agreement doesn’t mainly addresses the given requirement	MOCKDISA	1,269	3	MOCKDISA
79. Organization’s DRP head has entered into a reciprocal agreement as one of the strategy of Disaster Recovery Planning. Which of the following risk treatment approach does it indicate?	A. Risk Transfer	B. Risk Avoidance	C. Risk Mitigation	D. Risk Acceptance	c	A. Risk Transfer refers to the transfer of one’s risk to a third party by paying appropriate risk premium. Reciprocal Agreement refers to an agreement between two organizations (or two internal business groups) with basically the same equipment/same environment that allows each one to recover at each other's site. B. Risk avoidance refers to avoiding those actions or events that may lead to risk C. Reciprocal Agreement refers to an agreement between two organizations (or two internal business groups) with basically the same equipment/same environment that allows each one to recover at each other's site. This is a strategy of Risk Mitigation D. Risk acceptance is a good and necessary part of all risk management. It is preferable to accept risks temporarily once it is clear they cannot be resolved for a period of time.	MOCKDISA	1,270	71	MOCKDISA
80. An IS auditor, performing review of and organization’s governance model, is MOST concerned about:	A. The organization doesn’t have malware protection policy	B. Organization’s information security policy is not periodically reviewed by senior management or the dedicated committee constituted by the board	C. A policy that the Systems must remain up-to-date by installing the latest available patch is not implemented	D. All the members of the board do not have a copy of Information Security Policy.	b	A. Not having a malware protection policy is a concern but not as serious as non consideration by the senior management B. An IS auditor, performing review of and organization’s governance model, is MOST concerned that the organization’s information security policy is not periodically reviewed by senior management or the dedicated committee constituted by the board C. System should be remained up-to-date by installing the latest patch however non maintenance of the same is not as big concern as non consideration by the senior management D. All the members of the board do not have a copy of Information Security Policy – is a trivial concern compared to the periodic review by senior management	MOCKDISA	1,271	53	MOCKDISA
81. Effective IT governance ensures that the IT plan is consistent with the Organization’s:	A. Audit Plan	B. Business Plan	C. Investment Plan	D. Insurance Plan	b	A. IT plan has to be consistent with organization’s business plan hence this is not the correct choice B. Effective IT governance ensures that the IT plan is consistent with the Organization’s Business Plan C. IT plan has to be consistent with organization’s business plan hence this is not the correct choice D. IT plan has to be consistent with organization’s business plan hence this is not the correct choice	MOCKDISA	1,272	12	MOCKDISA
82. IT governance is the primary responsibility of:	A. Board of Directors (BODs)	B. CEO	C. IT Steering Committee	D. IT Security Officer	a	A. IT governance is the primary responsibility of Board of Directors (BODs) B. IT governance is the primary responsibility of Board of Directors (BODs) hence this is not the correct choice C. IT governance is the primary responsibility of Board of Directors (BODs) hence this is not the correct choice D. IT governance is the primary responsibility of Board of Directors (BODs) hence this is not the correct choice	MOCKDISA	1,273	45	MOCKDISA
83. An IS Auditor is reviewing the recently concluded recruitment process of an organization. Which of the following should be considered the BEST assurance mechanism to ensure the integrity aspect?	A. References given in the resume	B. Qualification listed in the resume	C. References	D. Background Screening	d	A. References given in the resumes don’t give best assurance about the integrity of the proposed employee B. Qualification listed in the resume don’t give assurance about integrity aspect C. References don’t give best assurance about the integrity of the proposed employees D. Background screening is the best choice to ensure the integrity aspect of recruitment process	MOCKDISA	1,274	169	MOCKDISA
84. To support an organization’s goal, the IT department should have:	E. Long and short range plans	F. Philosophy of Cost effectiveness	G. Latest Technology	H. Hardware Acquisition Plan	a	A. To support organization’s goal, the IT department should have primarily long and short range plans B. Philosophy of cost effectiveness is important but primarily to have proper plans is more important C. Latest Technology is important but primarily to have proper plans is more important D. Hardware Acquisition Plan is important but primarily to have proper plans is more important	MOCKDISA	1,275	191	MOCKDISA
85. Which of the following is considered to be MOST important while evaluating organization’s IT Strategy by an IS Auditor:	A. IT Strategy complies with hardware procurement procedures	B. IT strategy supports business objectives	C. IT Strategy is within the budget limits as specified by senior management	D. IT Strategy is approved by the CEO	b	A. Hardware procurement procedures should comply with IT Strategy. However, supporting business objective is most important B. While evaluating organization’s IT Strategy it is most important to see that it supports business objectives C. To have IT strategy within the budget limit as specified by senior management is important but supporting business objective is most important D. IT Strategy should be approved by top management which may or may not involve only CEO. However, supporting business objective is most important	MOCKDISA	1,276	23	MOCKDISA
86. To ensure whether organization is complying with the privacy requirements, IS auditor should FIRST review:	A. Organizational policies	B. Organizational standards and procedures	C. Legal and Regulatory requirements	D. IT Infrastructure	c	A. The auditor may review organizational policies but first of all, legal and regulatory requirements should be reviewed B. The auditor may review organizational standards and procedures but first of all, legal and regulatory requirements should be reviewed C. To ensure whether organization is complying with the privacy requirements, IS auditor should FIRST review Legal and Regulatory requirements D. The auditor may review IT infrastructure but first of all, legal and regulatory requirements should be reviewed	MOCKDISA	1,277	145	MOCKDISA
87. An IS auditor reviewing the role of IT Steering Committee is MOST concerned when IT Steering Committee:	A. Is responsible to determine business goals	B. Is responsible for project approval	C. Is responsible for long term IT plan	D. Is responsible for reporting of the IT Project status to senior management	a	A. Role of the IT Steering committee is to approve the project, making long term IT plan, reporting of IT project status to senior management etc. Hence, if it is made responsible to determine business goals, it is the biggest concern for IS Auditor B. Role of the IT Steering committee is to approve the project, making long term IT plan, reporting of IT project status to senior management etc. Hence, this is not a concern for IS Auditor C. Role of the IT Steering committee is to approve the project, making long term IT plan, reporting of IT project status to senior management etc. Hence, this is not a concern for IS Auditor D. Role of the IT Steering committee is to approve the project, making long term IT plan, reporting of IT project status to senior management etc. Hence, this is not a concern for IS Auditor	MOCKDISA	1,278	127	MOCKDISA
88. Assessment of IT Risk is BEST achieved by:	A. Use of historic loss exposure data to assess the current scenario	B. Evaluation of associated threats and vulnerabilities	C. Review of Risk Management in previous year audit reports	D. Review of public evaluation reports about the organization’s risks	b	A. Use of historic loss exposure data to assess the current scenario may not give proper risk assessment in the correct perspective B. Evaluation of associated threats and vulnerabilities gives the best assessment of IT risk C. Review of Risk Management in previous year audit reports may give an idea about the IT risk but it will not be all exhaustive as per the current threats and vulnerabilities D. Review of public evaluation reports about the organization’s risks may be useful in IT risk assessment but cannot be solely relied upon	MOCKDISA	1,279	204	MOCKDISA
89. A top-down approach in development of operational policies ensures:	A. They are reviewed periodically by top management	B. They adhere to the IT Security policy	C. They are consistent across the organization	D. Departmental requirements are considered first.	c	A. The essence of Top down approach is that organizational goals are always kept in consideration while carrying out any process from top node to bottom node. Periodic review by top management is not primarily ensured by the said approach B. The essence of Top down approach is that organizational goals are always kept in consideration while carrying out any process from top node to bottom node. Adherence to IT security policy is not primarily ensured by the said approach C. The essence of Top down approach is that organizational goals are always kept in consideration while carrying out any process from top node to bottom node. Hence it is consistent across the organization D. The essence of Top down approach is that organizational goals are always kept in consideration while carrying out any process from top node to bottom node. Departmental requirements are not considered first. Organizational requirements are considered first in top-down approach	MOCKDISA	1,280	158	MOCKDISA
90. Which of the following is the MOST important element for successful implementation of IT Governance:	A. Performing Risk Assessment	B. Implementing IT balanced Scorecard	C. Identifying organizational strategies	D. Developing a good IT Security Policy	c	A. For successful implementation of IT Governance the most important thing is to identify organizational strategies. Risk Assessment is performed subsequently B. For successful implementation of IT Governance the most important thing is to identify organizational strategies. IT balanced scorecard comes at a later point in time C. For successful implementation of IT Governance the most important thing is to identify organizational strategies. D. Mere development of a good IT security policy doesn’t guarantee for successful implementation of IT Governance	MOCKDISA	1,281	92	MOCKDISA
91. Which of the following tool an IS auditor should recommend that helps BEST in achieving IT and business alignment:	A. IT Balanced Scorecard	B. Control Self Assessment	C. Business Process Reengineering	D. Business Impact Analysis	a	A. IT Balanced Scorecard helps best in achieving IT and business alignment. Hence, this should be recommended by an IS auditor B. Control self assessment (CSA) is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes. It doesn’t help primarily in aligning IT and business C. Business Process Reengineering (BPR) is the analysis and redesign of workflows within and between enterprises in order to optimize end-to-end processes and automate non-value-added tasks. It doesn’t help primarily in aligning IT and business D. Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to criticalbusiness operations as a result of a disaster, accident or emergency. It doesn’t help primarily in aligning IT and business	MOCKDISA	1,282	85	MOCKDISA
92. The primary control purpose of job rotations and allowing vacations is to:	A. Facilitate Cross-training	B. Boost employee morale	C. Provide competitive employee benefit	D. Detect improper or illegal employee acts	d	A. Cross training is one of the outputs of job rotation however is not the primary purpose of doing so B. Boosting employee morale is not the purpose of job rotation and allowing vacations C. Provide competitive employee benefit is not the purpose of job rotation and allowing vacations D. Detect improper or illegal employee acts is the primary purpose of job rotation and allowing vacations	MOCKDISA	1,283	201	MOCKDISA
93. ‘Rerun Procedure’ and ‘Hash Totals’ respectively are example of ________ control and ________ control.	A. Corrective, Detective.	B. Corrective, Preventive.	C. Detective, Preventive.	D. Detective, Corrective.	a	A. Rerun Procedure is an example of corrective control as it is designed to correct an error when it is detected. Hash Totals is an example of detective control as it is designed to detect errors and malicious acts. B. Rerun Procedure and Hash Totals are examples of corrective and detective controls respectively. C. Rerun Procedure and Hash Totals are examples of corrective and detective controls respectively. D. Rerun Procedure and Hash Totals are examples of corrective and detective controls respectively.	MOCKDISA	1,284	51	MOCKDISA
94. Power supply from external sources such as a grid and generators are subject to many quality problems. All of the following cleanse the incoming power supply and deliver clean power fit for the equipments except ________.	A. Surge Protectors.	B. Spike Busters.	C. Sag Cleanser.	D. Line Conditioners.	c	A. Surge protectors cleanse the incoming power supply and deliver clean power fit for the equipment. B. Spike Busters cleanse the incoming power supply and deliver clean power fit for the equipment. C. Sag Cleanser cannot function to cleanse the incoming power supply. D. Line Conditioners cleanse the incoming power supply and deliver clean power fit for the equipment.	MOCKDISA	1,285	193	MOCKDISA
95. Which controls are protection mechanisms that limit users’ access to data to what is appropriate for them?	A. Physical Access Controls.	B. Network Security Controls.	C. Application Controls.	D. Logical Access Controls.	d	A. Physical Access Controls restrict physical access to resources and protect them from intentional and unintentional loss or impairment. B. Network Security Controls is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network. C. Application Controls safeguard assets, maintain data integrity and achieve organisational goals effectively and efficiently. D. Logical Access Controls are protection mechanisms that limit users’ access to data to what is appropriate for them.	MOCKDISA	1,286	162	MOCKDISA
96. Which is the appropriate example of Rounding Down Technique?	A. Turning Rs. 1008.02 to Rs. 1008.00.	B. Turning Rs. 1008.02 to Rs. 1008.10.	C. Turning Rs. 1008.02 to Rs. 1008.50.	D. Turning Rs. 1008.02 to Rs. 1008.05.	a	A. In Rounding Down Technique, the perpetrator rounds down the amounts in various transactions down to the nearest desired decimal place. In above example, the closest downward decimal place to Rs. 1008.02 is 1008.00. B. Rounding Down Technique does not round the amounts upwards from Rs. 1008.02 to Rs. 1008.10. C. Rounding Down Technique does not round the amounts upwards from Rs. 1008.02 to Rs. 1008.50. D. Rounding Down Technique does not round the amounts upwards from Rs. 1008.02 to Rs. 1008.05.	MOCKDISA	1,287	118	MOCKDISA
97. Which malicious code is attached to a host program and propagates when an intended program is executed?	A. Worms.	B. Viruses.	C. Trojan Horses.	D. Logic Bombs.	b	A. Worms are malicious programs that attack a network by moving from device to device and create undesirable traffic. B. Viruses are malicious codes are attached to a host program and propagate when an intended program is executed. C. Trojan Horses are malicious codes which hide inside a host program that does something useful. D. Logic Bombs are legitimate programs to which malicious code is added.	MOCKDISA	1,288	163	MOCKDISA
98. Which malicious code is difficult to detect because they hide themselves from antivirus software by altering their appearance after each infection?	A. Polymorphic Viruses.	B. Stealth Viruses.	C. Macro Viruses.	D. Trojan Horses.	a	A. Polymorphic Viruses are malicious codes which are difficult to detect because they hide themselves from antivirus software by altering their appearance after each infection B. Stealth Viruses attempt to hide their presence from both the operating system and the antivirus software by encrypting themselves. C. Macro Viruses infects an application and causes a sequence of actions to be performed automatically when the application is started or event triggers. D. Trojan Horses are malicious codes which hide inside a host program that does something useful.	MOCKDISA	1,289	40	MOCKDISA
99. Which malicious code tracks the internet activities of the user usually for the purpose of sending targeted advertisements?	A. Stealth Viruses.	B. Polymorphic Viruses.	C. Adware and Spyware.	D. Macro Viruses.	c	A. Stealth Viruses attempt to hide their presence from both the operating system and the antivirus software by encrypting themselves. B. Polymorphic Viruses hide themselves from antivirus software by altering their appearance after each infection. C. Adware and Spyware are malicious codes which tracks the internet activities of the user usually for the purpose of sending targeted advertisements D. Macro Viruses infects an application and causes a sequence of actions to be performed automatically when the application is started or event triggers.	MOCKDISA	1,290	132	MOCKDISA
100. If an intruder is able to bypass the network parameter security controls, which is the last barrier to be conquered for unlimited access to all the resources?	A. Application System.	B. Network System.	C. Logical Access System.	D. Operating System.	d	A. Application system is not the last barrier to be conquered for unlimited access to all the resources. B. Network System is not the last barrier to be conquered for unlimited access to all the resources. C. Logical Access System is not the last barrier to be conquered for unlimited access to all the resources. D. Operating system provides the platform for an application to use various IS resources and perform a specific business function. If an intruder is able to bypass the network parameter security controls, operating system is the last barrier to be conquered for unlimited access to all the resource	MOCKDISA	1,291	86	MOCKDISA
101. What ensures that a particular session can only be initiated from a particular location or computer terminal?	A. Automated terminal identification.	B. User identification and authentication.	C. Terminal log-on procedures.	D. Password management system.	a	A. Automated terminal identification ensures that a particular session can only be initiated from a particular location or computer terminal. B. User identification and authentication ensures users must be identified and authenticated in a foolproof manner. C. Terminal log-on procedures prevents misuse by an intruder. D. Password management system enforces the use of strong passwords.	MOCKDISA	1,292	59	MOCKDISA
102. Which are the programs that help to manage critical functions of the operating system?	A. Clock Synchronization.	B. System Utility.	C. Event Logging.	D. Enforced Path.	b	A. Clock Synchronization synchronizes clock time to maintain event logs across the enterprise. B. System Utilities are the programs that help to manage critical functions of the operating system. C. Event logging does recording all the 'happenings' of local files on the system and it includes accessing, deleting, adding a file or an application, modifying the system's date, shuting down the system, changing the system configuration, etc. D. An enforced path takes a user from their workstation to the services that they are authorised to use without risk of accessing, either by mistake or design, other services which they are not authorised to use.	MOCKDISA	1,293	183	MOCKDISA
103. Which mechanism of database control checks the destination of output obtained through authorized access?	A. Auditing.	B. Covert Channels.	C. Flow Controls.	D. Inference Controls.	c	A. Auditing reports security-related events in a structured format such as system journals, audit trails and system logs. B. Covert Channels ensures DBMS does not have concealed channels. C. Flow Controls checks the destination of output obtained through authorized access. D. Inference Controls ensures DBMS assigns classification to aggregate information.	MOCKDISA	1,294	175	MOCKDISA
104. Which mechanism of database control allows the database to have multiple instances of objects, each having their own classification level?	A. Polyinstantiation.	B. Flow Controls.	C. Covert Channels.	D. Inference Controls.	a	A. Polyinstantiation allows the database to have multiple instances of objects, each having their own classification level. B. Flow Controls checks the destination of output obtained through authorized access. C. Covert Channels ensures DBMS does not have concealed channels. D. Inference Controls ensures DBMS assigns classification to aggregate information.	MOCKDISA	1,295	166	MOCKDISA
105. Which mechanism of database control ensures DBMS provides a way to assign classifications to aggregate information?	A. No back doors.	B. Flow Controls.	C. Covert Channels.	D. Inference Controls.	d	A. No back doors ensures access to data be made available only via the DBMS. B. Flow Controls checks the destination of output obtained through authorized access. C. Covert Channels ensures DBMS does not have concealed channels. D. Inference Controls ensures DBMS provides a way to assign classifications to aggregate information.	MOCKDISA	1,296	164	MOCKDISA
106. In which accounting audit trail, data can be traced from its source to the items it affects?	A. External Label.	B. Implosion Operation.	C. Internal Label.	D. Explosion Operation.	b	A. External Label labels on the storage devices that assist users by providing information about database name, creation, transaction file, back up information, etc. B. In Implosion Operation, data can be traced from its source to the items it affects. C. Internal Label identifies a table, file or a database by the application program access. D. Explosion Operation reconstructs the sequence of events that have occurred in a data item in the database definition or the database.	MOCKDISA	1,297	57	MOCKDISA
107. In which accounting audit trail, the sequence of events that have occurred in a data item in the database definition or the database can be reconstructed?	A. Explosion Operation.	B. External Label.	C. Implosion Operation.	D. Internal Label.	a	A. In Explosion Operation, the sequence of events that have occurred in a data item in the database definition or the database can be reconstructed. B. External Label labels on the storage devices that assist users by providing information about database name, creation, transaction file, back up information, etc. C. In Implosion Operation, data can be traced from its source to the items it affects. D. Internal Label identify a table, file or a database by the application program access.	MOCKDISA	1,298	130	MOCKDISA
108. What works on the principles of tables and relations and allows rules of integrity and access to be specified?	A. Pluggable Authentication Modules.	B. Data Dependent Access Control.	C. Granularity of Access Control.	D. Relational Database.	d	A. Pluggable Authentication Module framework provides system administrators with the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. B. Data Dependent Access Control is an access-control decision based on the data contained in the records. C. Granularity of Access Control is access control that can be imposed at various degrees of granularity in a system. D. Relational Database works on the principles of tables and relations and allows rules of integrity and access to be specified.	MOCKDISA	1,299	89	MOCKDISA
109. What refers to gathering discrete bits of information from various sources and then putting them together to make a coherent whole?	A. Social Engineering.	B. Port Scan.	C. Reconnaissance.	D. Impersonation.	c	A. Social Engineering involves using social skills and personal interaction to get someone to reveal security-relevant information and even actions that can lead to an attack. B. Port Scan is an easy way to gather network information to use a port scanner, a program that, for a particular IP address, reports which ports respond to messages and which of the several known vulnerabilities are present. C. Reconnaissance refers to gathering discrete bits of information from various sources and then putting them together to make a coherent whole. D. Impersonation is a way to obtain information about a network by impersonating another person or process.	MOCKDISA	1,300	127	MOCKDISA
110. Which vulnerability is based on the thinking that not always only the message is sensitive but the fact that it exists is also sensitive?	A. Exposure.	B. Man-in-the-Middle Attack.	C. Traffic Analysis.	D. Session Hijacking.	c	A. Exposure is exposing content of a message in temporary buffers that build, format and present the message. B. In Man-in-the-Middle Attack, one entity intrudes between two others. C. Traffic Analysis is based on the thinking that not always only the message is sensitive but the fact that it exists is also sensitive. D. Session Hijacking is intercepting and carrying on a session begun by another entity.	MOCKDISA	1,301	181	MOCKDISA
111. Which is an ICMP protocol which requests a destination to return a reply, intended to show that the destination system is reachable and functioning?	A. Ping.	B. Traffic Redirection.	C. Connection Flooding.	D. DNS Attacks.	a	A. Ping is an ICMP protocol which requests a destination to return a reply, intended to show that the destination system is reachable and functioning. B. Traffic Redirection happens when router forwards traffic on its way through intermediate networks between a source host’s network and destination’s network. C. Connection Flooding happens when an attacker sends more data than what a communication system can handle. D. DNS Attacks are the attacks that convert domain names into network addresses.	MOCKDISA	1,302	48	MOCKDISA
112. Which two network security controls are similar in a way that both support authentication and confidentiality and also designed to be independent of specific cryptographic protocols?	A. SSL Encryption and IPSec.	B. SSL Encryption and Public Key Infrastructure.	C. Public Key Infrastructure and IPSec.	D. Public Key Infrastructure and Link Encryption.	a	A. IP Sec is similar to SSL, in that it supports authentication and confidentiality in a way that does not necessitate significant change either above applications or below TCP protocols. Like SSL, it was designed to be independent of specific cryptographic protocols and to allow the two communicating parties to agree on a mutually supported set of protocols. B. Incorrect pair of network security control for the specified situation. C. Incorrect pair of network security control for the specified situation. D. Incorrect pair of network security control for the specified situation.	MOCKDISA	1,303	172	MOCKDISA
113. Which of the following does give BEST protection against SQL Injection attacks in a website:	A. Avoid queries to the Database	B. Get the approval of DBA before firing a query	C. Input validations exist within the Web Application	D. SQL interface should not be allotted to the end user	c	A. Avoiding queries to the database will not solve the problem B. Every time getting approval of DBA before firing a query will not solve the problem C. Input validations within the web application can give the best protection against SQL injection attacks D. Normally SQL interface in not directly allotted to the end user. It is routed through a good and validated User Interface	MOCKDISA	1,304	59	MOCKDISA
114. Which of the following is the BEST defense against the introduction of Trojan Horse software in an organization?	A. Anti-virus System	B. Intrusion Detection System	C. Firewall	D. Password protected screen saver	a	A. Trojan Horse is a kind of a malicious computer program which can be best prevented by anti-virus system B. Intrusion Detection System is not the best defense for preventing malicious compute program. An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station C. Firewall cannot prevent malicious computer programs D. Password protected screen saver cannot prevent malicious computer program	MOCKDISA	1,305	14	MOCKDISA
115. Which of the following is the BEST mechanism for minimizing unauthorized access to unattended user computers?	A. CCTV Camera surveillance system	B. Auto termination of sessions	C. Switching off the monitor	D. Use of Password protected screen saver	d	A. CCTV camera surveillance system will not minimize or prevent unauthorized access to unattended user computers B. Auto termination of sessions is a mechanism to prevent unauthorized access but will be ineffective until session is terminated and nonetheless user computer will always allowed to be access physically C. Switching off the monitor will not prevent/minimize unauthorized access to unattended user computers D. Use of password protected screen saver is the best mechanism to minimize unauthorized access to unattended user computers	MOCKDISA	1,306	78	MOCKDISA
116. Which of the following is the BEST mechanism for minimizing unauthorized access to Network Administrator’s Account?	A. Two Factor Authentication	B. Automatic password expiration	C. Password change alert every week	D. Password complexity rules	a	A. Two factor authentication is a technique wherein identification and authentication of the user takes place with two factors: One based on what user has and other based on what user knows. Hence that is the BEST mechanism for minimizing unauthorized access to network administrator’s account B. Automatic password expiration is not the best mechanism for minimizing unauthorized access to network administrator’s account C. Password change alert every week is not the best mechanism for minimizing unauthorized access to network administrator’s account D. Password complexity rules are good mechanism but not as good as two factor authentication	MOCKDISA	1,307	140	MOCKDISA
117. An organization is currently planning to implement a new ERP Solution and wants its users to have access to the various system reports on a ‘need to know’ basis. Which of the following access control method BEST suits this requirement?	A. Discretionary Access Control	B. Role based Access Control	C. Mandatory Access Control	D. Single Sign On Access Control	b	A. Discretionary Access Control is a mechanism where a superior allocate the powers to use system to the subordinates depending on the user requirements however role based access control is a more precise choice B. Role based access controls is the best method to suit the requirement of access control based on ‘need to know’ basis C. Mandatory access control doesn’t particularly support the requirements of ‘need to know’ D. Single Sign On Access Control doesn’t particularly support the requirements of ‘need to know’	MOCKDISA	1,308	27	MOCKDISA
118. An employee of an organization received a digital book reader as a gift and connected the same to his work PC to transfer e-books. The primary risk that this scenario introduces is that:	A. The digital book reader may be incompatible with the user’s PC	B. The employee may bring inappropriate books in the office	C. The digital book reader could be infected with virus	D. The digital book reader storage media could be used to steal corporate data	c	A. Incompatibility of digital book reader with user’s pc is not a primary risk B. The employee may bring inappropriate books in the office is a risk but not a primary one C. Digital book reader could be infected with virus and the same may affect the network of the organization – this is the primary risk of the given scenario D. The digital book reader storage media could be used to steal corporate data is a risk but not a primary one	MOCKDISA	1,309	69	MOCKDISA
119. A senior IT manager of the company has been terminated. The organization removed all his access to the company’s resources. Yet, the IT manager is threatening the organization to disrupt the company’s system if he is not paid a large sum of money. Which of the following could have been used by the IT manager to disrupt the Company’s system:	A. Logic Bomb Attack	B. Virus Infection	C. Worm Infection	D. DOS Attack	a	A. A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. This could have been used by the IT manager to disrupt the Company’s System B. Prospective virus infection is normally not possible if the access to all the resources is taken away. C. Prospective worm infection is normally not possible if the access to all the resources is taken away. D. Denial of Service attack may be possible if the system is connected to internet but logic bomb attack is a more serious threat	MOCKDISA	1,310	107	MOCKDISA
120. A company offers free Wi-Fi to all its guests whomsoever visit the company premises by authenticating them through a generic user id and password which was allotted at the reception desk. Which of the following control BEST suits this situation?	A. Change of password of wireless network on weekly basis	B. Installation of Firewall between wireless public network and company network	C. Installation of Intrusion Detection System (IDS) within wireless public network	D. Physical segregation of public wireless network from the company network	d	A. Change of password of wireless network on weekly basis will not prevent the threat B. Installation of firewall between both the networks is a good solution but separate physical network is the most safe one C. Installation of IDS will not prevent the threat. D. Physical segregation of public wireless network from the company network is the best suitable control in the given situation	MOCKDISA	1,311	197	MOCKDISA
121. Which of the following tests simulates a real attack where penetration tester as well as the target both are not having any information of each other:	A. Blind Testing	B. Double Blind Testing	C. Targeted Testing	D. External Testing	b	A. In blind testing the tester is not having the information about the target but the target does have the information about the tester B. In Double blind test tester as well as target is not having any information about each other C. In targeted testing tester is having exhaustive information about the target but target doesn’t have the information about the tester D. External testing has got no concern with blinding effect	MOCKDISA	1,312	133	MOCKDISA
122. During the review of IDS logs, an IS auditor notices that some of the traffic coming from Internet appear to have originated from Internal IP address of the Company’s Server. Which of the following activities precisely indicate such type of attack?	A. IP Spoofing	B. DOS Attack	C. Social Engineering Attack	D. Network Equipment Failure	a	A. IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network. In current scenario IDS observes traffic from internet which appears to have IP address originated from company’s server hence it’s a IP spoofing attack B. DOS attack refers to a attack where a machine or network resource is made unavailable to its intended users hence this is not the correct choice looking to the given scenario C. Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Hence this is not the correct choice looking to the given scenario D. Network Equipment Failure is not the correct choice looking to the given scenario	MOCKDISA	1,313	152	MOCKDISA
123. An IS Auditor wants to know that who has been given permission to use a particular system resource. He can BEST verify the same from:	A. Observation	B. Login ID - Password List	C. Access Control List	D. Activity List	c	A. Observation can be a method for verification of the authorization but access control list is a stronger evidence B. Login ID - Password List can’t be used to verify the required information C. Access Control list is the best method to verify the permissions given to particular system resources D. Activity list can’t be used to verify the required information	MOCKDISA	1,314	107	MOCKDISA
124. An IS auditor, while performing logical access controls review, observed that there are some shared user accounts. The BIGGEST risk resulting from this situation is that:	A. Unauthorized person gaining access through the shared ID	B. User Access Management becomes complex	C. Passwords cannot be decided unanimously	D. User accountability may not be established	d	A. Using shared user accounts those who have shared the account can gain entry into the system but this is not the biggest risk B. Complexity of User Access Management is not the risk C. Undecided unanimous password is not the risk D. User Accountability may not be established – is the biggest risk if shared user accounts exist	MOCKDISA	1,315	98	MOCKDISA
125. Which of the following conditions satisfies the requirements of a two-factor user authentication?	A. Ratina Scan + Fingerprint Scan	B. Smart Card + PIN	C. User ID + Password	D. System Resource ID + GPS	b	A. Two factor authentication is a technique wherein identification and authentication of the user takes place with two factors: One based on what user has and other based on what user knows. Ratina scan and finger print scan both belong to the first factor hence not the correct choice B. Smart Card and PIN satisfies both the conditions as stated in choice a) above hence the correct choice C. Two factor authentication talks only about authentication. User ID is used for identification purpose hence only password will lead to single factor authentication only hence not the correct choice D. System Resource ID and GPS doesn’t satisfy any factor of authentication hence not the correct choice	MOCKDISA	1,316	64	MOCKDISA
126. Which of the following is the responsibility of the owner of the Information Asset:	A. Implementation of Security policy within application system	B. Implementation of Access Rules to data and programs	C. Assignment of criticality levels to data	D. Arrange for Physical and Logical security for data	c	A. Implementation of security policy within application system is the ultimate responsibility of project sponsor B. Implementation of access rules to data and program is the responsibility of database administrator C. Assignment of criticality levels to data is the responsibility of owner of the information asset D. Arrangement for physical and logical security for data is the responsibility of Chief Security Officer	MOCKDISA	1,317	159	MOCKDISA
127. During System administration procedures, following should be given ‘Read-Only’ access:	A. Security Log Files	B. Access Control Lists	C. Logging Options	D. User Profiles	a	A. Security log files are very important evidence which is useful to detect any unusual behavior or event hence it should be given ‘Read-Only’ access only. B. Access Control list requires modification from time to time hence can’t be given Read-Only access C. Logging options require modification from time to time hence can’t be given read-Only access D. User profiles require modification from time to time hence can’t be given read-Only access	MOCKDISA	1,318	120	MOCKDISA
128. A cracker could obtain passwords without the use of computer tools or programs through the technique of:	A. Phishing	B. Trojan Horse	C. Social Engineering	D. Back Doors	c	A. In phishing some program or tool is required to obtain password B. In Trojan horsesome program or tool is required to obtain password C. In Social Engineering a cracker could obtain passwords without the use of computer tools or programs D. In Back Doors some program or tool is required to obtain password	MOCKDISA	1,319	58	MOCKDISA
129. Which of the following is the technique used in Digital Rights Management to protect Intellectual Property Rights?	A. Hashing	B. Digital Signature	C. Piggybacking	D. Steganography	d	A. Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. However it is not used in digital rights management to protect IPR B. A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. However it is not used in digital rights management to protect IPR C. Piggybacking is a situation when an authorized person allows (intentionally or unintentionally) others to pass through a secure door. However it is not used in digital rights management to protect IPR D. Steganography is the art of covered or hidden writing. The purpose of steganography is covert communication-to hide the existence of a message from a third party. This technique used in Digital Rights Management to protect Intellectual Property Rights	MOCKDISA	1,320	52	MOCKDISA
130. Which of the following is an example of a passive attack initiated through the Internet?	A. Traffic Analysis	B. Email Spoofing	C. DOS Attack	D. Masquerading	a	A. A passive attack is a network attack in which a system is monitored and sometimes scanned for open ports and vulnerabilities. The purpose is solely to gain information about the target and no data is changed on the target. Traffic Analysis represents the attack B. Email spoofing is the creation of email messages with a forged sender address. However, traffic analysis represents passive attack in a better manner C. DOS attack refers to a attack where a machine or network resource is made unavailable to its intended users. However, traffic analysis represents passive attack in a better manner D. Masquerading refers to pretending to be something/someone else than what actually is. However, traffic analysis represents passive attack in a better manner	MOCKDISA	1,321	123	MOCKDISA
131. Which of the following the MOST important accuracy measure for a biometric system:	A. Biometric System Response Time	B. False Acceptance Rate	C. False Rejection Rate	D. Input File Size	b	A. Biometric System Response time is not the accuracy measure B. False Acceptance rate refers to rate at which unauthorized persons are accepted by the system. This is the most important accuracy measure C. False Rejection rate refers to rate at which access of the authorized persons is denied by the bio metric system. However, this is not as critical as false acceptance rate. D. Input file size is not the accuracy measure	MOCKDISA	1,322	10	MOCKDISA
132. The security level of a PKI (Public Key Infrastructure) System depends on:	A. Number of Encryption key bits	B. Length of message	C. Type of Channel being used to send the message	D. Number of Keys	a	A. Higher the encryption Key size (in bits), higher the security and more it would be difficult to crack the same. Hence security level of a PKI (Public Key Infrastructure) depends on number of encryption key bits B. Length of message is not the factor to decide security level of PKI C. Type of Channel being used to send the message is not the factor to decide security level of PKI D. Number of Keys is not the factor to decide security level of PKI	MOCKDISA	1,323	52	MOCKDISA
133. Which of the following is NOT a characteristics of waterfall model of SDLC:	A. Emphasis on planning	B. Implementation of entire system at one time	C. Tight Control	D. Continuous user involvement	d	A. Emphasis on planning is a characteristics of waterfall model of SDLC B. Implementation of entire system at one time a characteristics of waterfall model of SDLC C. Tight Control is a characteristics of waterfall model of SDLC D. Continuous user involvement is not a characteristics of waterfall model of SDLC	MOCKDISA	1,324	126	MOCKDISA
134. An organization having fluctuating and less experienced project teams should go for:	A. Waterfall Model	B. Prototyping Model	C. Agile Methodology	D. Spiral Model	a	A. Waterfall Model is a very well documented and structured manner and hence organization having fluctuating and less experienced project teams should go for Waterfall Model B. Prototyping Model is not appropriate for fluctuating and less experienced project teams C. Agile Methodology is not appropriate for fluctuating and less experienced project teams D. Prototyping Model is not appropriate for fluctuating and less experienced project teams	MOCKDISA	1,325	30	MOCKDISA
135. In which of the following model, Risk Management is given highest importance:	A. Agile Methodology	B. Spiral Model	C. Waterfall Model	D. Prototyping Model	b	A. Risk Management is given highest importance in Spiral Model hence this is not the correct option B. Risk Management is given highest importance in Spiral Model C. Risk Management is given highest importance in Spiral Model hence this is not the correct option D. Risk Management is given highest importance in Spiral Model hence this is not the correct option	MOCKDISA	1,326	122	MOCKDISA
136. Which of the following model of SDLC is said to be MOST adaptive to changing requirements:	A. Rapid Application Development	B. Prototyping Model	C. Agile Methodology	D. Incremental Model	c	A. Rapid Application Development is not the MOST adaptive to changing requirements B. Prototyping model is not the MOST adaptive to changing requirements C. Agile Methodology is the MOST adaptive to changing requirements D. Incremental model is not the MOST adaptive to changing requirements	MOCKDISA	1,327	188	MOCKDISA
137. Which of the following general purpose notational language is used in OOSD (Object Oriented Software Development):	A. Unified Machine Language	B. Unified Modeling Language	C. Unique Modeling Language	D. Unified Object Oriented Language	b	A. Unified Machine Language is not the term that is used to refer general purpose notational language used in OOSD B. Unified Modeling Language is the general purpose notational language used in OOSD C. Unique Modeling Language is not the term that is used to refer general purpose notational language used in OOSD D. Unified Object Oriented Language is not term that is used to refer general purpose notational language used in OOSD	MOCKDISA	1,328	45	MOCKDISA
138. Which of the following process does start with the feasibility study and lasts even after the Implementation is over:	A. System Testing	B. Requirement Analysis	C. Benefit Realization	D. User Acceptance Testing	c	A. Benefit realization is the process which starts with the feasibility study and lasts even after the implementation is over hence this is not the correct option B. Benefit realization is the process which starts with the feasibility study and lasts even after the implementation is over hence this is not the correct option C. Benefit realization is the process which starts with the feasibility study and lasts even after the implementation is over hence this is the correct option D. Benefit realization is the process which starts with the feasibility study and lasts even after the implementation is over hence this is not the correct option	MOCKDISA	1,329	176	MOCKDISA
139. During which of the following process users and analysts come to agreement as to ‘What constitutes the Software to be developed’:	A. Requirement Engineering	B. Product Selection	C. Vendor Selection	D. User Acceptance Testing	a	A. During Requirement engineering process users and analysts come to agreement as to ‘What constitutes the Software to be developed’. B. Before Product selection requirement of the system is already identified. C. Before Vendor Selection requirement of the system is already identified. D. User Acceptance testing takes place long after completion of development of the system	MOCKDISA	1,330	58	MOCKDISA
140. Which of the following is an example of non-functional requirement for a Hospital:	A. Processing of Patients records with respect to payments received from them	B. Separation of records for insured patients and uninsured patients	C. Department wise Installation of secured POS Terminals	D. Processing the doctors’ prescriptions against medicines purchased from in-house medical shop.	c	A. Processing of Patients records with respect to payments received from them is an example of functional requirements B. Separation of records for insured patients and uninsured patients is an example of functional requirements C. Department wise installation of secured POS terminals is an example of non-functional requirement as it is not directly concerned with an operation of a hospital. D. Processing the doctors’ prescriptions against medicines purchased from in-house medical shop is an example of functional requirement.	MOCKDISA	1,331	186	MOCKDISA
141. Which of the following is NOT the criteria for vendor selection:	A. Constitution of Vendor	B. Financials of Vendor	C. Commitment to Service	D. Reliability	a	A. Constitution of vendor doesn’t affect the service provided by any vendor hence it is not a criteria for vendor selection. B. Financials of Vendor is a valid criteria for vendor selection C. Commitment to service is a valid criteria for vendor selection D. Reliability is a valid criteria for vendor selection	MOCKDISA	1,332	27	MOCKDISA
142. Which of the following method does use statistical approach to product evaluation:	A. Questionnaire Method	B. End User Acceptability	C. Proof of Concept (PoC)	D. Point Scoring Analysis	d	A. Questionnaire Method does not use statistical approach B. End User Acceptability has no statistical approach C. Proof of Concept (PoC) typically involves practical demonstrations, not statistical analysis D. Point Scoring Analysis involves statistical analysis for evaluation	MOCKDISA	1,333	17	MOCKDISA
143. An application has seven modules. Out of them, 4th Module is changed by following a formal change management process. Which of the following testing should be performed to see that the 4th Module maintains integrity with other modules:	A. Stress Testing	B. Unit Testing	C. Regression Testing	D. Functional Testing	c	A. Stress testing tests robustness, not module integrity B. Unit testing focuses on individual units, not module integration C. Regression testing ensures changes maintain system integrity D. Functional testing checks system functionality, not module integration	MOCKDISA	1,334	72	MOCKDISA
144. In which of the following testing, concept of stubs (dummy entities) is used:	A. Top down testing	B. Bottom up testing	C. Stress Testing	D. Regression Testing	a	A. Top Down testing involves using stubs for lower-level modules B. Bottom up testing starts with lower-level modules, no need for stubs C. Stress Testing tests robustness, not use stubs D. Regression Testing verifies changes, not use stubs	MOCKDISA	1,335	33	MOCKDISA
145. Recovery Testing is normally a part of	A. Unit Testing	B. System Testing	C. Integration Testing	D. User Acceptance Testing	b	A. Recovery testing occurs at system level, not unit testing B. Recovery testing ensures system recovery after failure C. Integration testing checks integration of components, not recovery D. User Acceptance Testing is for user approval, not recovery	MOCKDISA	1,336	67	MOCKDISA
146. In which of the following type of testing, data is processed in production like systems and outcome is analyzed for real life conditions:	A. Automated Testing	B. Beta Testing	C. Integrated Test Facilities	D. Quality Assurance Testing	c	A. Automated Testing focuses on automated checks, not real-life conditions B. Beta Testing involves real users, not necessarily real-life conditions C. Integrated Test Facilities (ITF) tests with real-life data in production-like conditions D. Quality Assurance Testing checks quality standards, not real-life conditions	MOCKDISA	1,337	67	MOCKDISA
147. Which of the following implementation approach is MOST risky and requires a great deal of planning:	A. Direct Cut off Implementation	B. Phased Implementation	C. Pilot Implementation	D. Parallel Implementation	a	A. Direct Cut off Implementation abruptly replaces old system with new, high risk B. Phased Implementation spreads risk over phases C. Pilot Implementation tests on a small scale, low risk D. Parallel Implementation uses both systems concurrently, less risk	MOCKDISA	1,338	6	MOCKDISA
148. A relatively small organization of risk averse nature but having ample resources, is consulting an IS Auditor for BEST implementation strategy for its newly developed ERP System. The IS Auditor should suggest:	A. Abrupt Change Over	B. Phased Change Over	C. Pilot Change Over	D. Parallel Change Over	d	A. Abrupt Change Over is high risk, not suitable for risk averse organization B. Phased Change Over is less risky, but Parallel Change Over uses ample resources with minimum risk C. Pilot Change Over is not necessary for small risk averse organizations	MOCKDISA	1,339	185	MOCKDISA
149. While reviewing a sample on change control procedure, IS Auditor is MOST concerned about the following fact:	A. A change is not made as per the Industry standards	B. The change is implemented by the developers, directly in the production libraries	C. The same change was requested two years back but was rolled back subsequently	D. Users are not trained to work in the changed environment	b	A. Non-compliance with industry standards is a concern, but direct implementation in production is a major integrity risk B. Implementing changes directly in production can compromise system integrity C. Rolled back changes are not as critical as direct production changes D. User training is important, but less critical for immediate system integrity	MOCKDISA	1,340	133	MOCKDISA
150. During SDLC, when a project team has to develop an application using a particular technology which is new to them, it takes the help of:	A. Domain Specialist	B. Technology Specialist	C. Project Manager	D. Technology Designer	b	A. Domain Specialist is for domain knowledge, not specific technology B. Technology Specialist provides expertise for new technologies C. Project Manager manages overall project, not technology specifics D. Technology Designer is not a recognized role for technology consultation	MOCKDISA	1,341	194	MOCKDISA
151. ___________ is responsible for monitoring and controlling costs, timelines and risks.	A. Programmer	B. Module/Team Leader	C. Project Manager	D. Quality Assurance Team	c	A. Programmer writes software, not responsible for monitoring costs B. Module/Team Leader provides guidance, not overall control C. Project Manager monitors and controls costs, timelines, and risks D. Quality Assurance Team tests software, not responsible for overall project management	MOCKDISA	1,342	13	MOCKDISA
152. In which of the following testing, software is released as a trial version to get feedback from its users as regard to the improvements to be made in the software:	A. Quality Assurance Testing	B. Functional Testing	C. Alpha Testing	D. Beta Testing	d	A. Quality Assurance Testing ensures quality standards, not trial releases B. Functional Testing verifies software functionality C. Alpha Testing tests software in development phase D. Beta Testing involves releasing software for user feedback before final release	MOCKDISA	1,343	174	MOCKDISA
153. What data should be used for regression testing:	A. Different data than used in the previous test	B. The most current production data	C. The data used in original test	D. Data produced by test data generator	c	A. Regression testing uses original test data to ensure consistency B. Production data may change, not suitable for regression testing C. Regression testing checks against original test scenarios D. Test data generator produces synthetic data, not for regression testing	MOCKDISA	1,344	150	MOCKDISA
154. Which of the following group/individuals should assume overall direction and responsibility for costs and timetables of system development projects:	A. Project Manager	B. Project Steering Committee	C. Senior Management	D. User Management	b	A. Project Manager manages project details, not overall direction B. Project Steering Committee directs and manages project resources and goals C. Senior Management oversees broader organizational strategy D. User Management focuses on user needs, not project management	MOCKDISA	1,345	168	MOCKDISA
155. An IS auditor is assigned to help design the data security aspects of an application under development. Which of the following provides the MOST reasonable assurance that corporate assets are protected when the application is being certified for production:	A. A review conducted by the internal auditor	B. A review conducted by the assigned IS auditor	C. Specifications by the user on the depth and content of the review	D. An independent review conducted by another equally experienced IS auditor	d	A. Internal auditor’s review may lack independence B. Assigned IS auditor’s review may lack independence C. User specifications guide, but independent review provides assurance D. Independent review by equally experienced IS auditor ensures thorough assessment	MOCKDISA	1,346	194	MOCKDISA
156. The PRIMARY role of an IS auditor during the system design phase of an application development project is to:	A. ensure all necessary controls are included in the initial design.	B. advise the development manager on adherence to the schedule.	C. advise on specific and detailed control procedures.	D. ensure that the design accurately reflects the requirement.	d	A. Ensuring controls is part of audit, not primary role in design phase B. Schedule adherence is project management, not audit focus C. Specific controls are important, but ensuring accurate design is primary D. IS auditor ensures design meets organizational requirements	MOCKDISA	1,347	80	MOCKDISA
157. Which of the following relationship among the programmes facilitates effective program maintenance:	A. Less cohesive and loosely coupled programs	B. More cohesive and strongly coupled programs	C. More cohesive and loosely coupled programs	D. Less cohesive and strongly coupled programs	c	A. Less cohesive and loosely coupled programs lead to maintenance challenges B. More cohesive and strongly coupled programs reduce flexibility C. More cohesive and loosely coupled programs balance cohesion and flexibility D. Less cohesive and strongly coupled programs increase maintenance complexity	MOCKDISA	1,348	62	MOCKDISA
158. At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:	A. Recommend that problem resolution be escalated.	B. Ignore the error, as it is not possible to get objective evidence for the software error.	C. Report the error as a finding and leave further exploration to the auditee's discretion.	D. Attempt to resolve the error	a	A. IS auditor should escalate unresolved issues for resolution B. Ignoring errors compromises audit integrity C. Reporting is important, but unresolved issues need escalation D. Resolving errors isn’t auditor’s primary role; escalation is	MOCKDISA	1,349	178	MOCKDISA
159. Which of the following is a technique that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality:	A. Rapid application development	B. Critical path methodology	C. Function point analysis	D. Program evaluation review technique	a	A. Rapid Application Development accelerates system development with reduced costs and maintained quality B. Critical path methodology manages project timelines, not development speed C. Function point analysis measures software size, not development speed D. Program evaluation review technique evaluates project performance, not speed	MOCKDISA	1,350	29	MOCKDISA
160. When a systems development life cycle (SDLC) methodology is inadequate, the MOST serious immediate risk is that the new system will:	A. be completed late.	B. exceed the cost estimates.	C. be incompatible with existing systems.	D. not meet business and user needs.	d	A. Late completion is a risk, but not the most serious B. Cost overruns are a concern, but not the most serious C. Compatibility issues are significant, but not the most serious D. Failing to meet business and user needs is the most critical risk	MOCKDISA	1,351	7	MOCKDISA
161. Which of the following should be reviewed FIRST by an IS Auditor in audit of application software:	A. Business Model	B. Business Application	C. Business Laws	D. Business Controls	a	A. Business model review sets context for application software audit B. Business application is part of audit, not the initial focus C. Business laws are important but secondary to business model D. Business controls are implemented based on business model review	MOCKDISA	1,352	84	MOCKDISA
162. Initial adoption of Business Model adopted by an organization is dependent upon:	A. Business Application	B. Business Objective	C. Controls in business applications	D. Business Laws	b	A. Business application follows business model adoption B. Business objective drives business model adoption C. Controls are implemented based on business model D. Laws influence but do not dictate business model adoption	MOCKDISA	1,353	162	MOCKDISA
163. Which of the following data validation edits is effective in detecting transposition and transcription errors:	A. Range Check	B. Validity Check	C. Check Digit	D. Redundancy Check	c	A. Range check ensures input within a set range B. Validity check ensures correct type of input C. Check digit detects transposition and transcription errors D. Redundancy check detects changes to raw data, not specific to errors	MOCKDISA	1,354	30	MOCKDISA
164. Which of the following controls can BEST validate a transaction:	A. Authorization of a transaction by supervisory personnel in adjacent department.	B. Authorization of transaction by department supervisor prior to sending it for batch processing.	C. Key field verification during Data Entry.	D. Use of programs to check the transaction against the criteria set by the management.	d	A. Authorization by personnel lacks the automated validation B. Pre-processing lacks comprehensive validation C. Key field verification ensures correct input, not transaction validation D. Programmatic checks against criteria provide robust validation	MOCKDISA	1,355	10	MOCKDISA
165. System Administrator of a public utility company has to change the access rights of users frequently due to changes in roles, on account of leaves and/or transfer of employees. Which of the following system administrator should do first?	A. Verify authorization.	B. Create new user id.	C. Change access rights.	D. Grant the new role.	a	A. Verify authorization before any access changes B. Creating user IDs comes after verifying authorization C. Change access rights follow verification of authorization D. Granting new role comes after verifying authorization	MOCKDISA	1,356	115	MOCKDISA
166. Programmers frequently create entry points into a program for debugging purposes and/or insertion of new program course at a later date. This entry points are called:	A. Logic bombs	B. Trap doors	C. Trojan horses	D. Worms	b	A. Logic bombs are malicious code for specific actions B. Trap doors are hidden entries for debugging and future use C. Trojan horses are malware disguised as legitimate software D. Worms are self-replicating malware, not entry points	MOCKDISA	1,357	76	MOCKDISA
167. Which of the following would BEST ensure proper updating of critical fields in a master record?	A. Field checks.	B. Control Totals.	C. Reasonableness checks.	D. Before and after maintenance report.	a	A. Field checks validate updates to critical fields B. Control totals ensure completeness, not field updates C. Reasonableness checks verify data within logical limits D. Reports do not directly ensure updates, unlike field checks	MOCKDISA	1,358	89	MOCKDISA
168. An IS auditor was asked to audit ERP implementation. The auditor did not have prior experience of ERP implementation. The auditor should:	A. Refuse the assignment in absence of required skills.	B. Attend the training program on implementation of ERP.	C. Conduct the audit with due professional care.	D. Take help of independent skilled professional.	d	A. Refusing without seeking help limits professional growth B. Training helps but not immediate solution C. Due care requires adequate knowledge, lacking in ERP D. Seeking help ensures thorough audit despite lack of experience	MOCKDISA	1,359	128	MOCKDISA
169. Centralized data base server is being accessed by users from various geographical locations. Concurrency controls provided in this system primarily ensures:	A. Integrity of data.	B. Usability of data.	C. Confidentiality of data.	D. Availability of data.	a	A. Concurrency control prevents data integrity issues B. Usability and confidentiality are not primary concerns C. Availability is managed separately from concurrency controls	MOCKDISA	1,360	87	MOCKDISA
170. Exception reports generated by application systems are useful to the management:	A. As compensating control for segregation of duties.	B. As feedback on the processing status.	C. In resolving problems in data processing.	D. In evaluating supervisory performance.	b	A. Compensating controls are separate from exception reports B. Reports provide feedback on processing anomalies C. Reports help, but primary use is feedback to management D. Reports are not for evaluating supervisory performance	MOCKDISA	1,361	153	MOCKDISA
171. Which of the following will help IS auditor in determining the effectiveness of help desk operations:	Problem aging analysis	Problem escalation report	Query log maintained by help desk	Awareness level of end users	c	Effectiveness of helpdesk operations can be determined by reviewing query log maintained by help desk	MOCKDISA	1,362	62	MOCKDISA
172. A company disposing of personal computers that once were used to store confidential data should first:	Demagnetize the hard disk	Low level format the hard disk	Delete all data contained on the hard disk	Defragment the data contained on the hard disk	a	Hard disk is a magnetic media. Demagnetization of hard disk is the safest way to prevent exposure of confidential data that was once stored on it	MOCKDISA	1,363	97	MOCKDISA
173. A tax calculation program maintains several hundred tax rates. The BEST control to ensure that Tax rates entered into the program are accurate is:	Independent review of the transaction listing	Programmed edit check to prevent entry of invalid data	Programmed reasonableness checks with 20% data entry range	Visual verification of data entered by the processing department	b	Programmed edit check to prevent entry of invalid data is the best input control to ensure that tax rates entered into the program are accurate	MOCKDISA	1,364	115	MOCKDISA
174. Which of the following Data Base Administrator activities is unlikely to be recorded on detective control logs:	Deletion of a record	Change of a password	Disclosure of a password	Changes to access rights	c	Disclosure of the password may not happen on the system and is unlikely to be recorded on detective control log	MOCKDISA	1,365	167	MOCKDISA
175. The primary reason for replacing cheques with electronic fund transfer(EFT) systems in the accounts payable area is to:	Make the payment process more efficient	Comply with international EFT banking standards	Decrease the number of paper based payment forms	Reduce the risk of unauthorized changes to payment transactions	c	To decrease the number of paper based payment forms was the primary reason for replacing cheques with electronic fund transfer(EFT) systems in the accounts payable area	MOCKDISA	1,366	8	MOCKDISA
176. Which of the following is an implementation risk within the process of decision support systems(DSS):	Management control	Semi structured dimensions	Changes in decision processes	Inability to specify purpose and usage patterns	d	Inability to specify purpose and usage patterns is an implementation risk within the process of decision support systems(DSS)	MOCKDISA	1,367	25	MOCKDISA
177. Which of the following is a strength of client/server security system:	Change control and change management procedures are inherently strong	User can manipulate data without controlling resources on the main frame	Network components seldom become obsolete	Access to confidential data or data manipulation is strongly controlled	d	Access to confidential data or data manipulation is strongly controlled - is one of the regular features of client server security system	MOCKDISA	1,368	183	MOCKDISA
178. While auditing IT application infrastructure, the IS auditor observed that there were no procedure defined for the performance monitoring of a third party vendor who was assigned the maintenance of hardware with a clause for 99% uptime during business hours. The BEST course for the auditor is:	To suggest procedures to functional management and report to top management	To consult legal counsel for non performance by the vendor	To request the vendor management to provide necessary uptime reports	To evaluate the performance of third party vendor for estimating expected performance	a	The best course for the auditor is to suggest procedures to functional management and report to top management	MOCKDISA	1,369	92	MOCKDISA
179. While posting a message on facebook, if user posts the same message again, facebook gives a warning. The warning indicates following type of control:	Limit check	Dependency check	Range check	Duplicate check	d	Duplicate check is a check that keeps track of the events to see that they don’t happen more than once except intended by the user. Hence a warning raised by facebook on posting of same message again is the example of duplicate check	MOCKDISA	1,370	167	MOCKDISA
180. Company’s billing system does not allow billing to those dealers who have not paid advance amount against proforma invoice. This check is BEST called as:	Limit check	Dependency check	Range check	Duplicate check	b	Dependency Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Thus if system doesn’t allow billing to dealers who have not paid advance amount against proforma invoice is an example of dependency check	MOCKDISA	1,371	18	MOCKDISA
181. While auditing e-commerce transactions auditors key concern includes all except:	Authorization	Authentication	Major supplier	Confirmation	c	Major supplier is not the key concern of auditor while auditing e-commerce transactions	MOCKDISA	1,372	127	MOCKDISA
182. An IS auditor processes a dummy transaction to check whether the system is allowing cash payment exceeding Rs.20000. This check represents which of the following evidence collection techniques:	Inquiry and confirmation	Recalculation	Inspection	Re-performance	d	Re-performance is the auditor's independent execution of procedures or controls that were originally performed as part of the entity's internal control, either manually or through the use of CAATs. Here auditor processes a dummy transaction to check whether the system is allowing cash payment exceeding Rs.20000. This represents re-performance technique of evidence collection	MOCKDISA	1,373	101	MOCKDISA
183. Which of the following audit tool is most useful to an IS auditor when an audit trail is required:	Integrated Test Facility (ITF)	Continuous and intermittent Simulation (CIS)	Audit Hooks	Snapshots	d	A snapshot is a virtual image of the content of a set of data at the instant of creation. Physically, a snapshot may be a full (complete bit-for-bit) copy of the data set, or it may contain only those elements of the data set that have been updated since snapshot creation. This is most useful to an IS auditor when an audit trail is required	MOCKDISA	1,374	122	MOCKDISA
184. An employee has left the company. The first thing to do is to:	Hire a replacement employee	Disable his/her access rights	Ask the employee to clear all dues/ advances	Escort employee out of the company premises	b	If an employee left the company, first thing to do is to disable his/her access rights	MOCKDISA	1,375	133	MOCKDISA
185. Which of the following is the first step in compliance testing? To review:	Access security controls	Input controls	Processing controls	Output controls	a	The first step in compliance testing is to review access security controls	MOCKDISA	1,376	193	MOCKDISA
186. The cashier of a company has rights to create bank master in tally. This error is a reflection of poor definition for which type of control:	User control	Application control	Input control	Output control	a	The cashier of a company should not have right to create bank master in tally, if it has happened, it indicates poor definition of user control	MOCKDISA	1,377	13	MOCKDISA
187. What is the first step in preparing a new Business Continuity Plan or in updating an existing one:	Risk Management of key business processes	Identification of strategically important processes	Identification of potential vulnerabilities	Business Impact Analysis	b	Identification of the strategically important processes is the FIRST step in preparing a new BCP or updating an existing one as only after identifying the processes, risk management, vulnerability assessment and business impact analysis can be done	MOCKDISA	1,378	91	MOCKDISA
188. Which of the following BEST suggests the relationship between Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP):	DRP is a sub component of BCP	BCP is a sub component of DRP	Both BCP and DRP are mutually exclusive	BCP and DRP both have almost the same meaning	a	DRP is normally a technological aspect to restore critical processes/IT Services in the event of interruption. And this aspect is a part of overall Business Continuity Planning	MOCKDISA	1,379	180	MOCKDISA
189. Which of the following plan is MOST specifically used to recover a facility rendered inoperable, including relocating operations into a new location?	Disaster Recovery Plan	Business Continuity Plan	Back Up Plan	Contingency Plan	a	DRP is most specifically used to recover a facility rendered inoperable, including relocating operations into a new location	MOCKDISA	1,380	43	MOCKDISA
190. While evaluating Business Continuity Plan, “An IS auditor should evaluate an organization’s preparedness for pandemic outbreaks”, what does ‘pandemic’ mean in the above statement?	Terrorist events	Malicious acts	Epidemics or outbreaks of infectious disease in humans	Natural disasters	c	Pandemic refers to the infectious disease in humans which must be considered while preparing BCP	MOCKDISA	1,381	196	MOCKDISA
191. An organization running a critical information system and cannot afford the downtime of more than 10 seconds will have __________ in case of a disaster.	Lessen recovery costs, higher downtime costs	Lessen downtime costs, higher recovery costs	Higher downtime costs, higher recovery costs	Lessen downtime costs, lessen recovery costs	b	When allowable downtime is 10 seconds or less, system needs to be up and running in not more than 10 seconds of the disaster. To make this possible, recovery cost i.e. cost incurred to resume the system - as it was before the disaster - will have to be incurred much higher. And consequently due to less downtime, downtime cost i.e. cost incurred due to down system will be minimal.	MOCKDISA	1,382	56	MOCKDISA
192. Absence of which of the following is the BIGGEST concern for an IS auditor who is auditing a Business Continuity Plan?	Procedure for declaring a disaster	Identification for contract information	Circumstances under which a disaster should be declared	Explanation of the recovery process	c	Without specifying the trigger points for invoking BCP/DRP, no BCP/DRP will make a sense and it will become useless. Without this, all remaining concerns are of no value.	MOCKDISA	1,383	107	MOCKDISA
193. One of the MOST important outcomes of Business Impact Analysis is a way to group information systems according to their____________	Recovery time	Down time	Value	Maintenance Requirements	a	Recovery strategy is selected based on the outcome of BIA. If multiple assets are having the same Recovery time then they are put together under a single recovery strategy in BCP.	MOCKDISA	1,384	141	MOCKDISA
194. Which of the following Business Continuity Insurance Plan covers loss from dishonest or fraudulent acts by employees?	Transparency coverage	Loyalty coverage	Honesty coverage	Fidelity coverage	d	Fidelity refers to faithfulness of a person demonstrated by continuing loyalty and support. Fidelity coverage is a type of insurance plan that covers loss from dishonest or fraudulent acts by employees.	MOCKDISA	1,385	56	MOCKDISA
195. _________ is a method for Systems’ Risk Ranking, where probability of adverse disruptions is multiplied with monetary impact of disruptions to determine maximum reasonable cost of prevention.	Loss Prevention Expectancy (LPE)	Risk Loss Product (RLP)	Weighted Loss Assessment (WLA)	Annualized Loss Expectancy (ALE)	d	Annualized Loss Expectancy (ALE) is the method for Systems’ Risk Ranking where probability of adverse disruptions is multiplied with monetary impact of disruptions to determine maximum reasonable cost of prevention.	MOCKDISA	1,386	162	MOCKDISA
196. Which of the following is the BIGGEST concern for an IS auditor while evaluating the Business Continuity Plan?	The plan contains conflicting responsibilities	The plan is not tested	The plan is not read by the team members	The plan is not updated for last six months	b	BCP, even though thoughtfully designed and developed, provides no guarantee for its successful execution unless it is tested with the appropriate method. Hence, non-tested BCP is the BIGGEST concern for the IS auditor.	MOCKDISA	1,387	129	MOCKDISA
197. When an enterprise has an insurance coverage as a part of its Disaster Recovery Plan, which risk treatment approach is followed?	Risk avoidance	Risk mitigation	Risk transfer	Risk acceptance	c	Risk transfer is a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another. Insurance policy is one such example where by paying premium the risk of loss due to disaster is transferred from policy holder to the insurer.	MOCKDISA	1,388	112	MOCKDISA
198. Which of the following Business Continuity Planning test is a cost-effective way of simulating a system crash locally without causing much harm to the actual facilities?	Preparedness test	Paper test	Desk based evaluation	Pre-test	b	In paper test, plan walk through takes place to get idea about the possible service disruption by major participants involved in plan execution. It precedes preparedness test.	MOCKDISA	1,389	106	MOCKDISA
199. Effectiveness of Business Continuity Planning (BCP) can be BEST verified by an IS auditor by:	Reviewing the alignment of BCP with that of peers in the same industry	Reviewing the test results of BCP	Verifying cost benefit analysis of BCP	Confirming that BCP is approved by Board Of Directors having expertise in the field	b	BCP, even though thoughtfully designed and developed, can be verified for its effectiveness only by reviewing its test results obtained through appropriate test methods.	MOCKDISA	1,390	6	MOCKDISA
200. Which of the following is most suitable method for ensuring up-to-date Business Continuity Plan (BCP)?	Yearly full functional tests	Continuous Liaison among BCP team members	Regular structured walk through tests	Keep on changing the team members with the more experienced ones	c	Regular structured walk through tests takes place to get idea about the possible service disruption by major participants involved in plan execution. It helps in keeping the plan up-to-date.	MOCKDISA	1,391	69	MOCKDISA
1. The level of on-line system response time is best determined by which of the following	System planning phase	System Design Phase	System Programming phase	System testing phase	b	On line time indicates how much time is taken between entry of query and its reply and deals with utilisation of system resources which need to be considered during system design phase.	MOCKDISA	1,392	1	MOCKDISA
2. Which of the following tools is most useful in detecting security intrusions	Data mining Tools.	Data optimisation Tools	Data reorganisation tools.	Data access tools.	a	Data mining is a set of automated tools that convert data in the warehouse to some useful information. Data mining techniques could also be used for fraud detection, intrusion detection, abnormal patterns in data.	MOCKDISA	1,393	141	MOCKDISA
3. Which of the following is not a proper definition of workload from a computer capacity perspective	Transactions	Storage	Communications Traffic	Bandwidth	d	Workload is basically the request of the users submitted to the computing resources. Bandwidth describes capacity and not workload.	MOCKDISA	1,394	137	MOCKDISA
4. Database application systems have similarities and differences from traditional flat file application systems. Database systems differ most in which of the following control areas.	Referential integrity	Access Controls.	Data editing and validation routines.	Data Recovery	a	Referential integrity means that no record will have reference to the primary key of the non exsistent record. When a record is deleted all other referenced records are automatically deleted.	MOCKDISA	1,395	92	MOCKDISA
5. Which of the following statements is not true?	With a multiplexer the total bandwidth entering the device is normally different from the bandwidth leaving it.	With a concentrator the total bandwidth entering the device is normally different from the bandwidth leaving it.	Devices are available that perform the functions of both concentrators and multiplexers.	Concentrators can give much better utilisation of the available bandwidth than a multiplexer.	a	In case of a multiplexer the total bandwidth entering and leaving are roughly equivalent.	MOCKDISA	1,396	59	MOCKDISA
6. Which of the following is a simple networking device that interconnects two or more local area networks :	Router	Bridge.	Gateway.	Brouter	b	Bridges are networking devices that connect two LANs.	MOCKDISA	1,397	76	MOCKDISA
7. Which of the following components of the database structured query language hold the actual data in the database	Schemas	Subschemas.	Tables.	Views.	c	Actual data is stored in tables.	MOCKDISA	1,398	135	MOCKDISA
8. Magnetic storage media sanitization is important to protect sensitive information. Which of the following is not a general method of purging magnetic storage media.	Overwriting.	Clearing.	Degaussing	Destruction.	b	Clearing information means rendering it unrecoverable by keyboard attack with data remaining on the storage media.	MOCKDISA	1,399	112	MOCKDISA
9. The possible security threats inherent in a LAN environment include passive and active threats. Which of the following is a passive threat	Denial of message service.	Masquerading	Traffic Analysis	Modification of message service	c	Passive threats do not alter any data in a system. Messages are simply read to gain some knowledge.	MOCKDISA	1,400	86	MOCKDISA
10. Which of the following statements is true in a LAN environment	The gateway is responsible for returning acknowledgements	The destination station is responsible for returning acknowledgements	The originating station is responsible for returning acknowledgements	The network operating system is responsible for returning acknowledgements	a	A gateway is a device used for connecting two dissimilar networks.	MOCKDISA	1,401	19	MOCKDISA
11. Which of the following data models is suitable for predetermined data relationships	Hierarchical model	Network model	Relational model	Distributed model	a	Option A is the correct answer. Option A provides somewhat general structures compared to hierarchical model.	MOCKDISA	1,402	103	MOCKDISA
12. Which of the following is a disadvantage of client/server computing	open systems	Freedom	Specialisation	Complexity	d	The disadvantage is technical immaturity and complexity in designing compared with other traditional systems.	MOCKDISA	1,403	118	MOCKDISA
13. Data normalisation is typically found in which of the following database models	Hierarchy data model	Relational data model	Network data model	Object data model	b	Normalisation is the formal process for eliminating access and update anomalies. Relational data model is widely accepted and includes normalisation.	MOCKDISA	1,404	40	MOCKDISA
14. When constructing the communications infrastructure for moving data over a local area network the major implementations choices involve decisions about all of the following except	Terminal controllers	Repeaters	File servers	Bridges.	a	Terminal controllers direct tasks the terminal must perform but are not a major infrastructure choice for data movement.	MOCKDISA	1,405	188	MOCKDISA
15. Which of the following transmission media is unsuitable for handling intra-building data or voice communications	Twisted pair	Coaxial Cable	Optical fibre	Microwave transmission.	d	Microwave transmission is more appropriate for long distance transmission rather than intra-building communications.	MOCKDISA	1,406	37	MOCKDISA
16. If any link should fail only the terminal on that specific link will be affected by the line outage is true with which of the following network topologies	Star	Tree	Ring	Mixed.	a	In a star topology, each terminal is connected to a central hub; if one link fails, only that terminal is affected.	MOCKDISA	1,407	179	MOCKDISA
17. Which of the following network topologies is best suited where each terminal has a large volume of data traffic and must operate at a high data rate on a leased line	Star	Tree	Ring	Mixed.	a	Star topology provides high data rate on leased lines with individual terminal connections to a central hub.	MOCKDISA	1,408	73	MOCKDISA
18. A sophisticated network line monitoring device is called	Line Monitor	Protocol Analyzer	Barometer	Voltmeter.	b	A protocol analyzer is sophisticated and performs data analysis, unlike simpler devices like a line monitor.	MOCKDISA	1,409	19	MOCKDISA
19. Wireless Local area networks operate in which of the following layers of the ISO/OSI Reference model	Physical and data layers	Data and network link layers	Transport and presentations layers	Application and session layers	a	WLANs operate primarily in the physical and data layers for handling frequencies and modulation.	MOCKDISA	1,410	147	MOCKDISA
20. During the acceptance testing of a new LAN installation which of the following test plan items requires proactive thinking	Connectivity and interoperability	Network performance	Cable plant integrity	User application systems	c	Testing cable plant integrity proactively ensures faults are identified before installation completes, avoiding post-installation issues.	MOCKDISA	1,411	57	MOCKDISA
21. The Database administrator is not responsible for which of the following functions	Physical design of the database	Logical design of the database	Security of the database	Performance of the database	b	Option B is the correct answer. DBA is responsible for physical design (A), security (C), and performance (D).	MOCKDISA	1,412	116	MOCKDISA
22. Which of the following is often the greatest failing of distributed system management solutions.	Scalability	Heterogeneity	Security	Synchronization	c	Managing security is a major problem in distributed systems operating in hostile environments.	MOCKDISA	1,413	71	MOCKDISA
23. Which of the following client/server implementation approaches is the least complex.	File transfer	Applications programming interface	GUI based operating system	Peer-to-peer communications	a	Option A is the correct answer. File transfer is the least complex among the given choices.	MOCKDISA	1,414	72	MOCKDISA
24. Payroll master file updates are sent from a remote terminal to a mainframe program on a real-time system. A control which works to ensure accuracy of the transmission is a	Echo Checking	Protection ring	Hash total	Integrated test facility	a	Echo checking validates data transmission accuracy by sending data back for comparison.	MOCKDISA	1,415	116	MOCKDISA
25. An insurance firm uses a wide area Network to allow agents away from home office to obtain current rates and client information and to submit approved claims using notebook computers and dial-in modems. In this situation which of the following methods would provide the best data security.	Dedicated phonelines	Call back features	Frequent changes of user IDS and passwords	End to end data encryption	d	Option D provides the best security for data transmitted over open networks.	MOCKDISA	1,416	129	MOCKDISA
26. The information systems and audit directors agreed that maintaining the integrity of the system that kept inventory data was crucial for distributing correct product quantities to stores. The best way to ensure the integrity of this application software is through.	Access controls for terminals in the receiving department	Audit trails for items sold and received	Change controls for inventory software	Monitoring software for the network	c	Change controls ensure only authorized and tested programs are used, maintaining software integrity.	MOCKDISA	1,417	167	MOCKDISA
27. A dial-up order entry system is used by salesmen to enter customer orders from the customer's location via portable computers assigned to each salesman. However, unauthorized persons using their own system have entered fraudulent transactions into the order entry system. A control that would permit only authorized persons using portable computers to access the system is:	A callback procedure	An error correcting code	Frequent access code revalidation	Modem equalization	c	Frequent access code revalidation would restrict unauthorized access effectively.	MOCKDISA	1,418	97	MOCKDISA
28. Compared to closed systems open systems are characterized by	Less expensive components	Decreased interoperability	More dependence on particular vendors	More restricted portability	a	Option A is correct as open systems generally use less expensive components.	MOCKDISA	1,419	29	MOCKDISA
29. A major risk involving the use of the packet switching network technique is that	Packets may arrive at destinations out of sequence	Routing of packets cannot vary depending on network conditions	Terminals lack intelligence on public data networks	Terminals lack storage capacity on public data networks	a	Option A is correct as packet switching networks can deliver packets out of sequence.	MOCKDISA	1,420	13	MOCKDISA
30. Protocols would not address which of the following	Message size, sequence and format	Message routing instructions	Error detection and correction	Message authentication	d	Option D is correct as protocols do not specifically address message authentication	MOCKDISA	1,421	154	MOCKDISA
31. Which of the following is an inappropriate control over telecommunication hardware	Logical Access controls	Security over wiring closets	Contingency plans	Restricted access to test equipment	a	Option A is correct as logical access control is software-based, not hardware-based.	MOCKDISA	1,422	186	MOCKDISA
32. Which of the following statements is true with respect to data dictionaries	A data dictionary must be always be active to be useful	An active data dictionary must be dependent on database management systems	A passive data dictionary is an important feature of database management systems	A data dictionary can exist only with a database system	b	Option B is correct as an active data dictionary relies on integration with database management systems.	MOCKDISA	1,423	136	MOCKDISA
33. Which of the following layers of the ISO/OSI Reference Model handles error detection and correction	Data link	Physical	Network	Application	a	Option A is correct as the data link layer is responsible for error detection and correction.	MOCKDISA	1,424	20	MOCKDISA
34. Which of the following allows transmission of sequential elements with or without interruption	Serial Transmission	Serial to parallel conversion	Parallel to serial conversion	Parallel transmission	a	Option C is correct as serial transmission involves sending data elements one at a time.	MOCKDISA	1,425	6	MOCKDISA
35. An asynchronous transfer mode type of network is not good for which of the following situations	Wide area networks	Small networks	Backbones	Multimedia applications	b	Option B is correct as asynchronous transfer mode is suitable for various network sizes except very small ones.	MOCKDISA	1,426	68	MOCKDISA
36. To reduce security exposure when transmitting proprietary data over communication lines a company should select	Asynchronous modems	Authentication techniques	Call back techniques	Cryptographic devices	d	Option D is correct as cryptographic devices provide strong encryption for data security.	MOCKDISA	1,427	32	MOCKDISA
37. Encryption protection is least likely to be used in which of the following situations	When transactions are transmitted over local area networks	When wire transfers are made between banks	When confidential data are sent by satellite transmission	When financial data are sent over dedicated leased lines	a	Option A is correct as encryption is less critical within local area networks compared to other scenarios.	MOCKDISA	1,428	75	MOCKDISA
38. A superstore has 8 personal computers, four printers, and one plotter all networked together in one building. This type of network is called	Ring	Star	Local area	Wide area	c	Option C is correct as this describes a local area network (LAN).	MOCKDISA	1,429	178	MOCKDISA
39. Which of the following functions can be performed by an intelligent terminal	Validating the conceptual schema and storing data formats	Validating data input and monitoring the data dictionary	Validating the external schema and storing data records	Validating data input and storing processed error messages	d	Option D is correct as intelligent terminals can validate input and handle error messages.	MOCKDISA	1,430	180	MOCKDISA
40. The most difficult aspect of using Internet resources is	Making the physical connection	Locating the best information source	Obtaining the equipment required	Getting authorization for access	b	Option B is correct as finding the best information source can be challenging on the Internet.	MOCKDISA	1,431	102	MOCKDISA
41. The scope of an IS Audit affects which of the following	Audit Schedules	Audit objectives	Audit summary	Audit programme	a	Option A is correct as scope defines the boundaries and influences the duration of audit schedules.	MOCKDISA	1,432	149	MOCKDISA
42. Which one of the following items includes the other three items	Inherent Risk	Control risk	Audit risk	Detection Risk	c	Option C is correct as Audit Risk encompasses inherent risk, control risk, and detection risk.	MOCKDISA	1,433	137	MOCKDISA
43. Which of the following would not be considered in performing a risk analysis exercise	System complexity	Results of prior audits	Auditor skills	System changes	c	Option C is correct as auditor skills are considered during audit scheduling, not risk analysis.	MOCKDISA	1,434	94	MOCKDISA
44. The major purpose of an exit conference is	Communication with all affected parties	Correction of deficiencies found	Assessment of Audit staff’s performance	Presentation of the final audit report	a	Option A is correct as the exit conference aims to ensure understanding and agreement on audit findings.	MOCKDISA	1,435	128	MOCKDISA
45. During an Audit an IS Auditor found no written procedures for an application system. What should the auditor do	Cancel the audit immediately since it is hard to do an audit without documentation	Reschedule the audit when the procedures are written	Report the issue to the management	Document the procedures and audit against them	d	Option D is correct as the auditor should document procedures and audit against them based on observations and interviews.	MOCKDISA	1,436	177	MOCKDISA
46. The objective of control tests of details of the transactions performed by the IS Auditor is to	Determine the nature timing and extent of substantive tests to be performed on the IS records and files	Determine material control weaknesses in the IS operations	Evaluate whether an IS control policy or procedure is working effectively	Inquire whether all IS employees have an access card to enter the computer room	c	Option C is correct as control tests evaluate the effectiveness of IS control policies and procedures.	MOCKDISA	1,437	29	MOCKDISA
47. Which of the following is the technique used to obtain evidential matter about tests of controls	Re-performance	Analysis	Comparisons	Calculations	a	Option A is correct as re-performance is used in compliance testing to obtain evidence about controls.	MOCKDISA	1,438	23	MOCKDISA
48. Sample size	Increases with use of higher confidence levels	Decreases with use of higher confidence levels	Remains unchanged with changes in confidence levels	Increases with the use of lower confidence levels	a	Option A is correct as higher confidence levels require larger sample sizes to reduce risk.	MOCKDISA	1,439	158	MOCKDISA
49. The appropriate sampling plan to use to identify at least one irregularity assuming some number of irregularities exists in a population and then to discontinue sampling when one irregularity is observed is	Stop or go sampling	Discovery sampling	Variables sampling	Attributes sampling	b	Option B is correct as discovery sampling aims to find irregularities and stop sampling once one is found.	MOCKDISA	1,440	103	MOCKDISA
50. The primary reason for an auditor to use statistical sampling is to	Obtain a smaller sample than would be required by non-statistical sampling techniques	Obtain a sample more representative of the population than would be obtained by non-statistical techniques	Allow auditor to quantify and thus control the risk of making an incorrect decision based on sample evidence	Meet auditing standards	c	Option C is correct as statistical sampling provides quantifiable risk assessment based on sample results.	MOCKDISA	1,441	23	MOCKDISA
51. An auditor wishes to determine if the error rate on travel reimbursement claims is within the five percent tolerance level set by management. What sampling plan should the auditor use	Variables sampling	Attributes sampling	Judgemental Sampling	Dollar unit sampling	b	Option B is correct as attributes sampling is used for testing the proportion of items in a population that possess a specified characteristic.	MOCKDISA	1,442	83	MOCKDISA
52. Which of the following is not an audit procedure that is commonly used in conducting IS tests of controls (Compliance reviews and tests)	Confirmations	Inquiry	Observations	Inspection	a	Option A is correct as confirmations are part of substantive testing, not tests of controls.	MOCKDISA	1,443	132	MOCKDISA
53. Which of the following represents the correct sequence of performing the IS audit procedure	2, 4, 3, 1	3, 4, 2, 1	4, 2, 3, 1	2, 4, 3, 1	d	Option D is correct as preliminary evaluation (2), interviews (4), compliance tests (3), and substantive tests (1) represent the logical sequence of IS audit procedures.	MOCKDISA	1,444	191	MOCKDISA
54. Which one of the following if material would be an irregularity	Application programmers forgot to indicate file retention periods	IS operation analyst did not follow a procedure due to an oversight	Tape librarian forgot to log tape movement	An IS auditor knowingly approved an invoice for his friend’s IS Consulting firm for a significant amount of time not actually worked	d	Option D is correct as it describes an irregularity involving deliberate action or falsification.	MOCKDISA	1,445	124	MOCKDISA
55. An IS auditor’s primary consideration regarding internal control policies, procedures and standards available in the IS Department is whether they are	Documented	Distributed	Followed	Approved	c	Option C is correct as the primary concern is whether controls are effectively followed.	MOCKDISA	1,446	82	MOCKDISA
56. Comparing job runs logs to computer job schedules will provide critical evidence that	All recorded jobs were completed	Only scheduled jobs were run	Some jobs were completed ahead of schedule	Some jobs were overridden by computer operators	d	Option D is correct as it verifies if jobs were manually overridden, affecting control and accuracy.	MOCKDISA	1,447	29	MOCKDISA
57. In an IT environment which of the following is not a substantive review and/or test	Determining whether program changes are approved	Performing system aging analysis	Performing program activity analysis	Performing job activity analysis	a	Option A is correct as determining whether program changes are approved is a control review, not a substantive test.	MOCKDISA	1,448	100	MOCKDISA
58. Indicate the order in which primary questions must be addressed when an organization is determined to audit for fraud	What does the organisation have that someone would want to defraud	How might someone go about defrauding the organisation	How can organisation detect fraud	How vulnerable is the organisation	d	Option D is correct as it represents the logical sequence of questions to address when planning a fraud audit.	MOCKDISA	1,449	197	MOCKDISA
59. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should	refuse the assignment since it is not the role of the IS auditor	inform management of his/her inability to conduct future audits	perform the assignment and future audits with due professional care	obtain the approval of user management to perform the implementation and follow-up	b	Option B is correct as the IS auditor should avoid future audit involvement to maintain independence after assisting in control implementation.	MOCKDISA	1,450	22	MOCKDISA
60. In a computer centre environment which of the following is not a compliance review and/or test	Performing system outage analysis	Determining whether job run logs are reviewed	Determining whether the disaster recovery plan is tested	Determining whether the job accounting log is reviewed	a	Option A is correct as performing system outage analysis is substantive testing, not compliance testing.	MOCKDISA	1,451	1	MOCKDISA
61. Which of the following is not a benefit of using information technology in solving audit problems	It reduces audit risk	It improves the timeliness of the audit	It increases audit opportunities	It improves the auditor’s judgement	d	Option D is correct; IT cannot directly improve the subjective judgement of auditors.	MOCKDISA	1,452	191	MOCKDISA
62. Which of the following pre-processing controls is least likely to provide the auditor with assurance about the validity of transactions	Verification of the requester	Authentication of information	Exception processing	Decryption of data	d	Option D is correct; decryption of data is typically a post-processing activity, not directly related to transaction validity assurance.	MOCKDISA	1,453	157	MOCKDISA
63. The source of evidence to determine if ex-employees continue to have access to a company’s automated databases is	Discuss the password removal process with the database administrator	Reviewing computer logs of access attempts	Reconciling current payroll lists with database access lists	Reviewing access control software for the latest version	c	Option C is correct; reconciling current payroll lists with database access lists directly verifies if ex-employees still have access.	MOCKDISA	1,454	36	MOCKDISA
64. An IS auditor involved in the requirements phase of a new application development project should ensure that	Programmers provide input to the functional requirements	Security requirements have been defined	Payback for the system is within an acceptable range	A turnkey solution for the system requirements is available	b	Option B is correct; ensuring security requirements are defined is crucial during the early phases of development.	MOCKDISA	1,455	28	MOCKDISA
65. Which of the following is often an advantage of using prototyping for systems development	The finished system will have adequate controls	The system will have adequate security/audit trail	It reduces time to deployment	It is easy to achieve change control	c	Option C is correct; prototyping is known for its ability to accelerate deployment time.	MOCKDISA	1,456	143	MOCKDISA
66. In addition to controls over access, programming, and program changes, a computerized system needs to establish an audit trail of information. Which of the following information would generally not be included in an audit trail log designed to summarize unauthorized system access logs	A list of authorized users	The type of event or transaction attempted	The terminal used to make the attempt	The data in the program sought	a	Option A is correct; an audit trail log for unauthorized access typically focuses on unauthorized activities and events, not authorized users.	MOCKDISA	1,457	145	MOCKDISA
67. Which of the following best represents Corporate Governance	To protect shareholders’ interest	To protect management interest	To protect stakeholders interest	To protect auditors interest	c	Option C is correct; corporate governance is about protecting the interests of all stakeholders.	MOCKDISA	1,458	97	MOCKDISA
68. Which of the following IT governance best practices improves strategic alignment	Supplier and partner risks are managed	A knowledge base on customers, products, markets, and processes is in place	A structure is provided that facilitates the creation and sharing of business information	Top management mediate between the imperatives of business and technology	d	Option D is correct; strategic alignment in IT governance involves top management aligning business and technology imperatives.	MOCKDISA	1,459	47	MOCKDISA
69. Computer operators should not be given access to which of the following	Computer Console Terminal	Operations Documentation	Programming Documentation	Disk Drives	c	Option C is correct; computer operators should not have access to programming documentation for security reasons.	MOCKDISA	1,460	188	MOCKDISA
70. Which of the following statements is true with regards to Corporate Governance Dimension	Corporate Governance dimension is proactive	Corporate Governance Dimension is business oriented	Corporate Governance Dimension focuses on strategy and value creation	Corporate Governance Dimension is historic	d	Option D is correct; corporate governance dimension refers to historical aspects rather than being proactive or business-oriented.	MOCKDISA	1,461	103	MOCKDISA
71. Which of the following principles are most relevant for Governance Domain	Benefit Realisation, Risk Optimisation, Resource Optimisation	Four Dimensions of balance score card	Evaluate, Direct, Monitor	Plan, Build, Run and monitor	c	Option C is correct; Evaluate, Direct, Monitor are specific actions related to governance responsibilities.	MOCKDISA	1,462	73	MOCKDISA
72. From a control perspective, the key element in job descriptions is that they	Provide instructions on how to do the job and define authority	Are current, documented and readily available to the employee	Communicate management's specific job performance expectations	Establish responsibility and accountability for the employee's actions	d	Option D is correct; job descriptions should clearly establish responsibility and accountability to maintain effective controls.	MOCKDISA	1,463	4	MOCKDISA
73. Which of the following is a compatible function for database administrator	Capacity Planning	Computer operations	Application Development	Application maintenance	a	Option A is correct; capacity planning aligns with the responsibilities of a database administrator without conflicting roles.	MOCKDISA	1,464	195	MOCKDISA
74. Risk is the possibility of something adverse happening to an organisation. Which of the following steps is most difficult to accomplish in a risk management process	Risk identification	Risk Assessment	Risk mitigation	Risk maintenance	b	Option B is correct; assessing risk involves complex analysis and judgment, making it often the most challenging step in risk management.	MOCKDISA	1,465	177	MOCKDISA
75. Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?	System analysis	Authorization of access to data	Application programming	Data administration	b	Option B is correct; authorization of access to data is crucial for segregation of duties and preventing unauthorized access.	MOCKDISA	1,466	163	MOCKDISA
76. Organisation Capacity to sustain loss due to uncertainty and expressed in Monetary terms is best known as:	Risk Appetite	Risk Tolerance	Risk acceptance	Risk Mitigation	a	Option A is correct; risk appetite refers to the amount of risk an organization is willing to accept.	MOCKDISA	1,467	27	MOCKDISA
77. COBIT 5 is the model for which of the following	IT Planning	IT governance	IT standards	IT infrastructure	b	Option B is correct; COBIT 5 focuses on IT governance, providing a comprehensive framework for managing enterprise IT.	MOCKDISA	1,468	50	MOCKDISA
78. The most likely to attract and retain IS security staff is	Special Training Sessions	Annual Conferences	Competitive salaries	Flexible Work schedules	d	Option D is correct; flexible work schedules are a significant motivator for retaining IS security staff.	MOCKDISA	1,469	182	MOCKDISA
79. During a logical access controls review, the IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:	An unauthorized user may use the ID to gain access	User access management is time-consuming	Passwords are easily guessed	User accountability may not be established	d	Option D is correct; shared user accounts compromise accountability, a critical aspect of access control.	MOCKDISA	1,470	23	MOCKDISA
80. Which of the following is an example of lead indicator	Financial Results	Market share retained over three years	Improvement in Customer Satisfaction survey	Regular training hours of employees	d	Option D is correct; regular training hours of employees are a lead indicator, predicting future outcomes.	MOCKDISA	1,471	61	MOCKDISA
81. Which of the following are the major benefits of security measures, training and education programs that accrue to an organisation	Reducing fraud	Reducing Unauthorised actions	Improving Employee behaviour	Reducing errors and Omissions	c	Option C is correct; improved employee behavior contributes to reducing fraud, unauthorized actions, and errors.	MOCKDISA	1,472	197	MOCKDISA
82. When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:	hardware is protected against power surges	integrity is maintained if the main power is interrupted	immediate power will be available if the main power is lost	hardware is protected against long-term power fluctuations	a	Option A is correct; a voltage regulator protects hardware against short-term power surges.	MOCKDISA	1,473	83	MOCKDISA
83. The quality assurance group is typically responsible for:	ensuring that the output received from system processing is complete	monitoring the execution of computer processing tasks	ensuring that programs and program changes and documentation adhere to established standards	designing procedures to protect data against accidental disclosure, modification or destruction	c	Option C is correct; QA ensures adherence to standards for programs and documentation.	MOCKDISA	1,474	138	MOCKDISA
84. The Security manager is responsible for	Planning and managing overall needs for data resources	Ensuring the integrity of data in shared environment	Determining and monitoring controls over access to data	Making data available to users when and where it is needed	c	Option C is correct; security managers oversee controls on access to data.	MOCKDISA	1,475	81	MOCKDISA
85. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of system development projects?	User management	Project steering committee	Senior management	Systems development management	b	Option B is correct; the project steering committee oversees project costs and timetables.	MOCKDISA	1,476	75	MOCKDISA
86. Which of the following is most essential to implement IT governance within organisation	IT Department reports to steering committee	IT Budget is based on percent of business budget	IT strategy is aligned with business objectives	IT issues are part of agenda on board meeting	c	Option C is correct; IT governance requires alignment with business objectives.	MOCKDISA	1,477	131	MOCKDISA
87. Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?	Function point analysis	Earned value analysis	Cost budget	Program Evaluation and Review Technique	b	Option B is correct; earned value analysis is used for project progress and forecasting.	MOCKDISA	1,478	23	MOCKDISA
88. From a risk management viewpoint which of the following options is not acceptable	Accept the risk	Assign the risk	Avoid the risk	Defer the risk	d	Option D is correct; deferring risk means delaying or ignoring it, which is not a proactive risk management approach.	MOCKDISA	1,479	167	MOCKDISA
89. The responsibility for designing, implementing and maintaining a system of internal control lies with:	the IS auditor	management	the external auditor	the programming staff	b	Option B is correct; management is responsible for internal control systems.	MOCKDISA	1,480	172	MOCKDISA
90. Security can be lax under which of the following organisational structures or management practices	Right sizing	Upsizing	Downsizing	Budget sizing	c	Option C is correct; downsizing can lead to security laxity due to reduced staffing and oversight.	MOCKDISA	1,481	107	MOCKDISA
91. Which of the following items is most important in controlling the risks of operating a computer-based information system.	a vulnerability inducing a threat	Asset valuation	Threat identification	Vulnerability analysis	a	Option A is correct; understanding vulnerabilities and threats is crucial to managing risks in an information system.	MOCKDISA	1,482	173	MOCKDISA
92. An IS auditor involved in the requirements phase of a new application development project should ensure that:	programmers provide input to the functional requirements	security requirements have been defined	payback for the system is within an acceptable range	a turnkey solution for the system requirements is available	b	Option B is correct; defining security requirements is critical in the early phases of application development.	MOCKDISA	1,483	17	MOCKDISA
93. Data corruption can be prevented by which of the following.	Redundancy	Isolation	Policies	Procedures	a	Option A is correct; redundancy helps prevent data loss or corruption by ensuring data is stored in multiple locations.	MOCKDISA	1,484	66	MOCKDISA
94. Data leakage cannot be prevented by which of the following.	Redundancy	Encryption	Access controls	Cryptography	a	Option A is correct; redundancy does not prevent data leakage directly.	MOCKDISA	1,485	144	MOCKDISA
95. An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?	Pilot	Parallel	Direct cut-over	Phased	c	Option C is correct; direct cut-over involves switching immediately, posing the highest risk as it lacks fallback options.	MOCKDISA	1,486	66	MOCKDISA
96. For e-commerce applications which of the following forms the foundation for building secure online application systems	Client security	Secure transport protocols	Operating system security	Server Security	c	Option C is correct; operating system security is fundamental for secure e-commerce applications.	MOCKDISA	1,487	64	MOCKDISA
97. Which of the following is not a primary component or aspect of firewall systems	Protocol filtering	Application gateways	Extended logging capability	Packet Switching	d	Option D is correct; packet switching is not a primary component of firewall systems.	MOCKDISA	1,488	202	MOCKDISA
98. A message authentication code (MAC) is a	Data checksum	Cryptographic checksum	Digital Signature	Cyclic Redundancy Check	b	Option B is correct; a MAC is a cryptographic checksum used for data integrity and authentication.	MOCKDISA	1,489	113	MOCKDISA
99. Which of the following provide both integrity and confidentiality services for data and messages	Digital signature	Encryption	Cryptographic checksums	Granular access control	b	Option B is correct; encryption provides both integrity and confidentiality services.	MOCKDISA	1,490	77	MOCKDISA
100. The principle of least privilege refers to the security objective of granting users only those accesses they need to perform their job duties. which of the following actions is inconsistent with the principle of least privilege.	Authorization creep	Reauthorization when employees change positions	Users have little access to the system	Users have significant access to the systems	a	Option A is correct; authorization creep grants users more access than necessary, violating the principle of least privilege.	MOCKDISA	1,491	122	MOCKDISA
101. Which of the following user identification and authentication techniques depend on reference profiles or templates.	Memory tokens	Smart tokens	Cryptography	Bio metric systems	d	Option D is correct; biometric systems use reference profiles or templates for identification and authentication.	MOCKDISA	1,492	176	MOCKDISA
102. Which of the following attacks take advantage of dynamic system actions and the ability to manipulate the timing of those actions.	Active attacks	Passive attacks	Asynchronous attacks	Tunneling attacks	c	Option C is correct; asynchronous attacks manipulate the timing of queued actions to exploit vulnerabilities.	MOCKDISA	1,493	99	MOCKDISA
103. Secure gateways block or filter access between two networks. Which of the following benefits resulting from the use of secure gateways is not true.	Secure gateways prevent the spread of computer viruses	Secure gateways reduce risks from malicious hackers	Secure gateways reduce internal system security overhead	Secure gateways can centralize management services	a	Option A is correct; secure gateways primarily control access between networks but do not directly prevent computer viruses.	MOCKDISA	1,494	49	MOCKDISA
104. Attacks by hackers are a major problem. Which of the following control techniques prevent hackers from trying to log into computer systems.	Access control list and smart tokens	Dial back modems and firewalls	Access control lists and dial back modems	Dial back modems and smart tokens	b	Option B is correct; dial back modems and firewalls are effective against unauthorized access attempts by hackers.	MOCKDISA	1,495	133	MOCKDISA
105. Which of the following is an operating system access control function?	Logging user activities	Logging data communication access activities	Verifying user authorization at the field level	Changing data files	a	Option A is correct; logging user activities is a fundamental function of operating system access control.	MOCKDISA	1,496	96	MOCKDISA
106. Which of the following is a direct example of social engineering from a computer security viewpoint	Involvement in computer fraud	Involvement in trickery or coercion techniques	Involvement in computer theft	Involvement in computer sabotage	b	Option B is correct; social engineering involves tricking or coercing individuals into divulging sensitive information.	MOCKDISA	1,497	184	MOCKDISA
107. Name the damaging act that uses a computer program to trigger an unauthorized malicious activity when some predefined condition occurs	Logic Bombs	Computer viruses	Worm	Nak attack	a	Option A is correct; logic bombs execute malicious actions based on specific conditions.	MOCKDISA	1,498	121	MOCKDISA
108. In a database management system (DBMS), the location of data and the method of accessing the data are provided by the:	data dictionary	metadata	directory system	data definition language	c	Option C is correct; the directory system specifies data location and access methods in a DBMS.	MOCKDISA	1,499	53	MOCKDISA
109. The most common concern regarding a physical security area is:	Fire suppression system	Piggybacking	Locks and Keys	Natural disasters	b	Option B is correct; piggybacking poses a risk of unauthorized access in physical security areas.	MOCKDISA	1,500	182	MOCKDISA
110. A universal serial bus (USB) port:	connects the network without a network card	connects the network with an Ethernet adapter	replaces all existing connections	connects the monitor	b	Option B is correct; a USB port can connect a network using an Ethernet adapter without needing a separate network card.	MOCKDISA	1,501	59	MOCKDISA
111. An attack in which someone manipulates others into revealing information that can be used for personal gain is called:	Social Engineering	Electronic trashing	Electronic piggybacking	Electronic harassment	a	Option A is correct; social engineering involves manipulating individuals to divulge sensitive information.	MOCKDISA	1,502	161	MOCKDISA
112. An attack that attempts to exploit a weakness in the system at a low level of abstraction is called:	Technical attack	Tunneling attack	Nak attack	Active attack	b	Option B is correct; tunneling attacks exploit low-level system weaknesses.	MOCKDISA	1,503	136	MOCKDISA
113. Which of the following is the most effective method for password creation:	Use Password generators	Use password advisors	Assign passwords to users	Implement user selected passwords	b	Option B is correct; password advisors help users create strong passwords.	MOCKDISA	1,504	174	MOCKDISA
114. The world wide web on the internet can be protected against the risk of eavesdropping in an economical and conventional manner through the use of:	Link and document encryption	Secure socket layer and secure HTTP	Link encryption and secure socket layer	Document encryption and secure HTTP	b	Option B is correct; SSL (Secure Socket Layer) and HTTPS provide encryption to protect against eavesdropping.	MOCKDISA	1,505	161	MOCKDISA
115. A source of eavesdropping on the world Wide web server is:	Access Logs	System Logs	Agent Logs	Error Logs	b	Option B is correct; system logs can be exploited for eavesdropping through traffic analysis.	MOCKDISA	1,506	156	MOCKDISA
116. In a TCP/IP-based network, an IP address specifies a:	network connection	router/gateway	computer in the network	device on the network	a	Option A is correct; an IP address specifies a network connection in a TCP/IP network.	MOCKDISA	1,507	203	MOCKDISA
117. Which of the following statements about encryption is not true:	Software encryption degrades system performance	Hardware encryption is faster	Encryption is a desirable option in a LAN	Key management is an administrative burden	c	Option C is correct; encryption can degrade LAN performance due to overheads.	MOCKDISA	1,508	4	MOCKDISA
118. Ensuring data and program integrity is important. Which of the following controls applies the separation of duties principle most in an automated computer environment:	File placement controls	Data file naming conventions	Program library controls	Program and job naming conventions	c	Option C is correct; program library controls enforce separation of duties by managing which programs can run in production.	MOCKDISA	1,509	124	MOCKDISA
119. Identify the damaging act where the network is searched for idle computing resources and executes the program in small segments:	Computer Viruses	Trojan Horses	Worms	Asynchronous attacks	c	Option C is correct; worms exploit idle computing resources to execute segments of a program.	MOCKDISA	1,510	139	MOCKDISA
120. Cryptography provides all of the following except:	Authentication	Confidentiality	Integrity	Availability	d	Option D is correct; cryptography primarily focuses on authentication, confidentiality, and integrity, not availability.	MOCKDISA	1,511	190	MOCKDISA
121. Which of the following layers does not provide confidentiality services:	Presentation Layer	Transport Layer	Network layer	Session Layer	d	Option D is correct; the Session Layer does not provide confidentiality services.	MOCKDISA	1,512	181	MOCKDISA
122. Which of the following identification techniques provides the best means of user authentication:	What the user is	What the user has	What the user knows	What the user has and what the user knows	d	Option D is correct; two-factor authentication provides stronger security than single-factor methods.	MOCKDISA	1,513	76	MOCKDISA
123. Which of the following methods provides the highest security to protect access from Unauthorised people:	Encryption	Call Back or dial back systems	Magnetic cards with identification number	User ID and Password	a	Option A is correct; encryption provides strong protection against unauthorized access.	MOCKDISA	1,514	83	MOCKDISA
124. Which of the following password related factors cannot be tested with automated vulnerability testing tools:	Password length	Password lifetime	Password secrecy	Password storage	c	Option C is correct; secrecy of passwords cannot be verified by automated tools.	MOCKDISA	1,515	13	MOCKDISA
125. Which of the following ISO/OSI layers provides access control services:	Transport layer	Presentation Layer	Session layer	Data link Layer	a	Option A is correct; the Transport layer provides access control services.	MOCKDISA	1,516	115	MOCKDISA
126. Which of the security codes is the longest thereby making it difficult to guess:	Passphrases	Passwords	Lockwords	Passcodes	a	Option A is correct; passphrases, due to their length, are harder to guess.	MOCKDISA	1,517	85	MOCKDISA
127. Indicate the most objective and relevant evidence of fraud in a computer environment:	Physical examination	Physical observation	Inquiries of people	Computer Logs	d	Option D is correct; computer logs provide objective evidence of activities.	MOCKDISA	1,518	129	MOCKDISA
128. Programmers frequently create entry points into a program for debugging purposes and/or insertion of new program codes at a later date. These entry points are called:	Logic bombs	Worms	Trapdoors	Trojan Horses	c	Option C is correct; trapdoors are intentional entry points into software.	MOCKDISA	1,519	132	MOCKDISA
129. In a fire extinguishing environment a dry pipe is:	A sprinkler system in which the water does not enter the pipes until the automatic sensor indicates that there is a fire in the area	A sprinkler system in which the water is in the pipe but the outside of the pipe is dry	A Halon gas system that contains a dry pipe	A carbon dioxide gas system that has a dry chemical to extinguish a fire	a	Option A is correct; a dry pipe sprinkler system activates water flow only when a fire is detected.	MOCKDISA	1,520	81	MOCKDISA
130. What is the name of the malicious act involving a computer program looking normal but containing harmful code:	Trapdoor	Trojan Horse	Worm	Time Bomb	b	Option B is correct; a Trojan Horse appears benign but carries harmful code.	MOCKDISA	1,521	4	MOCKDISA
131. Which of the following would BEST support 24/7 availability?	Daily backup	Offsite storage	Mirroring	Periodic testing	c	Option C is correct; mirroring ensures immediate recoverability for continuous availability.	MOCKDISA	1,522	48	MOCKDISA
132. Which of the following combination controls would not be appropriate in extinguishing fires:	Smoke/fire detectors	Water sprinklers	Uninterruptible power supply equipment	Fire or evacuation drills	c	Option C is correct; while useful for other purposes, uninterruptible power supply equipment does not directly extinguish fires.	MOCKDISA	1,523	169	MOCKDISA
133. If end users find errors and omissions during acceptance testing of software who should make corrections to an application system:	End users	Quality assurance specialist	Database application specialist	Application programmer/analyst	d	Option D is correct; application programmers/analysts are responsible for correcting software during acceptance testing.	MOCKDISA	1,524	92	MOCKDISA
134. If a database is restored using before-image dumps, where should the process be started following an interruption?	Before the last transaction	After the last transaction	As the first transaction after the latest checkpoint	As the last transaction before the latest checkpoint	a	Option A is correct; starting before the last transaction ensures the database is restored to a consistent state.	MOCKDISA	1,525	74	MOCKDISA
135. Which of the following phases of a system development life cycle should not be compressed for the proper development of a prototype:	System initiation	System definition	System testing	System Design	c	Option C is correct; system testing should not be compressed to ensure prototype quality.	MOCKDISA	1,526	45	MOCKDISA
136. Which of the following is not part of software quality metrics:	Completeness	Ergonomics	Correctness	Reliability	b	Option B is correct; ergonomics deals with physical design considerations, not software quality metrics.	MOCKDISA	1,527	169	MOCKDISA
137. Which of the following items is most difficult to manage in a system development life cycle project:	Project member turnover	Changes in hardware	Creeping Functions	Changes in project funding	c	Option C is correct; creeping functions (scope creep) pose challenges by continually adding requirements.	MOCKDISA	1,528	32	MOCKDISA
138. Which of the following system development approaches best brings the operational viewpoint to the requirement specification phase:	Waterfall model	Incremental development model	Evolutionary development model	Rapid prototyping model	d	Option D is correct; rapid prototyping involves end-user feedback early in the process.	MOCKDISA	1,529	76	MOCKDISA
139. In object oriented technology an object is the unit of work. Which of the following is not a key concept of object oriented technology:	Encapsulation	Reusability	Messaging	Inheritance	b	Option B is correct; while beneficial, reusability is not considered a key concept of object-oriented technology.	MOCKDISA	1,530	162	MOCKDISA
140. The software test objective of verifying that each required capability is implemented correctly is achieved in which of the following types of software testing approaches:	Conversion test	Function test	Parallel test	Volume test	b	Option B is correct; function tests verify correct implementation of each capability.	MOCKDISA	1,531	35	MOCKDISA
141. Which of the following reasons is most compelling to get rid of legacy application system	More flexible computing platforms are needed	The operating system software is no longer supported	Program modifications are difficult	The hardware platform is no longer supported	c	Option C is correct; difficult program modifications pose a significant risk in legacy systems.	MOCKDISA	1,532	126	MOCKDISA
142. The architecture of an expert system does not include which one of the following	Knowledge base	Computing environment	Inference Engine	End user interface	b	Option B is correct; the computing environment varies and is not integral to the expert system's architecture.	MOCKDISA	1,533	63	MOCKDISA
143. An IS auditor performing a review of the backup processing facilities should be MOST concerned that:	Adequate fire insurance exists	Regular hardware maintenance is performed	Offsite storage of transaction and master files exists	Backup processing facilities are fully tested	c	Option C is correct; offsite storage is crucial for recovery of data in case of a disaster.	MOCKDISA	1,534	103	MOCKDISA
144. Which of the following is not used in software requirements, design, programming and the project management processes	Prototyping	Test Data generators	Simulation	Modeling	b	Option B is correct; test data generators are primarily used in testing, not in development processes.	MOCKDISA	1,535	30	MOCKDISA
145. Software reverse engineering can do all of the following except:	Software requirements	Software planning	Software documentation	Software reusability	b	Option B is correct; software planning requires human judgment and is not a result of reverse engineering.	MOCKDISA	1,536	13	MOCKDISA
146. Rapid prototyping is not useful in which of the following phases of a system development life cycle	Requirements	Design	Implementation	Maintenance	d	Option D is correct; rapid prototyping is not typically applied to maintenance phases.	MOCKDISA	1,537	160	MOCKDISA
147. Which of the following testing techniques can be used in all phases of a system development life cycle	Performance testing	Regression analysis and testing	Back to Back testing	Stress Testing	b	Option B is correct; regression testing is used throughout SDLC to validate changes and ensure stability.	MOCKDISA	1,538	168	MOCKDISA
148. Which of the following software development models became the basis for the other models	Waterfall Model	Prototyping model	Spiral model	Incremental model	a	Option A is correct; other models have evolved from the waterfall model's sequential approach.	MOCKDISA	1,539	188	MOCKDISA
149. A company performs full backup of data and programs on a regular basis. The primary purpose of this practice is to:	Maintain data integrity in the applications	Restore application processing after a disruption	Prevent unauthorized changes to programs and data	Ensure recovery of data processing in case of a disaster	b	Option B is correct; backups are crucial for restoring application processing after disruptions.	MOCKDISA	1,540	33	MOCKDISA
150. The correct sequence of application software testing is	Integration test, unit test, systems test, acceptance test	Unit test, Systems test, integration test, acceptance test	Acceptance test, unit test, integration test, systems test	Unit test, integration test, systems test, acceptance test	d	Option D is correct; unit testing precedes integration testing, followed by system testing and acceptance testing.	MOCKDISA	1,541	81	MOCKDISA
151. Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:	Database integrity checks	Validation checks	Input controls	Database commits and rollbacks	d	Option D is correct; commits and rollbacks ensure data integrity during transaction processing.	MOCKDISA	1,542	177	MOCKDISA
152. Which of the following system development approaches best captures the reality of the way people actually work	Object oriented development model	Waterfall development model	Incremental development model	Evolutionary development model	a	Option A is correct; object-oriented development builds upon existing concepts, closer to real-world practices.	MOCKDISA	1,543	154	MOCKDISA
153. When developing a backup strategy, the FIRST step is to:	Identify the data	Select the storage location	Specify the storage media	Define the retention period	a	Option A is correct; identifying what data needs to be backed up is the initial step in developing a backup strategy.	MOCKDISA	1,544	150	MOCKDISA
154. During the planning stage of an IS audit, the PRIMARY goal of the IS auditor is to:	Address audit objectives	Collect sufficient evidence	Specify appropriate tests	Minimize audit resources	a	Option A is correct; planning ensures audit objectives are met effectively.	MOCKDISA	1,545	190	MOCKDISA
155. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools is MOST suitable for performing that task?	CASE tools	Embedded data collection tools	Heuristic scanning tools	Trend/variance detection tools	d	Option D is correct; trend/variance detection tools are designed to detect anomalies in behavior.	MOCKDISA	1,546	12	MOCKDISA
156. The IS auditor's participation in which of the following system development life cycle activities would provide the most benefit to the organization:	Program development	Configuration planning	System requirements definition	Program testing	c	Option C is correct; involvement in requirements definition helps identify necessary controls.	MOCKDISA	1,547	115	MOCKDISA
157. Beta test sites for software products are usually defined as:	Locations and environments with personnel able to measure programmer productivity	Environments within which to satisfy early commitments to customer shipments of new software products	Sites willing to help the software vendor evaluate product completeness and correctness	Sites used to test product demand	c	Option C is correct; beta test sites assist in evaluating product completeness and correctness.	MOCKDISA	1,548	60	MOCKDISA
158. Both White Box testing and Black Box testing are performed in which of the following:	Unit testing	Integration Testing	System Testing	Acceptance testing	a	Option A is correct; unit testing involves both white box and black box testing at the lowest level.	MOCKDISA	1,549	6	MOCKDISA
159. Which of the following tests is driven by system requirements:	Black Box testing	White Box testing	Gray box Testing	Integration testing	a	Option A is correct; black box testing validates system requirements.	MOCKDISA	1,550	87	MOCKDISA
160. Attributes of software product quality do not include:	Design	Documents	Code	Tools	d	Option D is correct; tools are not considered an attribute of software product quality.	MOCKDISA	1,551	187	MOCKDISA
161. One class of data processing error is the failure to enter all the data that should be presented to the system. Which one of the following would you expect management to install in their effort to detect this class of error:	Existence check	Control Totals	Limit Check	Reasonableness check	b	Option B is correct; control totals reconcile input to source document totals, detecting missing data.	MOCKDISA	1,552	163	MOCKDISA
162. A company’s wage distribution report requires extensive corrections each month because of labor hours charged to inactive jobs. Which of the following data processing input controls appears to be missing:	Completeness test	Validity test	Limit test	Control total	b	Option B is correct; validity tests ensure transaction codes and data are valid, preventing errors like inactive job charges.	MOCKDISA	1,553	82	MOCKDISA
163. Which one of the following could an IS auditor use to validate the effectiveness of edit and validation routines?	Domain integrity test	Relational integrity test	Referential integrity test	Parity checks	a	Option A is correct; domain integrity tests verify data conformity to defined standards, including validation routines.	MOCKDISA	1,554	163	MOCKDISA
164. An online bank teller system permitted withdrawals from inactive accounts. The best control for denying such withdrawals is a:	Proof calculation	Check digit verification	Master file lookup	Duplicate record check	c	Option C is correct; a master file lookup would deny access to inactive accounts effectively.	MOCKDISA	1,555	142	MOCKDISA
165. In a critical server, an IS auditor discovers a Trojan horse that was produced by a known virus that exploits a vulnerability of an operating system. Which of the following should an IS auditor do FIRST?	Investigate the virus's author	Analyze the operating system log	Ensure that the malicious code is removed	Install the patch that eliminates the vulnerability	c	Option C is correct; removing the malicious code ensures immediate system safeguarding.	MOCKDISA	1,556	102	MOCKDISA
166. Which of the following is the PRIMARY advantage of using computer forensic software for investigations?	The preservation of the chain of custody for electronic evidence	Time and cost savings	Efficiency and effectiveness	Ability to search for violations of intellectual property rights	a	Option A is correct; preserving chain of custody ensures admissibility of evidence.	MOCKDISA	1,557	94	MOCKDISA
167. Before each employee pay raise was effective, a data entry operator entered a new wage rate for salaried and hourly employees. The operator by mistake entered Rs. 100 instead of Rs. 10 for an hourly rate. The best control for preventing this error from resulting in overpayment of wages to employees is use of:	A reasonableness check	Self checking digit	Prior data matching	A mathematical accuracy check	a	Option A is correct; reasonableness checks would detect and prevent such overpayments.	MOCKDISA	1,558	202	MOCKDISA
168. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, an IS auditor should:	Identify and assess the risk assessment process used by management	Identify information assets and the underlying systems	Disclose the threats and impacts to management	Identify and evaluate the existing controls	d	Option D is correct; evaluating existing controls follows identifying threats and impacts in risk analysis.	MOCKDISA	1,559	182	MOCKDISA
169. A data entry clerk typed the account number as 124356 into the computer for a customer's payment on account when the account number that should have been typed was 123456, resulting in the wrong customer account being updated. What input control would have prevented this error:	Check Digit	Control Totals	Limit Check	Value Test	a	Option A is correct; check digits are designed to catch transposition errors in data entry.	MOCKDISA	1,560	181	MOCKDISA
170. Which of the following should be of MOST concern to an IS auditor?	Lack of reporting of a successful attack on the network	Failure to notify police of an attempted intrusion	Lack of periodic examination of access rights	Lack of notification to the public of an intrusion	a	Option A is correct; failure to report a successful attack could lead to ongoing vulnerabilities and breaches.	MOCKDISA	1,561	107	MOCKDISA
171. During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:	Systems programmer	Legal staff	Business unit manager	Application programmer	c	Option C is correct; the business unit manager understands organizational requirements, crucial for defining service levels.	MOCKDISA	1,562	145	MOCKDISA
172. The best control for identifying missing and duplicate transactions over long time periods is :	Manual agreement of a batch register	Computer agreement of batch totals	A batch sequence check	A cumulative sequence check	d	Option D is correct; cumulative sequence checks track processed transactions over time for discrepancies.	MOCKDISA	1,563	30	MOCKDISA
173. A computer operator has been removing the last page of a printed report before its distribution to authorized users. The best corrective action is to employ:	Retention control	Spooler control	Distribution logs	End of job markers	d	Option D is correct; end of job markers ensure complete report delivery and verify receipt.	MOCKDISA	1,564	192	MOCKDISA
174. An auditor wishes to determine the extent to which invalid data can be contained in a human resources computer system. Examples are invalid job classification, age in excess of retirement age. The best approach to determine the extent of the potential problem is to:	Submit test data to test the effectiveness of edit controls over the input of data	Review and test access controls to ensure that access is limited to authorized individuals	Use generalized audit software to develop a detailed report of all data outside specified parameters	Use generalized audit software to select a sample of employees. Use sample to determine the validity of test data items and project the result to the population as a whole	c	Option C is correct; using audit software to report data outside parameters efficiently identifies invalid entries.	MOCKDISA	1,565	186	MOCKDISA
175. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:	Of the point at which controls are exercised as data flow through the system	That only preventive and detective controls are relevant	That corrective controls can only be regarded as compensating	That classification allows an IS auditor to determine which controls are missing	a	Option A is correct; understanding control points in data flow is crucial for effective control evaluation.	MOCKDISA	1,566	173	MOCKDISA
176. Which of the following would be the BEST population to take a sample from when testing program changes?	Test library listings	Source program listings	Program change requests	Production library listings	d	Option D is correct; production library listings contain approved executables for organizational data processing.	MOCKDISA	1,567	32	MOCKDISA
177. The auditor wants to determine whether or not the computer program is appropriately matching the purchase receipts and vendor invoices throughout the year. Which one of the following computerized audit techniques would be most efficient and effective in accomplishing this objective:	Use the test data method during the last quarter	Use of an integrated test facility throughout the year	Use parallel simulation and apply on a monthly basis	Use the System Control and Audit review file on a daily basis	b	Option B is correct; integrated test facility allows continuous monitoring of program accuracy with real data throughout the year.	MOCKDISA	1,568	35	MOCKDISA
178. Which of the following forms of evidence for the auditor would be considered the MOST reliable?	An oral statement from the auditee	The results of a test performed by an IS auditor	An internally generated computer accounting report	A confirmation letter received from an outside source	d	Option D is correct; confirmation letters from external sources are highly reliable evidence.	MOCKDISA	1,569	186	MOCKDISA
179. Which of the following information systems auditing technique processes real transaction data through auditor developed test programs.	Integrated test facility	Tracing	Parallel simulation	Mapping	c	Option C is correct; parallel simulation uses real transaction data for auditor-developed tests.	MOCKDISA	1,570	16	MOCKDISA
180. In auditing an online perpetual inventory system an auditor selected certain file updating transactions for detailed testing. The audit technique which will provide a computer trail of all relevant processing steps applied to a specific transaction is described as :	Simulation	Snapshot	Code comparison	Tagging and Tracing	d	Option D is correct; tagging and tracing provides a detailed computer trail of processing steps for audited transactions.	MOCKDISA	1,571	77	MOCKDISA
181. An IS auditor reviews an organizational chart PRIMARILY for:	An understanding of workflows	Investigating various communication channels	Understanding the responsibilities and authority of individuals	Investigating the network connected to different employees	c	Option C is correct; organizational charts clarify roles and responsibilities.	MOCKDISA	1,572	67	MOCKDISA
182. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?	Evaluate physical access test results	Determine the risks/threats to the data center site	Review business continuity procedures	Test for evidence of physical access at suspect locations	b	Option B is correct; assessing risks/threats is foundational in security reviews.	MOCKDISA	1,573	26	MOCKDISA
183. The primary reason auditors are reluctant to use Integrated Test Facility is that it requires them to:	Reserve specific master file records and process them at regular intervals	Collect transaction and master file records in a separate file	Notify user personnel so they can make manual adjustments to output	Identify and reverse the fictitious entries to avoid contamination of the master file	d	Option D is correct; managing fictitious entries is a critical concern with ITF.	MOCKDISA	1,574	141	MOCKDISA
184. Embedded audit modules:	Identify unexpected computer code	Aid in debugging application systems	Analyze the efficiency of programming	Enable continuous monitoring of transaction processing	d	Option D is correct; embedded audit modules allow ongoing monitoring of transactions.	MOCKDISA	1,575	72	MOCKDISA
185. An internal auditor was assigned to confirm whether operating personnel had corrected several errors in transaction files that were discovered during a recent audit. Which of the following automated tools is the auditor most likely to use:	On-line enquiry	Parallel simulation	Mapping	Tracing	a	Option A is correct; on-line enquiry facilitates interactive record verification.	MOCKDISA	1,576	66	MOCKDISA
186. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:	Evaluate the record retention plans for off-premises storage	Interview programmers about the procedures currently being followed	Compare utilization records to operations schedules	Review data file access records to test the librarian function	b	Option B is correct; interviewing programmers clarifies access control procedures.	MOCKDISA	1,577	103	MOCKDISA
187. Disaster recovery plans protect against which of the following:	Physical Losses	Economic Losses	Equipment Losses	Inventory Losses	b	Option B is correct; disaster recovery plans primarily mitigate economic losses.	MOCKDISA	1,578	117	MOCKDISA
188. The least critical factor in estimating the maximum tolerable downtime during a disaster is:	Availability of Cold site during the disaster	Time of the disaster	Applications affected by the disaster	Length of the disaster	a	Option A is correct; cold site availability is less critical compared to other factors in downtime estimation.	MOCKDISA	1,579	126	MOCKDISA
189. Which of the following is not an assumption made during the development of a disaster recovery and contingency plan?	Testing and maintenance of the contingency plan should be continual	All resources and materials required to restore processing capability at the backup recovery site should be obtainable off-site	All the less critical jobs need not be recovered	In a multisite environment, a separate set of recovery plans should be developed for each computer center	c	Option C is correct; all critical jobs should be considered for recovery in a contingency plan.	MOCKDISA	1,580	17	MOCKDISA
190. Business functions that can be done manually but only for a brief period of time:	Vital	Sensitive	Critical	Non-Critical	a	Option A is correct; vital functions are essential and cannot be interrupted for long.	MOCKDISA	1,581	131	MOCKDISA
191. identify the correct statement	Both differential and incremental backups take the same amount of time	Incremental backups take longer to complete than differential backups	Differential backups take longer to complete than incremental backups	Incremental backups take longer when using tape drives	c	Option C is correct; differential backups typically take longer than incremental backups.	MOCKDISA	1,582	165	MOCKDISA
192. Which is the most rigorous form of Disaster Recovery Plan Testing	Checklist test	Simulation testing	Full interruption test	Parallel Testing	c	Option C is correct; full interruption test involves disrupting operations for thorough testing.	MOCKDISA	1,583	53	MOCKDISA
193. There are several reasons for a company to develop and implement a disaster recovery plan. What is the most important goal of disaster recovery.	Protect human life	Protect the integrity of the business	Protect critical operating systems.	Protect customer relationships	a	Option A is correct; protecting human life is paramount in disaster recovery planning.	MOCKDISA	1,584	160	MOCKDISA
194. What is the inherent limitation of a disaster recovery planning exercise?	Inability to include all types of disasters.	Assembling disaster management and recovery teams.	Developing early warning monitors that will trigger alerts and responses.	Conducting periodic drills.	a	Option A is correct; planning cannot cover all possible disaster scenarios.	MOCKDISA	1,585	108	MOCKDISA
195. The most effective way to ascertain the hot site vendor’s integrity in practices and priorities in the resource sharing area is to :	Review all subscriber contracts with the hot site vendor	Observe an actual disaster at the hot site vendor	Request a copy of the annual external audit report	Request the hot site vendor’s compliance in writing	c	Option C is correct; an external audit report provides independent verification.	MOCKDISA	1,586	66	MOCKDISA
196. Which of the following rationales is not a sound one. Disaster recovery plan should be tested	By Simulation	In stages.	In an unannounced manner.	In actual use.	d	Option D is correct; testing should not rely on a real disaster occurrence.	MOCKDISA	1,587	63	MOCKDISA
197. If the recovery time objective (RTO) increases:	the disaster tolerance increases.	the cost of recovery increases.	a cold site cannot be used.	the data backup frequency increases.	a	Option A is correct; a higher RTO indicates greater tolerance for downtime.	MOCKDISA	1,588	167	MOCKDISA
198. In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy?	Disaster tolerance is high.	Recovery time objective is high.	Recovery point objective is low.	Recovery point objective is high.	c	Option C is correct; data mirroring is suitable when the RPO is low.	MOCKDISA	1,589	191	MOCKDISA
199. Which of the following is the best method for determining the criticality of each application system in the production environment	Interview the application programmers	Perform Gap analysis	Review the most recent application audit.	Perform a Business Impact Analysis.	d	Option D is correct; BIA assesses the impact of applications on the organization.	MOCKDISA	1,590	14	MOCKDISA
200. Which of the following represents the greatest risk created by reciprocal agreement for disaster recovery made between two companies:	Developments may result in hardware and software incompatibility	Resources may not be available when needed	The recovery plan cannot be tested	The security infrastructures in each company may be different	a	Option A is correct; compatibility issues can arise from differing upgrades. configurations then the other party will not be able to use their facilities as compatibility issues will crop. This indicates that both the companies will not be able to use each other facilities in case of a disaster.	MOCKDISA	1,591	63	MOCKDISA
1. Which of the following is not the layer of TCP/IP protocol?	Application Layer	Session Layer	Transport Layer	Internetwork layer	b	Session Layer is not a TCP/IP protocol layer.	MOCKDISA	1,592	47	MOCKDISA
2. A concurrent audit technique would include the following:	Integrated test facility	Continuous intermittent simulation	SCARF	All of the above	d	All options are part of concurrent audit techniques.	MOCKDISA	1,593	173	MOCKDISA
3. In audit planning, auditors assess various audit risk factors, which of the following is NOT an audit risk factor considered during audit planning?	Compliance risk	Sampling risk	Market risk	Environmental risk	a	Compliance risk is assessed during the audit, not during audit planning.	MOCKDISA	1,594	61	MOCKDISA
4. When would compensating controls be most important?	There is a lacuna in systems control	Existence of a manual control to cover system lacuna	Controls are found to be slack	Controls over systems are reasonably adequate	b	Compensating controls are used to cover system lacunae with manual controls.	MOCKDISA	1,595	124	MOCKDISA
5. The auditor's role in systems development should be as a(n):	Independent reviewer	Developer of internal controls	Team member in developing program	Management representative for reporting	a	Auditor's role in system development is to maintain independence as a reviewer.	MOCKDISA	1,596	128	MOCKDISA
6. Confirmation involves which of the following actions?	With third parties	Recalculation	Statistics	Regression analysis	a	Confirmation involves verifying balances with third parties.	MOCKDISA	1,597	17	MOCKDISA
7. When sorting inventory records by location with generalized audit software, which of the following functions of a generalized audit software package is used?	File manipulation	Data analysis	Data dictionary	None of the above	a	File manipulation allows sorting of inventory records by location.	MOCKDISA	1,598	171	MOCKDISA
8. Evaluation of audit evidence includes which of the following?	Assess the quality of internal controls	Assess the reliability of information	Assess operating performance	All of the above	d	All options are part of evaluating audit evidence.	MOCKDISA	1,599	31	MOCKDISA
9. Which of the following is the first line of defense?	Directive controls	Detective controls	Corrective controls	Data recovery controls	a	Directive controls are the first line of defense in enterprise security.	MOCKDISA	1,600	29	MOCKDISA
10. When the services that operate and manage the communications line are provided in addition to the line itself, this is referred to as:	VAN	VPN	PAN	WAN	a	VAN stands for Value Added Network, which includes additional services with the communications line.	MOCKDISA	1,601	134	MOCKDISA
11. Which statement is false regarding extranets?	Security and privacy are serious concerns so the extranets are generally secured behind a firewall.	The cost of equipment to establish an extranet may be thousands of dollars at each site and the secure communications lines can be hundreds of dollars each month	Extranets is a good source of information dissemination	None of the above	b	Option B is false because the cost of establishing an extranet is not typically thousands of dollars per site.	MOCKDISA	1,602	38	MOCKDISA
12. Which of the following is a direct benefit of adopting an Interorganizational system?	Increased ability to compete	Increased operational efficiency	Increased customer confidence	Decreased operational costs	b	Interorganizational systems primarily enhance operational efficiency.	MOCKDISA	1,603	79	MOCKDISA
13. Which language can provide file formatting structure and a means for describing data within the file of a Web page?	XML	HTML	DML	None of the above	a	XML provides structure and data description capabilities within web pages.	MOCKDISA	1,604	32	MOCKDISA
14. Which information system is intended to meet the general information needs of managers throughout the firm?	Expert system	Management information system	Robotics	Decision support system	b	Management information systems cater to general information needs of managers.	MOCKDISA	1,605	75	MOCKDISA
15. Which type of video conferencing occurs when people at the receiving sites can talk to people at the transmitting site, while everyone views the same video images?	Two-way video and audio	One-way video and two-way audio	One-way video and one-way audio	Two-way video and two-way audio	b	Option B describes video conferencing where audio is two-way and video is one-way.	MOCKDISA	1,606	60	MOCKDISA
16. The specialist whose duties fall into the areas of planning, implementation, operation, and security is the:	Data administrator	CIO	Database administrator	Data owner	c	A Database administrator (DBA) covers planning, implementation, operation, and security of databases.	MOCKDISA	1,607	51	MOCKDISA
17. Which systems development skill involves the study and ultimate understanding of a situation for the purpose of formulating a response or solution?	Communication skills	Analytical ability	Mathematical accuracy	Documentation ability	b	Analytical ability involves studying a situation to formulate a response or solution.	MOCKDISA	1,608	42	MOCKDISA
18. The challenge faced by developing a knowledge management system that states "that a clear definition of KM must be formulated and used within the organization that fits within the existing IT infrastructure, falls into which logical set?	Standards	Cost benefit risks	Geographical risks	None of the above	a	Developing a standard definition for KM aligns with the challenge mentioned.	MOCKDISA	1,609	35	MOCKDISA
19. Which of the following is NOT a connection strategy used in distributed systems?	Circuit switching	Message switching	Token switching	Packet switching	c	Token switching is not a connection strategy used in distributed systems.	MOCKDISA	1,610	46	MOCKDISA
20. What is a common problem found in distributed systems?	Process Synchronization	Communication synchronization	Deadlock problem	Power failure	c	Deadlock problems are common in distributed systems due to concurrent access issues.	MOCKDISA	1,611	135	MOCKDISA
21. Once the changes are written to the log, they are considered to be-	Committed	Aborted	Completed	None of the above	a	Changes written to a log are committed unless unauthorized modifications occur.	MOCKDISA	1,612	79	MOCKDISA
22. When you continuously measure yourself against your peers, you are employing-	Benchmarking	Peer to peer review	Outsourcing	None of the above	a	Benchmarking involves comparing against peers to assess performance.	MOCKDISA	1,613	15	MOCKDISA
23. What term refers to the amount of information that can pass through a system during a specified amount of time?	Data speed	Broadband	Throughput	System speed	c	Throughput specifically denotes the data transfer rate in a system.	MOCKDISA	1,614	144	MOCKDISA
24. When one computer provides services to another computer, the environment is a(n) _____ infrastructure.	Independent	Client-server environment	Dependent	Reliant	b	A client-server environment involves one computer (client) requesting services from another (server).	MOCKDISA	1,615	116	MOCKDISA
25. When there is little or no exchange of information within an organization's information systems, we say that the systems are-	Independent	Autonomous	Centralized	Decentralized	d	Decentralized systems do not share information extensively within the organization.	MOCKDISA	1,616	153	MOCKDISA
26. What term refers to the structure, and substructures, of an organization's information systems?	Subsystems	Infrastructure	IT configurations	None of the above	b	Infrastructure encompasses the structure and substructures of information systems.	MOCKDISA	1,617	97	MOCKDISA
27. When two or more computers are able to share information, what is this called?	Cooperative processing	Interoperability	Standardized processing	Data interchange	b	Interoperability refers to the ability of computers to share information.	MOCKDISA	1,618	26	MOCKDISA
28. What type of information systems reuses self-contained blocks of code in its systems?	Modular systems	Component programming	Block based coding	Service oriented architecture (SOA)	d	Service Oriented Architecture (SOA) uses reusable blocks of code.	MOCKDISA	1,619	87	MOCKDISA
29. Which of the following risks will increase by the installation of a database system?	Programming errors	Data entry errors	Improper file access	Loss of parity	c	Improper file access risk increases with database system installation without proper access controls.	MOCKDISA	1,620	55	MOCKDISA
30. An independent software program that connects two otherwise separate applications to share computing resources across heterogeneous technologies is known as:	Middleware	Firmware	Software	Embedded systems	a	Middleware connects separate applications for resource sharing across different technologies.	MOCKDISA	1,621	159	MOCKDISA
31. In an inventory system on a database management system, one stored record contains part number, part name, part colour, and part weight. These individual items are called-	Stored files	Fields	Bytes	Occurrences	b	Individual part details like number, name, color, weight are referred to as fields in a database record.	MOCKDISA	1,622	135	MOCKDISA
32. Which of the following database model is considered most versatile?	The hierarchical model	The tree model	The network model	The relational model	d	The relational model allows for versatile and complex data modeling using tables and relationships.	MOCKDISA	1,623	52	MOCKDISA
33. The relationship between online real-time database systems and batch processing systems is that-	A firm will have only one processing mode because a single computer cannot do both.	A firm will not use batch processing if it has a large computer	A firm may use both processing modes concurrently	A firm will always prefer online real-time processing system because batch processing is slow.	c	Organizations often use both online real-time and batch processing systems concurrently depending on needs.	MOCKDISA	1,624	58	MOCKDISA
34. Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?	Gateway	Protocol converter	Front-end communication processor	Concentrator/multiplexor	a	Gateways facilitate the translation and routing of email messages across different networks.	MOCKDISA	1,625	124	MOCKDISA
35. Which of the following is a benefit of using “call back” devices?	Provide an audit trail.	Can be used in a switchboard environment.	Permit unlimited user mobility.	Allow call forwarding.	a	"Call back" devices provide an audit trail of authenticated users via modem callback, enhancing security.	MOCKDISA	1,626	33	MOCKDISA
36. A hub is that device which connects-	Two LANs using different protocols	A LAN with a WAN	A LAN with a MAN	Two segments of a single LAN	d	A hub connects multiple segments of a single LAN to facilitate communication.	MOCKDISA	1,627	198	MOCKDISA
37. In a social media risk management, what is the MOST important asset an IS auditor will focus on?	Brand and reputation	Compliance to policy	Corrective controls in place	None of the above	a	Brand and reputation are crucial in social media risk management due to their impact on business credibility.	MOCKDISA	1,628	132	MOCKDISA
38. In the audit of third party contracts, industry standards advocate which of the following controls as mandatory?	Compliance to SSAE 16 standard	Compliance to ISAE 3402	Right to audit clause in the contract	All of the above	c	The right to audit clause is essential for auditing third party service providers, ensuring compliance and continuity.	MOCKDISA	1,629	145	MOCKDISA
39. What are the opportunities for IS auditor in terms of training?	Training IT professionals on controls	Training internal audit staff	Creating security awareness amongst client personnel	All of the above	d	IS auditors have opportunities in training across various domains like controls, internal audit, and security awareness.	MOCKDISA	1,630	158	MOCKDISA
40. Which of the following is NOT a type of Business Analytics?	Descriptive analysis	Retrospective analysis	Predictive analysis	Prescriptive analysis	b	Retrospective analysis is not a recognized type of business analytics; the other options are valid types.	MOCKDISA	1,631	65	MOCKDISA
41. Control in design of an information system is used to	Inspect the system and check that it is built as per specifications	Protect data from accidental or intentional loss	Ensure that the system processes data as it was designed to and that the results are reliable	Ensure privacy of data processed by it	c	Controls in system design ensure accurate data processing and reliable results.	MOCKDISA	1,632	170	MOCKDISA
42. Controls are necessary in information systems as	Massive amount of data are processed and chances of human errors in data entry is more.	Accidental errors can cause loss of money and credibility	Protect the system from virus attack	Disk may crash causing data loss	a	Controls mitigate risks arising from large data volumes and potential human errors in data entry.	MOCKDISA	1,633	88	MOCKDISA
43. Audit in the design of information system is used to	Inspect the system and check that it is built as per specifications	Protect data from accidental or intentional loss	Ensure that the system processes data as it was designed to and that the results are reliable	Ensure privacy of data processed by it	a	Auditing system design verifies compliance with initial specifications and requirements.	MOCKDISA	1,634	10	MOCKDISA
44. An audit trail is established in a system to	Detect errors in a system	Enable auditing of a system	Localize the source of an error in a system	Trail a program	c	An audit trail helps locate the source of errors for correction and accountability.	MOCKDISA	1,635	46	MOCKDISA
45. The purpose of parallel run is to	To see whether outputs of a newly computerized system matches those of currently running manual or legacy system	Have redundancy for reliability	Test an operational information system	Test a system being newly designed	b	Parallel run ensures operational continuity and validates new system outputs against existing ones.	MOCKDISA	1,636	96	MOCKDISA
46. Which of the following is MOST LIKELY to be included in general control procedures?	Proper authorization procedures	Data and program access policies	Data processing operations	System Development methodologies	a	Proper authorization procedures are fundamental to general control procedures.	MOCKDISA	1,637	200	MOCKDISA
47. The auditor typically has two roles to play in computer environments. First, (s) he may be responsible for evaluating the client’s computer system controls in the course of an audit. Second, (s) he may be able to	Use the computer as a tool to perform the audit more efficiently or effectively.	Earn additional revenue by selling hardware systems to audit clients.	Provide the IRS with computer files of audit clients.	Earn additional revenue by selling software systems to audit clients.	a	Using computers to enhance audit efficiency is a primary role of the IS auditor.	MOCKDISA	1,638	66	MOCKDISA
48. Modern computer technology makes it possible to perform paperless audits. For example, in an audit of computer-processed customer accounts receivable balances, an auditor might use a microcomputer to access the accounts receivable directly and copy selected customer records into the microcomputer for audit analysis. Which of the following is an advantage of this type of paperless audit of accounts receivable balances?	It reduces the amount of substantive testing required.	It allows immediate processing of audit data on a spreadsheet working paper.	It increases the amount of technical skill required of the auditor.	It allows direct confirmation of customer account balances.	a	Paperless audits reduce testing effort by extracting and analyzing data efficiently.	MOCKDISA	1,639	7	MOCKDISA
49. Detection risk refers to:	Concluding that material errors do not exist, when in fact they do.	Controls that fail to detect an error.	Controls that detect high-risk errors.	Detecting an error but failing to report it.	a	Detection risk relates to the auditor's risk of failing to detect material errors during testing.	MOCKDISA	1,640	3	MOCKDISA
50. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:	Refuse the assignment since it is not the role of the IS auditor.	Inform management of his/her inability to conduct future audits.	Perform the assignment and future audits with due professional care.	Obtain the approval of user management to perform the implementation and follow-up.	b	The IS auditor should decline roles that compromise independence in future audits.	MOCKDISA	1,641	37	MOCKDISA
51. Which of the following should be the FIRST step of an IS audit?	Create a flowchart of the decision branches.	Gain an understanding of the environment under review.	Perform a risk assessment.	Develop the audit plan.	b	Understanding the environment precedes risk assessment and audit planning.	MOCKDISA	1,642	146	MOCKDISA
52. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:	Variable sampling.	Substantive testing.	Compliance testing.	Stop-or-go sampling.	c	Reviewing "new user" forms for authorization compliance falls under compliance testing.	MOCKDISA	1,643	5	MOCKDISA
53. Overall business risk for a particular threat can be expressed as:	A product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.	The magnitude of the impact should a threat source successfully exploit the vulnerability.	The likelihood of a given threat source exploiting a given vulnerability.	The collective judgment of the risk assessment team.	a	Business risk considers both the likelihood and impact of a threat exploiting a vulnerability.	MOCKDISA	1,644	40	MOCKDISA
54. An audit charter should:	Be dynamic and change often to coincide with the changing nature of technology and the audit profession.	Clearly state audit objectives for the delegation of authority for the maintenance and review of internal controls.	Document the audit procedures designed to achieve the planned audit objectives.	Outline the overall authority, scope and responsibilities of the audit function.	b	An audit charter defines objectives and authority for maintaining internal controls.	MOCKDISA	1,645	160	MOCKDISA
55. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:	Of the point at which controls are exercised as data flow through the system.	That only preventive and detective controls are relevant.	That corrective controls can only be regarded as compensating.	That classification allows an IS auditor to determine which controls are missing.	a	Controls' effectiveness is influenced by where they are applied in data flow.	MOCKDISA	1,646	188	MOCKDISA
56. An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?	There are a number of external modems connected to the network.	Users can install software on their desktops.	Network monitoring is very limited.	Many user ids have identical passwords.	d	Identical passwords pose a significant security risk due to ease of exploitation.	MOCKDISA	1,647	179	MOCKDISA
57. An IS auditor’s primary purpose of looking for audit trails is to:	Improve response time for users.	Establish accountability and responsibility for processed transactions.	Improve the operational efficiency of the system.	Provide useful information to auditors who may wish to track transactions.	b	Audit trails establish accountability by tracking transaction processing.	MOCKDISA	1,648	46	MOCKDISA
58. In an organization where an IT security baseline has been defined, the IS auditor should FIRST ensure:	Implementation.	Compliance.	Documentation.	Sufficiency.	d	Initial focus should be on ensuring controls are sufficient before addressing compliance and documentation.	MOCKDISA	1,649	43	MOCKDISA
59. An IS auditor performing a general controls review of IS management practices relating to personnel should pay particular attention to:	Mandatory vacation policies and compliance.	Staff classifications and fair compensation policies.	Staff training.	The functions assigned to staff.	d	Segregation of duties is critical in personnel management reviews.	MOCKDISA	1,650	153	MOCKDISA
60. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:	Recovery.	Retention.	Rebuilding.	Reuse.	b	An effective e-mail policy includes provisions for retention to meet legal and operational needs.	MOCKDISA	1,651	93	MOCKDISA
61. Which of the following would an IS auditor consider to be the MOST important when evaluating an organization’s IS strategy? That it:	Has been approved by line management.	Does not vary from the IS department’s preliminary budget.	Complies with procurement procedures.	Supports the business objectives of the organization.	d	IS strategy should align closely with business objectives for effective implementation.	MOCKDISA	1,652	88	MOCKDISA
62. By information system testing we mean	Testing an information system correctly.	Determining whether a system is performing as per specifications.	Determining whether a system is performing optimally.	Ensuring proper function of a system.	b	System testing involves verifying if the system meets specified requirements.	MOCKDISA	1,653	37	MOCKDISA
63. Which of the following is not relevant with cross training?	A breakdown in controls due to insufficient understanding and support.	More than one individual has been properly trained to perform a specific job or procedure.	It decreases dependence on one employee.	It would be prudent to have first assessed the risks of any one person knowing all parts of a system and what exposure in control this may cause.	a	Cross training aims to mitigate risk by ensuring multiple individuals can perform critical tasks.	MOCKDISA	1,654	180	MOCKDISA
64. The risk that an auditor could not find a control weakness when in fact it was present is called	Detection risk	Control risk	Inherent risk	Overall audit risk	a	Detection risk refers to the risk of not detecting existing control weaknesses.	MOCKDISA	1,655	179	MOCKDISA
65. IS auditors must have a thorough understanding of the risk assessment Process. Risk assessment is a	Subjective process	Objective process	Mathematical process	Statistical process	a	Risk assessment involves subjective evaluation of risks despite using objective tools.	MOCKDISA	1,656	204	MOCKDISA
66. The responsibility, authority and accountability of the information systems audit functions is appropriately documented in an audit charter and MUST be	Approved by the highest level of management	Approved by audit department	Approved by user management	Changed every year before commencement of IS audits.	a	The audit charter, defining audit roles, must be approved at the highest management level.	MOCKDISA	1,657	175	MOCKDISA
67. GEIT aims at directing IT activities to achieve business objectives for meeting needs of	Investors	Shareholders	Stakeholders	Regulators	c	GEIT focuses on aligning IT with the needs and value expectations of stakeholders. Governance of Enterprise IT (GEIT) is a framework and practices that help organizations use IT resources to meet their goals	MOCKDISA	1,658	17	MOCKDISA
68. Which of the following is a key component of governance?	Security policy	Employee rights	Transparency	Risk assessment	c	Transparency is crucial in governance to ensure stakeholders are well-informed and trust is maintained.	MOCKDISA	1,659	24	MOCKDISA
69. Business governance assists Board to understand	Key controls	Key performance drivers	Risk assessment	Enterprise functions	b	Business governance helps the board grasp key factors driving organizational performance.	MOCKDISA	1,660	176	MOCKDISA
70. Who is responsible for establishing right organizational structures and setting decision-making accountabilities?	Senior management	Operational management	CIO	IT Steering Committee	a	Senior management sets organizational structures and decision-making responsibilities.	MOCKDISA	1,661	119	MOCKDISA
71. Which is the primary objective of Enterprise Risk Management (ERM)?	Right level of controls	Availability of information	Tight security at low cost	Implement IT best practices	a	ERM aims to establish and maintain the appropriate level of controls to manage risks effectively.	MOCKDISA	1,662	94	MOCKDISA
72. Enterprise governance and enterprise IT governance needs a balance between	Compliance and ROI required by shareholders	Profit maximization and wealth maximization fixed by Board	Conformance goals and performance goals as set by Board	IT risks and cost of implementing IT controls as set by IT.	d	Effective GEIT requires balancing IT risks with the cost of implementing controls.	MOCKDISA	1,663	197	MOCKDISA
73. Which is the most important function for IT governance to be effective?	Monitoring	Evaluation	Directing	Managing	c	Effective IT governance hinges on clear direction from management (Directing).	MOCKDISA	1,664	84	MOCKDISA
74. Primary objective of implementing policies, principles and framework	Communicate stakeholder intent	Benchmark performance with competitors	Confirm regulatory compliance	Implement corporate governance	a	Policies and frameworks are implemented primarily to communicate stakeholder intent.	MOCKDISA	1,665	47	MOCKDISA
75. IT risk management process helps in	Prioritizing business functions for audit planning	Optimizing internal control framework	Ensuring residual risk is at an acceptable level	Complying with regulatory requirement	c	IT risk management aims to reduce risks to an acceptable residual level.	MOCKDISA	1,666	174	MOCKDISA
76. Which of the following is a major risk factor?	Inflationary trends	Vendor launches new software	BOD elects new Chairman	Change in Govt. post elections	d	Change in government post elections is a significant risk factor for organizations.	MOCKDISA	1,667	148	MOCKDISA
77. The extent to which an organization can accept financial loss is	Risk tolerance	Risk appetite	Risk management	Risk acceptance	b	Risk appetite defines the capacity of an organization to accept financial loss.	MOCKDISA	1,668	105	MOCKDISA
78. Which of the following is a strategic IT risk?	IS audit may not identify critical non-compliance	Networks are not available, it affects customers	New application does not achieve expected benefits	Defer replacement of obsolete hardware.	d	Delaying the replacement of obsolete hardware poses a strategic IT risk.	MOCKDISA	1,669	108	MOCKDISA
79. Which of the following is the first action after evaluation of inherent risk?	Evaluate implemented controls	Update risk register	Prepare heat map	Prioritize evaluated risks	a	After evaluating inherent risk, the next step is to assess the effectiveness of existing controls.	MOCKDISA	1,670	113	MOCKDISA
80. Which of the following is the reason to review risk?	Changes in risk factors	Change in risk appetite	Change in budget	Change in risk strategy	a	Risk reviews are necessary in response to changes in risk factors.	MOCKDISA	1,671	27	MOCKDISA
81. Which of the following is important consideration for an SLA while outsourcing IT operations to cloud service provider?	Ownership of information	Periodic audit reports	Logical access controls	Reduction in operations cost	a	Ownership of information is crucial in SLAs to maintain control over data outsourced to cloud providers.	MOCKDISA	1,672	58	MOCKDISA
82. Which of the following is primary input for IT resource capacity planning?	Annual financial budget	IT resource acquisition plan	Number of databases in use	Expected growth of business	d	IT resource capacity planning primarily relies on expected business growth and the corresponding need for resources.	MOCKDISA	1,673	154	MOCKDISA
83. In order for a IT strategic plan to be successful, the organization must first ensure the plan focuses on	Optimization of cost	Is aligned with business strategy	Provides direction for IT deployment	Consists of long and short term plans.	b	A successful IT strategic plan must align closely with the overall business strategy to be effective.	MOCKDISA	1,674	113	MOCKDISA
84. Objective of resource optimization process is to ensure	Resource needs for the enterprise are minimized.	Return on IT investments is ensured.	Increased monitoring of benefit realization	Making IT infrastructure resilient.	c	The primary objective of resource optimization is to maximize the benefits realized from IT investments.	MOCKDISA	1,675	144	MOCKDISA
85. Which of the following is best control for building requisite skills and competencies within an organization?	Hiring only qualified personnel	Outsourcing critical operations	Conducting skill enhancement training	Defining skill requirements in job description	c	Skill enhancement training is the most effective method for building skills and competencies within an organization.	MOCKDISA	1,676	153	MOCKDISA
86. Which of the following is function of Information Security Manager?	Implement firewalls in the organization	Perform IT risk assessment	Approve Information Security Policy	Define rules for implementing ID	d	Information Security Managers define rules for implementing identity and access management (ID) within an organization.	MOCKDISA	1,677	111	MOCKDISA
87. A data administrator is primarily a	Database administrator	Data owner	Data custodian	Data integrator	c	A data administrator is primarily responsible for managing and safeguarding data as a custodian.	MOCKDISA	1,678	184	MOCKDISA
88. Which of the following is the most important resource of the organization?	Policies and procedures	IT infrastructure and applications	Information and data	Culture, ethics, behaviour	c	In modern organizations, information and data are considered the most critical resources.	MOCKDISA	1,679	98	MOCKDISA
89. Function of IT Steering Committee is	Align IT objectives with business	Approve and manage IT projects	Supervise IT and business operations	Decide IT strategy for the organization.	a	The primary function of an IT Steering Committee is to align IT objectives with the overall business objectives.	MOCKDISA	1,680	9	MOCKDISA
90. Prioritizing IT initiatives is based on	Results of risk assessments.	Expected benefits realization	Recommendations of CIO	Rate of obsolescence of IT	b	IT initiatives are prioritized based on the expected benefits and returns on investment they are projected to deliver.	MOCKDISA	1,681	192	MOCKDISA
91. Which of the following has the highest impact?	Absence of business continuity plan	Absence of security operations centre	Absence of monitoring SLA	Absence of risk management process	a	The absence of a business continuity plan has the highest impact as it directly affects the organization's ability to recover from disasters.	MOCKDISA	1,682	176	MOCKDISA
92. In the context of effective information security governance, the primary objective of value delivery is to	Optimize security investments in support of business objectives	Implement a standard set of security practices	Institute a standards-based solution	Implement a continuous improvement culture	a	Value delivery in information security governance aims to optimize security investments to align with business objectives.	MOCKDISA	1,683	138	MOCKDISA
93. Which of the following features of a SMART CARD makes it flexible to use?	the ability to protect stored information	the use of a microprocessor and programmable memory	the high speeds at which it is able to operate	the capability of storing huge amounts of information per unit of area	b	The use of a microprocessor and programmable memory makes a SMART CARD flexible for various applications.	MOCKDISA	1,684	70	MOCKDISA
94. Which of the following does NOT use a 'Cryptographic Technique' to protect data?	the use of digital signatures	data encryption	the use of stored encrypted password files	using asymmetric keys at 'sender' and 'receiver' nodes	c	Encrypted password files protect passwords, not data, and do not employ cryptographic techniques to protect data itself.	MOCKDISA	1,685	112	MOCKDISA
95. Which of the following is the MOST important characteristic of the Internet?	The 'secure' surroundings within which it is implemented	The ability to provide an open, easy-to-use network	It eliminates the need for firewalls	It is not necessary to use a fast computer to use the Internet.	b	The Internet's most important characteristic is its ability to provide an open, easy-to-use network for global communication and information exchange.	MOCKDISA	1,686	139	MOCKDISA
96. What is the importance of using Protocols on the Internet?	to provide a universal data 'platform' for all connections to use	so that nobody gets confused	to enable the use of cryptographic techniques	to prevent the use of viruses	a	Protocols on the Internet provide a universal set of rules and standards for data exchange and communication between devices and networks.	MOCKDISA	1,687	10	MOCKDISA
97. Which of the following is not an illustration of a SMART Card?	A credit card which can be used to operate a mobile phone	An electronic money card e.g Mondex	A drivers licence containing current information about bookings etc.	An access control card containing a digitised photo.	d	An access control card with a digitized photo does not necessarily include a microprocessor and programmable memory, which are essential characteristics of a SMART Card.	MOCKDISA	1,688	49	MOCKDISA
98. In which of the following is damage generally invisible, it is difficult to know the extent of damage?	Viruses	Computer misuse	Computer fraud	Theft	a	Viruses cause damage that is often invisible and difficult to assess accurately in terms of its extent.	MOCKDISA	1,689	39	MOCKDISA
99. Which of the following can be used MOST effectively to prevent a logical breach of security?	operating system and other system software	computer architectural design	distributed systems design	network design	a	Operating systems and system software are crucial in preventing logical breaches of security by implementing access controls and security mechanisms.	MOCKDISA	1,690	126	MOCKDISA
100. Why is it that Traditional Methods of authentication are found unsuitable for Computer Networks?	They do not use cryptographic techniques	They do not permit high speed data flow	They use passwords	They are incompatible with the internet	a	Traditional authentication methods are inadequate for computer networks because they often do not employ cryptographic techniques, which are essential for secure data transmission over networks.	MOCKDISA	1,691	153	MOCKDISA
101. What can a firewall protect against?	Unauthenticated interactive logins from the "outside" world	Connecting to and from the "outside" world	Fire	Viruses	b	Firewalls are primarily designed to protect against unauthenticated interactive logins from the "outside" world, enhancing network security by controlling incoming and outgoing traffic.	MOCKDISA	1,692	26	MOCKDISA
102. What is the purpose of access controls within the organization?	To limit the actions or operations that a legitimate user can perform	To authorise full access to authorised users	To stop unauthorised users accessing resources	To protect computers from viral infections	a	Access controls aim to limit the actions or operations that legitimate users can perform to prevent security breaches and unauthorized access to resources.	MOCKDISA	1,693	171	MOCKDISA
103. Which of the following is NOT a good property of a firewall?	it should allow for easy modification by authorised users	only authorised traffic must be allowed to pass through it	the firewall itself, should be immune to penetration	traffic must only be allowed to pass from inside to outside the firewall	a	Firewalls should not allow easy modification by authorized users to maintain their integrity and security.	MOCKDISA	1,694	41	MOCKDISA
104. When the firm's purpose for their information infrastructure is to make its data and information available to those who are authorized to use it, the firm is seeking the objective of:	Availability	Authorization	Confidentiality	Non repudiation	c	The firm seeks availability of information to ensure that data and information are accessible to authorized users when needed.	MOCKDISA	1,695	136	MOCKDISA
105. Which of the following is not a component of risk management?	Set benchmarks	Implement controls	Set budgetary constraints	Approving new systems development	a	Setting benchmarks is not a component of risk management; it is related to strategic planning.	MOCKDISA	1,696	26	MOCKDISA
106. When changes are made to the firm's data, information, and software, the type of information security risk is:	Unauthorized modification	Unauthorized disclosure and theft	Unauthorized viewing	Unauthorized intrusion	b	Unauthorized modification refers to unauthorized changes made to data, information, or software, compromising integrity.	MOCKDISA	1,697	148	MOCKDISA
107. Which of the following would BEST ensure Continuity in a WAN across the organization?	Built-in alternate routing	Completing full system backup daily	A repair contract with a service provider	A duplicate machine alongside each server	a	Built-in alternate routing ensures continuity by rerouting messages automatically in case of server or link failure in the WAN.	MOCKDISA	1,698	177	MOCKDISA
108. For which of the following is an information security policy not developed?	Hardware and software control	Computer use	Authorization to information assets	System development	a	An information security policy covers computer use, authorization to information assets, and system development but not specifically hardware and software control.	MOCKDISA	1,699	9	MOCKDISA
109. In which of the following is a router used in a firewall?	Packet filtering firewall	Stateful inspection firewall	Single homed firewall	Dual homed firewall	a	Routers are used in packet filtering firewalls to manage and filter network traffic based on packet information.	MOCKDISA	1,700	174	MOCKDISA
110. Which of the following technical controls protect stored and transmitted information from unauthorized disclosure?	Cryptographic control	Access control	Physical control	Biometric control	b	Cryptographic controls protect information by encrypting it, ensuring that stored and transmitted data cannot be accessed or modified by unauthorized entities.	MOCKDISA	1,701	111	MOCKDISA
111. The backup plan that is in use when hot and cold sites are in place is referred to as:	Mobility	Contingency	Redundancy Plan	Fall back plan	b	A contingency plan refers to arrangements made to ensure critical functions can continue during and after a disaster, typically involving hot or cold sites for data recovery.	MOCKDISA	1,702	155	MOCKDISA
112. Which of the following is independent malicious program that need not any host program?	Worm	Trojan horse	Virus	Trap doors	d	A trap door is a hidden feature in a program that allows unauthorized access, but it requires a host program to operate, unlike worms which operate independently.	MOCKDISA	1,703	160	MOCKDISA
113. Which of the following malicious program do not replicate automatically?	Trojan Horse	Virus	Worm	Zombie	a	A Trojan Horse does not replicate by itself; it requires user interaction to spread, unlike viruses and worms which can self-replicate.	MOCKDISA	1,704	126	MOCKDISA
114. Which of the following programs secretly take over another Internet-attached computer and then uses that computer to launch an attack?	Worm	Zombie	Virus	Trap door	b	A zombie program takes over another computer to launch attacks, typically as part of a botnet, while worms and viruses propagate differently and trap doors provide unauthorized access.	MOCKDISA	1,705	22	MOCKDISA
115. How are viruses spread?	Downloading infected programs and files from internet.	Through Firewalls	Garbled information.	Install anti-virus.	a	Viruses commonly spread through infected downloads from the internet, exploiting vulnerabilities in software to infect systems. Firewalls and antivirus software help prevent such infections.	MOCKDISA	1,706	8	MOCKDISA
116. How do users prevent and protect themselves against viruses?	Do not open e-mail attachments, use an OS that has virus security features, and scan other users’ media storage devices before using them on your computer.	Delete unwanted SPAM from your computer.	Files with weird and obscene messages should be stored.	Missing Files or folders should be deleted.	a	Effective virus protection involves cautious email practices, using secure operating systems, and scanning external media for threats before use. Other options do not address virus prevention directly.	MOCKDISA	1,707	172	MOCKDISA
117. An information system always	Requires hardware to house programs	Transforms inputs to information	Gives accurate results	Is vulnerable to modification	a	Information systems require hardware infrastructure to host and execute programs, enabling the transformation of inputs into useful information.	MOCKDISA	1,708	115	MOCKDISA
118. Operating systems software is primarily aimed at	Running operations in system	Supporting business users in their tasks.	Performing network monitoring	Serves as a front end processor	b	Operating systems primarily support users by facilitating interaction with computer resources and managing system operations, not necessarily running the operations themselves.	MOCKDISA	1,709	153	MOCKDISA
119. An example of an information to support strategic management is:	Business intelligence system	Artificial intelligence	Decision support systems	Management information system	a	Business intelligence systems provide strategic insights and analysis, aiding decision-making at a strategic level, whereas other options support decision-making at operational or tactical levels.	MOCKDISA	1,710	157	MOCKDISA
120. An example of an information that supports operational management is:	Electronic document management	Business intelligence systems	Management information system	None of the above	a	Electronic document management supports operational management by facilitating efficient document exchange and management within organizations.	MOCKDISA	1,711	168	MOCKDISA
121. Which type of software is focused on supporting communication, collaboration and coordination?	Groupware	Workflow	Middleware	Freeware	a	Groupware specifically supports communication, collaboration, and coordination within systems.	MOCKDISA	1,712	131	MOCKDISA
122. The criterion used to assess how user and business needs are met in software is:	Functionality	User interface	Cost	Efficiency	d	Efficiency is crucial in assessing whether software meets user and business needs effectively.	MOCKDISA	1,713	47	MOCKDISA
123. Multipartite viruses attack on	all of the mentioned	files	boot sector	memory	d	Multipartite viruses are capable of attacking files, boot sectors, and memory simultaneously.	MOCKDISA	1,714	187	MOCKDISA
124. Which one of the following is not an attack, but a search for vulnerabilities to attack?	port scanning	memory access violation	denial of service	dumpster diving	a	Port scanning is a method used to find vulnerabilities and open ports, not an attack itself.	MOCKDISA	1,715	117	MOCKDISA
125. File virus attaches itself to the	executable file	source file	object file	all of the mentioned	c	File viruses typically attach themselves to executable files.	MOCKDISA	1,716	192	MOCKDISA
126. When an attempt is to make a machine or network resource unavailable to its intended users, the attack is called	denial-of-service attack	slow read attack	spoofed attack	starvation attack	a	A denial-of-service attack aims to make a resource unavailable to its intended users.	MOCKDISA	1,717	125	MOCKDISA
127. This type of virus is activated when a user runs an application such as a word processor or spreadsheet	Boot sector virus	Macro virus	Polymorphic virus	None of the above	b	Macro viruses activate when specific applications like word processors or spreadsheets are run.	MOCKDISA	1,718	13	MOCKDISA
128. A security measure to enable accidentally or deliberately deleted data to be resurrected is:	Risk mitigation	Backup/restore	Offsite storage	Redundancy	b	Backup/restore is used to recover accidentally deleted or damaged data.	MOCKDISA	1,719	120	MOCKDISA
129. What is the name of the mechanism whereby an unverified entity that seeks access to a resource proposes a label by which they are known to the system?	Authentication	Authorization	Identification	Non-repudiation	c	Identification is the process where an entity proposes a label to gain access, followed by authentication to prove identity.	MOCKDISA	1,720	197	MOCKDISA
131. What allows a firewall to react to emergent event and update or create rules to deal with event?	Dynamic filtering	Static filtering	Stateful inspection	First generation filtering	a	Dynamic filtering enables firewalls to react proactively to emergent events and adjust rules accordingly.	MOCKDISA	1,721	26	MOCKDISA
132. While evaluating the collective effect of preventive detective and corrective controls, within a process, an IS auditor should be aware of which of the following?	Only preventive and detective controls are relevant	The point at which the control is exercised as data passes through the system	Corrective controls are regarded as compensating	Classification allows the auditor to identify which controls are missing	b	IS auditors need to understand the point of control implementation as data flows through the system to assess control effectiveness.	MOCKDISA	1,722	178	MOCKDISA
133. Which of the following is a network diagnostic tool for monitoring and recording network information?	Online monitor	Downtime report	Help desk report	Protocol analyzer	d	Protocol analyzers monitor and record network information from packets, distinguishing them from other tools like online monitors and help desk reports.	MOCKDISA	1,723	183	MOCKDISA
134. A context diagram is used	As the first step in developing a detailed DFD of a system	In systems analysis of very complex systems	As an aid to system design	As an aid to programmer	a	Context diagrams serve as initial steps in developing detailed Data Flow Diagrams (DFDs) for system understanding.	MOCKDISA	1,724	142	MOCKDISA
135. Which of the following is/are the sources for project requests?	Request from Department managers	Request from senior executives	Request from system Analyst	All of the above	d	Project requests can originate from department managers, senior executives, or system analysts.	MOCKDISA	1,725	106	MOCKDISA
136. A DFD is normally levelled as	It is easier to read and understand a number of smaller DFDs than one large DFD	It is a good idea in design	It is recommended by many experts	it is easy to do it	a	DFDs are typically leveled to create smaller, more understandable diagrams rather than a single complex one.	MOCKDISA	1,726	27	MOCKDISA
137. A project is a process with which of the following characteristics?	High volume, high variety	Low volume, high variety	High volume, low variety	Low volume, low variety	b	Projects typically involve low volume and high variety of tasks or requirements.	MOCKDISA	1,727	23	MOCKDISA
138. What are the main features of a project?	Unique with fixed cost and time constraints	Unique with variable costs and time constraints	Repeatable with variable costs and time constraints	Repeatable with low costs and short timescales	a	Projects are unique endeavors with fixed time and cost constraints, distinguishing them from other options.	MOCKDISA	1,728	155	MOCKDISA
139. In which of the four stages in a project would you determine the milestones or significant events?	Planning	Scoping	Implementation	Evaluation	b	Milestones and significant events are determined during the Scoping stage of a project.	MOCKDISA	1,729	163	MOCKDISA
140. In which of the four stages in a project would you determine the work activities required?	Planning	Scoping	Implementation	Evaluation	a	Work activities are determined during the Planning stage of a project.	MOCKDISA	1,730	1	MOCKDISA
141. Activities can be drawn in a hierarchical structure called a	WBS (Work breakdown Structure)	WAS (Work Allocation Structure)	WCS (Work Control Structure)	WDS (Work Detail Structure)	a	Activities are structured hierarchically in a Work Breakdown Structure (WBS).	MOCKDISA	1,731	60	MOCKDISA
142. Analysing the potential risks in a project is conducting which of the following processes	Risk evaluation	Risk assessment	Risk mitigation	Risk acceptance	b	Analysing potential risks in a project is known as risk assessment.	MOCKDISA	1,732	166	MOCKDISA
143. A system to ensure that an organization can return to work after a crisis	Crisis management system	Business continuity management	Incident response system	None of the above	b	Business continuity management ensures an organization can resume operations after a crisis.	MOCKDISA	1,733	13	MOCKDISA
144. The element of service quality which is defined as 'the knowledge and courtesy of employees and their ability to convey trust and confidence'.	Responsiveness	Assurance	Service level	Ownership	b	Assurance in service quality relates to employees' knowledge, courtesy, and ability to convey trust.	MOCKDISA	1,734	87	MOCKDISA
145. Which of the following should not be used when operators use a communication network control language?	Down line loading of a program	Altering audit trail	Transmitting system warning and status messages	Monitoring network control terminal	b	Altering the audit trail is not appropriate when operators use a communication network control language.	MOCKDISA	1,735	145	MOCKDISA
146. Which of the following is not a MAJOR BENEFIT of application software prototyping?	Reduction in development cost	Faster development of systems	Meeting user requirements	Redirect software maintenance efforts	d	Redirecting software maintenance efforts is not a major benefit of application software prototyping.	MOCKDISA	1,736	98	MOCKDISA
147. Which of the following represents a typical prototype of an interactive application?	Screens and process programs	Screens, interactive edits, and sample reports	Interactive edits, process programs, and sample reports	Screens, interactive edits, process programs, and sample reports	b	Screens, interactive edits, and sample reports are typical components of an interactive application prototype.	MOCKDISA	1,737	181	MOCKDISA
148. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?	References from other customers	Service level agreement (SLA) template	Maintenance agreement	Conversion plan	a	References from other customers are typically included in an RFP to assess vendor suitability.	MOCKDISA	1,738	96	MOCKDISA
149. The Quality Assurance Group is typically responsible for:	Ensuring that the output received from system processing is complete	Monitoring the execution of computer processing tasks	Ensuring the programs and program changes and documentation adhere to established standards	Designing standards and procedures to protect data against accidental disclosure, modification, or destruction	c	Quality Assurance ensures programs and changes adhere to established standards, focusing on quality control.	MOCKDISA	1,739	129	MOCKDISA
150. Which of the following Computer Aided Software Engineering (CASE) products is used for developing detailed designs, such as screens and report layouts?	Super CASE	Upper CASE	Middle CASE	Lower CASE	c	Middle CASE tools are used for developing detailed designs like screens and report layouts.	MOCKDISA	1,740	172	MOCKDISA
151. A criticism of the data flow approach to program design is	It is not a top-down design method	There is no assurance that different programmers will generate the same design for a problem	It leads to inefficient programs	It works best for on-line programs rather than batch programs	b	The criticism of data flow approach relates to the variability in design outcomes by different programmers.	MOCKDISA	1,741	49	MOCKDISA
152. Which of the following is MOST likely to be the motivation for the auditor using program source code review:	Generalized audit software is unavailable	The auditor believes the program to be reviewed contains inefficient code	The program processes only small quantities of data so there is little code available for review	The auditor is unwilling to treat the program as a black box	d	Using program source code review indicates the auditor's reluctance to treat the program as a black box.	MOCKDISA	1,742	123	MOCKDISA
153. Executable specifications are an extension of which of the following system development approaches?	Waterfall model	Incremental development model	Evolutionary development model	Rapid prototyping model	d	Executable specifications are a feature of rapid prototyping model in system development.	MOCKDISA	1,743	111	MOCKDISA
154. A systems analyst should have access to each of the following except	Source code	Password identification tables	User procedures	Edit criteria	b	A systems analyst should not have access to password identification tables due to security reasons.	MOCKDISA	1,744	94	MOCKDISA
155. During the entry phase the system designer	Explains to users various alternative designs that can be implemented	Attempts to determine what problem is the real motivation for the system development effort	Assists users to formulate the strategic design	Attempts to unfreeze the organizations	d	During the entry phase, the system designer aims to unfreeze the organization for change.	MOCKDISA	1,745	130	MOCKDISA
156. The primary difference between program testing and system testing is:	Program testing is more comprehensive than system testing	System testing focuses on testing the interfaces between programs, whereas program testing focuses on individual programs	System testing is concerned with testing all aspects of a system including job designs and reward system designs	Programmers have no involvement in system testing, whereas designers are involved in program testing	b	System testing focuses on testing interfaces between programs, while program testing tests individual programs.	MOCKDISA	1,746	34	MOCKDISA
157. Which of the following characteristics of user-developed systems has been identified in empirical research:	Usually have only a single user	Typically obtain data from a centralized database	Often perform important, day-to-day operational functions	All of the above	c	User-developed systems often perform important operational functions in day-to-day activities.	MOCKDISA	1,747	84	MOCKDISA
158. Pseudocode is needed because:	High-level design cannot be expressed in code that is compilable	It ensures the “GO TO” statement is not used	It is easy to use by unskilled programmers	It provides an informal way of expressing a design	a	Pseudocode is used because high-level designs cannot be directly compiled into code.	MOCKDISA	1,748	167	MOCKDISA
159. The information systems requirements plan is derived directly from the:	Information systems applications and facilities plan	Information systems strategic plan	Master plan	Organizational strategic plan	b	The information systems requirements plan is derived from the information systems strategic plan.	MOCKDISA	1,749	42	MOCKDISA
160. Which of the following might be output as a result of using a CASE tool?	Programming code	Flowcharts and data flow diagrams	Prototypes and cost/benefit analysis	All of the above	d	CASE tools can output various artifacts such as programming code, diagrams, and analysis reports.	MOCKDISA	1,750	141	MOCKDISA
161. An IS auditor performing a review of the IS department discovers that formal project approval procedures do not exist. In the absence of these procedures, the IS manager has been arbitrarily approving projects that can be completed in a short duration and referring other, more complicated projects to higher levels of management for approval. The IS auditor should recommend as a FIRST course of action that:	Users participate in the review and approval process	Formal approval procedures be adopted and documented	Projects be referred to appropriate levels of management for approval	The IS manager’s job description be changed to include approval authority	b	The first step recommended should be to establish formal approval procedures.	MOCKDISA	1,751	54	MOCKDISA
162. Which one is not an Infrastructure Software?	DBMS	Operating system	Compiler	Result oriented system	d	Infrastructure software like DBMS, OS, and compilers are directly related to computing infrastructure, whereas a "result oriented system" is not typically considered infrastructure software.	MOCKDISA	1,752	84	MOCKDISA
163. All modules of the system are integrated and tested as complete system in case of:	Bottom-up testing	Top-down testing	Sandwich testing	Big-Bang testing	d	Big-Bang testing involves integrating and testing all modules of the system together.	MOCKDISA	1,753	78	MOCKDISA
164. Site of beta testing is:	Software company	User site	Tester site	All of the above	b	Beta testing involves testing the software in a real-world user environment, hence it is conducted at the user site.	MOCKDISA	1,754	179	MOCKDISA
165. Which of the following is NOT a product metric?	Productivity	Size	Reliability	Functionality	a	Productivity measures output relative to input and is not a direct product metric like size, reliability, or functionality.	MOCKDISA	1,755	98	MOCKDISA
166. Estimate of size of project is dependent on:	Cost	Time	Schedule	None of the above	d	Project size estimation is independent of factors like cost, time, or schedule; it focuses on quantifying the scope and scale of the project.	MOCKDISA	1,756	48	MOCKDISA
167. Which of the following is NOT a level in the Capability Maturity Model?	Repeatable	Ad hoc	Reusable	Organised	c	Levels in the Capability Maturity Model (CMM) include Repeatable, Ad hoc, and Organised, but not Reusable.	MOCKDISA	1,757	70	MOCKDISA
168. Spiral model begins with:	Design	Risk analysis	Coding	Customer communication	d	The Spiral model begins with customer communication to understand needs and risks before proceeding with subsequent phases like risk analysis.	MOCKDISA	1,758	189	MOCKDISA
169. The main activity of the design phase of the system life cycle is to:	Replace system with a new one	Develop and test a new system	Understand current system	Propose alternatives to current system	d	In the design phase, the main activity is to propose alternatives and models for the new system based on current system understanding.	MOCKDISA	1,759	135	MOCKDISA
170. What is operating system?	Collection of programs that manages hardware resources	System service provider to the application programs	Link to interface the hardware and application programs	All of the mentioned	d	An operating system performs all these functions, making it a comprehensive software layer between hardware and applications.	MOCKDISA	1,760	117	MOCKDISA
171. To access the services of operating system, the interface is provided by the	System calls	API	Library	Assembly instructions	a	System calls provide the interface for accessing operating system services.	MOCKDISA	1,761	134	MOCKDISA
172. Which one of the following error will be handle by the operating system?	Power failure	Lack of paper in printer	Connection failure in the network	All of the mentioned	d	The operating system handles errors like power failures, printer issues, and network failures.	MOCKDISA	1,762	195	MOCKDISA
173. The number of resources requested by a process:	Must always be less than the total number of resources available in the system	Must always be equal to the total number of resources available in the system	Must not exceed the total number of resources available in the system	Must exceed the total number of resources available in the system	c	Processes should not request more resources than are available to prevent resource exhaustion.	MOCKDISA	1,763	71	MOCKDISA
174. Which of the following is not a method of file access?	Sequential access	Direct access	Random	Indexed sequential access	c	Random access is a method of accessing files, so it is not the correct answer.	MOCKDISA	1,764	142	MOCKDISA
175. What is networked virtual memory?	Caching	Segmentation	RAM disk	None of these	a	Networked virtual memory often involves caching mechanisms to optimize memory usage across a network.	MOCKDISA	1,765	93	MOCKDISA
176. A process can be terminated due to:	Normal exit	Fatal error	Killed by another process	All of the mentioned	d	Processes can terminate normally, due to errors, or being killed by other processes.	MOCKDISA	1,766	76	MOCKDISA
177. What is interprocess communication?	Communication within the process	Communication between two processes	Communications between two threads of same process	None of the mentioned	b	Interprocess communication refers to communication between different processes.	MOCKDISA	1,767	52	MOCKDISA
178. A set of processes is deadlock if:	Each process is blocked and will remain so forever	Each process is terminated	All processes are trying to kill each other	None of the mentioned	a	Deadlock occurs when processes are blocked indefinitely waiting for resources.	MOCKDISA	1,768	43	MOCKDISA
179. Which buffer holds the output for a device?	Spool	Output	Status	Magic	a	A spool buffer holds output for devices like printers, allowing queued files to be processed in order.	MOCKDISA	1,769	75	MOCKDISA
180. What do we call the process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate?	Baselining	Benchmarking	Best practices	Due diligence	b	Benchmarking involves studying and adopting practices from other organizations to improve one's own practices.	MOCKDISA	1,770	35	MOCKDISA
181. A review of an EDP system reveals the following items. Which of these is a potential internal control weakness?	Backup master files are stored in a remote location	Users must verbally approve all changes to be made to application programs	Computer operators have restricted access to system programs and data files	Computer operators are required to take vacations.	b	Verbal approval for changes poses a risk of unauthorized modifications.	MOCKDISA	1,771	30	MOCKDISA
182. When obtaining an understanding of an entity's control environment, an auditor should concentrate on the substance of management's policies and procedures rather than their form because	The auditor may believe that the policies and procedures are inappropriate for that particular entity.	The board of directors may not be aware of management's attitude toward the control environment.	Management may establish appropriate procedures and policies but not act on them.	The policies and procedures may be so weak that no reliance is contemplated by the auditor.	c	Effective control environment is about actual implementation, not just formal documentation.	MOCKDISA	1,772	82	MOCKDISA
183. An on-line sales order processing system most likely would have an advantage over a batch sales order processing system by	Detecting errors in the data entry process more easily by the use of data entry programs.	Enabling shipment of customer orders to be initiated as soon as the orders are received.	Recording more secure backup copies of the database on magnetic tape files.	Maintaining more accurate records of customer accounts and finished goods inventories.	b	Online systems can process and initiate orders immediately upon receipt, providing faster service.	MOCKDISA	1,773	85	MOCKDISA
184. Which of the following controls would prevent the following situation? A worker's paycheck was incorrectly processed as he had transposed letters in his department identification code, having entered AABC an invalid code, instead of ACAB	Control total	Limit test	Internal label check	Table look up procedure	d	Table look up procedures can catch data entry errors like transposed letters.	MOCKDISA	1,774	85	MOCKDISA
185. Programmers should do all except	Test programs for proper performance	Evaluate legitimacy of transactions data input	Develop flowcharts for new applications	Programmers should perform each of the above	b	Programmers are typically not responsible for evaluating the legitimacy of transaction data input.	MOCKDISA	1,775	167	MOCKDISA
186. Output controls are not designed to assure that data generated by the computer are:	Accurate	Distributed only to authorized people	Complete	Used appropriately by employees in making decisions.	d	Output controls focus on accuracy, completeness, and authorized distribution, not how the data is used by employees.	MOCKDISA	1,776	8	MOCKDISA
187. Rather than maintain an internal IT centre, what can companies use to perform many basic functions such as payroll?	External service providers	External application service providers	Internal control service providers	Internal auditors	b	External application service providers often handle functions like payroll processing for organizations.	MOCKDISA	1,777	38	MOCKDISA
188. What is the activity of keeping the firm and its information resources functioning after a catastrophe?	Security management	Business continuity management	Resource management	People management	b	Business continuity management ensures continuity of operations after a disaster.	MOCKDISA	1,778	152	MOCKDISA
189. An incremental backup	Copies selected files	Copies all files	Copies all files since the last full backup	Copies all files changed since the last full or incremental backup	c	Incremental backups only copy files changed since the last full backup.	MOCKDISA	1,779	130	MOCKDISA
190. What is the maximum length of time that an organization can tolerate between data backups?	Recovery service point (RSP)	Recovery point objective (RPO)	Optimal recovery time frame (ORT)	Recovery time objective (RTO)	b	Recovery Point Objective (RPO) defines the maximum tolerable period between backups.	MOCKDISA	1,780	81	MOCKDISA
191. Another name for Contingency Planning is	Synergy planning	Ad hoc planning	Business level planning	Scenario planning	d	Contingency planning involves planning for future events based on imagined scenarios.	MOCKDISA	1,781	62	MOCKDISA
192. What is a definition of an objective?	A defined specified outcome to be achieved in the long-term	A clear set of goals to be attained given a set number of resources	A clearly defined and measurable outcome to be achieved over a specified timeframe	Set standard of performance agreed by workers and managers.	c	An objective must be measurable and achievable within a specified timeframe.	MOCKDISA	1,782	181	MOCKDISA
193. Which is not a recognised form of business continuity planning?	Building planning	IT plan	Strategic plan	Short term plan	a	Building planning is not related to business continuity planning, which focuses on maintaining operations during disruptions.	MOCKDISA	1,783	44	MOCKDISA
194. What is the definition of a scenario in scenario planning?	An unpredictable event	An imagined sequence of future events	A planned for event	An unplanned event	b	Scenarios are about imagining future events and their consequences.	MOCKDISA	1,784	74	MOCKDISA
195. What one of the following is NOT a key management skill in planning?	Conceptual skills	IT & computing skills	People skills	Analytical skills	b	IT and computing skills are important but not a key management skill specifically in planning.	MOCKDISA	1,785	195	MOCKDISA
196. What plan describes the details for recovery when a disaster hits an organization?	Disaster diagram	Disaster and revival plan	Recovery plan	Business continuity plan	c	A recovery plan outlines specific actions to recover from a disaster.	MOCKDISA	1,786	149	MOCKDISA
197. The primary objective of testing a business continuity plan is	Familiarize employees with plan	Ensure all residual risks have been addressed	Exercise all possible scenarios	Identify limitations of the business continuity plan	d	Testing aims to identify weaknesses and limitations in the plan.	MOCKDISA	1,787	161	MOCKDISA
198. During the design of a business continuity plan the business impact analysis (BIA) identifies critical processes and supporting applications. This will primarily influence the	Responsibility for maintaining the business continuity plan	Criteria for selecting a recovery site provider	Recovery strategy	Responsibilities of key personnel.	c	BIA results shape the recovery strategy by identifying critical processes and applications.	MOCKDISA	1,788	48	MOCKDISA
199. Activation of an enterprise business continuity plan should be based on predetermined criteria that address the	Duration of the outage	Type of outage	Probability of outage	Cause of outage	a	Activation criteria typically focus on the duration of the outage as a primary factor.	MOCKDISA	1,789	162	MOCKDISA
200. An IS auditor can verify that an organization’s BCP is effective by reviewing	Alignment of BCP with industry best practices	Results of BCP tests performed by IS and end-user personnel	Offsite facility, its contents security and environmental controls	Annual financial cost of BCP activities versus expected benefit of implementation of the plan.	b	Effectiveness is best evaluated through reviewing actual test results of the BCP.	MOCKDISA	1,790	49	MOCKDISA
201. A medium sized organization whose IT disaster recovery measures have been in place and regularly tested for years has just developed a formal BCP. A basic BCP Tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed next, to verify the adequacy of the new BCP?	Full scale test with relocation of all departments including IT to the contingency site	Walkthrough test of a series of predefined scenarios with all critical personnel involved	IT disaster recovery test with business departments involved in testing the critical applications	Functional test of a scenario with limited IT involvement	d	After a tabletop exercise, the next step recommended is a functional test to verify administrative and organizational functions before involving IT in a full-scale test.	MOCKDISA	1,791	96	MOCKDISA
1. In a data warehouse, data quality is achieved by:	A. cleansing.	B. restructuring.	C. source data credibility.	D. transformation.	c	In a data warehouse system, data quality relies on the credibility of the source data.	MOCKDISA	1,792	4	MOCKDISA
2. Which of the following is the GREATEST risk when implementing a data warehouse?	A. Increased response time on the production systems	B. Access controls that are not adequate to prevent data modification	C. Data duplication	D. Data that is not updated or current	b	Access controls preventing data modification are critical to maintaining data integrity in a warehouse.	MOCKDISA	1,793	55	MOCKDISA
3. Which of the following is critical to the selection and acquisition of the correct operating system software?	A. Competitive bids	B. User department approval	C. Hardware configuration analysis	D. Purchasing department approval	c	Hardware configuration analysis ensures compatibility with existing systems for OS selection.	MOCKDISA	1,794	139	MOCKDISA
4. Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?	A. Utilization reports	B. Hardware error reports	C. System logs	D. Availability reports	d	Availability reports specifically track uptime, crucial for SLA compliance monitoring.	MOCKDISA	1,795	195	MOCKDISA
5. A benefit of quality of service (QoS) is that the:	A. entire network's availability and performance will be significantly improved.	B. telecom carrier will provide the company with accurate service-level compliance reports.	C. participating applications will have guaranteed service levels.	D. communications link will be supported by security controls to perform secure online transactions.	c	QoS guarantees specific service levels for applications, optimizing network performance.	MOCKDISA	1,796	90	MOCKDISA
6. For an online transaction processing system, transactions per second is a measure of:	A. throughput.	B. response time.	C. turnaround time.	D. uptime.	a	Transactions per second measure the throughput or productivity of the system.	MOCKDISA	1,797	49	MOCKDISA
7. Which of the following is MOST important when assessing services provided by an Internet service provider (ISP)?	A. Performance reports generated by the ISP	B. The service level agreement (SLA)	C. Interviews with the provider	D. Interviews with other clients of the ISP	b	SLA outlines agreed service levels, crucial for evaluating ISP services objectively.	MOCKDISA	1,798	179	MOCKDISA
8. Which of the following would normally be found in application run manuals?	A. Details of source documents	B. Error codes and their recovery actions	C. Program flowcharts and file definitions	D. Change records for the application source code	b	Run manuals typically include error codes and recovery procedures for operators.	MOCKDISA	1,799	114	MOCKDISA
9. Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?	A. The use of diskless workstations	B. Periodic checking of hard drives	C. The use of current antivirus software	D. Policies that result in instant dismissal if violated	b	Periodic checks of hard drives are effective in identifying illegal software loaded onto a network.	MOCKDISA	1,800	31	MOCKDISA
10. An IS auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late-night shift a month as the senior computer operator. The MOST appropriate course of action for the IS auditor is to:	A. advise senior management of the risk involved.	B. agree to work with the security officer on these shifts as a form of preventative control.	C. develop a computer-assisted audit technique to detect instances of abuses of this arrangement.	D. review the system log for each of the late-night shifts to determine whether any irregular actions occurred.	a	Advising senior management of the risk is crucial due to the violation of separation of duties.	MOCKDISA	1,801	64	MOCKDISA
11. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:	A. the setup is geographically dispersed.	B. the network servers are clustered in a site.	C. a hot site is ready for activation.	D. diverse routing is implemented for the network.	b	Clustering network servers in one location increases vulnerability to single-point failures.	MOCKDISA	1,802	81	MOCKDISA
12. To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review?	A. System access log files	B. Enabled access control software parameters	C. Logs of access control violations	D. System configuration files for control options used	d	Reviewing system configuration files shows which users have privileged access, crucial for security audits.	MOCKDISA	1,803	102	MOCKDISA
13. A Ping command is used to measure:	A. attenuation.	B. throughput.	C. delay distortion.	D. latency.	d	Ping measures latency, the delay in transmitting data from source to destination.	MOCKDISA	1,804	51	MOCKDISA
14. Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program?	A. A system downtime log	B. Vendors' reliability figures	C. Regularly scheduled maintenance log	D. A written preventive maintenance schedule	a	System downtime logs provide direct feedback on the effectiveness of preventive maintenance efforts.	MOCKDISA	1,805	151	MOCKDISA
15. Which of the following is the MOST effective means of determining which controls are functioning properly in an operating system?	A. Consulting with the vendor	B. Reviewing the vendor installation guide	C. Consulting with the system programmer	D. Reviewing the system generation parameters	d	Reviewing system generation parameters directly shows how controls are configured and operating within the OS.	MOCKDISA	1,806	89	MOCKDISA
16. Capacity monitoring software is used to ensure:	A. maximum use of available capacity.	B. that future acquisitions meet user needs.	C. concurrent use by a large number of users.	D. continuity of efficient operations.	d	Capacity monitoring ensures efficient system operation by tracking current usage against capacity limits.	MOCKDISA	1,807	126	MOCKDISA
17. An independent software program that connects two otherwise separate applications sharing computing resources across heterogeneous technologies is known as:	A. middleware.	B. firmware.	C. application software.	D. embedded systems.	a	Middleware connects disparate applications across different technologies and platforms.	MOCKDISA	1,808	22	MOCKDISA
18. IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of:	A. data entry by unauthorized users.	B. a nonexistent employee being paid.	C. an employee receiving an unauthorized raise.	D. duplicate data entry by authorized users.	b	Disabling referential integrity controls increases the risk of nonexistent entities being processed erroneously.	MOCKDISA	1,809	192	MOCKDISA
19. Following a reorganization of a company's legacy database, it was discovered that records were accidentally deleted. Which of the following controls would have MOST effectively detected this occurrence?	A. Range check	B. Table lookups	C. Run-to-run totals	D. One-for-one checking	c	Run-to-run totals provide effective detection by comparing totals across processing runs.	MOCKDISA	1,810	82	MOCKDISA
20. The method of routing traffic through split-cable facilities or duplicate-cable facilities is called:	A. alternative routing.	B. diverse routing.	C. redundancy.	D. circular routing.	b	Diverse routing involves routing traffic through separate physical paths to enhance network resilience.	MOCKDISA	1,811	74	MOCKDISA
21. Which of the following is widely accepted as one of the critical components in networking management?	A. Configuration management	B. Topological mappings	C. Application of monitoring tools	D. Proxy server troubleshooting	a	Configuration management is essential for managing network functionality and performance.	MOCKDISA	1,812	131	MOCKDISA
22. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system?	A. Buffer capacity and parallel port	B. Network controller and buffer capacity	C. Parallel port and protocol conversion	D. Protocol conversion and buffer capability	d	Protocol conversion and buffer capability are required to translate and handle the different data transmission formats.	MOCKDISA	1,813	52	MOCKDISA
23. The interface that allows access to lower- or higher-level network services is called:	A. firmware.	B. middleware.	C. X.25 interface.	D. utilities.	b	Middleware provides access to network services across different levels and technologies.	MOCKDISA	1,814	116	MOCKDISA
24. Which of the following controls will detect MOST effectively the presence of bursts of errors in network transmissions?	A. Parity check	B. Echo check	C. Block sum check	D. Cyclic redundancy check	d	Cyclic redundancy check (CRC) is effective in detecting errors, including bursts of errors, in data transmissions.	MOCKDISA	1,815	106	MOCKDISA
25. Which of the following types of firewalls provide the GREATEST degree and granularity of control?	A. Screening router	B. Packet filter	C. Application gateway	D. Circuit gateway	c	Application gateways offer detailed control over traffic by inspecting each application-level command.	MOCKDISA	1,816	62	MOCKDISA
26. Which of the following reports is a measure of telecommunication transmissions and determines whether transmissions are completed accurately?	A. Online monitor reports	B. Downtime reports	C. Help desk reports	D. Response-time reports	a	Online monitor reports measure and verify the accuracy of telecommunication transmissions.	MOCKDISA	1,817	92	MOCKDISA
27. Which of the following is MOST directly affected by network performance monitoring tools?	A. Integrity	B. Availability	C. Completeness	D. Confidentiality	b	Network performance monitoring tools primarily ensure the availability of network services.	MOCKDISA	1,818	106	MOCKDISA
28. Checking for authorized software baselines is an activity addressed within which of the following?	A. Project management	B. Configuration management	C. Problem management	D. Risk management	b	Configuration management includes managing software baselines among IT components.	MOCKDISA	1,819	125	MOCKDISA
29. Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?	A. Firewalls	B. Routers	C. Layer 2 switches	D. VLANs	a	Firewalls are designed to prevent unauthorized access between network segments.	MOCKDISA	1,820	95	MOCKDISA
30. To evaluate the referential integrity of a database, an IS auditor should review the:	A. composite keys.	B. indexed fields.	C. physical schema.	D. foreign keys.	d	Foreign keys ensure referential integrity by linking tables through primary and foreign key relationships.	MOCKDISA	1,821	107	MOCKDISA
31. Which of the following operating system mechanisms checks each request by a subject (user process) to access and use an object (e.g., file, device, program) to ensure that the request complies with a security policy?	A. Address Resolution Protocol	B. Access control analyzer	C. Reference monitor	D. Concurrent monitor	c	A reference monitor ensures compliance with security policies for accessing system objects.	MOCKDISA	1,822	47	MOCKDISA
32. Which of the following is an operating system access control function?	A. Logging user activities	B. Logging data communication access activities	C. Verifying user authorization at the field level	D. Changing data files	a	Logging user activities is a fundamental access control function in operating systems.	MOCKDISA	1,823	105	MOCKDISA
33. An IS auditor is PRIMARILY concerned about electromagnetic emissions from a cathode ray tube (CRT) because they may:	A. cause health disorders (such as headaches) and diseases.	B. be intercepted and information may be obtained from them.	C. cause interference in communications.	D. cause errors in the motherboard.	b	Electromagnetic emissions from CRTs can be intercepted, compromising information security.	MOCKDISA	1,824	89	MOCKDISA
34. Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device?	A. Filters	B. Switches	C. Routers	D. Firewalls	b	Switches direct packets only to the intended device, reducing packet capture by unintended devices.	MOCKDISA	1,825	20	MOCKDISA
35. In a database management system (DBMS), the location of data and the method of accessing the data are provided by the:	A. data dictionary.	B. metadata.	C. directory system.	D. data definition language.	c	The directory system specifies data location and access methods in a DBMS.	MOCKDISA	1,826	104	MOCKDISA
36. In a client-server system, which of the following control techniques is used to inspect activity from known or unknown users?	A. Diskless workstations	B. Data encryption techniques	C. Network monitoring devices	D. Authentication systems	c	Network monitoring devices inspect activities from known or unknown users in client-server systems.	MOCKDISA	1,827	120	MOCKDISA
37. When reviewing system parameters, an IS auditor's PRIMARY concern should be that:	A. they are set to meet security and performance requirements.	B. changes are recorded in an audit trail and periodically reviewed.	C. changes are authorized and supported by appropriate documents.	D. access to parameters in the system is restricted.	a	System parameters should be set to balance security and performance requirements.	MOCKDISA	1,828	83	MOCKDISA
38. By establishing a network session through an appropriate application, a sender transmits a message by breaking it into packets, but the packets may reach the receiver out of sequence. Which OSI layer addresses the out-of-sequence message through segment sequencing?	A. Network layer	B. Session layer	C. Application layer	D. Transport layer	d	The transport layer addresses out-of-sequence packets through segment sequencing.	MOCKDISA	1,829	153	MOCKDISA
39. Which of the following is a control over component communication failure/errors?	A. Restricting operator access and maintaining audit trails	B. Monitoring and reviewing system engineering activity	C. Providing network redundancy	D. Establishing physical barriers to the data transmitted over the network	c	Network redundancy prevents communication failures/errors by providing backup routes.	MOCKDISA	1,830	145	MOCKDISA
40. An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?	A. Electromagnetic interference (EMI)	B. Cross-talk	C. Dispersion	D. Attenuation	d	Attenuation occurs in UTP cables over 100 meters, leading to signal weakening and communication issues.	MOCKDISA	1,831	54	MOCKDISA
41. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?	A. A substantive test of program library controls	B. A compliance test of program library controls	C. A compliance test of the program compiler controls	D. A substantive test of the program compiler controls	b	A compliance test of program library controls verifies if controls ensure source and object versions match.	MOCKDISA	1,832	2	MOCKDISA
42. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can:	A. Identify high-risk areas that might need a detailed review later	B. Reduce audit costs	C. Reduce audit time	D. Increase audit accuracy	c	CSA techniques reduce audit time by internally assessing control effectiveness.	MOCKDISA	1,833	151	MOCKDISA
43. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?	A. Integrated test facility (ITF)	B. Continuous and intermittent simulation (CIS)	C. Audit hooks	D. Snapshots	d	Snapshots provide a snapshot of system state for audit trail purposes.	MOCKDISA	1,834	186	MOCKDISA
44. An IS auditor performing a review of an application's controls would evaluate the:	A. efficiency of the application in meeting the business processes.	B. impact of any exposures discovered.	C. business processes served by the application.	D. application's optimization.	b	Reviewing controls assesses impacts of exposures arising from control weaknesses.	MOCKDISA	1,835	72	MOCKDISA
45. Which of the following is a substantive test?	A. Checking a list of exception reports	B. Ensuring approval for parameter changes	C. Using a statistical sample to inventory the tape library	D. Reviewing password history reports	c	Using a statistical sample to inventory validates the actual existence and accuracy of tape library records.	MOCKDISA	1,836	172	MOCKDISA
46. An audit charter should:	A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.	B. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls.	C. document the audit procedures designed to achieve the planned audit objectives.	D. outline the overall authority, scope and responsibilities of the audit function.	d	An audit charter outlines the authority, scope, and responsibilities of the audit function.	MOCKDISA	1,837	167	MOCKDISA
47. Which of the following is an advantage of an integrated test facility (ITF)?	A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.	B. Periodic testing does not require separate test processes.	C. It validates application systems and tests the ongoing operation of the system.	D. It eliminates the need to prepare test data.	b	ITF allows for periodic testing without separate processes, reducing effort and time.	MOCKDISA	1,838	128	MOCKDISA
48. An integrated test facility is considered a useful audit tool because it:	A. is a cost-efficient approach to auditing application controls.	B. enables the financial and IS auditors to integrate their audit tests.	C. compares processing output with independently calculated data.	D. provides the IS auditor with a tool to analyze a large range of information.	c	ITF compares actual processing output with independently calculated data to verify accuracy.	MOCKDISA	1,839	168	MOCKDISA
49. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:	A. of the point at which controls are exercised as data flow through the system.	B. that only preventive and detective controls are relevant.	C. that corrective controls can only be regarded as compensating.	D. that classification allows an IS auditor to determine which controls are missing.	a	Understanding when controls are applied in data flow is crucial for assessing control effectiveness.	MOCKDISA	1,840	172	MOCKDISA
50. An IS auditor reviews an organizational chart PRIMARILY for:	A. an understanding of workflows.	B. investigating various communication channels.	C. understanding the responsibilities and authority of individuals.	D. investigating the network connected to different employees.	c	Organizational charts clarify responsibilities and authority, aiding in segregation of duties assessment.	MOCKDISA	1,841	44	MOCKDISA
51. Which of the following BEST describes an integrated test facility?	A. A technique that enables the IS auditor to test a computer application for the purpose of verifying correct processing	B. The utilization of hardware and/or software to review and test the functioning of a computer system	C. A method of using special programming options to permit the printout of the path through a computer program taken to process a specific transaction	D. A procedure for tagging and extending transactions and master records that are used by an IS auditor for tests	a	Integrated test facility enables continuous testing of applications to verify processing accuracy.	MOCKDISA	1,842	52	MOCKDISA
52. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:	A. evaluate the record retention plans for off-premises storage.	B. interview programmers about the procedures currently being followed.	C. compare utilization records to operations schedules.	D. review data file access records to test the librarian function.	b	Interviewing programmers provides direct insight into access controls over program documentation.	MOCKDISA	1,843	46	MOCKDISA
53. Which of the following sampling methods is MOST useful when testing for compliance?	A. Attribute sampling	B. Variable sampling	C. Stratified mean per unit	D. Difference estimation	a	Attribute sampling is ideal for compliance testing to confirm the presence of specific qualities or attributes.	MOCKDISA	1,844	158	MOCKDISA
54. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?	A. Multiple cycles of backup files remain available.	B. Access controls establish accountability for e-mail activity.	C. Data classification regulates what information should be communicated via e-mail.	D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.	a	E-mail systems retain multiple backup cycles, aiding in the retrieval of deleted messages for litigation.	MOCKDISA	1,845	125	MOCKDISA
55. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?	A. Discussion with management	B. Review of the organization chart	C. Observation and interviews	D. Testing of user access rights	c	Observation and interviews directly reveal whether incompatible duties are performed by the same individual.	MOCKDISA	1,846	82	MOCKDISA
56. An IS auditor has evaluated the controls for the integrity of the data in a financial application. Which of the following findings would be the MOST significant?	A. The application owner was unaware of several changes applied to the application by the IT department.	B. The application data are backed up only once a week.	C. The application development documentation is incomplete.	D. Information processing facilities are not protected by appropriate fire detection systems.	a	Lack of awareness by the owner regarding changes affects data integrity and indicates weak change controls.	MOCKDISA	1,847	161	MOCKDISA
57. Overall business risk for a particular threat can be expressed as:	A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.	B. the magnitude of the impact should a threat source successfully exploit the vulnerability.	C. the likelihood of a given threat source exploiting a given vulnerability.	D. the collective judgment of the risk assessment team.	a	Business risk combines probability and impact to assess vulnerability exploitation outcomes.	MOCKDISA	1,848	136	MOCKDISA
58. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:	A. variable sampling.	B. substantive testing.	C. compliance testing.	D. stop-or-go sampling.	c	Checking authorization of new user forms aligns with compliance testing to ensure policy adherence.	MOCKDISA	1,849	188	MOCKDISA
59. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:	A. can identify high-risk areas that might need a detailed review later.	B. allows IS auditors to independently assess risk.	C. can be used as a replacement for traditional audits.	D. allows management to relinquish responsibility for control.	a	CSA identifies high-risk areas, enhancing internal controls with focused reviews.	MOCKDISA	1,850	72	MOCKDISA
60. Data flow diagrams are used by IS auditors to:	A. order data hierarchically.	B. highlight high-level data definitions.	C. graphically summarize data paths and storage.	D. portray step-by-step details of data generation.	c	Data flow diagrams summarize paths and storage of data, aiding in understanding data flow and storage within systems.	MOCKDISA	1,851	159	MOCKDISA
61. The use of statistical sampling procedures helps minimize:	A. sampling risk.	B. detection risk.	C. inherent risk.	D. control risk.	b	Statistical sampling helps minimize detection risk by quantifying the risk of incorrect conclusions due to inadequate test procedures.	MOCKDISA	1,852	159	MOCKDISA
62. What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?	A. Business risk	B. Detection risk	C. Residual risk	D. Inherent risk	b	Detection risk arises when inadequate audit procedures fail to identify existing errors.	MOCKDISA	1,853	130	MOCKDISA
63. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?	A. Inherent	B. Detection	C. Control	D. Business	b	IS auditors directly influence detection risks through their audit procedures and techniques.	MOCKDISA	1,854	176	MOCKDISA
64. Which one of the following could an IS auditor use to validate the effectiveness of edit and validation routines?	A. Domain integrity test	B. Relational integrity test	C. Referential integrity test	D. Parity checks	a	Domain integrity tests ensure data conforms to defined standards, validating edit and validation routines.	MOCKDISA	1,855	95	MOCKDISA
65. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?	A. Evaluate physical access test results.	B. Determine the risks/threats to the data center site.	C. Review business continuity procedures.	D. Test for evidence of physical access at suspect locations.	b	Assessing risks and threats to the data center site is a primary step in planning a security review.	MOCKDISA	1,856	57	MOCKDISA
66. The PRIMARY purpose of audit trails is to:	A. improve response time for users.	B. establish accountability and responsibility for processed transactions.	C. improve the operational efficiency of the system.	D. provide useful information to auditors who may wish to track transactions.	b	Audit trails primarily serve to establish accountability for transactions processed within a system.	MOCKDISA	1,857	32	MOCKDISA
67. Which of the following would BEST provide assurance of the integrity of new staff?	A. Background screening	B. References	C. Bonding	D. Qualifications listed on a resume	a	Background screening is the most reliable method for ensuring the integrity of new staff.	MOCKDISA	1,858	51	MOCKDISA
68. To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:	A. enterprise data model.	B. IT balanced scorecard (BSC).	C. IT organizational structure.	D. historical financial statements.	b	Reviewing the IT balanced scorecard provides insights into IT asset planning and management effectiveness.	MOCKDISA	1,859	95	MOCKDISA
69. The advantage of a bottom-up approach to the development of organizational policies is that the policies:	A. are developed for the organization as a whole.	B. are more likely to be derived as a result of a risk assessment.	C. will not conflict with overall corporate policy.	D. ensure consistency across the organization.	b	Bottom-up policies are derived from operational needs and risk assessments, ensuring relevance and alignment with organizational risks.	MOCKDISA	1,860	102	MOCKDISA
70. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution. Choose all that apply.	A. Facilitating the sharing of security risk-related information among authorizing officials	B. Preserving high-level communications and working group relationships in an organization	C. Establishing effective continuous monitoring program for the organization	D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan	a	The CIO facilitates the sharing of security risk-related information among officials, a critical responsibility in senior IT management.	MOCKDISA	1,861	172	MOCKDISA
71. A data administrator is responsible for:	A. maintaining database system software.	B. defining data elements, data names and their relationship.	C. developing physical database structures.	D. developing data dictionary system software.	b	A data administrator's role focuses on defining data elements and their relationships.	MOCKDISA	1,862	114	MOCKDISA
72. Before implementing an IT balanced scorecard, an organization must:	A. deliver effective and efficient services.	B. define key performance indicators.	C. provide business value to IT projects.	D. control IT expenses.	b	Defining key performance indicators is crucial before implementing an IT balanced scorecard to measure success.	MOCKDISA	1,863	63	MOCKDISA
73. A local area network (LAN) administrator normally would be restricted from:	A. having end-user responsibilities.	B. reporting to the end-user manager.	C. having programming responsibilities.	D. being responsible for LAN security administration.	c	LAN administrators typically do not handle programming responsibilities.	MOCKDISA	1,864	125	MOCKDISA
74. The initial step in establishing an information security program is the:	A. development and implementation of an information security standards manual.	B. performance of a comprehensive security control review by the IS auditor.	C. adoption of a corporate information security policy statement.	D. purchase of security access control software.	c	Adopting a corporate information security policy statement is the first step in setting up an information security program.	MOCKDISA	1,865	95	MOCKDISA
75. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?	A. Response	B. Correction	C. Detection	D. Monitoring	a	A sound information security policy would include a response program for handling suspected intrusions.	MOCKDISA	1,866	129	MOCKDISA
76. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:	A. a lack of investment in technology.	B. a lack of a methodology for systems development.	C. the technology not aligning with the organization's objectives.	D. an absence of control over technology contracts.	c	Without senior management commitment, IT strategies may not align with organizational objectives.	MOCKDISA	1,867	147	MOCKDISA
77. When an organization is outsourcing their information security function, which of the following should be kept in the organization?	A. Accountability for the corporate security policy	B. Defining the corporate security policy	C. Implementing the corporate security policy	D. Defining security procedures and guidelines	a	Accountability for the corporate security policy cannot be outsourced.	MOCKDISA	1,868	84	MOCKDISA
78. An organization has outsourced its software development. Which of the following is the responsibility of the organization's IT management?	A. Paying for provider services	B. Participating in systems design with the provider	C. Managing compliance with the contract for the outsourced services	D. Negotiating contractual agreement with the provider	c	Managing compliance with the outsourced services contract is the responsibility of IT management.	MOCKDISA	1,869	157	MOCKDISA
79. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:	A. this lack of knowledge may lead to unintentional disclosure of sensitive information	B. information security is not critical to all functions.	C. IS audit should provide security training to the employees.	D. the audit finding will cause management to provide continuous training to staff.	a	Lack of awareness about security policies can lead to unintentional disclosure of sensitive information.	MOCKDISA	1,870	46	MOCKDISA
80. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executivemanagement, such as the _______________. (fill-in-the-blank)	A. Security administrator	B. Systems auditor	C. Board of directors	D. Financial auditor	c	Ultimate responsibility for BCP and DRP plans lies with executive management, typically the board of directors.	MOCKDISA	1,871	87	MOCKDISA
81. IT control objectives are useful to IS auditors, as they provide the basis for understanding the:	A. desired result or purpose of implementing specific control procedures.	B. best IT security control practices relevant to a specific entity.	C. techniques for securing information.	D. security policy.	a	IT control objectives define the desired result or purpose of implementing specific control procedures.	MOCKDISA	1,872	14	MOCKDISA
82. Which of the following is the PRIMARY objective of an IT performance measurement process?	A. Minimize errors.	B. Gather performance data.	C. Establish performance baselines.	D. Optimize performance.	d	The primary objective of an IT performance measurement process is to optimize performance.	MOCKDISA	1,873	35	MOCKDISA
83. Which of the following would provide a mechanism whereby IS management can determine if the activities of the organization have deviated from the planned or expected levels?	A. Quality management	B. IS assessment methods	C. Management principles	D. Industry standards/benchmarking	b	IS assessment methods help IS management determine if organizational activities have deviated from planned or expected levels.	MOCKDISA	1,874	174	MOCKDISA
84. Which of the following is the MOST critical for the successful implementation and maintenance of a security policy?	A. Assimilation of the framework and intent of a written security policy by all appropriate parties	B. Management support and approval for the implementation and maintenance of a security policy	C. Enforcement of security rules by providing punitive actions for any violation of security rules	D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software	a	Assimilation of the security policy framework by all parties is critical for its successful implementation and maintenance.	MOCKDISA	1,875	92	MOCKDISA
85. The PRIMARY objective of an audit of IT security policies is to ensure that:	A. they are distributed and available to all staff.	B. security and control policies support business and IT objectives.	C. there is a published organizational chart with functional descriptions.	D. duties are appropriately segregated.	b	An audit of IT security policies primarily aims to ensure that they support business and IT objectives.	MOCKDISA	1,876	68	MOCKDISA
86. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?	A. Assimilation of the framework and intent of a written security policy by all appropriate parties	B. Management support and approval for the implementation and maintenance of a security policy	C. Enforcement of security rules by providing punitive actions for any violation of security rules	D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software	a	Assimilation of the security policy framework by all parties is critical for its successful implementation and maintenance.	MOCKDISA	1,877	198	MOCKDISA
87. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties?	A. Sequence check	B. Check digit	C. Source documentation retention	D. Batch control reconciliations	d	Batch control reconciliations are compensating controls for inadequate segregation of duties.	MOCKDISA	1,878	72	MOCKDISA
88. Which of the following reduces the potential impact of social engineering attacks?	A. Compliance with regulatory requirements	B. Promoting ethical understanding	C. Security awareness programs	D. Effective performance incentives	c	Security awareness programs are effective in reducing the impact of social engineering attacks.	MOCKDISA	1,879	91	MOCKDISA
89. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?	A. O/S and hardware refresh frequencies	B. Gain-sharing performance bonuses	C. Penalties for noncompliance	D. Charges tied to variable cost metrics	b	Gain-sharing performance bonuses encourage outsourcers to minimize costs and improve service levels.	MOCKDISA	1,880	114	MOCKDISA
90. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:	A. recovery.	B. retention.	C. rebuilding.	D. reuse.	b	A comprehensive e-mail policy should address the retention of e-mails to ensure compliance and legal requirements.	MOCKDISA	1,881	39	MOCKDISA
91. When are benchmarking partners identified within the benchmarking process?	A. In the design stage	B. In the testing stage	C. In the research stage	D. In the development stage	c	Benchmarking partners are identified in the research stage of the benchmarking process.	MOCKDISA	1,882	34	MOCKDISA
92. In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?	A. Optimized	B. Managed	C. Defined	D. Repeatable	b	When responsibilities for IT security are clearly assigned and enforced, and risk analysis is consistent, it indicates a "Managed" level in the security governance maturity model.	MOCKDISA	1,883	119	MOCKDISA
93. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?	A. Sensitive data can be read by operators.	B. Data can be amended without authorization.	C. Unauthorized report copies can be printed.	D. Output can be lost in the event of system failure.	c	The most serious exposure of spooling for offline printing is the possibility of unauthorized report copies being printed.	MOCKDISA	1,884	163	MOCKDISA
94. Applying a retention date on a file will ensure that:	A. data cannot be read until the date is set.	B. data will not be deleted before that date.	C. backup copies are not retained after that date.	D. datasets having the same name are differentiated.	b	Applying a retention date ensures that data will not be deleted before that date.	MOCKDISA	1,885	6	MOCKDISA
95. Which of the following can be used to verify output results and control totals by matching them against the input data and control totals?	A. Batch header forms	B. Batch balancing	C. Data conversion error corrections	D. Access controls over print spools	b	Batch balancing verifies output results and control totals against input data and control totals.	MOCKDISA	1,886	128	MOCKDISA
96. Which of the following would an IS auditor expect to find in a console log?	A. Names of system users	B. Shift supervisor identification	C. System errors	D. Data edit errors	c	A console log typically contains information about system errors.	MOCKDISA	1,887	194	MOCKDISA
97. A network diagnostic tool that monitors and records network information is a(n):	A. Online monitor	B. Downtime report	C. Help desk report	D. Protocol analyzer	d	A protocol analyzer is a network diagnostic tool that monitors and records network information.	MOCKDISA	1,888	9	MOCKDISA
98. Which of the following will help detect changes made by an intruder to the system log of a server?	A. Mirroring the system log on another server	B. Simultaneously duplicating the system log on a write-once disk	C. Write-protecting the directory containing the system log	D. Storing the backup of the system log offsite	b	Duplicating the system log on a write-once disk helps detect changes made by intruders.	MOCKDISA	1,889	168	MOCKDISA
99. During an audit of the tape management system at a data center, an IS auditor discovered that parameters are set to bypass or ignore the labels written on tape header records. The IS auditor also determined that effective staging and job setup procedures were in place. In this situation, the IS auditor should conclude that the:	A. tape headers should be manually logged and checked by the operators.	B. staging and job setup procedures are not appropriate compensating controls.	C. staging and job setup procedures compensate for the tape label control weakness.	D. tape management system parameters must be set to check all labels.	c	Effective staging and job setup procedures compensate for the weakness of tape label control in this scenario.	MOCKDISA	1,890	60	MOCKDISA
100. IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings?	A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations.	B. The service provider does not have incident handling procedures.	C. Recently a corrupted database could not be recovered because of library management problems.	D. Incident logs are not being reviewed.	a	The lack of disaster recovery coverage in the outsourcing contract is the most critical concern for an IS auditor reviewing outsourced IT operations.	MOCKDISA	1,891	96	MOCKDISA
101. Which of the following BEST ensures the integrity of a server's operating system?	A. Protecting the server in a secure location	B. Setting a boot password	C. Hardening the server configuration	D. Implementing activity logging	c	Hardening a server's configuration ensures it is securely configured to prevent unauthorized access and maintain OS integrity.	MOCKDISA	1,892	203	MOCKDISA
102. An IS auditor detected that several PCs connected to the Internet have a low security level that is allowing for the free recording of cookies. This creates a risk because cookies locally store:	A. information about the Internet site.	B. information about the user.	C. information for the Internet connection.	D. Internet pages.	b	Cookies locally store information about the user, posing privacy risks if security levels are low and cookies are freely recorded.	MOCKDISA	1,893	40	MOCKDISA
103. Which of the following is the MOST probable cause for a mail server being used to send spam?	A. Installing an open relay server	B. Enabling Post Office Protocol (POP3)	C. Using Simple Mail Transfer Protocol (SMTP)	D. Activating user accounting	a	An open relay server allows unauthorized use of a mail server to send spam, compromising its integrity and reputation.	MOCKDISA	1,894	183	MOCKDISA
104. Which of the following is the MOST probable cause for a mail server being used to send spam?	A. Installing an open relay server	B. Enabling Post Office Protocol (POP3)	C. Using Simple Mail Transfer Protocol (SMTP)	D. Activating user accounting	a	An open relay server allows unauthorized use of a mail server to send spam, compromising its integrity and reputation.	MOCKDISA	1,895	130	MOCKDISA
105. The MOST significant security concern when using flash memory (e.g., USB removable disk) is that the:	A. contents are highly volatile.	B. data cannot be backed up.	C. data can be copied.	D. device may not be compatible with other peripherals.	c	Flash memory allows easy copying of data, posing a significant security concern for confidentiality and data integrity.	MOCKDISA	1,896	39	MOCKDISA
106. The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in:	A. loss of confidentiality.	B. increased redundancy.	C. unauthorized accesses.	D. application malfunctions.	b	Denormalizing tables increases redundancy, which can improve performance but may complicate maintenance and increase storage requirements.	MOCKDISA	1,897	35	MOCKDISA
107. Web and e-mail filtering tools are PRIMARILY valuable to an organization because they:	A. protect the organization from viruses and non business materials.	B. maximize employee performance.	C. safeguard the organization's image.	D. assist the organization in preventing legal issues	a	Filtering tools primarily protect against viruses and inappropriate content, reducing risks to security and productivity.	MOCKDISA	1,898	165	MOCKDISA
108. Which of the following is the GREATEST risk related to the monitoring of audit logs?	A. Logs are not backed up periodically.	B. Routine events are recorded.	C. Procedures for enabling logs are not documented.	D. Unauthorized system actions are recorded but not investigated.	d	Failing to investigate unauthorized actions recorded in audit logs undermines their effectiveness in detecting and responding to security incidents.	MOCKDISA	1,899	43	MOCKDISA
109. An organization wants to enforce data integrity principles and achieve faster performance/execution in a database application. Which of the following design principles should be applied?	A. User (customized) triggers	B. Data validation at the front end	C. Data validation at the back end	D. Referential integrity	d	Referential integrity ensures data relationships are maintained, enhancing both integrity and performance in database operations.	MOCKDISA	1,900	87	MOCKDISA
110. To share data in a multivendor network environment, it is essential to implement program-to-program communication. With respect to program-to-program communication features that can be implemented in this environment, which of the following makes implementation and maintenance difficult?	A. User isolation	B. Controlled remote access	C. Transparent remote access	D. The network environments	d	The complexity of network environments can significantly challenge the implementation and maintenance of program-to-program communication features across multiple vendors.	MOCKDISA	1,901	84	MOCKDISA
111. An IS auditor is reviewing the database administration (DBA) function to ascertain whether adequate provision has been made for controlling data. The IS auditor should determine that the:	A. function reports to data processing operations.	B. responsibilities of the function are well defined.	C. database administrator is a competent systems programmer.	D. audit software has the capability of efficiently accessing the database.	b	Well-defined responsibilities ensure effective control and management independence within the DBA function.	MOCKDISA	1,902	19	MOCKDISA
112. Which of the following is a control over database administration activities?	A. A database checkpoint to restart processing after a system failure	B. Database compression to reduce unused space	C. Supervisory review of access logs	D. Backup and recovery procedures to ensure database availability	c	Supervisory review of access logs ensures oversight and control over database administration activities, including security and compliance.	MOCKDISA	1,903	190	MOCKDISA
113. To maximize the performance of a large database in a parallel processing environment, which of the following is used for separating indexes?	A. Disk partitioning	B. Mirroring	C. Hashing	D. Duplexing	c	Hashing is used to partition indexes in parallel processing environments, optimizing data access and retrieval.	MOCKDISA	1,904	30	MOCKDISA
114. Which of the following will prevent dangling tuples in a database?	A. Cyclic integrity	B. Domain integrity	C. Relational integrity	D. Referential integrity	d	Referential integrity ensures that all references between tables remain valid, preventing dangling tuples and maintaining data consistency.	MOCKDISA	1,905	173	MOCKDISA
115. The objective of concurrency control in a database system is to:	A. restrict updating of the database to authorized users.	B. prevent integrity problems, when two processes attempt to update the same data at the same time.	C. prevent inadvertent or unauthorized disclosure of data in the database.	D. ensure the accuracy, completeness and consistency of data.	b	Concurrency control prevents data integrity issues that arise when multiple processes attempt simultaneous updates to the same data.	MOCKDISA	1,906	76	MOCKDISA
116. A referential integrity constraint consists of:	A. ensuring the integrity of transaction processing.	B. ensuring that data are updated through triggers.	C. ensuring controlled user updates to the database.	D. rules for designing tables and queries.	b	Referential integrity constraints ensure automatic updates to maintain consistency between related tables using triggers.	MOCKDISA	1,907	92	MOCKDISA
117. Which of the following controls would provide the GREATEST assurance of database integrity?	A. Audit log procedures	B. Table link/reference checks	C. Query/table access time checks	D. Rollback and roll forward database features	b	Table link/reference checks detect and prevent errors in data relationships, ensuring the highest level of database integrity assurance.	MOCKDISA	1,908	6	MOCKDISA
118. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of:	A. loss of audit trails.	B. redundancy of data.	C. loss of data integrity.	D. unauthorized access to data.	b	Disabling normalization controls increases the risk of data redundancy, potentially compromising data consistency and storage efficiency.	MOCKDISA	1,909	117	MOCKDISA
119. In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?	A. Automated logging of changes to development libraries	B. Additional staff to provide separation of duties	C. Procedures that verify that only approved program changes are implemented	D. Access controls to prevent the operator from making program modifications	c	Implementing procedures to verify approved program changes ensures control and accountability in a small organization where strict separation of duties may not be feasible.	MOCKDISA	1,910	92	MOCKDISA
120. Vendors have released patches fixing security flaws in their software. Which of the following should the IS auditor recommend in this situation?	A. Assess the impact of patches prior to installation.	B. Ask the vendors for a new software version with all fixes included.	C. Install the security patch immediately.	D. Decline to deal with these vendors in the future.	a	Assessing the impact of patches prior to installation ensures that potential disruptions or compatibility issues are identified and managed effectively.	MOCKDISA	1,911	129	MOCKDISA
121. A programmer, using firecall IDs, as provided in the manufacture's manual, gained access to the production environment and made an unauthorized change. Which of the following could have prevented this from happening?	A. Deactivation	B. Monitoring	C. Authorization	D. Resetting	d	Resetting firecall IDs prevents unauthorized access by resetting credentials to a secure state.	MOCKDISA	1,912	35	MOCKDISA
122. One of the purposes of library control software is to allow:	A. programmers access to production source and object libraries.	B. batch program updating.	C. operators to update the control library with the production version before testing is completed.	D. read-only access to source code.	d	Library control software primarily ensures read-only access to source code to prevent unauthorized changes.	MOCKDISA	1,913	131	MOCKDISA
123. An organization is moving its application maintenance in-house from an outside source. Which of the following should be the main concern of an IS auditor?	A. Regression testing	B. Job scheduling	C. User manuals	D. Change control procedures	d	Moving application maintenance requires robust change control procedures to manage updates and ensure system stability.	MOCKDISA	1,914	158	MOCKDISA
124. Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?	A. Release-to-release source and object comparison reports	B. Library control software restricting changes to source code	C. Restricted access to source code and object code	D. Date and time-stamp reviews of source and object code	d	Reviewing date and time-stamps ensures that production code matches approved versions, ensuring synchronization.	MOCKDISA	1,915	65	MOCKDISA
125. An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?	A. Allow changes to be made only with the DBA user account.	B. Make changes to the database after granting access to a normal user account	C. Use the DBA user account to make changes, log the changes and review the change log the following day.	D. Use the normal user account to make changes, log the changes and review the change log the following day.	c	Using the DBA account with logging and subsequent review compensates for reduced procedural steps, ensuring oversight and accountability.	MOCKDISA	1,916	172	MOCKDISA
126. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?	A. Review software migration records and verify approvals.	B. Identify changes that have occurred and verify approvals.	C. Review change control documentation and verify approvals.	D. Ensure that only appropriate staff can migrate changes into production.	b	Identifying and verifying actual changes against approvals directly assesses adherence to change control procedures.	MOCKDISA	1,917	114	MOCKDISA
127. After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?	A. Differential reporting	B. False-positive reporting	C. False-negative reporting	D. Less-detail reporting	c	False-negative reporting means critical vulnerabilities are missed, leaving the network exposed to potential attacks.	MOCKDISA	1,918	176	MOCKDISA
128. The FIRST step in managing the risk of a cyberattack is to:	A. assess the vulnerability impact.	B. evaluate the likelihood of threats.	C. identify critical information assets.	D. estimate potential damage.	c	Identifying critical information assets is fundamental to prioritizing security efforts and mitigating risks effectively.	MOCKDISA	1,919	9	MOCKDISA
129. Which of the following is the MOST effective method for dealing with the spreading of a network worm that exploits a vulnerability in a protocol?	A. Install the vendor's security fix for the vulnerability.	B. Block the protocol traffic in the perimeter firewall.	C. Block the protocol traffic between internal network segments.	D. Stop the service until an appropriate security fix is installed.	d	Stopping the vulnerable service and applying the security fix immediately halts the worm's spread and mitigates risk.	MOCKDISA	1,920	1	MOCKDISA
130. Which of the following is the BEST control to detect internal attacks on IT resources?	A. Checking of activity logs	B. Reviewing firewall logs	C. Implementing a security policy	D. Implementing appropriate segregation of duties	a	Regularly checking activity logs helps detect unauthorized internal activities, providing insight into potential security breaches.	MOCKDISA	1,921	27	MOCKDISA
131. A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?	A. Most employees use laptops.	B. A packet filtering firewall is used.	C. The IP address space is smaller than the number of PCs.	D. Access to a network port is not restricted.	d	Unrestricted access to network ports allows unauthorized network connections, posing the greatest security risk in a DHCP environment.	MOCKDISA	1,922	171	MOCKDISA
132. An IS auditor is performing a network security review of a telecom company that provides Internet connection services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology for protecting their customer's payment information. The IS auditor should be MOST concerned, if a hacker:	A. compromises the Wireless Application Protocol (WAP) gateway.	B. installs a sniffing program in front of the server.	C. steals a customer's PDA.	D. listens to the wireless transmission.	a	Compromising the WAP gateway exposes all customer messages, undermining the security provided by WTLS and SSL.	MOCKDISA	1,923	178	MOCKDISA
133. Analysis of which of the following would MOST likely enable the IS auditor to determine if an unapproved program attempted to access sensitive data?	A. Abnormal job termination reports	B. Operator problem reports	C. System logs	D. Operator work schedules	c	System logs provide automated reports that track activities, including unauthorized attempts by programs to access sensitive data.	MOCKDISA	1,924	115	MOCKDISA
134. A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives?	A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies	B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing	C. Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format	D. Reengineering the existing processing and redesigning the existing system	c	Implementing an EDI system streamlines processes, reduces review time, and enhances error detection, meeting automation objectives effectively.	MOCKDISA	1,925	25	MOCKDISA
135. A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?	A. Unit testing	B. Integration testing	C. Design walk-throughs	D. Configuration management	b	System failures upon resubmission suggest inadequacies in integration testing, which ensures components work together correctly before acceptance.	MOCKDISA	1,926	171	MOCKDISA
136. A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?	A. Comparing source code	B. Reviewing system log files	C. Comparing object code	D. Reviewing executable and source code integrity	b	Reviewing system log files provides a trail of activities, revealing unauthorized modifications to production code.	MOCKDISA	1,927	192	MOCKDISA
137. An employee is responsible for updating daily the interest rates in a finance application, including interest rate exceptions for preferred customers. Which of the following is the BEST control to ensure that all rate exceptions are approved?	A. A supervisor must enter his/her password before a rate exception is validated.	B. Rates outside the normal range require prior management approval.	C. The system beeps an alarm when rate exceptions are entered.	D. All interest rates must be logged and verified every 30 days.	b	Requiring prior management approval for rates outside the norm ensures oversight and authorization, preventing unauthorized changes.	MOCKDISA	1,928	59	MOCKDISA
138. An IS auditor is conducting a review of an application system after users have completed acceptance testing. What should be the IS auditor’s major concern?	A. Determining whether test objectives were documented	B. Assessing whether users documented expected test results	C. Reviewing whether test problem logs were completed	D. Determining if there are unresolved issues	d	Unresolved issues post-acceptance testing can impact system functionality and usability, posing significant concerns for the IS auditor.	MOCKDISA	1,929	183	MOCKDISA
139. By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:	A. reliable products are guaranteed.	B. programmers' efficiency is improved.	C. security requirements are designed.	D. predictable software processes are followed.	d	CMM evaluation ensures predictable software processes are adhered to, enhancing consistency and reliability in software development.	MOCKDISA	1,930	145	MOCKDISA
140. Ideally, stress testing should be carried out in a:	A. test environment using test data.	B. production environment using live workloads.	C. test environment using live workloads.	D. production environment using test data.	c	Stress testing with live workloads in a controlled test environment ensures systems can handle peak loads without risking production data or operations.	MOCKDISA	1,931	180	MOCKDISA
141. In an EDI process, the device which transmits and receives electronic documents is the:	A. communications handler.	B. EDI translator.	C. application interface.	D. EDI interface.	a	A communications handler manages the transmission and reception of electronic documents between trading partners and networks in an EDI system.	MOCKDISA	1,932	100	MOCKDISA
142. In an electronic fund transfer (EFT) system, which of the following controls would be useful in detecting a duplication of messages?	A. Message authentication code	B. Digital signature	C. Authorization sequence number	D. Segregation of authorization	c	An authorization sequence number helps detect message duplications, ensuring each message is unique and authorized.	MOCKDISA	1,933	149	MOCKDISA
143. Information for detecting unauthorized input from a terminal would be BEST provided by the:	A. console log printout.	B. transaction journal.	C. automated suspense file listing.	D. user error report.	b	The transaction journal records all terminal transactions, facilitating detection of unauthorized inputs by comparing with authorized documents.	MOCKDISA	1,934	201	MOCKDISA
144. Peer reviews to detect software errors during a program development activity are called:	A. emulation techniques.	B. structured walk-throughs.	C. modular program techniques.	D. top-down program construction.	b	Structured walk-throughs involve peer reviews to identify software errors early in the development process, improving quality and reducing risks.	MOCKDISA	1,935	141	MOCKDISA
145. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically:	A. result in a correct capture of requirements.	B. ensure that desirable application controls have been implemented.	C. produce ergonomic and user-friendly interfaces.	D. generate efficient code.	a	While CASE tools aid in development, they do not ensure accurate requirement capture without proper user interaction and analysis.	MOCKDISA	1,936	126	MOCKDISA
146. The request for proposal (RFP) for the acquisition of an application system would MOST likely be approved by the:	A. project steering committee.	B. project sponsor.	C. project manager.	D. user project team.	a	The project steering committee, comprising representatives from impacted functions, typically approves RFPs for application system acquisitions.	MOCKDISA	1,937	126	MOCKDISA
147. The use of a GANTT chart can:	A. aid in scheduling project tasks.	B. determine project checkpoints.	C. ensure documentation standards.	D. direct the post-implementation review.	a	GANTT charts primarily aid in scheduling project tasks, helping to manage timelines and dependencies effectively.	MOCKDISA	1,938	204	MOCKDISA
148. Which of the following is a characteristic of timebox management? It:	A. is not suitable for prototyping or rapid application development (RAD).	B. eliminates the need for a quality process.	C. prevents cost overruns and delivery delays.	D. separates system and user acceptance testing.	c	Timebox management sets strict boundaries for time and cost, effectively preventing cost overruns and delays in project delivery.	MOCKDISA	1,939	105	MOCKDISA
149. Which of the following is an implementation risk within the process of decision support systems?	A. Management control	B. Semi-structured dimensions	C. Inability to specify purpose and usage patterns	D. Changes in decision processes	c	Difficulty in specifying purpose and usage patterns poses a risk in DSS implementation, impacting effectiveness and alignment with business needs.	MOCKDISA	1,940	150	MOCKDISA
150. Which of the following is the FIRST step in a business process reengineering (BPR) project?	A. Defining the areas to be reviewed	B. Developing a project plan	C. Understanding the process under review	D. Reengineering and streamlining the process under review	a	Defining the areas to be reviewed sets the foundation for a BPR project, guiding subsequent planning, analysis, and improvement efforts.	MOCKDISA	1,941	171	MOCKDISA
151. Which of the following is used to ensure that batch data is completely and accurately transferred between two systems?	A. Control total	B. Check digit	C. Check sum	D. Control account	a	Control totals ensure completeness and accuracy by summing batch data values for verification during transfer between systems.	MOCKDISA	1,942	79	MOCKDISA
152. Which of the following should be included in a feasibility study for a project to implement an EDI process?	A. The encryption algorithm format	B. The detailed internal control procedures	C. The necessary communication protocols	D. The proposed trusted third-party agreement	c	Feasibility studies for EDI projects should include communication protocols to assess technical and cost implications.	MOCKDISA	1,943	18	MOCKDISA
153. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?	A. Acceptance testing is to be managed by users.	B. A quality plan is not part of the contracted deliverables.	C. Not all business functions will be available on initial implementation.	D. Prototyping is being used to confirm that the system meets business requirements.	b	The absence of a quality plan is critical as it ensures comprehensive quality assurance throughout the project lifecycle.	MOCKDISA	1,944	63	MOCKDISA
154. A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced?	A. Verifying production to customer orders	B. Logging all customer orders in the ERP system	C. Using hash totals in the order transmitting process	D. Approving (production supervisor) orders prior to production	a	Verifying production against customer orders ensures accuracy and alignment between orders and manufacturing output.	MOCKDISA	1,945	118	MOCKDISA
155. A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?	A. Key verification	B. One-for-one checking	C. Manual recalculations	D. Functional acknowledgements	d	Functional acknowledgements in EDI interfaces provide audit trails and ensure efficient data mapping between systems.	MOCKDISA	1,946	162	MOCKDISA
156. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be the IS auditor's main concern about the new process?	A. Are key controls in place to protect assets and information resources?	B. Does it address the corporate customer requirements?	C. Does the system meet the performance goals (time and resources)?	D. Have owners been identified who will be responsible for the process?	a	Ensuring key controls are in place to protect assets and information resources is critical during a BPR project implementation.	MOCKDISA	1,947	66	MOCKDISA
157. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms are completed and delivered to the bank, which prepares checks and reports. To BEST ensure payroll data accuracy:	A. Payroll reports should be compared to input forms.	B. Gross payroll should be recalculated manually.	C. Checks should be compared to input forms.	D. Checks should be reconciled with output reports.	a	Comparing payroll reports with input forms ensures accuracy by verifying input data against processed results.	MOCKDISA	1,948	168	MOCKDISA
158. A data validation edit that matches input data to an occurrence rate is a:	A. Limit check.	B. Reasonableness check.	C. Range check.	D. Validity check.	b	A reasonableness check matches input data against predefined occurrence rates or limits to ensure data accuracy and validity.	MOCKDISA	1,949	146	MOCKDISA
159. A data warehouse is:	A. Object-oriented.	B. Subject-oriented.	C. Departmental specific.	D. A volatile database.	b	Data warehouses are subject-oriented, designed to support decision-making across multiple subjects or areas within an organization.	MOCKDISA	1,950	22	MOCKDISA
160. A debugging tool, which reports on the sequence of steps executed by a program, is called a(n):	A. Output analyzer.	B. Memory dump.	C. Compiler.	D. Logic path monitor.	d	A logic path monitor reports on program execution steps, aiding programmers in identifying logic errors during debugging processes.	MOCKDISA	1,951	23	MOCKDISA
161. A decision support system (DSS):	A. is aimed at solving highly structured problems.	B. combines the use of models with nontraditional data access and retrieval functions.	C. emphasizes flexibility in the decision-making approach of users.	D. supports only structured decision-making tasks.	c	DSS emphasizes flexibility in decision-making, accommodating less-structured problems and combining models with traditional data functions.	MOCKDISA	1,952	70	MOCKDISA
162. Which of the following is a check (control) for completeness?	A. Check digits	B. Parity bits	C. One-for-one checking	D. Prerecorded input	b	Parity bits verify completeness by ensuring all transmitted data bits are received without error.	MOCKDISA	1,953	100	MOCKDISA
163. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?	A. Check digit	B. Existence check	C. Completeness check	D. Reasonableness check	c	A completeness check ensures fields contain data, not blanks or zeros, ensuring data validity.	MOCKDISA	1,954	134	MOCKDISA
164. Which of the following types of controls is designed to provide the ability to verify data and record values through the stages of application processing?	A. Range checks	B. Run-to-run totals	C. Limit checks on calculated amounts	D. Exception reports	b	Run-to-run totals verify data values through application processing stages, ensuring data integrity.	MOCKDISA	1,955	24	MOCKDISA
165. The editing/validation of data entered at a remote site would be performed MOST effectively at the:	A. central processing site after running the application system.	B. central processing site during the running of the application system.	C. remote processing site after transmission of the data to the central processing site.	D. remote processing site prior to transmission of the data to the central processing site.	d	Validating data at the remote site before transmission ensures errors are caught early, improving data integrity.	MOCKDISA	1,956	197	MOCKDISA
166. To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is:	A. during data preparation.	B. in transit to the computer.	C. between related computer runs.	D. during the return of the data to the user department.	a	Implementing control totals during data preparation ensures early detection of data loss or errors.	MOCKDISA	1,957	161	MOCKDISA
167. Functional acknowledgements are used:	A. as an audit trail for EDI transactions.	B. to functionally describe the IS department.	C. to document user roles and responsibilities.	D. as a functional description of application software.	a	Functional acknowledgements serve as an audit trail for verifying receipt of EDI transactions.	MOCKDISA	1,958	61	MOCKDISA
168. The impact of EDI on internal controls will be:	A. that fewer opportunities for review and authorization will exist.	B. an inherent authentication.	C. a proper distribution of EDI transactions while in the possession of third parties.	D. that IPF management will have increased responsibilities over data center controls.	a	EDI reduces manual review opportunities, impacting internal control oversight.	MOCKDISA	1,959	107	MOCKDISA
169. Sales orders are automatically numbered sequentially at each of a retailer's multiple outlets. The MOST appropriate control to ensure that all orders transmitted to production are received and processed would be to:	A. send and reconcile transaction counts and totals.	B. have data transmitted back to the local site for comparison.	C. compare data communications protocols with parity checking.	D. track and account for the numerical sequence of sales orders at the production facility.	a	Reconciling transaction counts ensures all orders are processed accurately at the central production facility.	MOCKDISA	1,960	139	MOCKDISA
170. Which of the following ensures completeness and accuracy of accumulated data?	A. Processing control procedures	B. Data file control procedures	C. Output controls	D. Application controls	a	Processing control procedures ensure accuracy and completeness of data through systematic processing checks and balances.	MOCKDISA	1,961	2	MOCKDISA
171. A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:	A. reasonableness check.	B. parity check.	C. redundancy check.	D. check digits.	c	Redundancy checks detect transmission errors by appending calculated bits to data segments.	MOCKDISA	1,962	48	MOCKDISA
172. Which of the following integrity tests examines the accuracy, completeness, consistency and authorization of data?	A. Data	B. Relational	C. Domain	D. Referential	a	Data integrity testing covers accuracy, completeness, consistency, and authorization of data.	MOCKDISA	1,963	142	MOCKDISA
173. Which of the following data validation edits is effective in detecting transposition and transcription errors?	A. Range check	B. Check digit	C. Validity check	D. Duplicate check	b	Check digits detect transposition and transcription errors by appending calculated values to data.	MOCKDISA	1,964	159	MOCKDISA
174. Which of the following data validation edits could be used by a bank, to ensure the correctness of bank account numbers assigned to customers, thereby helping to avoid transposition and transcription errors?	A. Sequence check	B. Validity check	C. Check digit	D. Existence check	c	Check digits verify bank account number accuracy by appending calculated values.	MOCKDISA	1,965	118	MOCKDISA
175. During an application audit, the IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?	A. Implement data backup and recovery procedures.	B. Define standards and closely monitor for compliance.	C. Ensure that only authorized personnel can update the database.	D. Establish controls to handle concurrent access problems.	a	Data backup and recovery procedures correct database corruption issues by restoring data integrity.	MOCKDISA	1,966	155	MOCKDISA
176. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?	A. Log all table update transactions.	B. Implement before-and-after image reporting.	C. Use tracing and tagging.	D. Implement integrity constraints in the database.	d	Integrity constraints in the database prevent entry of out-of-range data, ensuring data validity.	MOCKDISA	1,967	13	MOCKDISA
177. When assessing the portability of a database application, the IS auditor should verify that:	A. a structured query language (SQL) is used.	B. information import and export procedures exist with other systems.	C. indexes are used.	D. all entities have a significant name and identified primary and foreign keys.	a	SQL usage ensures database application portability by facilitating standard query operations across platforms.	MOCKDISA	1,968	188	MOCKDISA
178. In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:	A. isolation.	B. consistency.	C. atomicity.	D. durability.	c	Atomicity ensures transactions are completed fully or not at all, maintaining data integrity in online systems.	MOCKDISA	1,969	133	MOCKDISA
179. Which of the following would help to ensure the portability of an application connected to a database? The:	A. verification of database import and export procedures.	B. usage of a structured query language (SQL).	C. analysis of stored procedures/triggers.	D. synchronization of the entity-relation model with the database physical schema.	b	SQL usage supports application portability by enabling standardized database interactions across different platforms.	MOCKDISA	1,970	8	MOCKDISA
180. A single digitally signed instruction was given to a financial institution to credit a customer's account. The financial institution received the instruction three times and credited the account three times. Which of the following would be the MOST appropriate control against such multiple credits?	A. Encrypting the hash of the payment instruction with the public key of the financial institution	B. Affixing a time stamp to the instruction and using it to check for duplicate payments	C. Encrypting the hash of the payment instruction with the private key of the instructor	D. Affixing a time stamp to the hash of the instruction before having it digitally signed by the instructor	b	Timestamping instructions prevents duplicate processing, ensuring single crediting per instruction.	MOCKDISA	1,971	17	MOCKDISA
181. An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action?	A. Analyze the need for the structural change.	B. Recommend restoration to the originally designed structure.	C. Recommend the implementation of a change control process.	D. Determine if the modifications were properly approved.	d	The IS auditor should first determine if modifications were properly approved before considering further actions.	MOCKDISA	1,972	85	MOCKDISA
182. An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated?	A. Consistency	B. Isolation	C. Durability	D. Atomicity	d	Violation of atomicity means transactions were not fully executed or rolled back as required.	MOCKDISA	1,973	41	MOCKDISA
183. The BEST method of proving the accuracy of a system tax calculation is by:	A. detailed visual review and analysis of the source code of the calculation programs	B. recreating program logic using generalized audit software to calculate monthly totals.	C. preparing simulated transactions for processing and comparing the results to predetermined results.	D. automatic flowcharting and analysis of the source code of the calculation programs.	c	Simulating transactions and comparing results ensures accuracy of tax calculations effectively.	MOCKDISA	1,974	97	MOCKDISA
184. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?	A. Personally delete all copies of the unauthorized software.	B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.	C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.	D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.	c	Reporting to management about unauthorized software usage is appropriate for addressing the issue.	MOCKDISA	1,975	153	MOCKDISA
185. Which of the following is the GREATEST challenge in using test data?	A. Ensuring the program version tested is the same as the production program	B. Creating test data that covers all possible valid and invalid conditions	C. Minimizing the impact of additional transactions on the application being tested	D. Processing the test data under an auditor's supervision	b	Creating comprehensive test data that covers all conditions is critical for effective testing.	MOCKDISA	1,976	159	MOCKDISA
186. The BEST method of proving the accuracy of a system tax calculation is by:	A. detailed visual review and analysis of the source code of the calculation programs.	B. recreating program logic using generalized audit software to calculate monthly totals.	C. preparing simulated transactions for processing and comparing the results to predetermined results.	D. automatic flowcharting and analysis of the source code of the calculation programs.	c	Simulating transactions and comparing results ensures accuracy of tax calculations effectively.	MOCKDISA	1,977	64	MOCKDISA
187. Which of the following would BEST support 24/7 availability?	A. Daily backup	B. Offsite storage	C. Mirroring	D. Periodic testing	c	Mirroring provides immediate data availability, supporting continuous operations.	MOCKDISA	1,978	117	MOCKDISA
188. The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:	A. achieve performance improvement.	B. provide user authentication.	C. ensure availability of data.	D. ensure the confidentiality of data.	c	RAID level 1 ensures data availability through disk mirroring.	MOCKDISA	1,979	202	MOCKDISA
189. Which of the following is the MOST important criterion for the selection of a location for an offsite storage facility for IS backup files? The offsite facility must be:	A. physically separated from the data center and not subject to the same risks.	B. given the same level of protection as that of the computer data center.	C. outsourced to a reliable third party.	D. equipped with surveillance capabilities.	a	Physical separation from primary risks is crucial to ensure backup integrity and availability.	MOCKDISA	1,980	130	MOCKDISA
190. If a database is restored using before-image dumps, where should the process be started following an interruption?	A. Before the last transaction	B. After the last transaction	C. As the first transaction after the latest checkpoint	D. As the last transaction before the latest checkpoint	a	Restarting before the last transaction ensures integrity when using before-image dumps for restoration.	MOCKDISA	1,981	87	MOCKDISA
191. In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?	A. Maintaining system software parameters	B. Ensuring periodic dumps of transaction logs	C. Ensuring grandfather-father-son file backups	D. Maintaining important data at an offsite location	b	Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historical data. The volume of activity usually associated with an online system makes other more traditional methods of backup impractical.	MOCKDISA	1,982	11	MOCKDISA
192. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?	A. The previous day's backup file and the current transaction tape	B. The previous day's transaction file and the current transaction tape	C. The current transaction tape and the current hard copy transaction log	D. The current hard copy transaction log and the previous day's transaction file	a	The previous day's backup will be the most current historical backup of activity in the system. The current day's transaction file will contain all of the day's activity. Therefore, the combination of these two files will enable full recovery up to the point of interruption.	MOCKDISA	1,983	56	MOCKDISA
193. An offsite information processing facility:	A. should have the same amount of physical access restrictions as the primary processing site.	B. should be easily identified from the outside so that, in the event of an emergency, it can be easily found.	C. should be located in proximity to the originating site, so it can quickly be made operational.	D. need not have the same level of environmental monitoring as the originating site.	a	An offsite information processing facility should have the same amount of physical control as the originating site. It should not be easily identified from the outside to prevent intentional sabotage. The offsite facility should not be subject to the same natural disaster that could affect the originating site and thus should not be located in proximity of the original site, and the offsite facility should possess the same level of environmental monitoring and control as the originating site.	MOCKDISA	1,984	69	MOCKDISA
194. An IS auditor performing a review of the backup processing facilities should be MOST concerned that:	A. adequate fire insurance exists.	B. regular hardware maintenance is performed.	C. offsite storage of transaction and master files exists.	D. backup processing facilities are fully tested.	c	Adequate fire insurance and fully tested backup processing facilities are important elements for recovery, but without the offsite storage of transaction and master files, it is generally impossible to recover. Regular hardware maintenance does not relate to recovery.	MOCKDISA	1,985	80	MOCKDISA
195. Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist?	A. Reviewing program code	B. Reviewing operations documentation	C. Turning off the UPS, then the power	D. Reviewing program documentation	b	Operations documentation should contain recovery/restart procedures, so operations can return to normal processing in a timely manner. Turning off the uninterruptible power supply (UPS) and then turning off the power might create a situation for recovery and restart, but the negative effect on operations would prove this method to be undesirable. The review of program code and documentation generally does not provide evidence regarding recovery/restart procedures.	MOCKDISA	1,986	107	MOCKDISA
196. A company performs full backup of data and programs on a regular basis. The primary purpose of this practice is to:	A. maintain data integrity in the applications.	B. restore application processing after a disruption.	C. prevent unauthorized changes to programs and data.	D. ensure recovery of data processing in case of a disaster.	b	Backup procedures are designed to restore programs and data to a previous state prior to computer or system disruption. These backup procedures merely copy data and do not test or validate integrity. Backup procedures will also not prevent changes to program and data. On the contrary, changes will simply be copied. Although backup procedures are a necessary part of the recovery process following a disaster, they are not sufficient in themselves.	MOCKDISA	1,987	176	MOCKDISA
197. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?	A. There are three individuals with a key to enter the area.	B. Paper documents are also stored in the offsite vault.	C. Data files that are stored in the vault are synchronized.	D. The offsite vault is located in a separate facility.	c	Choice A is incorrect because more than one person would typically need to have a key to the vault to ensure that individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is not correct because the IS auditor would not be concerned with whether paper documents are stored in the offsite vault. In fact, paper documents, such as procedural documents and a copy of the contingency plan, would most likely be stored in the offsite vault, and the location of the vault is important, but not as important as the files being synchronized.	MOCKDISA	1,988	99	MOCKDISA
198. Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:	A. database integrity checks.	B. validation checks.	C. input controls.	D. database commits and rollbacks.	d	Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing. All other options do not ensure integrity while processing is underway.	MOCKDISA	1,989	43	MOCKDISA
199. When developing a backup strategy, the FIRST step is to:	A. identify the data.	B. select the storage location.	C. specify the storage media.	D. define the retention period.	a	Archiving data and backups is essential for the continuity of business. Selection of the data to be backed up is the first step in the process. Once the data have been identified, an appropriate retention period, storage media and location can be selected.	MOCKDISA	1,990	89	MOCKDISA
200. To provide protection for media backup stored at an offsite location, the storage site should be:	A. located on a different floor of the building.	B. easily accessible by everyone.	C. clearly labeled for emergency access.	D. protected from unauthorized access.	d	The offsite storage site should always be protected against unauthorized accesses and at least have the same security requirements as the primary site. Choice A is incorrect because, if the backup is in the same building, it may suffer the same event and may be inaccessible. Choice B and C represent access risks.	MOCKDISA	1,991	48	MOCKDISA
1. An organization is reviewing its contract with a cloud computing provider. For which of the following reasons would the organization want to remove a lock-in clause from the contract?	A. Availability	B. Portability	C. Agility	D. Scalability	b	When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. It may be important for the client to secure portability of their system assets, i.e., the right to transfer from one vendor to another.	MOCKDISA	1,992	135	MOCKDISA
2. The ________ model represents transactions between end users facilitated by a third party.	A. B2B	B. B2C	C. B2E	D. C2C	d		MOCKDISA	1,993	204	MOCKDISA
3. A computer manufacturing company selling computers directly to customers is known as________.	A. C2C	B. B2C	C. C2B	D. B2B	b		MOCKDISA	1,994	127	MOCKDISA
4. ________ is a form of electronic commerce that focuses on handling activities that take place within an organization.	A. B2C	B. C2C	C. B2B	D. B2E	d		MOCKDISA	1,995	179	MOCKDISA
5. In a LAN environment, which of the following minimizes the risk of data corruption during transmission?	A. Using end-to-end encryption for data communication	B. Using separate conduits for electrical and data cables	C. Using check sums for checking the corruption of data	D. Connecting the terminals using a star topology	b	Using separate conduits for data cables and electrical cables minimizes the risk of data corruption due to induced magnetic fields created by electrical current.	MOCKDISA	1,996	83	MOCKDISA
6. Which of the following is an operating system access control function?	A. Logging user activities	B. Logging data communication access activities	C. Verifying user authorization at the field level	D. Changing data files	a	General operating system access control functions include logging user activities.	MOCKDISA	1,997	167	MOCKDISA
7. A LAN can be best described as:	A. which connects computers of various types, terminals, printers and other devices within a limited proximity	B. which allows users to meet and share ideas	C. Tape library containing backed up tapes	D. TCP-IP	a		MOCKDISA	1,998	134	MOCKDISA
8. For Information security to be effective and complete:	A. only Network security needs to be implemented	B. ISO/OSI reference model should be implemented	C. Security policy should be prepared but should not be shared with the users	D. Users of all types and all levels should be made adequately aware of their roles and responsibilities.	d	Users of all types and all levels should be made adequately aware of their roles and responsibilities for information security to be effective and complete.	MOCKDISA	1,999	113	MOCKDISA
9. Which of the following types of transmission media provide the BEST security against unauthorized access?	A. Copper wire	B. Twisted pair	C. Fibre-optic cables	D. Coaxial cables	c	Fibre-optic cables have proven to be more secure than other media against unauthorized access.	MOCKDISA	2,000	84	MOCKDISA
10. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?	A. Sensitive data can be read by operators.	B. Data can be amended without authorization.	C. Unauthorized report copies can be printed.	D. Output can be lost in the event of system failure.	c	Unless controlled, spooling for offline printing may enable additional copies to be printed, posing the most serious exposure among the options given.	MOCKDISA	2,001	162	MOCKDISA
11. Which of the following would enable an enterprise to provide its business partners access to its intranet (i.e., extranet) across the Internet?	A. Virtual private network	B. Client-server	C. Dial-in access	D. Network service provider	a	Apart from being low cost, VPN rely on tunnelling techniques as a principal method of transport which allow the Internet-Protocol (IP) to carry a variety of different protocols (eg., SNA, IPX, NETBEUI).	MOCKDISA	2,002	79	MOCKDISA
12. Which of the following device/technique is used in a data communications system to fully use the capacity of a high-speed data communication line?	A. Multiplexing	B. Bridge	C. Coaxial Cable	D. Star Topology	a		MOCKDISA	2,003	8	MOCKDISA
13. A Digital Certificate verifies the	A. Private key of the subject	B. Public key of the subject	C. Integrity of the subject	D. Strength of the Encryption Algorithm	b	A Digital Certificate is a digital file used to cryptographically bind an entity's Public Key to specific attributes relating to its identity.	MOCKDISA	2,004	93	MOCKDISA
14. For subtraction, if a SUB statement is used instead of 10110111, the programmer is using _______________ language.	A. fourth-generation language (4GL)	B. Assembly Language	C. High-Level Language	D. Machine Language	b		MOCKDISA	2,005	108	MOCKDISA
15. The main components of the Central Processing Unit (CPU) of a computer are:	A. Semiconductors, printers and memory	B. Arithmetic-logic unit, control Unit and primary memory	C. Random access memory, read only memory and tape drive	D. Primary storage, input-output devices and hub	b		MOCKDISA	2,006	37	MOCKDISA
16. A packet filter router:	A. Checks the header of each incoming packet to determine whether it matches any of the packet filtering rules.	B. Decrypts the data	C. Is used as an application server	D. is a bastion host server	a		MOCKDISA	2,007	78	MOCKDISA
17. Application, Presentation and session layers in OSI model are mapped to	A. Application layer in TCP/IP model	B. Transport layer in TCP/IP model	C. Internet layer in TCP/IP model	D. Network Interface Layer in TCP/IP model	a		MOCKDISA	2,008	117	MOCKDISA
18. Brick-and-mortar companies have both physical and virtual stores.	A. True	B. False			b		MOCKDISA	2,009	58	MOCKDISA
19. A compiler translates the source code of a program to machine language:	A. True	B. False			a		MOCKDISA	2,010	16	MOCKDISA
20. _____________ refers to sharing information, developing and maintaining business relationships, and using telecommunications networks to conduct business.	A. E-Business	B. CRM	C. B2C	D. SEO	a		MOCKDISA	2,011	33	MOCKDISA
21. One of the following is not an example of computer software:	A. Operating system	B. Word processing package	C. Application software	D. Modem	d		MOCKDISA	2,012	173	MOCKDISA
22. Name the hardware that transforms the computer’s digital information into signals that can be sent over ordinary telephone lines is called	A. Router	B. IMAP	C. POP	D. Modem	d		MOCKDISA	2,013	60	MOCKDISA
23. Three basic tenets of Information Security are:	A. Encryption, Authentication, Backups	B. Confidentiality, Integrity, Availability	C. Topology, addressing, DMZ	D. Access control lists, application controls, Network controls	b		MOCKDISA	2,014	65	MOCKDISA
24. User Datagram Protocol (UDP)	A. is a unreliable connectionless protocol	B. is a reliable connectionless protocol	C. is used at application layer	D. Does handshaking	a	Unlike TCP, UDP lacks connection orientation and guaranteed delivery, making it lighter-weight with less overhead.	MOCKDISA	2,015	80	MOCKDISA
25. ARP is:	A. Resolution Protocol	B. Media Access protocol	C. Address Resolution protocol	D. User Datagram Protocol	c		MOCKDISA	2,016	155	MOCKDISA
26. An IP address is divided into	A. Network ID and Host ID	B. Seven layers	C. Four layers	D. Sub net mask	a		MOCKDISA	2,017	113	MOCKDISA
27. Asynchronous transmission happens when	A. Two devices with dissimilar speeds communicate	B. Two devices with similar speeds communication	C. OSI layers are used	D. BUS topology is used	a		MOCKDISA	2,018	53	MOCKDISA
28. In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?	A. Foreign key	B. Primary key	C. Secondary key	D. Public key	a	Foreign keys maintain referential integrity by preventing deletion of related rows.	MOCKDISA	2,019	39	MOCKDISA
29. A ring topology can be best described as:	A. All computers connected to a central hub	B. Each computer is connected to its neighbour and each link passes communications through its neighbour to the destination computer	C. All computers are connected to a backbone cable	D. All computers are connected to each other	b		MOCKDISA	2,020	78	MOCKDISA
30. A digital certificate is issued by:	A. Registration Authority	B. CERT	C. Digital certification Authority	D. Certificate Authority	d		MOCKDISA	2,021	185	MOCKDISA
31. Which of the following would provide the BEST protection against the hacking of a computer connected to the Internet?	A. A remote access server	B. A proxy server	C. A personal firewall	D. A password-generating token	c	A personal firewall is designed to define rules for permitted connections and offers strong protection against hacking attempts.	MOCKDISA	2,022	160	MOCKDISA
32. Digital signatures help in ensuring	A. Authentication, maintaining integrity, non-repudiation	B. Access to internet	C. Routing	D. Application security	a	Digital signatures provide authentication of the sender, maintain message integrity, and prevent the sender from denying the message.	MOCKDISA	2,023	21	MOCKDISA
33. When two devices communicate, the term described for data and control information to be transmitted and interpreted is:	A. Router	B. Synchronous communication	C. Cable	D. Communication protocol	d	Communication protocols define the rules and formats for data and control information exchanged between devices.	MOCKDISA	2,024	165	MOCKDISA
34. Factors that degrade a signal are	A. Bus topology	B. TCP-IP	C. Attenuation, Delay Distortion, noise	D. Multiplexing	c	Attenuation (signal weakening), delay distortion, and noise are factors that degrade signal quality during transmission.	MOCKDISA	2,025	129	MOCKDISA
35. To protect a Local Area Network from external attacks which of the following is used:	A. Passwords	B. Fiber Optic cables	C. Ring Topology	D. Firewalls	d	Firewalls are used to protect LANs from unauthorized external access and attacks.	MOCKDISA	2,026	38	MOCKDISA
36. A digital signature does not contain:	A. Certificate Serial Number	B. Issuer’s name	C. Subject’s name	D. Private key of the subject	d	A digital signature does not contain the private key of the subject; it is used for signing messages, not stored within the signature itself.	MOCKDISA	2,027	142	MOCKDISA
37. What should be done to the Hard disk to prevent access to the data residing on it?	A. Rewrite the hard disk with random 0s & 1s	B. Low-level format the disk	C. Demagnetize the disk	D. Physically destroy the disk	d	Physically destroying the disk ensures no data recovery, making it the most secure method to prevent access.	MOCKDISA	2,028	102	MOCKDISA
38. In IP address 122.35.0.56, which is the host id:	A. 122	B. 35	C. 35.0.56	D. 56	c	In the IP address 122.35.0.56, the host ID portion is 35.0.56.	MOCKDISA	2,029	117	MOCKDISA
39. In a full duplex mode of data transmission:	A. Data is always transmitted in one direction only	B. Data is transmitted in both direction but in only one direction at a time	C. Data is transmitted in both directions simultaneously	D. USB is an example of full – duplex	c	Full duplex allows data transmission in both directions simultaneously, enhancing communication efficiency.	MOCKDISA	2,030	183	MOCKDISA
40. In the OSI layers – Network layer is at number:	A. 1	B. 3	C. 7	D. 5	b	Layer 1 - Physical: Deals with the transmission of raw bits over a physical medium. Layer 2 - Data Link: Provides node-to-node data transfer and error correction. Layer 3 - Network: Responsible for routing, addressing, and traffic control between devices across different networks. Layer 4 - Transport: Ensures reliable data transfer and error correction. Layer 5 - Session: Manages sessions between applications. Layer 6 - Presentation: Handles data translation, encryption, and compression. Layer 7 - Application: Provides network services directly to user applications.	MOCKDISA	2,031	27	MOCKDISA
41. The susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls.	A. Inherent Risk	B. Control Risk	C. Detection Risk	D. Correction Risk	a	Inherent risk refers to the risk inherent in a process or business activity without considering internal controls.	MOCKDISA	2,032	56	MOCKDISA
42. The analysis of Past-due account reports is an example of	A. Preventive controls	B. Detective controls	C. Corrective controls	D. Compensating controls	b	Corrective controls are actions taken to address issues after they occur, such as dealing with past-due accounts.	MOCKDISA	2,033	28	MOCKDISA
43. The Internal Audit functions are examples of	A. Preventive controls	B. Detective controls	C. Corrective controls	D. Compensating controls	b	Internal audit functions primarily serve as detective controls by identifying issues and anomalies after they occur.	MOCKDISA	2,034	47	MOCKDISA
44. The process of paying someone else to assume the risk is	A. Risk transference	B. Risk mitigation	C. Risk acceptance	D. Inherent risk	a	Risk transference involves transferring risk to another party, typically through insurance or outsourcing.	MOCKDISA	2,035	90	MOCKDISA
45. Evidence gathering to evaluate the integrity of individual transactions, data or other information is typical of which of the following?	A. Substantive testing	B. Compliance testing	C. Detection testing	D. Control testing	a	Substantive testing focuses on verifying the accuracy and integrity of individual transactions or data.	MOCKDISA	2,036	58	MOCKDISA
46. What is the first action an IS auditor should take after identifying a weakness in a control?	A. Suggest a corrective action	B. Take the finding directly to the steering committee	C. Try and find a compensating control for the identified weakness	D. Take note of it for inclusion in the final audit report	c	After identifying a weakness, the IS auditor should first explore compensating controls to mitigate the risk before reporting it.	MOCKDISA	2,037	94	MOCKDISA
47. When planning an IS audit, which of the following factors is least likely to be relevant to the scope of the engagement?	A. The concerns of management for ensuring that controls are sufficient and working properly	B. The amount of controls currently in place	C. The type of business, management culture, and risk tolerance	D. The complexity of the technology used by the business in performing the business functions	b	The number of controls in place does not directly determine the scope of an audit; other factors like business type and technology complexity are more relevant.	MOCKDISA	2,038	167	MOCKDISA
48. Due care can best be described as	A. A level of diligence that a prudent and competent person would exercise under a given set of circumstances	B. A level of best effort provided by applying professional judgment	C. A guarantee that no wrong conclusions are made during the course of the audit work	D. Someone with a lesser skill level that provides a similar level of detail or quality of work	a	Due care refers to the reasonable level of care and diligence expected from a competent professional in similar circumstances.	MOCKDISA	2,039	110	MOCKDISA
49. In a risk-based audit approach, an IS auditor must consider the inherent risk and	A. How to eliminate the risk through an application of controls	B. Whether the risk is material, regardless of management’s tolerance for risk	C. The balance of the loss potential and the cost to implement controls	D. Residual risk being higher than the insurance coverage purchased	c	A risk-based audit approach involves assessing the balance between potential losses and the costs of implementing controls.	MOCKDISA	2,040	98	MOCKDISA
50. Which statement best describes the difference between a detective control and a corrective control?	A. Neither control stops errors from occurring. One control type is applied sooner than the other.	B. One control is used to keep errors from resulting in loss, and the other is used to warn of danger.	C. One is used as a reasonableness check, and the other is used to make management aware that an error has occurred.	D. One control is used to identify that an error has occurred and the other fixes the problems before a loss occurs.	d	Detective controls identify errors after they occur, while corrective controls are designed to fix errors and prevent losses.	MOCKDISA	2,041	109	MOCKDISA
51. One of the most important reasons for having the audit organization report to the audit committee of the board is because	A. Their budgets are more easily managed separate from the other budgets of the organization	B. The departments resources cannot easily be redirected and used for other projects	C. The internal audit function is to assist all parts of the organization and no one reporting manager should get priority on this help and support	D. The audit organization must be independent from influence from reporting structures that do not enable them to communicate directly with the audit committee	d	Independence from influence and reporting structures ensures the audit organization can report directly to the audit committee, maintaining objectivity and oversight.	MOCKDISA	2,042	95	MOCKDISA
52. Which of the following is not a method to identify risks?	A. Identify the risks, then determine the likelihood of occurrence and cost of a loss.	B. Identify the threats, their associated vulnerabilities, and the cost of losses.	C. Identify the vulnerabilities and effort to correct, based on the industry's best practices.	D. Seek managements risk tolerance and determine what threats exist that exceed that tolerance.	c	While identifying vulnerabilities and correcting based on industry best practices is important, it does not fully encompass risk identification, which involves understanding threats and vulnerabilities together.	MOCKDISA	2,043	81	MOCKDISA
53. Which of the following is not a reason to be concerned about auditor independence?	A. The auditor starts dating the change control librarian.	B. The auditor invests in the business spin-off of the company.	C. The auditor used to manage the same business process at a different company.	D. The auditor is working as consultant for the implementation portion of the project being audited.	c	While prior management of the same business process may raise concerns about familiarity, it does not inherently compromise independence; other options involve potential conflicts of interest.	MOCKDISA	2,044	55	MOCKDISA
54. An audit charter serves the following primary purpose:	A. To describe the audit process used by the auditors	B. To document the mission and business plan of the audit department	C. To explain the code of ethics used by the auditor	D. To provide a clear mandate to perform the audit function in terms of authority and responsibilities	d	An audit charter defines the authority and responsibilities of the audit function, establishing its mandate within the organization.	MOCKDISA	2,045	66	MOCKDISA
55. Control objectives are defined in an audit program to	A. Give the auditor a view of the big picture of what the key control issue are based on the risk and management input	B. Enable the auditor to scope the audit to only those issues identified in the control objective	C. Keep the management from changing the scope of the audit	D. Define what testing steps need to be performed in the program	a	Control objectives provide a strategic view of key control issues aligned with risk and management input, guiding the audit focus.	MOCKDISA	2,046	135	MOCKDISA
56. Some audit managements choose to use the element of surprise to	A. To check if the complacency has been built in and to see if there are procedures that can be used as a backup	B. Ensure that staffing is sufficient to manage an audit and daily processing simultaneously	C. Ensure that supervision is appropriate during surprise inspections	D. Ensure that policies and procedures coincide with the actual practices in place	a	Surprise audits help assess complacency and backup procedures, ensuring policies align with actual practices.	MOCKDISA	2,047	202	MOCKDISA
57. When identifying the potential for irregularities, the auditor should consider	A. If a vacation policy exists that requires fixed periods of vacation to be mandatory	B. How much money is devoted to the payroll	C. Whether the best practices are deployed in the IS environment	D. What kind of firewall is installed at the Internet	a	A vacation policy without mandatory fixed periods can facilitate fraudulent schemes, indicating potential irregularities.	MOCKDISA	2,048	193	MOCKDISA
58. When an audit finding is considered material, it means that	A. In terms of all possible risk and management risk tolerance, this finding is significant.	B. It has actual substance in terms of hard assets.	C. It is important to the audit in terms of the audit objectives and findings related to them.	D. Management cares about this kind of finding so it needs to be reported regardless of the risk.	a	Materiality in audit findings considers the significance in relation to risk and management tolerance, impacting audit conclusions.	MOCKDISA	2,049	7	MOCKDISA
59. In order to meet the requirements of audit, evidence sampling must be	A. Of a 95 percent or higher confidence level, based on repeated pulls of similar sample sizes	B. Sufficient, reliable, relevant, and useful, and supported by the appropriate analysis	C. Within two standard deviations of the mean for the entire population of the data	D. A random selection of the population in which every item has an equal chance of being selected	b	Effective audit evidence sampling must meet criteria of sufficiency, reliability, relevance, and usefulness, supported by appropriate analysis.	MOCKDISA	2,050	118	MOCKDISA
60. Audit evidence can take many forms. When determining the types required for an audit, the auditor must consider	A. CAATs, flowcharts, and narratives	B. Interviews, observations, and re-performance testing	C. The best evidence available that is consistent with the importance of the audit objectives	D. Inspection, confirmation, and substantive testing	c	Audit evidence selection prioritizes the best available evidence aligning with audit objectives' importance, ensuring audit effectiveness.	MOCKDISA	2,051	201	MOCKDISA
61. The primary thing to consider when planning for the use of CAATs in an audit program is	A. Whether the sampling error will be at an unacceptable level	B. Whether you can trust the programmer who developed the tools of the CAATs	C. Whether the source and object codes of the programs of the CAATs match	D. The extent of the invasive access necessary to the production environment	d	CAATs (Computer-Assisted Audit Techniques) require careful planning regarding their impact on live data, making option D the correct choice due to potential risks associated with invasive access.	MOCKDISA	2,052	194	MOCKDISA
62. The most important aspect of drawing conclusions in an audit report is to	A. Prove your initial assumptions were correct.	B. Identify control weakness based on test work performed.	C. Obtain the goals of the audit objectives and to form an opinion on the sufficiency of the control environment.	D. Determine why the client is at risk at the end of each step.	c	Drawing conclusions in an audit report is primarily about assessing audit objectives, control sufficiency, and forming an informed opinion, making option C the correct choice.	MOCKDISA	2,053	68	MOCKDISA
63. Some things to consider when determining what reportable findings should be are	A. How many findings there are and how long the report would be if all findings were included	B. The materiality of the findings in relevance to the audit objectives and management's tolerance for risk	C. How the recommendations will affect the process and future audit work	D. Whether the test samples were sufficient to support the conclusions	b	Reportable findings in audits are primarily based on materiality, relevance to audit objectives, and management's risk tolerance, making option B the correct choice.	MOCKDISA	2,054	161	MOCKDISA
64. The primary objective of performing a root cause analysis is to	A. Ask why three times.	B. Perform an analysis that justifies the recommendations.	C. Determine the costs and benefits of the proposed recommendations.	D. Ensure that you are not trying to address symptoms rather than the real problem that needs to be solved.	d	Root cause analysis aims to identify and address underlying issues rather than symptoms, making option D the correct objective.	MOCKDISA	2,055	67	MOCKDISA
65. The primary reason for reviewing audit work is to	A. Ensure that the conclusions, testing, and results were performed with due professional care.	B. Ensure that the findings are sufficient to warrant the final report rating.	C. Ensure that all of the work is completed and checked by a supervisor.	D. Ensure that all of the audits are consistent in style and technique.	a	Reviewing audit work primarily ensures that it was conducted with due professional care, aligning with standards of competence and thoroughness, making option A the correct reason.	MOCKDISA	2,056	138	MOCKDISA
66. Which criteria would an IS auditor consider to be the most important aspect of an organization's IS strategy?	A. It includes a mission statement.	B. It identifies a mechanism for charging for its services.	C. It includes a Web-based e-commerce strategy.	D. It supports the business objectives.	d	An IS strategy's primary importance lies in its alignment with and support of the organization's business objectives, making option D the correct criteria.	MOCKDISA	2,057	100	MOCKDISA
67. The development of an IS security policy is ultimately the responsibility of the:	A. IS department.	B. Security committee.	C. Security administrator.	D. Board of directors.	d	The board of directors or top management typically holds ultimate responsibility for framing IS security policies, ensuring alignment with organizational goals and directives, making option D the correct choice.	MOCKDISA	2,058	122	MOCKDISA
68. Involvement of senior management is MOST important in the development of:	A. Strategic plans.	B. IS policies.	C. IS procedures.	D. Standards and guidelines.	a	Senior management's involvement is crucial in shaping strategic plans that guide the organization's overall direction and goals, making option A the most critical area for their input.	MOCKDISA	2,059	150	MOCKDISA
69. The output of the risk management process is an input for making:	A. business plans.	B. audit charters.	C. security policy decisions.	D. software design decisions.	c	Risk management outputs inform decisions related to security policies, ensuring measures align with identified risks and organizational needs, making option C the correct input use.	MOCKDISA	2,060	23	MOCKDISA
70. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:	A. destruction policy.	B. security policy.	C. archive policy.	D. audit policy.	c	An archive policy for e-mails ensures systematic retention and access, reducing risks associated with electronic evidence management, making option C the most effective risk mitigation strategy.	MOCKDISA	2,061	101	MOCKDISA
71. An IT steering committee should review information systems PRIMARILY to assess:	A. whether IT processes support business requirements.	B. if proposed system functionality is adequate.	C. the stability of existing software.	D. the complexity of installed technology.	a	The primary role of an IT steering committee is to ensure IT processes align with business requirements, making option A the correct focus.	MOCKDISA	2,062	151	MOCKDISA
72. An IS auditor reviewing an organization's IT strategic plan should FIRST review:	A. the existing IT environment.	B. the business plan.	C. the present IT budget.	D. current technology trends.	b	The IT strategic plan should first align with the organization's business plan, ensuring IT supports broader business objectives, making option B the initial priority.	MOCKDISA	2,063	10	MOCKDISA
73. As an outcome of information security governance, strategic alignment provides:	A. security requirements driven by enterprise requirements.	B. baseline security following best practices.	C. institutionalized and commoditized solutions.	D. an understanding of risk exposure.	a	Strategic alignment in information security governance ensures security measures meet enterprise-specific requirements, aligning security with overall business goals, making option A the correct outcome.	MOCKDISA	2,064	148	MOCKDISA
74. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:	A. compute the amortization of the related assets.	B. calculate a return on investment (ROI).	C. apply a qualitative approach.	D. spend the time needed to define exactly the loss amount.	c	When projecting difficult-to-quantify financial losses, a qualitative approach allows for subjective evaluation based on risk impact factors, making option C the appropriate method.	MOCKDISA	2,065	142	MOCKDISA
75. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:	A. financial results.	B. customer satisfaction.	C. internal process efficiency.	D. innovation capacity.	a	The IT balanced scorecard focuses on non-financial IT performance metrics like customer satisfaction, internal processes, and innovation capacity, excluding financial results, making option A the correct exclusion.	MOCKDISA	2,066	70	MOCKDISA
76. Establishing the level of acceptable risk is the responsibility of:	A. quality assurance management.	B. senior business management.	C. the chief information officer.	D. the chief security officer.	b	Senior business management is ultimately responsible for determining acceptable risk levels aligned with organizational goals and objectives, making option B the correct role.	MOCKDISA	2,067	149	MOCKDISA
77. Which of the following is the MOST critical for the successful implementation and maintenance of a security policy?	A. Assimilation of the framework and intent of a written security policy by all appropriate parties	B. Management support and approval for the implementation and maintenance of a security policy	C. Enforcement of security rules by providing punitive actions for any violation of security rules	D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software	a	Successful security policy implementation hinges on understanding and adhering to policy intent across all levels, making option A crucial for policy effectiveness.	MOCKDISA	2,068	170	MOCKDISA
78. To ensure an organization is complying with privacy requirements, the IS auditor should FIRST review:	A. the IT infrastructure.	B. the organization's policies, standards and procedures.	C. legal and regulatory requirements.	D. the adherence to organizational policies, standards and procedures.	c	Compliance with privacy requirements starts with understanding legal and regulatory obligations, guiding the development and review of organizational policies, making option C the initial focus.	MOCKDISA	2,069	97	MOCKDISA
79. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?	A. Ensuring that invoices are paid to the provider	B. Participating in systems design with the provider	C. Renegotiating the provider's fees	D. Monitoring the outsourcing provider's performance	d	Monitoring the performance of an outsourcing provider ensures service delivery meets organizational needs and standards, making option D the primary responsibility.	MOCKDISA	2,070	105	MOCKDISA
80. Before implementing an IT balanced scorecard, an organization must:	A. deliver effective and efficient services.	B. define key performance indicators.	C. provide business value to IT projects.	D. control IT expenses.	b	Implementing an IT balanced scorecard requires defining key performance indicators (KPIs) to measure IT effectiveness aligned with business objectives, making option B the necessary precursor.	MOCKDISA	2,071	186	MOCKDISA
81. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:	A. a lack of investment in technology.	B. a lack of a methodology for systems development.	C. the technology not aligning with the organization's objectives.	D. an absence of control over technology contracts.	c	Senior management commitment ensures IT strategies align with organizational goals; without it, technology may not support organizational objectives, making option C the likely consequence.	MOCKDISA	2,072	30	MOCKDISA
82. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?	A. User management coordination does not exist.	B. Specific user accountability cannot be established.	C. Unauthorized users may have access to originate, modify or delete data.	D. Audit recommendations may not be implemented.	c	Without clear ownership policies, unauthorized access to sensitive data is a significant risk, making option C the greatest concern.	MOCKDISA	2,073	174	MOCKDISA
83. Effective IT governance will ensure that the IT plan is consistent with the organization's:	A. business plan.	B. audit plan.	C. security plan.	D. investment plan.	a	IT governance ensures IT plans align with business goals, making option A the primary alignment objective.	MOCKDISA	2,074	69	MOCKDISA
84. Which of the following is a function of an IS steering committee?	A. Monitoring vendor-controlled change control and testing	B. Ensuring a separation of duties within the information's processing environment	C. Approving and monitoring major projects, the status of IS plans and budgets	D. Liaising between the IS department and the end users	c	IS steering committees oversee major projects and IS plans, ensuring alignment with organizational goals, making option C a typical function.	MOCKDISA	2,075	179	MOCKDISA
85. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?	A. Response	B. Correction	C. Detection	D. Monitoring	a	A response program is crucial for handling suspected intrusions promptly and effectively, making option A the likely inclusion in security policies.	MOCKDISA	2,076	197	MOCKDISA
86. An organization has outsourced its software development. Which of the following is the responsibility of the organization's IT management?	A. Paying for provider services	B. Participating in systems design with the provider	C. Managing compliance with the contract for the outsourced services	D. Negotiating contractual agreement with the provider	c	IT management ensures compliance with outsourced service contracts to uphold service standards and terms, making option C their responsibility.	MOCKDISA	2,077	153	MOCKDISA
87. When reviewing IS strategies, the IS auditor can BEST assess whether IS strategy supports the organizations' business objectives by determining if IS:	A. has all the personnel and equipment it needs.	B. plans are consistent with management strategy.	C. uses its equipment and personnel efficiently and effectively.	D. has sufficient excess capacity to respond to changing directions.	b	Aligning IS plans with management strategy ensures they support organizational objectives, making option B the best assessment criterion.	MOCKDISA	2,078	118	MOCKDISA
88. Which of the following is the PRIMARY objective of an IT performance measurement process?	A. Minimize errors.	B. Gather performance data.	C. Establish performance baselines.	D. Optimize performance.	d	IT performance measurement aims to optimize IT operations and effectiveness, making option D the primary objective.	MOCKDISA	2,079	88	MOCKDISA
89. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:	A. ensure the employee maintains a good quality of life, which will lead to greater productivity.	B. reduce the opportunity for an employee to commit an improper or illegal act.	C. provide proper cross-training for another employee.	D. eliminate the potential disruption caused when an employee takes vacation one day at a time.	b	Mandatory vacations reduce the risk of misconduct and provide opportunities for detecting irregularities, making option B the primary reason.	MOCKDISA	2,080	22	MOCKDISA
90. In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether:	A. there is an integration of IS and business staffs within projects.	B. there is a clear definition of the IS mission and vision.	C. there is a strategic information technology planning methodology in place.	D. the plan correlates business objectives to IS goals and objectives.	a	Integration of IS and business staff ensures tactical plans support overall business goals effectively, making option A a key evaluation criterion.	MOCKDISA	2,081	39	MOCKDISA
91. Which of the following goals would you expect to find in an organization's strategic plan?	A. Test a new accounting package.	B. Perform an evaluation of information technology needs.	C. Implement a new project planning system within the next 12 months.	D. Become the supplier of choice for the product offered.	d	Strategic plans focus on overarching business objectives like becoming a preferred supplier, aligning with broader business goals, as explained in the justification.	MOCKDISA	2,082	93	MOCKDISA
92. Assessing IT risks is BEST achieved by:	A. evaluating threats associated with existing IT assets and IT projects.	B. using the firm's past actual loss experience to determine current exposure.	C. reviewing published loss statistics from comparable organizations.	D. reviewing IT control weaknesses identified in audit reports.	a	Evaluating threats associated with current IT assets and projects is crucial for effective IT risk assessment, as detailed in the justification.	MOCKDISA	2,083	164	MOCKDISA
93. Network Penetration testing is also called as:	A. Ethical Hacking	B. Handshaking	C. Cracking a User password	D. Social Engineering	a	Network penetration testing is commonly known as ethical hacking, aligning with its purpose and approach in cybersecurity testing.	MOCKDISA	2,084	39	MOCKDISA
94. One of the following is not a physical access control technique	A. Bolting door locks	B. Combination of cipher locks	C. Biometric Door locks	D. Public Key Infrastructure	d	Public Key Infrastructure (PKI) is not a physical access control technique but a framework for digital signatures and encryption, as clarified in the justification.	MOCKDISA	2,085	135	MOCKDISA
95. An audit review of physical and environmental security of a CRITICAL area, like data centre, will not cover the following:	A. Authorization, authentication and access controls in the operating systems and application systems.	B. Availability of identification sign boards for approach to the critical areas	C. Physical access controls to the critical areas	D. Environmental controls like adequacy of UPS, temperature and humidity controls, fire and smoke detection system	a	Authorization, authentication, and access controls within operating systems and applications are logical access controls, not part of physical audits, as explained in the justification.	MOCKDISA	2,086	23	MOCKDISA
96. One of the following is not a password attack:	A. Password guessing	B. Brute force	C. Dictionary attack	D. Password Encryption	d	Password encryption is a security measure, not an attack method, as clarified in the justification.	MOCKDISA	2,087	129	MOCKDISA
97. To exercise controls over physical access to facilities following technique is not used:	A Identification badges	B. Manual logging	C. Security guards	D. Hardening of operating systems	d	Hardening of operating systems is related to logical access controls, not physical security practices, as explained in the justification.	MOCKDISA	2,088	22	MOCKDISA
98. One of the main advantages of employing biometric access controls is:	A. It helps to restrict the access by authorized persons only	B. Sharing password is restricted	C. Passwords can be encrypted	D. Audit trails can be enabled	a	Biometric access controls ensure access is restricted to authorized individuals, enhancing security, as detailed in the justification.	MOCKDISA	2,089	13	MOCKDISA
99. User ID and password is a:	A. Encryption control	B. Logical access control	C. Backup control	D. Environmental control	b	User ID and password are examples of logical access controls used to protect digital resources, as explained in the justification.	MOCKDISA	2,090	203	MOCKDISA
100. A Biometrics authentication like fingerprint or voice recognition needs to be calibrated so that:	A. False positives and false negatives are low and the results are as accurate as possible	B. Encrypt the credentials	C. Create audit trails	D. Corrective control	a	Calibration ensures biometric systems minimize errors (false positives and negatives) for accurate authentication, as clarified in the justification.	MOCKDISA	2,091	56	MOCKDISA
101. Which of the following provides the strongest authentication for physical access control?	A. Sign-in logs	B. Dynamic passwords	C. Key verification	D. Biometrics	d	Biometrics provide strong authentication for physical access control due to unique biological traits, as explained in the justification.	MOCKDISA	2,092	148	MOCKDISA
102. During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:	A. enrollment.	B. identification.	C. verification.	D. storage.	a	Enrolling users into the biometrics system is the initial step, capturing and storing their unique traits for subsequent verification, as detailed in the justification.	MOCKDISA	2,093	136	MOCKDISA
103. A penetration test performed as part of evaluating network security:	A. provides assurance that all vulnerabilities are discovered.	B. should be performed without warning the organization’s management.	C. exploits the existing vulnerabilities to gain unauthorized access.	D. would not damage the information assets when performed at network perimeters.	c	Penetration tests aim to identify vulnerabilities by exploiting them to gain unauthorized access, as clarified in the justification.	MOCKDISA	2,094	183	MOCKDISA
104. Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities of an organization?	A. Targeted testing	B. External testing	C. internal testing	D. Double-blind testing	d	Double-blind testing, where neither administrators nor security staff are aware of the test, provides the most realistic assessment of incident handling, as explained in the justification.	MOCKDISA	2,095	3	MOCKDISA
105. An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?	A. The tools used to conduct the test	B. Certifications held by the IS auditor	C. Permission from the data owner of the server	D. An intrusion detection system (IDS) is enabled	c	Obtaining permission from the server's data owner is crucial to ensure legal and ethical testing practices, as detailed in the justification.	MOCKDISA	2,096	119	MOCKDISA
106. An IS auditor doing penetration testing during an audit of internet connections would:	A. evaluate configurations.	B. examine security settings.	C. ensure virus-scanning software is in use.	D. use tools and techniques available to a hacker.	d	Penetration testing involves using hacker-like tools and techniques to simulate real-world attacks, as clarified in the justification.	MOCKDISA	2,097	140	MOCKDISA
107. The MOST important success factor in planning a penetration test is:	A. the documentation of the planned testing procedure.	B. scheduling and deciding on the timed length of the test.	C. the involvement of the management of the client organization.	D. the qualifications and experience of staff involved in the test.	c	Management involvement ensures alignment with organizational goals and ethical considerations, critical for a successful penetration test, as explained in the justification.	MOCKDISA	2,098	60	MOCKDISA
108. Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?	A. Power line conditioners	B. Surge protective devices	C. Alternative power supplies	D. Interruptible power supplies	a	Power line conditioners stabilize power fluctuations to protect against short-term power reductions, as detailed in the justification.	MOCKDISA	2,099	176	MOCKDISA
109. During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. What should the IS auditor do next?	A. Look for compensating controls.	B. Review financial transactions logs.	C. Review the scope of the audit.	D. Ask the administrator to disable these accounts.	a	Finding shared user accounts requires assessing compensating controls to mitigate risks, as explained in the justification.	MOCKDISA	2,100	165	MOCKDISA
110. An organization has been recently downsized, in light of this, an IS auditor decides to test logical access controls. The IS auditor’s PRIMARY concern should be that:	A. all system access is authorized and appropriate for an individual’s role and responsibilities.	B. management has authorized appropriate access for all newly-hired individuals.	C. only the system administrator has authority to grant or modify access to individuals.	D. access authorization forms are used to grant or modify access to individuals.	a	After downsizing, ensuring access aligns with roles and responsibilities is critical to maintaining security and compliance, as clarified in the justification.	MOCKDISA	2,101	184	MOCKDISA
111. Which of the following is an example of the defense in-depth security principle?	A. Using two firewalls of different vendors to consecutively check the incoming network traffic	B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic	C. Having no physical signs on the outside of a computer center building	D. Using two firewalls in parallel to check different types of incoming traffic	b	Defense in-depth involves using multiple security layers. Logical access controls complement firewalls by providing additional protection if traffic bypasses the firewall.	MOCKDISA	2,102	30	MOCKDISA
112. Which of the following provides the framework for designing and developing logical access controls?	A. Information systems security policy	B. Access control lists	C. Password management	D. System configuration files	a	The security policy guides the development and implementation of logical access controls within an organization.	MOCKDISA	2,103	165	MOCKDISA
113. The PRIMARY objective of a logical access control review is to:	A. review access controls provided through software.	B. ensure access is granted per the organization’s authorities.	C. walk through and assess the access provided in the IT environment.	D. provide assurance that computer hardware is adequately protected against abuse.	b	The main goal of a logical access control review is to verify that access is granted according to organizational authorizations.	MOCKDISA	2,104	111	MOCKDISA
114. During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:	A. an unauthorized user may use the ID to gain access.	B. user access management is time consuming.	C. passwords are easily guessed.	D. user accountability may not be established.	d	Shared user accounts undermine accountability, making it impossible to trace actions to specific users.	MOCKDISA	2,105	148	MOCKDISA
115. Which of the following is a guiding best practice for implementing logical access controls?	A. Implementing the Biba Integrity Model	B. Access is granted on a least-privilege basis, per the organization’s data owners	C. Implementing the Take-Grant access control model	D. Classifying data according to the subject’s requirements	b	Least-privilege access ensures that users only have access necessary for their roles, reducing risk.	MOCKDISA	2,106	126	MOCKDISA
116. What are often the primary safeguards for systems software and data?	A. Administrative access controls	B. Logical access controls	C. Physical access controls	D. Detective access controls	b	Logical access controls form a fundamental layer of protection for systems and data.	MOCKDISA	2,107	162	MOCKDISA
117. Which of the following physical access controls effectively reduces the risk of piggybacking?	A. Biometric door locks	B. Combination door locks	C. Dead man doors	D. Bolting door locks	c	Dead man doors prevent unauthorized entry by requiring sequential individual access.	MOCKDISA	2,108	151	MOCKDISA
118. In the context of physical access control, what is known as the process of verifying user identities?	A. Authentication	B. Authorization	C. Accounting	D. Encryption	a	Authentication confirms the identity of a user seeking access to a system or facility.	MOCKDISA	2,109	145	MOCKDISA
119. Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?	A. Statistical-based	B. Signature-based	C. Neural network	D. Host-based	a	Statistical-based IDSs can flag normal network behavior as suspicious due to deviations from expected patterns.	MOCKDISA	2,110	107	MOCKDISA
120. What is the BEST approach to mitigate the risk of a phishing attack?	A. Implement an intrusion detection system (IDS)	B. Assess web site security	C. Strong authentication	D. User education	d	Educating users to recognize and avoid phishing attempts is the most effective defense against such attacks.	MOCKDISA	2,111	118	MOCKDISA
121. The network of an organization has been the victim of several intruders’ attacks. Which of the following measures would allow for the early detection of such incidents?	A. Antivirus software	B. Hardening the servers	C. Screening routers	D. Honey pots	d	Honey pots, by simulating vulnerable systems, attract attackers and provide early detection of attack trends and tools.	MOCKDISA	2,112	57	MOCKDISA
122. Which of the following potentially blocks hacking attempts?	A. Intrusion detection system	B. Honey pot system	C. Intrusion prevention system	D. Network security scanner	c	An intrusion prevention system (IPS) actively blocks intrusion attempts, unlike other systems that detect or simulate attacks.	MOCKDISA	2,113	38	MOCKDISA
123. An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:	A. IDS sensors are placed outside of the firewall.	B. a behavior-based IDS is causing many false alarms.	C. a signature-based IDS is weak against new types of attacks.	D. the IDS is used to detect encrypted traffic.	d	IDS cannot effectively detect attacks within encrypted traffic, which is a critical concern during review.	MOCKDISA	2,114	174	MOCKDISA
124. When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?	A. Number of nonthreatening events identified as threatening	B. Attacks not being identified by the system	C. Reports/logs being produced by an automated tool	D. Legitimate traffic being blocked by the system	b	Undetected attacks pose a higher risk as they indicate gaps in security monitoring and response.	MOCKDISA	2,115	171	MOCKDISA
125. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:	A. Firewall and the organization’s network.	B. Internet and the firewall.	C. Internet and the web server.	D. Web server and the firewall.	a	Placing an IDS between the firewall and internal network detects attacks missed by the firewall's perimeter defenses.	MOCKDISA	2,116	5	MOCKDISA
126. E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:	A. alert the appropriate staff.	B. create an entry in the log.	C. close firewall-2.	D. close firewall-1.	c	Closing firewall-2 stops further potential damage to the internal network until the issue can be resolved, protecting against unauthorized traffic.	MOCKDISA	2,117	35	MOCKDISA
127. Which of the following is a feature of an intrusion detection system (IDS)?	A. Gathering evidence on attack attempts	B. Identifying weaknesses in the policy definition	C. Blocking access to particular sites on the Internet	D. Preventing certain users from accessing specific servers	a	IDS captures data on intrusion attempts, aiding in post-incident analysis and response.	MOCKDISA	2,118	107	MOCKDISA
128. Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?	A. Analyzer	B. Administration console	C. User interface	D. Sensor	d	Sensors gather data on network activity, which is then analyzed by the IDS for potential threats.	MOCKDISA	2,119	6	MOCKDISA
129. Which of the following would MOST effectively reduce social engineering incidents?	A. Security awareness training	B. Increased physical security measures	C. E-mail monitoring policy	D. Intrusion detection systems	a	Security awareness training helps employees recognize and resist social engineering tactics, reducing successful incidents.	MOCKDISA	2,120	151	MOCKDISA
130. Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?	A. Intrusion detection systems	B. Data mining techniques	C. Firewalls	D. Packet filtering routers	b	Data mining techniques analyze transaction patterns to detect anomalies that suggest fraudulent credit card use.	MOCKDISA	2,121	51	MOCKDISA
131. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?	A. Utilization of an intrusion detection system to report incidents	B. Mandating the use of passwords to access all software	C. Installing an efficient user log system to track the actions of each user	D. Training provided on a regular basis to all current and new employees.	d	Security awareness programs primarily focus on educating employees about security practices, making training the most appropriate choice.	MOCKDISA	2,122	17	MOCKDISA
132. An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?	A. The corporate network is using an intrusion prevention system (IPS)	B. This part of the network is isolated from the corporate network	C. A single sign-on has been implemented in the corporate network	D. Antivirus software is in place to protect the corporate network	b	Active network ports in conference rooms pose a security risk; isolating this network segment prevents unauthorized access to the corporate network.	MOCKDISA	2,123	69	MOCKDISA
133. When auditing the requirements phase of a software acquisition, the IS auditor should:	A. assess the feasibility of the project timetable.	B. assess the vendor’s proposed quality processes.	C. ensure that the best software package is acquired.	D. review the completeness of the specifications.	d	In the requirements phase, ensuring the completeness and accuracy of specifications is critical to successful software acquisition.	MOCKDISA	2,124	76	MOCKDISA
134. Which of the following is critical to the selection and acquisition of the correct operating system software?	A. Competitive bids	B. User department approval	C. Hardware configuration analysis	D. Purchasing department approval	c	Compatibility with existing hardware is crucial in selecting the correct operating system software.	MOCKDISA	2,125	190	MOCKDISA
135. Assumptions while planning an IS project involve a high degree of risk because they are:	A. based on known constraints.	B. based on objective past data.	C. a result of a lack of information.	D. often made by unqualified people.	c	Assumptions are risky as they are made in the absence of complete information, leading to potential project risks.	MOCKDISA	2,126	14	MOCKDISA
136. When implementing an acquired system in a client-server environment, which of the following tests would confirm that the modifications in the Windows registry do not adversely impact the desktop environment?	A. Sociability testing	B. Parallel testing	C. White box testing	D. Validation testing	a	Sociability testing ensures the system's compatibility and performance in the target environment without adverse impacts.	MOCKDISA	2,127	126	MOCKDISA
137. The IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort?	A. Program evaluation review technique (PERT)	B. Counting source lines of code (SLOC)	C. Function point analysis	D. White box testing	c	Function point analysis measures application size based on complexity and inputs/outputs, suitable for complex systems like the one described.	MOCKDISA	2,128	5	MOCKDISA
138. A System Development Life Cycle can be best described as	A. A process used by programmers to document compliance	B. A methodology used to guide the process of software creation project management	C. A system design methodology that includes all the steps in problem definition, solution identification, testing, implementation, and maintenance of the solution	D. A process used to manage change control and approval cycles in a development environment	c	SDLC encompasses all stages from problem definition to solution maintenance, making it a comprehensive design methodology.	MOCKDISA	2,129	168	MOCKDISA
139. During the problem analysis and solution design phases of an SDLC methodology, which of the following steps would you be most concerned with finding?	A. Current state analysis and documentation processes	B. Entity relationship diagramming and process flow definitions	C. Pilot testing of planned solutions	D. Gathering of functional requirements from business sponsors	a	Pilot testing occurs in later phases; initial phases focus on analysis and design rather than testing solutions.	MOCKDISA	2,130	39	MOCKDISA
140. An organization's software-development projects are planned according to formal software Development Life Cycle (SDLC) processes. In which of the following phases would the software-development project's baselines and scope be established?	A. Feasibility	B. Requirements definition	C. Design	D. Development	c	Baselines and scope are established during the design phase to ensure clarity and prevent scope creep.	MOCKDISA	2,131	194	MOCKDISA
141. Which of the following processes are performed during the design phase of the systems-development life cycle (SDLC) model?	A. Develop test plans.	B. Baseline procedures to prevent scope creep.	C. Define the need that requires resolution, and map to the major requirements of the solution.	D. Program and test the new system. The tests verify and validate what has been developed.	b	Procedures to prevent scope creep are established in the design phase of the SDLC.	MOCKDISA	2,132	98	MOCKDISA
142. The application test plans are developed in which of the following systems development life cycle (SDLC) phases?	A. Design	B. Testing	C. Requirement	D. Development	a	Test plans for applications are typically developed during the design phase to prepare for subsequent testing.	MOCKDISA	2,133	126	MOCKDISA
143. Change control procedures to prevent scope creep during an application development project should be defined during:	A. design.	B. feasibility.	C. implementation.	D. requirements definition.	a	Change control procedures specific to scope creep prevention should be outlined during the design phase of the SDLC.	MOCKDISA	2,134	31	MOCKDISA
144. When a systems development life cycle (SDLC) methodology is inadequate, the MOST serious immediate risk is that the new system will:	A. be completed late.	B. exceed the cost estimates.	C. not meet business and user needs.	D. be incompatible with existing systems.	c	The primary risk of an inadequate SDLC methodology is that the resulting system may fail to meet the essential needs of the business and users.	MOCKDISA	2,135	99	MOCKDISA
145. In which of the following phases of the system development life cycle (SDLC) is it the MOST important for the IS auditor to participate?	A. Design	B. Testing	C. Programming	D. Implementation	a	Controls should be integrated during the design phase to ensure system integrity and security from inception.	MOCKDISA	2,136	36	MOCKDISA
146. When selecting software, which of the following business and technical issues is the MOST important to be considered?	A. Vendor reputation	B. Requirements of the organization	C. Cost factors	D. Installed base	b	Understanding and defining organizational requirements is crucial before considering other factors like vendor reputation or cost.	MOCKDISA	2,137	146	MOCKDISA
147. Functionality is a characteristic associated with evaluating the quality of software products throughout their lifecycle, and is BEST described as the set of attributes that bear on the:	A. existence of a set of functions and their specified properties.	B. ability of the software to be transferred from one environment to another.	C. capability of software to maintain its level of performance under stated conditions.	D. relationship between the performance of the software and the amount of resources used.	a	Functionality refers to the existence and properties of functions in software, addressing specific or implied needs.	MOCKDISA	2,138	126	MOCKDISA
148. When assessing the potential scope of an application-development project, which of the following provides the most reliable estimate of the size of an information system?	A. Critical path analysis	B. Function point analysis	C. Program evaluation review technique	D. Rapid application development	b	Function point analysis (FPA) is a reliable method for estimating the scope and cost of software development projects based on functionality and complexity.	MOCKDISA	2,139	12	MOCKDISA
149. What is a reliable technique for estimating the scope and cost of a software-development project?	A. Function point analysis (FPA)	B. Feature point analysis (FPA)	C. GANTT	D. PERT	a	Function point analysis (FPA) remains a dependable technique for estimating software development scope and cost.	MOCKDISA	2,140	65	MOCKDISA
150. Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects?	A. Function Point Analysis (FPA)	B. GANTT	C. Rapid Application Development (RAD)	D. PERT	d	PERT (Program Evaluation Review Technique) is designed to handle various scenarios in project planning and control, ensuring comprehensive evaluation.	MOCKDISA	2,141	73	MOCKDISA
151. Who is ultimately responsible for providing requirement specifications to the software-development team?	A. The project sponsor	B. The project members	C. The project leader	D. The project steering committee	a	The project sponsor holds ultimate responsibility for providing requirement specifications to the software-development team.	MOCKDISA	2,142	125	MOCKDISA
152. Above almost all other concerns, what often results in the greatest negative impact on the implementation of new application software?	A. Failing to perform user acceptance testing	B. Lack of user training for the new system	C. Lack of software documentation and run manuals	D. Insufficient unit, module, and systems testing	a	Failing to perform user acceptance testing is cited as causing the greatest negative impact on new application software implementation.	MOCKDISA	2,143	174	MOCKDISA
153. An IS auditor, performing a review of an application’s controls, discovers a weakness in system software, which could materially impact the application. The IS auditor should:	A. Disregard these control weaknesses as a system software review is beyond the scope of this review.	B. Conduct a detailed system software review and report the control weaknesses.	C. Include in the report a statement that the audit was limited to a review of the application’s controls.	D. Review the system software controls as relevant and recommend a detailed system software review.	d	The IS auditor should review relevant system software controls and recommend a detailed review where necessary, rather than disregarding the findings.	MOCKDISA	2,144	201	MOCKDISA
154. The use of a GANTT chart can:	A. aid in scheduling project tasks.	B. determine project checkpoints.	C. ensure documentation standards.	D. direct the post-implementation review.	a	GANTT charts are primarily used to aid in scheduling project tasks.	MOCKDISA	2,145	190	MOCKDISA
155. What is used to develop strategically important systems faster, reduce development costs, and still maintain high quality? Choose the BEST answer.	A. Rapid application development (RAD)	B. GANTT	C. PERT	D. Decision trees	a	Rapid application development (RAD) is designed to achieve strategic system development goals efficiently.	MOCKDISA	2,146	162	MOCKDISA
156. Which of the following uses a prototype that can be updated continually to meet changing user or business requirements?	A. PERT	B. Rapid application development (RAD)	C. Function point analysis (FPA)	D. GANTT	b	Rapid application development (RAD) utilizes iterative prototyping to adapt to evolving requirements.	MOCKDISA	2,147	181	MOCKDISA
157. Which of the following methodologies is appropriate for planning and control activities and resources in a system project?	A. Critical path methodology (CPM)	B. Program evaluation review technique (PERT)	C. Gantt charts	D. Function point analysis	a	PERT is specifically designed for planning and controlling project activities and resources.	MOCKDISA	2,148	25	MOCKDISA
158. An organization planning to purchase a software package asks the IS auditor for a risk assessment. Which of the following is the MAJOR risk?	A. Unavailability of the source code	B. Lack of a vendor-quality certification	C. Absence of vendor/client references	D. Little vendor experience with the package	a	The major risk in purchasing software includes the unavailability of source code, impacting future updates and maintenance.	MOCKDISA	2,149	140	MOCKDISA
159. During unit testing, the test strategy applied is:	A. black box.	B. white box.	C. bottom-up.	D. top-down.	b	Unit testing typically employs a white box strategy, examining internal structures for thorough testing.	MOCKDISA	2,150	150	MOCKDISA
160. Good quality software is BEST achieved:	A. through thorough testing.	B. by finding and quickly correcting programming errors.	C. by determining the amount of testing using the available time and budget.	D. by applying well-defined processes and structured reviews throughout the project.	d	Quality software is best achieved by adhering to well-defined processes and structured reviews throughout the project lifecycle.	MOCKDISA	2,151	71	MOCKDISA
161. A decision support system (DSS):	A. is aimed at solving highly structured problems.	B. combines the use of models with non-traditional data access and retrieval functions.	C. emphasizes flexibility in the decision-making approach of users.	D. supports only structured decision-making tasks.	c	A decision support system (DSS) emphasizes flexibility in decision-making approaches, supporting less structured problems and integrating models with data access functions.	MOCKDISA	2,152	30	MOCKDISA
162. Which of the following is an advantage of an integrated test facility (ITF)?	A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.	B. Periodic testing does not require separate test processes.	C. It validates application systems and tests the ongoing operation of the system.	D. The need to prepare test data is eliminated.	b	An integrated test facility (ITF) allows periodic testing without separate test processes, enhancing efficiency in validation without eliminating the need for careful planning and isolated test data.	MOCKDISA	2,153	148	MOCKDISA
163. Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?	A. Embedded audit module	B. Integrated test facility	C. Snapshots	D. Audit hooks	d	Audit hooks are embedded in application systems to detect errors or irregularities early, enhancing proactive auditing capabilities.	MOCKDISA	2,154	110	MOCKDISA
164. Which of the following is best suited for searching for address field duplications?	A. Text search forensic utility software	B. Generalized audit software	C. Productivity audit software	D. Manual review	b	Generalized audit software is effective for searching address field duplications within data sets.	MOCKDISA	2,155	145	MOCKDISA
165. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:	A. test data to validate data input.	B. test data to determine system sort capabilities.	C. generalized audit software to search for address field duplications.	D. generalized audit software to search for account field duplications.	c	Generalized audit software is suitable for detecting address field duplications caused by variations in customer names during file reviews.	MOCKDISA	2,156	123	MOCKDISA
166. In a review of a software acquisition process, the IS auditor will typically not review the following:	A. Whether the decision to acquire the software flows from the feasibility study.	B. Whether the RFP (Request for Proposal) is adequately detailed for transaction volume, database size, turnaround time, and response time requirements and vendor responsibilities are clearly specified in the RFP.	C. Whether Program change history exists.	D. Whether sufficient documentation is available to justify the selection of the final vendor/product	c	Program change history review is not typically part of a software acquisition audit, unlike other crucial aspects such as RFP adequacy and vendor/product selection justification.	MOCKDISA	2,157	42	MOCKDISA
167. Auditing around the computer is also called	A. White Box Approach	B. Black Box Approach	C. Yellow Box Approach	D. Red Box Approach	b	Auditing around the computer is synonymous with the Black Box Approach, focusing on system inputs and outputs rather than internal workings.	MOCKDISA	2,158	194	MOCKDISA
168. Input controls in Application systems are:	A. To prevent unauthorized access to application and application data	B. To prevent unauthorized physical access to the Data center	C. To ensure accuracy and completeness of data and instruction input into an application system,	D. For User Acceptance Testing	c	Input controls in application systems are designed to ensure the accuracy and completeness of data and instructions entered into the system, crucial for data integrity and processing reliability.	MOCKDISA	2,159	142	MOCKDISA
169. An IS auditor should use statistical sampling and not judgment (non-statistical) sampling, when:	A. the probability of error must be objectively quantified.	B. the auditor wishes to avoid sampling risk.	C. generalized audit software is unavailable.	D. the tolerable error rate cannot be determined.	a	Statistical sampling objectively quantifies error probabilities, unlike judgment sampling, which is subjective and less reliable for quantifying audit findings.	MOCKDISA	2,160	10	MOCKDISA
170. The BEST method of proving the accuracy of a system tax calculation is by:	A. detailed visual review and analysis of the source code of the calculation programs	B. recreating program logic using generalized audit software to calculate monthly totals.	C. preparing simulated transactions for processing and comparing the results to predetermined results.	D. automatic flowcharting and analysis of the source code of the calculation programs.	c	Proving the accuracy of a system tax calculation is best achieved by preparing simulated transactions and comparing the results to predetermined outcomes, ensuring computational correctness and regulatory compliance.	MOCKDISA	2,161	90	MOCKDISA
171. What is used as a control to detect loss, corruption, or duplication of data?	A. Redundancy check	B. Reasonableness check	C. Hash totals	D. Accuracy check	c	Hash totals are specifically used as a control mechanism to detect loss, corruption, or duplication of data.	MOCKDISA	2,162	194	MOCKDISA
172. Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data?	A. Redundancy check	B. Completeness check	C. Accuracy check	D. Parity check	a	A redundancy check detects transmission errors by appending calculated bits to data segments for error detection.	MOCKDISA	2,163	32	MOCKDISA
173. Parity bits are a control used to validate:	A. Data authentication	B. Data completeness	C. Data source	D. Data accuracy	b	Parity bits validate data completeness by ensuring data integrity during transmission or storage.	MOCKDISA	2,164	137	MOCKDISA
174. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?	A. Check digit	B. Existence check	C. Completeness check	D. Reasonableness check	d	A reasonableness check ensures that a field contains meaningful data, not zeros or blanks, by comparing it to expected ranges or patterns.	MOCKDISA	2,165	162	MOCKDISA
175. What is an edit check to determine whether a field contains valid data?	A. Completeness check	B. Accuracy check	C. Redundancy check	D. Reasonableness check	a	A completeness check verifies whether a field contains valid data by ensuring it is not empty or improperly formatted.	MOCKDISA	2,166	175	MOCKDISA
176. What is a data validation edit control that matches input data to an occurrence rate? Choose the BEST answer.	A. Accuracy check	B. Completeness check	C. Reasonableness check	D. Redundancy check	c	A reasonableness check matches input data against expected occurrence rates to ensure data validity.	MOCKDISA	2,167	84	MOCKDISA
177. Which of the following is a data validation edit and control?	A. Hash totals	B. Reasonableness checks	C. Online access controls	D. Before and after image reporting	b	Reasonableness checks are used as data validation edits to ensure data falls within expected ranges or conditions.	MOCKDISA	2,168	112	MOCKDISA
178. Which of the following is an implementation risk within the process of decision support systems?	A. Management control	B. Semi-structured dimensions	C. Inability to specify purpose and usage patterns	D. Changes in decision processes	c	The inability to specify purpose and usage patterns poses an implementation risk for decision support systems, impacting their effectiveness and alignment with business needs.	MOCKDISA	2,169	5	MOCKDISA
179. When should an application-level edit check to verify that availability of funds was completed at the electronic funds transfer (EFT) interface?	A. Before transaction completion	B. Immediately after an EFT is initiated	C. During run-to-run total testing	D. Before an EFT is initiated	d	Verifying fund availability should occur before initiating an EFT to prevent processing transactions without adequate funds.	MOCKDISA	2,170	158	MOCKDISA
180. When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?	A. There could be a question regarding the legal jurisdiction.	B. Having a provider abroad will cause excessive costs in future audits.	C. The auditing process will be difficult because of the distance.	D. There could be different auditing norms.	a	Outsourcing to another country raises concerns about legal jurisdiction over data privacy, security, and regulatory compliance, making it a primary concern for the IS auditor.	MOCKDISA	2,171	157	MOCKDISA
181. When using an integrated test facility (ITF), an IS auditor should ensure that:	A. production data are used for testing.	B. test data are isolated from production data.	C. a test data generator is used.	D. master files are updated with the test data.	b	When using an ITF, it's crucial to isolate test data from production data to prevent unintended impacts on operational systems.	MOCKDISA	2,172	194	MOCKDISA
182. An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?	A. True	B. False			b	An integrated test facility is indeed considered a useful audit tool because it allows comparison of processing output with independently calculated data.	MOCKDISA	2,173	89	MOCKDISA
183. Database snapshots can provide an excellent audit trail for an IS auditor. True or false?	A. True	B. False			a	Database snapshots can provide an excellent audit trail by capturing the state of the database at a specific point in time, aiding in audit activities.	MOCKDISA	2,174	100	MOCKDISA
184. An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor?	A. implemented a specific control during the development of the application system.	B. designed an embedded audit module exclusively for auditing the application system.	C. participated as a member of the application system project team, but did not have operational responsibilities.	D. provided consulting advice concerning application system best practices.	a	Implementing a control during development could impair independence as the auditor is auditing their own work.	MOCKDISA	2,175	76	MOCKDISA
185. At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:	A. report the error as a finding and leave further exploration to the auditee’s discretion.	B. attempt to resolve the error.	C. recommend that problem resolution be escalated.	D. ignore the error, as it is not possible to get objective evidence for the software error.	c	The auditor should recommend escalating problem resolution to ensure issues are addressed properly before deployment.	MOCKDISA	2,176	65	MOCKDISA
186. What is the MOST effective method of preventing unauthorized use of data files?	A. Automated file entry	B. Tape librarian	C. Access control software	D. Locked library	c	Access control software effectively prevents unauthorized access to data files by enforcing permissions and authentication.	MOCKDISA	2,177	19	MOCKDISA
187. Which of the following is the MOST important consideration when defining recovery point objectives (RPOs)?	A. Minimum operating requirements	B. Acceptable data loss	C. Mean time between failures	D. Acceptable time for recovery	b	The primary consideration for RPOs is the acceptable amount of data loss an organization can tolerate.	MOCKDISA	2,178	183	MOCKDISA
188. Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?	A. Backup time would steadily increase	B. Backup operational cost would significantly increase	C. Storage operational cost would significantly increase	D. Server recovery work may not meet the recovery time objective (RTO)	d	Improper management of storage growth can lead to longer recovery times during server failures, potentially failing to meet RTO commitments.	MOCKDISA	2,179	141	MOCKDISA
189. In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy?	A. Disaster tolerance is high.	B. Recovery time objective is high.	C. Recovery point objective is low.	D. Recovery point objective is high.	c	Data mirroring is best suited when the RPO is low, minimizing data loss in case of a failure.	MOCKDISA	2,180	134	MOCKDISA
190. An organization has a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to 1 minute for a critical system. This implies that the system can tolerate:	A. a data loss of up to 1 minute, but the processing must be continuous.	B. a 1-minute processing interruption but cannot tolerate any data loss.	C. a processing interruption of 1 minute or more.	D. both a data loss and a processing interruption longer than 1 minute.	a	With an RTO of zero and RPO of 1 minute, the system can tolerate a brief interruption in processing as long as data loss is minimized to within 1 minute.	MOCKDISA	2,181	143	MOCKDISA
191. Regarding a disaster recovery plan, the role of an IS auditor should include:	A. identifying critical applications.	B. determining the external service providers involved in a recovery test.	C. observing the tests of the disaster recovery plan.	D. determining the criteria for establishing a recovery time objective (RTO).	c	The IS auditor should observe tests of the disaster recovery plan to ensure effectiveness and efficiency of recovery procedures.	MOCKDISA	2,182	79	MOCKDISA
192. A lower recovery time objective (RTO) results in:	A. higher disaster tolerance.	B. higher cost.	C. wider interruption windows.	D. more permissive data loss.	b	Lower RTO requires quicker recovery, often involving more costly technologies and processes.	MOCKDISA	2,183	193	MOCKDISA
193. If the recovery time objective (RTO) increases:	A. the disaster tolerance increases.	B. the cost of recovery increases.	C. a cold site cannot be used.	D. the data backup frequency increases.	a	Higher RTO means the organization can tolerate longer downtime, potentially reducing recovery costs.	MOCKDISA	2,184	84	MOCKDISA
194. \Which of the following is the MOST important consideration when defining recovery point objectives (RPOs)?	A. Minimum operating requirements	B. Acceptable data loss	C. Mean time between failures	D. Acceptable time for recovery	b	RPO defines acceptable data loss, crucial for determining backup and recovery strategies.	MOCKDISA	2,185	84	MOCKDISA
195. If the recovery time objective (RTO) increases:	A. the disaster tolerance increases.	B. the cost of recovery increases.	C. a cold site cannot be used.	D. the data backup frequency increases.	a	Increased RTO means higher tolerance for downtime, potentially reducing recovery costs.	MOCKDISA	2,186	198	MOCKDISA
196. A Disaster can be BEST defined as:	A. A planned interruption of normal business process	B. Catastrophe	C. Local Incidence	D. An Unplanned interruption of normal business process	d	A disaster refers to an unplanned disruption of normal business operations.	MOCKDISA	2,187	111	MOCKDISA
197. To address an organization’s disaster recovery requirements, backup intervals should not exceed the:	A. service level objective (SLO).	B. recovery time objective (RTO).	C. recovery point objective (RPO).	D. maximum acceptable outage (MAO).	c	Backup intervals should align with the RPO to minimize potential data loss during recovery.	MOCKDISA	2,188	83	MOCKDISA
198. Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?	A. Resuming critical processes	B. Recovering sensitive processes	C. Restoring the site	D. Relocating operations to an alternative site	a	Priority in BCP is to resume critical processes swiftly to minimize business impact.	MOCKDISA	2,189	80	MOCKDISA
199. The PRIMARY purpose of a business impact analysis (BIA) is to:	A. provide a plan for resuming operations after a disaster.	B. identify the events that could impact the continuity of an organization’s operations.	C. publicize the commitment of the organization to physical and logical security.	D. provide the framework for an effective disaster recovery plan.	b	BIA identifies events impacting operations to inform BCP and recovery planning.	MOCKDISA	2,190	44	MOCKDISA
200. Which of the following should be of MOST concern to an IS auditor reviewing the BCP?	A. The disaster levels are based on scopes of damaged functions, but not on duration.	B. The difference between low-level disaster and software incidents is not clear.	C. The overall BCP is documented, but detailed recovery steps are not specified.	D. The responsibility for declaring a disaster is not identified.	d	Lack of clarity on who declares a disaster can hinder timely invocation of the BCP, impacting response efficiency.	MOCKDISA	2,191	114	MOCKDISA
1. In a data warehouse, data quality is achieved by:	A. cleansing.	B. restructuring.	C. source data credibility.	D. transformation.	c	Data quality in a data warehouse hinges on the credibility and reliability of the source data.	MOCKDISA	2,192	99	MOCKDISA
2. Which of the following is the GREATEST risk when implementing a data warehouse?	A. Increased response time on the production systems	B. Access controls that are not adequate to prevent data modification	C. Data duplication	D. Data that is not updated or current	b	In a data warehouse, preventing unauthorized data modification is crucial, as it ensures data integrity and reliability.	MOCKDISA	2,193	12	MOCKDISA
3. Which of the following is critical to the selection and acquisition of the operating system software?	A. Competitive bids	B. User department approval	C. Hardware configuration analysis	D. Purchasing department approval	c	Compatibility with existing hardware is essential when selecting operating system software.	MOCKDISA	2,194	120	MOCKDISA
4. Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?	A. Utilization reports	B. Hardware error reports	C. System logs	D. Availability reports	d	Availability reports specifically track uptime, essential for SLA compliance monitoring.	MOCKDISA	2,195	134	MOCKDISA
5. A benefit of quality of service (QoS) is that the:	A. entire network's availability and performance will be significantly improved.	B. telecom carrier will provide the company with accurate service-level compliance reports.	C. participating applications will have guaranteed service levels.	D. communications link will be supported by security controls to perform secure online transactions.	c	QoS ensures specific applications receive prioritized network performance, guaranteeing service levels for critical applications.	MOCKDISA	2,196	114	MOCKDISA
6. For an online transaction processing system, transactions per second is a measure of:	A. throughput.	B. response time.	C. turnaround time.	D. uptime.	a	Transactions per second measure the throughput or productivity of an online transaction processing system.	MOCKDISA	2,197	118	MOCKDISA
7. Which of the following is MOST important when assessing services provided by an Internet service provider (ISP)?	A. Performance reports generated by the ISP	B. The service level agreement (SLA)	C. Interviews with the provider	D. Interviews with other clients of the ISP	b	SLA defines the expected service levels, crucial for evaluating ISP services.	MOCKDISA	2,198	117	MOCKDISA
8. Which of the following would normally be found in application run manuals?	A. Details of source documents	B. Error codes and their recovery actions	C. Program flowcharts and file definitions	D. Change records for the application source code	b	Application run manuals typically include error codes and recovery procedures for operational staff.	MOCKDISA	2,199	86	MOCKDISA
9. Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?	A. The use of diskless workstations	B. Periodic checking of hard drives	C. The use of current antivirus software	D. Policies that result in instant dismissal if violated	b	Periodic checking of hard drives is effective in detecting unauthorized software installations on a network.	MOCKDISA	2,200	115	MOCKDISA
10. An IS auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late-night shift a month as the senior computer operator. The MOST appropriate course of action for the IS auditor is to:	A. advise senior management of the risk involved.	B. agree to work with the security officer on these shifts as a form of preventative control.	C. develop a computer-assisted audit technique to detect instances of abuses of this arrangement.	D. review the system log for each of the late-night shifts to determine whether any irregular actions occurred.	a	Advising senior management about the risk of violating separation of duties is crucial for maintaining control and security protocols.	MOCKDISA	2,201	125	MOCKDISA
11. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:	A. the setup is geographically dispersed.	B. the network servers are clustered in a site.	C. a hot site is ready for activation.	D. diverse routing is implemented for the network.	b	Clustering network servers in one site increases vulnerability to disruptions compared to geographically dispersed setups or diverse routing options.	MOCKDISA	2,202	47	MOCKDISA
12. To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review?	A. System access log files	B. Enabled access control software parameters	C. Logs of access control violations	D. System configuration files for control options used	d	Reviewing system configuration files provides insights into which users have privileged supervisory state access, essential for security and control assessments.	MOCKDISA	2,203	137	MOCKDISA
13. A Ping command is used to measure:	A. attenuation.	B. throughput,	C. delay distortion.	D. latency.	d	The Ping command measures latency, indicating the delay in transmitting data packets between source and destination.	MOCKDISA	2,204	160	MOCKDISA
14. Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program?	A. A system downtime log	B. Vendors' reliability figures	C. Regularly scheduled maintenance log	D. A written preventive maintenance schedule	a	A system downtime log provides direct insights into the performance and effectiveness of preventive maintenance activities.	MOCKDISA	2,205	109	MOCKDISA
15. Which of the following is the MOST effective means of determining which controls are functioning properly in an operating system?	A. Consulting with the vendor	B. Reviewing the vendor installation guide	C. Consulting with the system programmer	D. Reviewing the system generation parameters	d	Reviewing system generation parameters directly assesses how controls are configured and operating within the system environment.	MOCKDISA	2,206	75	MOCKDISA
16. Capacity monitoring software is used to ensure:	A. maximum use of available capacity.	B. that future acquisitions meet user needs.	C. concurrent use by a large number of users.	D. continuity of efficient operations.	d	Capacity monitoring software ensures efficient operations by monitoring usage against available capacity, preventing overload.	MOCKDISA	2,207	197	MOCKDISA
17. An independent software program that connects two otherwise separate applications sharing computing resources across heterogeneous technologies is known as:	A. middleware.	B. firmware.	C. application software.	D. embedded systems.	a	Middleware connects disparate applications across different technologies, integrating their functionality.	MOCKDISA	2,208	28	MOCKDISA
18. IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of:	A. data entry by unauthorized users.	B. a nonexistent employee being paid.	C. an employee receiving an unauthorized raise.	D. duplicate data entry by authorized users.	b	Disabling referential integrity controls increases the risk of nonexistent employees being paid due to lack of data validation.	MOCKDISA	2,209	191	MOCKDISA
19. Following a reorganization of a company's legacy database, it was discovered that records were accidentally deleted. Which of the following controls would have MOST effectively detected this occurrence?	A. Range check	B. Table lookups	C. Run-to-run totals	D. One-for-one checking	c	Run-to-run totals provide effective detection of accidental record deletions during database reorganization.	MOCKDISA	2,210	44	MOCKDISA
20. The method of routing traffic through split-cable facilities or duplicate-cable facilities is called:	A. alternative routing.	B. diverse routing.	C. redundancy.	D. circular routing.	b	Diverse routing routes traffic via split or duplicate cable facilities to ensure continuity and reliability in network communication.	MOCKDISA	2,211	129	MOCKDISA
21. Which of the following is widely accepted as one of the critical components in networking management?	A. Configuration management	B. Topological mappings	C. Application of monitoring tools	D. Proxy server troubleshooting	a	Configuration management is crucial for establishing and managing network functionality and performance.	MOCKDISA	2,212	30	MOCKDISA
22. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system?	A. Buffer capacity and parallel port	B. Network controller and buffer capacity	C. Parallel port and protocol conversion	D. Protocol conversion and buffer capability	d	Protocol conversion and buffer capability are necessary to facilitate communication between asynchronous ASCII and binary synchronous data formats.	MOCKDISA	2,213	162	MOCKDISA
23. The interface that allows access to lower- or higher-level network services is called:	A. firmware.	B. middleware.	C. X.25 interface.	D. utilities.	b	Middleware provides access to different network services and facilitates client-server interactions across heterogeneous systems.	MOCKDISA	2,214	194	MOCKDISA
24. Which of the following controls will detect MOST effectively the presence of bursts of errors in network transmissions?	A. Parity check	B. Echo check	C. Block sum check	D. Cyclic redundancy check	d	Cyclic redundancy check (CRC) is effective in detecting bursts of errors in transmitted data blocks, ensuring data integrity.	MOCKDISA	2,215	124	MOCKDISA
25. Which of the following types of firewalls provide the GREATEST degree and granularity of control?	A. Screening router	B. Packet filter	C. Application gateway	D. Circuit gateway	c	Application gateways offer detailed control by inspecting and filtering traffic at the application layer, providing high granularity compared to other firewall types.	MOCKDISA	2,216	127	MOCKDISA
26. Which of the following reports is a measure of telecommunication transmissions and determines whether transmissions are completed accurately?	A. Online monitor reports	B. Downtime reports	C. Help desk reports	D. Response-time reports	a	Online monitor reports assess telecommunication transmissions for accuracy and completion, essential for network performance evaluation.	MOCKDISA	2,217	188	MOCKDISA
27. Which of the following is MOST directly affected by network performance monitoring tools?	A. Integrity	B. Availability	C. Completeness	D. Confidentiality	b	Network performance monitoring tools primarily impact availability by ensuring continuous and reliable network operations.	MOCKDISA	2,218	200	MOCKDISA
28. Checking for authorized software baselines is an activity addressed within which of the following?	A. Project management	B. Configuration management	C. Problem management	D. Risk management	b	Configuration management oversees software baselines to ensure authorized versions are in use, crucial for maintaining system integrity.	MOCKDISA	2,219	193	MOCKDISA
29. Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?	A. Firewalls	B. Routers	C. Layer 2 switches	D. VLANs	a	Firewalls are designed to prevent unauthorized access between network segments, making them a primary security measure.	MOCKDISA	2,220	184	MOCKDISA
30. To evaluate the referential integrity of a database, an IS auditor should review the:	A. composite keys.	B. indexed fields.	C. physical schema.	D. foreign keys.	d	Foreign keys ensure referential integrity by linking tables, verifying relationships between data entries in a database.	MOCKDISA	2,221	95	MOCKDISA
31. Which of the following operating system mechanisms checks each request by a subject (user process) to access and use an object (e.g., file, device, program) to ensure that the request complies with a security policy?	A. Address Resolution Protocol	B. Access control analyzer	C. Reference monitor	D. Concurrent monitor	c	A reference monitor verifies requests to access objects against security policies, crucial for enforcing access controls.	MOCKDISA	2,222	32	MOCKDISA
32. Which of the following is an operating system access control function?	A. Logging user activities	B. Logging data communication access activities	C. Verifying user authorization at the field level	D. Changing data files	a	Logging user activities is a fundamental access control function that tracks user actions for auditing and security purposes.	MOCKDISA	2,223	74	MOCKDISA
33. An IS auditor is PRIMARILY concerned about electromagnetic emissions from a cathode ray tube (CRT) because they may:	A. cause health disorders (such as headaches) and diseases.	B. be intercepted and information may be obtained from them.	C. cause interference in communications.	D. cause errors in the motherboard.	b	CRT emissions can be intercepted to obtain information, posing a significant security risk known as TEMPEST attacks.	MOCKDISA	2,224	144	MOCKDISA
34. Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device?	A. Filters	B. Switches	C. Routers	D. Firewalls	b	Switches direct packets to specific devices, reducing the risk of interception by unauthorized devices.	MOCKDISA	2,225	40	MOCKDISA
35. In a database management system (DBMS), the location of data and the method of accessing the data are provided by the:	A. data dictionary.	B. metadata.	C. directory system.	D. data definition language.	c	The directory system in a DBMS specifies data location and access methods, facilitating efficient data management.	MOCKDISA	2,226	154	MOCKDISA
36. In a client-server system, which of the following control techniques is used to inspect activity from known or unknown users?	A. Diskless workstations	B. Data encryption techniques	C. Network monitoring devices	D. Authentication systems	c	Network monitoring devices inspect and log activities, helping detect unauthorized access attempts in client-server environments.	MOCKDISA	2,227	74	MOCKDISA
37. When reviewing system parameters, an IS auditor's PRIMARY concern should be that:	A. they are set to meet security and performance requirements.	B. changes are recorded in an audit trail and periodically reviewed.	C. changes are authorized and supported by appropriate documents.	D. access to parameters in the system is restricted.	a	Setting system parameters correctly ensures they meet security and performance needs, critical for operational integrity.	MOCKDISA	2,228	33	MOCKDISA
38. By establishing a network session through an appropriate application, a sender transmits a message by breaking it into packets, but the packets may reach the receiver out of sequence. Which OSI layer addresses the out-of-sequence message through segment sequencing?	A. Network layer	B. Session layer	C. Application layer	D. Transport layer	d	The transport layer handles segment sequencing to ensure packets are correctly ordered upon arrival at the receiver.	MOCKDISA	2,229	10	MOCKDISA
39. Which of the following is a control over component communication failure/errors?	A. Restricting operator access and maintaining audit trails	B. Monitoring and reviewing system engineering activity	C. Providing network redundancy	D. Establishing physical barriers to the data transmitted over the network	c	Network redundancy mitigates communication failures by providing alternate paths for data transmission, ensuring reliability.	MOCKDISA	2,230	100	MOCKDISA
40. An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?	A. Electromagnetic interference (EMI)	B. Cross-talk	C. Dispersion	D. Attenuation	d	Attenuation increases with cable length, potentially leading to signal loss and communication issues in UTP networks exceeding 100 meters.	MOCKDISA	2,231	131	MOCKDISA
41. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?	A. A substantive test of program library controls	B. A compliance test of program library controls	C. A compliance test of the program compiler controls	D. A substantive test of the program compiler controls	b	A compliance test ensures that program library controls are functioning correctly as per management policies and procedures.	MOCKDISA	2,232	182	MOCKDISA
42. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can:	A. Identify high-risk areas that might need a detailed review later	B. Reduce audit costs	C. Reduce audit time	D. Increase audit accuracy	c	CSA techniques help organizations streamline their audit processes by internally assessing controls, thus reducing the time required for external audits.	MOCKDISA	2,233	49	MOCKDISA
43. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?	A. Integrated test facility (ITF)	B. Continuous and intermittent simulation (CIS)	C. Audit hooks	D. Snapshots	d	Snapshots provide a snapshot of system states at specific times, essential for auditing purposes to reconstruct events and actions.	MOCKDISA	2,234	44	MOCKDISA
44. An IS auditor performing a review of an application's controls would evaluate the:	A. efficiency of the application in meeting the business processes.	B. impact of any exposures discovered.	C. business processes served by the application.	D. application's optimization.	b	The review focuses on evaluating controls and identifying any vulnerabilities or exposures that could impact security and operations.	MOCKDISA	2,235	20	MOCKDISA
45. Which of the following is a substantive test?	A. Checking a list of exception reports	B. Ensuring approval for parameter changes	C. Using a statistical sample to inventory the tape library	D. Reviewing password history reports	c	Substantive tests verify the accuracy and completeness of data processing, such as inventorying the tape library to ensure records match physical inventory.	MOCKDISA	2,236	184	MOCKDISA
46. An audit charter should:	A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.	B. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls.	C. document the audit procedures designed to achieve the planned audit objectives.	D. outline the overall authority, scope and responsibilities of the audit function.	d	An audit charter provides the framework for audit activities, outlining authority, scope, and responsibilities to ensure consistent audit practices.	MOCKDISA	2,237	96	MOCKDISA
47. Which of the following is an advantage of an integrated test facility (ITF)?	A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.	B. Periodic testing does not require separate test processes.	C. It validates application systems and tests the ongoing operation of the system.	D. It eliminates the need to prepare test data.	b	ITF allows simultaneous testing with live data, reducing the need for separate test processes and improving efficiency in testing application systems.	MOCKDISA	2,238	180	MOCKDISA
48. An integrated test facility is considered a useful audit tool because it:	A. is a cost-efficient approach to auditing application controls.	B. enables the financial and IS auditors to integrate their audit tests.	C. compares processing output with independently calculated data.	D. provides the IS auditor with a tool to analyze a large range of information.	c	ITF compares actual processing output against independently calculated data, ensuring accuracy and reliability of application controls.	MOCKDISA	2,239	123	MOCKDISA
49. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:	A. of the point at which controls are exercised as data flow through the system.	B. that only preventive and detective controls are relevant.	C. that corrective controls can only be regarded as compensating.	D. that classification allows an IS auditor to determine which controls are missing.	a	Understanding when controls operate in a process flow helps auditors assess effectiveness in preventing, detecting, and correcting errors and vulnerabilities.	MOCKDISA	2,240	52	MOCKDISA
50. An IS auditor reviews an organizational chart PRIMARILY for:	A. an understanding of workflows.	B. investigating various communication channels.	C. understanding the responsibilities and authority of individuals.	D. investigating the network connected to different employees.	c	Organizational charts clarify reporting structures and responsibilities, aiding auditors in assessing segregation of duties and organizational control effectiveness.	MOCKDISA	2,241	31	MOCKDISA
51. Which of the following BEST describes an integrated test facility?	A. A technique that enables the IS auditor to test a computer application for the purpose of verifying processing	B. The utilization of hardware and/or software to review and test the functioning of a computer system	C. A method of using special programming options to permit the printout of the path through a computer program taken to process a specific transaction	D. A procedure for tagging and extending transactions and master records that are used by an IS auditor for tests	a	An integrated test facility allows continuous testing of an application to verify processing integrity.	MOCKDISA	2,242	69	MOCKDISA
52. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:	A. evaluate the record retention plans for off-premises storage.	B. interview programmers about the procedures currently being followed.	C. compare utilization records to operations schedules.	D. review data file access records to test the librarian function.	b	Interviewing programmers provides direct insight into access controls over program documentation.	MOCKDISA	2,243	95	MOCKDISA
53. Which of the following sampling methods is MOST useful when testing for compliance?	A. Attribute sampling	B. Variable sampling	C. Stratified mean per unit	D. Difference estimation	a	Attribute sampling is ideal for compliance testing to verify the presence or absence of a specific quality (attribute) in a population.	MOCKDISA	2,244	88	MOCKDISA
54. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?	A. Multiple cycles of backup files remain available.	B. Access controls establish accountability for e-mail activity.	C. Data classification regulates what information should be communicated via e-mail.	D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.	a	Multiple backup cycles often retain deleted emails, serving as evidence in litigation.	MOCKDISA	2,245	99	MOCKDISA
55. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?	A. Discussion with management	B. Review of the organization chart	C. Observation and interviews	D. Testing of user access rights	c	Observing and interviewing staff provides firsthand insight into actual duties and segregation within the IS department.	MOCKDISA	2,246	73	MOCKDISA
56. An IS auditor has evaluated the controls for the integrity of the data in a financial application. Which of the following findings would be the MOST significant?	A. The application owner was unaware of several changes applied to the application by the IT department.	B. The application data are backed up only once a week.	C. The application development documentation is incomplete.	D. Information processing facilities are not protected by appropriate fire detection systems.	a	Lack of awareness of changes impacts data integrity and suggests inadequate change control.	MOCKDISA	2,247	99	MOCKDISA
57. Overall business risk for a particular threat can be expressed as:	A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.	B. the magnitude of the impact should a threat source successfully exploit the vulnerability.	C. the likelihood of a given threat source exploiting a given vulnerability.	D. the collective judgment of the risk assessment team.	a	Business risk considers both the likelihood and impact of a threat exploiting a vulnerability.	MOCKDISA	2,248	42	MOCKDISA
58. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were ly authorized. This is an example of:	A. variable sampling.	B. substantive testing.	C. compliance testing.	D. stop-or-go sampling.	c	Checking authorization of recent forms aligns with compliance testing to ensure adherence to policies and procedures.	MOCKDISA	2,249	107	MOCKDISA
59. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:	A. can identify high-risk areas that might need a detailed review later.	B. allows IS auditors to independently assess risk.	C. can be used as a replacement for traditional audits.	D. allows management to relinquish responsibility for control.	a	CSA helps proactively identify high-risk areas, enhancing audit focus and effectiveness.	MOCKDISA	2,250	80	MOCKDISA
60. Data flow diagrams are used by IS auditors to:	A. order data hierarchically.	B. highlight high-level data definitions.	C. graphically summarize data paths and storage.	D. portray step-by-step details of data generation.	c	Data flow diagrams summarize data paths and storage visually, aiding in understanding system flows and storage locations.	MOCKDISA	2,251	25	MOCKDISA
61. The use of statistical sampling procedures helps minimize:	A. sampling risk.	B. detection risk.	C. inherent risk.	D. control risk.	b	Detection risk is minimized by statistical sampling, quantifying sample representation and error probability.	MOCKDISA	2,252	168	MOCKDISA
62. What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?	A. Business risk	B. Detection risk	C. Residual risk	D. Inherent risk	b	Detection risk arises from inadequate test procedures leading to erroneous conclusions.	MOCKDISA	2,253	166	MOCKDISA
63. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?	A. Inherent	B. Detection	C. Control	D. Business	b	IS auditor's actions directly impact detection risks through audit procedures.	MOCKDISA	2,254	38	MOCKDISA
64. Which one of the following could an IS auditor use to validate the effectiveness of edit and validation routines?	A. Domain integrity test	B. Relational integrity test	C. Referential integrity test	D. Parity checks	a	Domain integrity tests validate data conformity and routine effectiveness.	MOCKDISA	2,255	72	MOCKDISA
65. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?	A. Evaluate physical access test results.	B. Determine the risks/threats to the data center site.	C. Review business continuity procedures.	D. Test for evidence of physical access at suspect locations.	b	Initial step involves assessing risks/threats to the data center site in planning.	MOCKDISA	2,256	108	MOCKDISA
66. The PRIMARY purpose of audit trails is to:	A. improve response time for users.	B. establish accountability and responsibility for processed transactions.	C. improve the operational efficiency of the system.	D. provide useful information to auditors who may wish to track transactions.	b	Audit trails primarily establish accountability by tracking transactions.	MOCKDISA	2,257	61	MOCKDISA
67. Which of the following would BEST provide assurance of the integrity of new staff?	A. Background screening	B. References	C. Bonding	D. Qualifications listed on a resume	a	Background screening is key to ensuring new staff integrity.	MOCKDISA	2,258	164	MOCKDISA
68. To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:	A. enterprise data model.	B. IT balanced scorecard (BSC).	C. IT organizational structure.	D. historical financial statements.	b	IT balanced scorecard evaluates IT asset management effectiveness.	MOCKDISA	2,259	187	MOCKDISA
69. The advantage of a bottom-up approach to the development of organizational policies is that the policies:	A. are developed for the organization as a whole.	B. are more likely to be derived as a result of a risk assessment.	C. will not conflict with overall corporate policy.	D. ensure consistency across the organization.	b	Bottom-up policies derive from operational needs and risk assessments.	MOCKDISA	2,260	140	MOCKDISA
70. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each Answer represents a complete solution. Choose all that apply.	A. Facilitating the sharing of security risk-related information among authorizing officials	B. Preserving high-level communications and working group relationships in an organization	C. Establishing effective continuous monitoring program for the organization	D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan	a	CIO responsibilities include facilitating security risk information sharing among officials.	MOCKDISA	2,261	62	MOCKDISA
71. A data administrator is responsible for:	A. maintaining database system software.	B. defining data elements, data names and their relationship.	C. developing physical database structures.	D. developing data dictionary system software.	b	Data administrators define data elements and relationships, distinct from DBA roles.	MOCKDISA	2,262	123	MOCKDISA
72. Before implementing an IT balanced scorecard, an organization must:	A. deliver effective and efficient services.	B. define key performance indicators.	C. provide business value to IT projects.	D. control IT expenses.	b	Defining KPIs precedes IT balanced scorecard implementation.	MOCKDISA	2,263	89	MOCKDISA
73. A local area network (LAN) administrator normally would be restricted from:	A. having end-user responsibilities.	B. reporting to the end-user manager.	C. having programming responsibilities.	D. being responsible for LAN security administration.	c	LAN administrators typically do not handle programming tasks.	MOCKDISA	2,264	198	MOCKDISA
74. The initial step in establishing an information security program is the:	A. development and implementation of an information security standards manual.	B. performance of a comprehensive security control review by the IS auditor.	C. adoption of a corporate information security policy statement.	D. purchase of security access control software.	c	Adopting a security policy sets the foundation for the security program.	MOCKDISA	2,265	70	MOCKDISA
75. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?	A. Response	B. ion	C. Detection	D. Monitoring	a	Response programs are crucial in handling suspected intrusions effectively.	MOCKDISA	2,266	18	MOCKDISA
76. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:	A. a lack of investment in technology.	B. a lack of a methodology for systems development.	C. the technology not aligning with the organization's objectives.	D. an absence of control over technology contracts.	c	Senior management commitment ensures IT aligns with organizational objectives.	MOCKDISA	2,267	150	MOCKDISA
77. When an organization is outsourcing their information security function, which of the following should be kept in the organization?	A. Accountability for the corporate security policy	B. Defining the corporate security policy	C. Implementing the corporate security policy	D. Defining security procedures and guidelines	a	Accountability for security policy cannot be outsourced.	MOCKDISA	2,268	51	MOCKDISA
78. An organization has outsourced its software development. Which of the following is the responsibility of the organization's IT management?	A. Paying for provider services	B. Participating in systems design with the provider	C. Managing compliance with the contract for the outsourced services	D. Negotiating contractual agreement with the provider	c	IT management ensures compliance with outsourced service contracts.	MOCKDISA	2,269	170	MOCKDISA
79. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:	A. this lack of knowledge may lead to unintentional disclosure of sensitive information	B. information security is not critical to all functions.	C. IS audit should provide security training to the employees.	D. the audit finding will cause management to provide continuous training to staff.	a	Lack of awareness can lead to unintentional data disclosure, necessitating training.	MOCKDISA	2,270	120	MOCKDISA
80. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the _______________. (fill-in-the-blank)	A. Security administrator	B. Systems auditor	C. Board of directors	D. Financial auditor	c	Board of directors hold ultimate responsibility for BCP and DRP plans.	MOCKDISA	2,271	55	MOCKDISA
81. IT control objectives are useful to IS auditors, as they provide the basis for understanding the:	A. desired result or purpose of implementing specific control procedures.	B. best IT security control practices relevant to a specific entity.	C. techniques for securing information.	D. security policy.	a	An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.	MOCKDISA	2,272	48	MOCKDISA
82. Which of the following is the PRIMARY objective of an IT performance measurement process?	A. Minimize errors.	B. Gather performance data.	C. Establish performance baselines.	D. Optimize performance.	d	The primary objective of an IT performance measurement process is to optimize performance. This process involves measuring and managing products/services, assuring accountability, and making budget decisions. While minimizing errors is an aspect of performance management, it is not the primary objective. Gathering performance data and establishing baselines are steps in the process of performance measurement rather than the primary objective itself.	MOCKDISA	2,273	68	MOCKDISA
83. Which of the following would provide a mechanism whereby IS management can determine if the activities of the organization have deviated from the planned or expected levels?	A. Quality management	B. IS assessment methods	C. Management principles	D. Industry standards/benchmarking	b	IS assessment methods provide a mechanism whereby IS management can determine if the activities of the organization have deviated from planned or expected levels. These methods include IS budgets, capacity and growth planning, industry standards/benchmarking, financial management practices, and goal accomplishment. Quality management focuses on controlling, measuring, and improving IS processes. Management principles cover various aspects such as people, change, processes, and security. Industry standards/benchmarking helps in comparing performance levels with similar information processing facility environments.	MOCKDISA	2,274	28	MOCKDISA
84. Which of the following is the MOST critical for the successful implementation and maintenance of a security policy?	A. Assimilation of the framework and intent of a written security policy by all appropriate parties	B. Management support and approval for the implementation and maintenance of a security policy	C. Enforcement of security rules by providing punitive actions for any violation of security rules	D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software	a	The assimilation of the framework and intent of a written security policy by all appropriate parties is critical for successful implementation and maintenance of the security policy. Without the understanding and acceptance of security policies by system users, even the best security measures may fail. While management support is important, user education and compliance are equally vital. Enforcement of security rules and stringent implementation are necessary but effective only when users understand the policy's intent and importance.	MOCKDISA	2,275	134	MOCKDISA
85. The PRIMARY objective of an audit of IT security policies is to ensure that:	A. they are distributed and available to all staff.	B. security and control policies support business and IT objectives.	C. there is a published organizational chart with functional descriptions.	D. duties are appropriately segregated.	b	The primary objective of an audit of IT security policies is to verify that security and control policies support business and IT objectives. It ensures that the IT security framework is aligned with organizational goals and objectives, enhancing overall business performance and security posture. While distribution to staff, organizational charts, and segregation of duties are components of effective policy implementation, they are not the primary focus of an IT security policy audit.	MOCKDISA	2,276	51	MOCKDISA
86. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?	A. Assimilation of the framework and intent of a written security policy by all appropriate parties	B. Management support and approval for the implementation and maintenance of a security policy	C. Enforcement of security rules by providing punitive actions for any violation of security rules	D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software	a	Assimilation of the framework and intent of a written security policy by the users of the system is critical to its successful implementation and maintenance. Without user understanding and adherence, security policies can easily be circumvented or misunderstood, rendering them ineffective. While management support and enforcement are essential, they are complemented by user education and compliance. Stringent implementation and monitoring ensure policy adherence but rely on user awareness for effectiveness.	MOCKDISA	2,277	105	MOCKDISA
87. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties?	A. Sequence check	B. Check digit	C. Source documentation retention	D. Batch control reconciliations	d	Batch control reconciliations serve as compensating controls to mitigate risks arising from inadequate segregation of duties. They help ensure that batch processes are correctly executed and reconciled, reducing the risk of errors or fraud in scenarios where segregation of duties is not fully implemented. Sequence checks and check digits are data validation techniques, ensuring data accuracy but not specifically compensating for segregation issues. Source documentation retention is a data integrity control, ensuring the availability of supporting documents but not directly compensating for segregation concerns.	MOCKDISA	2,278	63	MOCKDISA
88. Which of the following reduces the potential impact of social engineering attacks?	A. Compliance with regulatory requirements	B. Promoting ethical understanding	C. Security awareness programs	D. Effective performance incentives	c	Security awareness programs are the most effective defense against social engineering attacks because they educate users about potential threats and how to respond to them. By increasing user vigilance and knowledge, these programs help mitigate the success of social engineering tactics that rely on manipulating human behavior. While regulatory compliance, ethical promotion, and performance incentives are important, they do not directly address the psychological and behavioral aspects targeted by social engineering attacks.	MOCKDISA	2,279	111	MOCKDISA
89. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?	A. O/S and hardware refresh frequencies	B. Gain-sharing performance bonuses	C. Penalties for noncompliance	D. Charges tied to variable cost metrics	b	Gain-sharing performance bonuses incentivize outsourcers to minimize costs and improve service levels by rewarding them with a percentage of the achieved savings. This clause encourages outsourcers to go beyond minimum requirements and find innovative ways to deliver better service at lower costs. Refresh frequencies and penalties for noncompliance focus on contract enforcement rather than performance improvement. Charges tied to variable cost metrics may not necessarily drive efficiency gains that benefit the client.	MOCKDISA	2,280	51	MOCKDISA
90. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:	A. recovery.	B. retention.	C. rebuilding.	D. reuse.	b	An effective e-mail policy should include guidelines on the retention of messages to ensure compliance with legal and regulatory requirements. Retention policies dictate how long emails should be kept for legal, business, and compliance purposes, balancing the need for storage against the risk of litigation or audits. Addressing retention in the e-mail policy also facilitates recovery, rebuilding, and reuse of messages as necessary, supporting both operational continuity and legal compliance.	MOCKDISA	2,281	150	MOCKDISA
91. When are benchmarking partners identified within the benchmarking process?	A. In the design stage	B. In the testing stage	C. In the research stage	D. In the development stage	c	Benchmarking partners are identified in the research stage of the benchmarking process.	MOCKDISA	2,282	146	MOCKDISA
92. In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?	A. Optimized	B. Managed	C. Defined	D. Repeatable	b	When IT security responsibilities are clearly assigned and enforced, and risk and impact analysis is consistent, the organization is at the "managed" level in the information security governance maturity model.	MOCKDISA	2,283	157	MOCKDISA
93. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?	A. Sensitive data can be read by operators.	B. Data can be amended without authorization.	C. Unauthorized report copies can be printed.	D. Output can be lost in the event of system failure.	c	The most serious exposure in spooling for offline printing is the potential for unauthorized copies of sensitive reports to be printed.	MOCKDISA	2,284	163	MOCKDISA
94. Applying a retention date on a file will ensure that:	A. data cannot be read until the date is set.	B. data will not be deleted before that date.	C. backup copies are not retained after that date.	D. datasets having the same name are differentiated.	b	A retention date on a file ensures that data will not be deleted before the specified date.	MOCKDISA	2,285	160	MOCKDISA
95. Which of the following can be used to verify output results and control totals by matching them against the input data and control totals?	A. Batch header forms	B. Batch balancing	C. Data conversion error ions	D. Access controls over print spools	b	Batch balancing is used to verify output results and control totals by comparing them with input data and control totals.	MOCKDISA	2,286	154	MOCKDISA
96. Which of the following would an IS auditor expect to find in a console log?	A. Names of system users	B. Shift supervisor identification	C. System errors	D. Data edit errors	c	Console logs typically contain records of system errors.	MOCKDISA	2,287	46	MOCKDISA
97. A network diagnostic tool that monitors and records network information is a(n):	A. online monitor.	B. downtime report.	C. help desk report.	D. protocol analyzer.	d	A protocol analyzer is a network diagnostic tool that monitors and records network information.	MOCKDISA	2,288	156	MOCKDISA
98. Which of the following will help detect changes made by an intruder to the system log of a server?	A. Mirroring the system log on another server	B. Simultaneously duplicating the system log on a write-once disk	C. Write-protecting the directory containing the system log	D. Storing the backup of the system log offsite	b	Duplicating the system log on a write-once disk helps detect changes made by intruders because the original log can be compared with the duplicate for discrepancies.	MOCKDISA	2,289	183	MOCKDISA
99. During an audit of the tape management system at a data center, an IS auditor discovered that parameters are set to bypass or ignore the labels written on tape header records. The IS auditor also determined that effective staging and job setup procedures were in place. In this situation, the IS auditor should conclude that the:	A. tape headers should be manually logged and checked by the operators.	B. staging and job setup procedures are not appropriate compensating controls.	C. staging and job setup procedures compensate for the tape label control weakness.	D. tape management system parameters must be set to check all labels.	c	Effective staging and job setup procedures can compensate for weaknesses in tape label control by ensuring proper handling and setup of jobs despite parameter settings that bypass tape labels.	MOCKDISA	2,290	18	MOCKDISA
100. IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings?	A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations.	B. The service provider does not have incident handling procedures.	C. Recently a corrupted database could not be recovered because of library management problems.	D. Incident logs are not being reviewed.	a	The absence of disaster recovery provisions in the outsourcing contract is a critical concern for the IS auditor, as it poses significant risk to business continuity and IT service availability.	MOCKDISA	2,291	195	MOCKDISA
101. Which of the following BEST ensures the integrity of a server's operating system?	A. Protecting the server in a secure location	B. Setting a boot password	C. Hardening the server configuration	D. Implementing activity logging	c	Hardening a system means to configure it in the most secure manner to prevent non-privileged users from gaining control of the entire machine, jeopardizing the OS's integrity. Protecting the server in a secure location and setting a boot password are good practices, but do not ensure that logical vulnerabilities are prevented. Activity logging is a detective control and can be bypassed by an attacker with privileged access.	MOCKDISA	2,292	181	MOCKDISA
102. An IS auditor detected that several PCs connected to the Internet have a low security level that is allowing for the free recording of cookies. This creates a risk because cookies locally store:	A. information about the Internet site.	B. information about the user.	C. information for the Internet connection.	D. Internet pages.	b	Cookies locally store information about the user, which can pose privacy risks if not controlled properly.	MOCKDISA	2,293	10	MOCKDISA
103. Which of the following is the MOST probable cause for a mail server being used to send spam?	A. Installing an open relay server	B. Enabling Post Office Protocol (POP3)	C. Using Simple Mail Transfer Protocol (SMTP)	D. Activating user accounting	a	An open relay server allows unauthorized users to route spam through the mail server.	MOCKDISA	2,294	33	MOCKDISA
104. Which of the following is the MOST probable cause for a mail server being used to send spam?	A. Installing an open relay server	B. Enabling Post Office Protocol (POP3)	C. Using Simple Mail Transfer Protocol (SMTP)	D. Activating user accounting	a	An open relay server allows unauthorized users to route spam through the mail server.	MOCKDISA	2,295	192	MOCKDISA
105. The MOST significant security concern when using flash memory (e.g., USB removable disk) is that the:	A. contents are highly volatile.	B. data cannot be backed up.	C. data can be copied.	D. device may not be compatible with other peripherals.	c	Flash memory allows easy copying of data, which can lead to unauthorized access or leakage of sensitive information.	MOCKDISA	2,296	125	MOCKDISA
106. The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in:	A. loss of confidentiality.	B. increased redundancy.	C. unauthorized accesses.	D. application malfunctions.	b	Denormalizing tables increases redundancy, which can lead to increased storage requirements and potentially slower performance in certain scenarios.	MOCKDISA	2,297	170	MOCKDISA
107. Web and e-mail filtering tools are PRIMARILY valuable to an organization because they:	A. protect the organization from viruses and non-business materials.	B. maximize employee performance.	C. safeguard the organization's image.	D. assist the organization in preventing legal issues	a	Web and e-mail filtering tools primarily protect organizations from malware, viruses, and non-business related content, reducing security risks.	MOCKDISA	2,298	71	MOCKDISA
108. Which of the following is the GREATEST risk related to the monitoring of audit logs?	A. Logs are not backed up periodically.	B. Routine events are recorded.	C. Procedures for enabling logs are not documented.	D. Unauthorized system actions are recorded but not investigated.	d	Failing to investigate unauthorized actions recorded in audit logs renders the logs ineffective in detecting and responding to security breaches.	MOCKDISA	2,299	116	MOCKDISA
109. An organization wants to enforce data integrity principles and achieve faster performance/execution in a database application. Which of the following design principles should be applied?	A. User (customized) triggers	B. Data validation at the front end	C. Data validation at the back end	D. Referential integrity	d	Referential integrity ensures data consistency and can enhance database performance by enforcing relationships between tables.	MOCKDISA	2,300	151	MOCKDISA
110. To share data in a multivendor network environment, it is essential to implement program-to-program communication. With respect to program-to-program communication features, that can be implemented in this environment, which of the following makes implementation and maintenance difficult?	A. User isolation	B. Controlled remote access	C. Transparent remote access	D. The network environments	d	The complexity of the network environments can significantly impact the implementation and maintenance of program-to-program communication features across multiple vendors.	MOCKDISA	2,301	10	MOCKDISA
111. An IS auditor is reviewing the database administration (DBA) function to ascertain whether adequate provision has been made for controlling data. The IS auditor should determine that the:	A. function reports to data processing operations.	B. responsibilities of the function are well defined.	C. database administrator is a competent systems programmer.	D. audit software has the capability of efficiently accessing the database.	b	The IS auditor should ensure that the responsibilities of the DBA function are well defined, ensuring independence and authority, which is crucial for effective data control. Reporting to data processing or being a systems programmer are not primary requirements.	MOCKDISA	2,302	66	MOCKDISA
112. Which of the following is a control over database administration activities?	A. A database checkpoint to restart processing after a system failure	B. Database compression to reduce unused space	C. Supervisory review of access logs	D. Backup and recovery procedures to ensure database availability	c	Supervisory review of access logs provides oversight and control over database administration activities, ensuring accountability and proper use of database tools.	MOCKDISA	2,303	139	MOCKDISA
113. To maximize the performance of a large database in a parallel processing environment, which of the following is used for separating indexes?	A. Disk partitioning	B. Mirroring	C. Hashing	D. Duplexing	c	Hashing is used to partition independent indexes in a large database for optimal performance in parallel processing environments.	MOCKDISA	2,304	36	MOCKDISA
114. Which of the following will prevent dangling tuples in a database?	A. Cyclic integrity	B. Domain integrity	C. Relational integrity	D. Referential integrity	d	Referential integrity ensures that all foreign keys in a table have corresponding primary keys in another table, preventing dangling tuples or orphaned records.	MOCKDISA	2,305	171	MOCKDISA
115. The objective of concurrency control in a database system is to:	A. restrict updating of the database to authorized users.	B. prevent integrity problems, when two processes attempt to update the same data at the same time.	C. prevent inadvertent or unauthorized disclosure of data in the database.	D. ensure the accuracy, completeness and consistency of data.	b	Concurrency control prevents data integrity issues that occur when multiple processes attempt to update the same data simultaneously, ensuring data consistency.	MOCKDISA	2,306	114	MOCKDISA
116. A referential integrity constraint consists of:	A. ensuring the integrity of transaction processing.	B. ensuring that data are updated through triggers.	C. ensuring controlled user updates to the database.	D. rules for designing tables and queries.	b	Referential integrity constraints ensure that changes to primary key values are propagated to corresponding foreign key values through triggers, maintaining data consistency.	MOCKDISA	2,307	48	MOCKDISA
117. Which of the following controls would provide the GREATEST assurance of database integrity?	A. Audit log procedures	B. Table link/reference checks	C. Query/table access time checks	D. Rollback and rollforward database features	b	Table link/reference checks detect and prevent table linking errors, ensuring the highest level of database integrity by verifying data completeness and accuracy.	MOCKDISA	2,308	111	MOCKDISA
118. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of:	A. loss of audit trails.	B. redundancy of data.	C. loss of data integrity.	D. unauthorized access to data.	b	Disabling normalization controls increases the risk of data redundancy within the database, impacting data integrity and potentially complicating data management.	MOCKDISA	2,309	30	MOCKDISA
119. In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?	A. Automated logging of changes to development libraries	B. Additional staff to provide separation of duties	C. Procedures that verify that only approved program changes are implemented	D. Access controls to prevent the operator from making program modifications	c	Implementing procedures to verify and approve program changes ensures control and oversight in a small organization where strict separation of duties may not be feasible.	MOCKDISA	2,310	42	MOCKDISA
120. Vendors have released patches fixing security flaws in their software. Which of the following should the IS auditor recommend in this situation?	A. Assess the impact of patches prior to installation.	B. Ask the vendors for a new software version with all fixes included.	C. Install the security patch immediately.	D. Decline to deal with these vendors in the future.	a	Before installing patches, assessing their impact ensures compatibility and minimizes disruption to operations, safeguarding against unintended consequences of patch installation.	MOCKDISA	2,311	15	MOCKDISA
121. A programmer, using firecall IDs, as provided in the manufacture's manual, gained access to the production environment and made an unauthorized change. Which of the following could have prevented this from happening?	A. Deactivation	B. Monitoring	C. Authorization	D. Resetting	d	The vendor supplied firecall IDs should be reset at the time of implementing the system and new IDs generated. Deactivation may cause the disruption of a critical production job. Without resetting the vendor provided firecall IDs, monitoring and authorization of such IDs are not effective controls.	MOCKDISA	2,312	184	MOCKDISA
122. One of the purposes of library control software is to allow:	A. programmers access to production source and object libraries.	B. batch program updating.	C. operators to update the control library with the production version before testing is completed.	D. read-only access to source code.	d	An important purpose of library control software is to allow read-only access to source code. Choices A, B and C are activities which library control software should help to prevent or prohibit.	MOCKDISA	2,313	117	MOCKDISA
123. An organization is moving its application maintenance in-house from an outside source. Which of the following should be the main concern of an IS auditor?	A. Regression testing	B. Job scheduling	C. User manuals	D. Change control procedures	d	It is essential for the maintenance and control of software that change control procedures be in place. Regression testing is completed after changes are made to the software, and since the software is already being used, the job schedule must be in place and may be reviewed later. This change does not affect user manuals and any associated risks.	MOCKDISA	2,314	92	MOCKDISA
124. Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?	A. Release-to-release source and object comparison reports	B. Library control software restricting changes to source code	C. Restricted access to source code and object code	D. Date and time-stamp reviews of source and object code	d	Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.	MOCKDISA	2,315	136	MOCKDISA
125. An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?	A. Allow changes to be made only with the DBA user account.	B. Make changes to the database after granting access to a normal user account	C. Use the DBA user account to make changes, log the changes and review the change log the following day.	D. Use the normal user account to make changes, log the changes and review the change log the following day.	c	The use of a database administrator (DBA) user account is (should be) normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review form an appropriate set of compensating controls.	MOCKDISA	2,316	184	MOCKDISA
126. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?	A. Review software migration records and verify approvals.	B. Identify changes that have occurred and verify approvals.	C. Review change control documentation and verify approvals.	D. Ensure that only appropriate staff can migrate changes into production.	b	The most effective method is to determine through code comparisons what changes have been made and then verify that they have been approved. Change control records and software migration records may not have all changes listed. Ensuring that only appropriate staff can migrate changes into production is a key control process, but in itself does not verify compliance.	MOCKDISA	2,317	169	MOCKDISA
127. After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?	A. Differential reporting	B. False-positive reporting	C. False-negative reporting	D. Less-detail reporting	c	False-negative reporting on weaknesses means the control weaknesses in the network are not identified and, hence, may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in which the controls are in place, but are evaluated as weak, which should prompt a rechecking of the controls. Less-detail reporting and differential reporting functions provided by these tools compare scan results over a period of time.	MOCKDISA	2,318	23	MOCKDISA
128. The FIRST step in managing the risk of a cyber attack is to:	A. assess the vulnerability impact.	B. evaluate the likelihood of threats.	C. identify critical information assets.	D. estimate potential damage.	c	The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages.	MOCKDISA	2,319	125	MOCKDISA
129. Which of the following is the MOST effective method for dealing with the spreading of a network worm that exploits a vulnerability in a protocol?	A. Install the vendor's security fix for the vulnerability.	B. Block the protocol traffic in the perimeter firewall.	C. Block the protocol traffic between internal network segments.	D. Stop the service until an appropriate security fix is installed.	d	Stopping the service until a security fix is installed halts the worm's spread and prevents further exploitation of the vulnerability. If the service is not stopped, installing the fix is not the most effective method because the worm continues spreading until the fix becomes effective. Blocking the protocol on the perimeter does not stop the worm from spreading to the internal network(s). Blocking the protocol helps to slow down the spreading but also prohibits every software that utilizes it from working between segments.	MOCKDISA	2,320	53	MOCKDISA
130. Which of the following is the BEST control to detect internal attacks on IT resources?	A. Checking of activity logs	B. Reviewing firewall logs	C. Implementing a security policy	D. Implementing appropriate segregation of duties	a	Verification of individual activity logs will detect the misuse of IT resources. Depending on the configuration, firewall logs can help in detecting attacks passing through the firewall. Implementation of a security policy and segregation of duties are deterrent controls that might prevent the misuse of IT resources.	MOCKDISA	2,321	198	MOCKDISA
121. A programmer, using firecall IDs, as provided in the manufacture's manual, gained access to the production environment and made an unauthorized change. Which of the following could have prevented this from happening?	A. Deactivation	B. Monitoring	C. Authorization	D. Resetting	d	Explanation: The vendor supplied firecall IDs should be reset at the time of implementing the system and new IDs generated. Deactivation may cause the disruption of a critical production job. Without resetting the vendor provided firecall IDs, monitoring and authorization of such IDs are not effective controls.	MOCKDISA	2,322	12	MOCKDISA
122. One of the purposes of library control software is to allow:	A. programmers access to production source and object libraries.	B. batch program updating.	C. operators to update the control library with the production version before testing is completed.	D. read-only access to source code.	d	Explanation: An important purpose of library control software is to allow read-only access to source code. Choices A, B and C are activities which library control software should help to prevent or prohibit.	MOCKDISA	2,323	130	MOCKDISA
123. An organization is moving its application maintenance in-house from an outside source. Which of the following should be the main concern of an IS auditor?	A. Regression testing	B. Job scheduling	C. User manuals	D. Change control procedures	d	Explanation: It is essential for the maintenance and control of software that change control procedures be in place. Regression testing is completed after changes are made to the software, and since the software is already being used, the job schedule must be in place and may be reviewed later. This change does not affect user manuals and any associated risks.	MOCKDISA	2,324	55	MOCKDISA
124. Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?	A. Release-to-release source and object comparison reports	B. Library control software restricting changes to source code	C. Restricted access to source code and object code	D. Date and time-stamp reviews of source and object code	d	Explanation: Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.	MOCKDISA	2,325	68	MOCKDISA
125. An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?	A. Allow changes to be made only with the DBA user account.	B. Make changes to the database after granting access to a normal user account	C. Use the DBA user account to make changes, log the changes and review the change log the following day.	D. Use the normal user account to make changes, log the changes and review the change log the following day.	c	Explanation: The use of a database administrator (DBA) user account is (should be) normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review form an appropriate set of compensating controls.	MOCKDISA	2,326	107	MOCKDISA
126. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?	A. Review software migration records and verify approvals.	B. Identify changes that have occurred and verify approvals.	C. Review change control documentation and verify approvals.	D. Ensure that only appropriate staff can migrate changes into production.	b	Explanation: The most effective method is to determine through code comparisons what changes have been made and then verify that they have been approved. Change control records and software migration records may not have all changes listed. Ensuring that only appropriate staff can migrate changes into production is a key control process, but in itself does not verify compliance.	MOCKDISA	2,327	112	MOCKDISA
127. After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?	A. Differential reporting	B. False-positive reporting	C. False-negative reporting	D. Less-detail reporting	c	Explanation: False-negative reporting on weaknesses means the control weaknesses in the network are not identified and, hence, may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in which the controls are in place, but are evaluated as weak, which should prompt a rechecking of the controls. Less-detail reporting and differential reporting functions provided by these tools compare scan results over a period of time.	MOCKDISA	2,328	63	MOCKDISA
128. The FIRST step in managing the risk of a cyber attack is to:	A. assess the vulnerability impact.	B. evaluate the likelihood of threats.	C. identify critical information assets.	D. estimate potential damage.	c	Explanation: The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages.	MOCKDISA	2,329	41	MOCKDISA
129. Which of the following is the MOST effective method for dealing with the spreading of a network worm that exploits a vulnerability in a protocol?	A. Install the vendor's security fix for the vulnerability.	B. Block the protocol traffic in the perimeter firewall.	C. Block the protocol traffic between internal network segments.	D. Stop the service until an appropriate security fix is installed.	d	Explanation: Stopping the service and installing the security fix is the safest way to prevent the worm from spreading. If the service is not stopped, installing the fix is not the most effective method because the worm continues spreading until the fix becomes effective. Blocking the protocol on the perimeter does not stop the worm from spreading to the internal network(s). Blocking the protocol helps to slow down the spreading but also prohibits every software that utilizes it from working between segments.	MOCKDISA	2,330	95	MOCKDISA
130. Which of the following is the BEST control to detect internal attacks on IT resources?	A. Checking of activity logs	B. Reviewing firewall logs	C. Implementing a security policy	D. Implementing appropriate segregation of duties	a	Explanation: Verification of individual activity logs will detect the misuse of IT resources. Depending on the configuration, firewall logs can help in detecting attacks passing through the firewall. Implementation of a security policy and segregation of duties are deterrent controls that might prevent the misuse of IT resources.	MOCKDISA	2,331	78	MOCKDISA
131. A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?	A. Most employees use laptops.	B. A packet filtering firewall is used.	C. The IP address space is smaller than the number of PCs.	D. Access to a network port is not restricted.	d	Explanation: Given physical access to a port, anyone can connect to the internal network. The other choices do not present the exposure that access to a port does. DHCP provides convenience (an advantage) to the laptop users. Sharing IP addresses and the existence of a firewall can be security measures.	MOCKDISA	2,332	195	MOCKDISA
132. An IS auditor is performing a network security review of a telecom company that provides Internet connection services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology for protecting their customer's payment information. The IS auditor should be MOST concerned, if a hacker:	A. compromises the Wireless Application Protocol (WAP) gateway.	B. installs a sniffing program in front of the server.	C. steals a customer's PDA.	D. listens to the wireless transmission.	a	Explanation: In a WAP gateway, the encrypted messages from customers must be decrypted to transmit over the Internet and vice versa. Therefore, if the gateway is compromised all of the messages would be exposed. SSL protects the messages from sniffing on the Internet, limiting disclosure of the customer's information. WTLS provides authentication, privacy and integrity and prevents messages from eavesdropping.	MOCKDISA	2,333	40	MOCKDISA
133. Analysis of which of the following would MOST likely enable the IS auditor to determine if an unapproved program attempted to access sensitive data?	A. Abnormal job termination reports	B. Operator problem reports	C. System logs	D. Operator work schedules	c	Explanation: System logs are automated reports that identify most of the activities performed on the computer. Many programs that analyze the system log to report on specifically defined items have been developed. Abnormal job termination reports identify application jobs that were terminated before successful completion. Operator problem reports are used by operators to log computer operations problems and their solutions. Operator work schedules are maintained by IS management to assist in human resource planning.	MOCKDISA	2,334	145	MOCKDISA
134. A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives?	A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies	B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing	C. Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format	D. Reengineering the existing processing and redesigning the existing system	c	Explanation: EDI is the best Answer. Properly implemented (e.g., agreements with trading partners transaction standards, controls over network security mechanisms in conjunction with application controls) EDI is best suited to identify and follow up on errors more quickly, given reduced opportunities for review and authorization.	MOCKDISA	2,335	184	MOCKDISA
135. A number of system failures are occurring when ions to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?	A. Unit testing	B. Integration testing	C. Design walk-throughs	D. Configuration management	b	Explanation: A common system maintenance problem is that errors are often ed quickly (especially when deadlines are tight); units are tested by the programmer and then transferred to the acceptance test area; this often results in system problems that should have been detected during integration or system testing. Integration testing aims at ensuring that the major components of the system interface ly.	MOCKDISA	2,336	117	MOCKDISA
136. A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?	A. Comparing source code	B. Reviewing system log files	C. Comparing object code	D. Reviewing executable and source code integrity	b	Explanation: Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. Source and object code comparisons are ineffective, because the original programs were restored and do not exist. Reviewing executable and source code integrity is an ineffective control, because integrity between the executable and source code is automatically maintained.	MOCKDISA	2,337	131	MOCKDISA
137. An employee is responsible for updating daily the interest rates in a finance application, including interest rate exceptions for preferred customers. Which of the following is the BEST control to ensure that all rate exceptions are approved?	A. A supervisor must enter his/her password before a rate exception is validated.	B. Rates outside the normal range require prior management approval.	C. The system beeps an alarm when rate exceptions are entered.	D. All interest rates must be logged and verified every 30 days.	b	Explanation: Prior approval of management for rates outside the normal range would be a proper control. Entering the password of a supervisor does not ensure authorization. A system alarm upon entry of a rate exception is only a warning. Logging of exceptions is a detective control.	MOCKDISA	2,338	7	MOCKDISA
138. An IS auditor is conducting a review of an application system after users have completed acceptance testing. What should be the IS auditor’s major concern?	A. Determining whether test objectives were documented	B. Assessing whether users documented expected test results	C. Reviewing whether test problem logs were completed	D. Determining if there are unresolved issues	d	Explanation: In assessing the overall success or failure of the acceptance test, the IS auditor should determine whether the test plans were documented and whether actual results were compared with expected results as well as review the test problem log to confirm resolution of identified test issues. The IS auditor should then determine the impact of the unresolved issues on system functionality and usability.	MOCKDISA	2,339	161	MOCKDISA
139. By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:	A. reliable products are guaranteed.	B. programmers' efficiency is improved.	C. security requirements are designed.	D. predictable software processes are followed.	d	Explanation: By evaluating the organization's development projects against the CMM, the IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming nor does it evaluate security requirements or other application controls.	MOCKDISA	2,340	46	MOCKDISA
140. Ideally, stress testing should be carried out in a:	A. test environment using test data.	B. production environment using live workloads.	C. test environment using live workloads.	D. production environment using test data.	c	Explanation: Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment (choices B and D), and if only test data is used, there is no certainty that the system was stress tested adequately.	MOCKDISA	2,341	89	MOCKDISA
141. In an EDI process, the device which transmits and receives electronic documents is the:	A. communications handler.	B. EDI translator.	C. application interface.	D. EDI interface.	a	A communications handler transmits and receives electronic documents between trading partners and/or wide area networks (WANs). An EDI translator translates data between the standard format and a trading partner's proprietary format. An application interface moves electronic transactions to or from the application system and performs data mapping. An EDI interface manipulates and routes data between the application system and the communications handler.	MOCKDISA	2,342	136	MOCKDISA
142. In an electronic fund transfer (EFT) system, which of the following controls would be useful in detecting a duplication of messages?	A. Message authentication code	B. Digital signature	C. Authorization sequence number	D. Segregation of authorization	c	The authorization sequence number is the control that will detect the duplication of a message. A message authentication code detects unauthorized modifications, a digital signature ensures non-repudiation, and the segregation of the creation of the message and the authorization will avoid dummy messages.	MOCKDISA	2,343	179	MOCKDISA
143. Information for detecting unauthorized input from a terminal would be BEST provided by the:	A. console log printout.	B. transaction journal.	C. automated suspense file listing.	D. user error report.	b	The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, and the user error report would only list input that resulted in an edit error.	MOCKDISA	2,344	92	MOCKDISA
144. Peer reviews to detect software errors during a program development activity are called:	A. emulation techniques.	B. structured walk-throughs.	C. modular program techniques.	D. top-down program construction.	b	A structured walk-through is a management tool for improving productivity. Structured walk-throughs can detect an error or improper interpretation of the program specifications. This, in turn, improves the quality of system testing and acceptance testing. The other choices are methods or tools in the overall systems development process.	MOCKDISA	2,345	92	MOCKDISA
145. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically:	A. result in a capture of requirements.	B. ensure that desirable application controls have been implemented.	C. produce ergonomic and user-friendly interfaces.	D. generate efficient code.	a	The principal concern should be to ensure an alignment of the application with business needs and user requirements. While the CASE being used may provide tools to cover this crucial initial phase, a cooperative user-analyst interaction is always needed. Choice B should be the next concern. If the system meets business needs and user requirements, it should also incorporate all desirable controls. Controls have to be specified since CASE can only automatically incorporate certain, rather low-level, controls (such as type of input data, e.g., date, expected). CASE will not (choice C) automatically generate ergonomic and user-friendly interfaces, but it should provide tools for easy (and automatically documented) tuning. CASE applications (choice D) generally come short of optimizing the use of hardware and software resources, precisely because they are designed to optimize other elements, such as developers' effort or documentation.	MOCKDISA	2,346	18	MOCKDISA
146. The request for proposal (RFP) for the acquisition of an application system would MOST likely be approved by the:	A. project steering committee.	B. project sponsor.	C. project manager.	D. user project team.	a	A project steering committee usually consists of a senior representative from each function that will be affected by the new system and would be the most appropriate group to approve the RFP. The project sponsor provides funding for the project. The project manager and user project team are responsible for drafting the RFP.	MOCKDISA	2,347	130	MOCKDISA
147. The use of a GANTT chart can:	A. aid in scheduling project tasks.	B. determine project checkpoints.	C. ensure documentation standards.	D. direct the post implementation review.	a	A GANTT chart is used in project control. It may aid in the identification of needed checkpoints, but its primary use is in scheduling. It will not ensure the completion of documentation nor will it provide direction for the post-implementation review.	MOCKDISA	2,348	126	MOCKDISA
148. Which of the following is a characteristic of timebox management? It:	A. is not suitable for prototyping or rapid application development (RAD).	B. eliminates the need for a quality process.	C. prevents cost overruns and delivery delays.	D. separates system and user acceptance testing.	c	Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and RAD, and integrates system and user acceptance testing, but does not eliminate the need for a quality process.	MOCKDISA	2,349	181	MOCKDISA
149. Which of the following is an implementation risk within the process of decision support systems?	A. Management control	B. Semistructured dimensions	C. Inability to specify purpose and usage patterns	D. Changes in decision processes	c	The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B, and D are not risks, but characteristics of a DSS.	MOCKDISA	2,350	38	MOCKDISA
150. Which of the following is the FIRST step in a business process reengineering (BPR) project?	A. Defining the areas to be reviewed	B. Developing a project plan	C. Understanding the process under review	D. Reengineering and streamlining the process under review	a	On the basis of the evaluation of the entire business process, ly defining the areas to be reviewed is the first step in a BPR project. On the basis of the definition of the areas to be reviewed, the project plan is developed. Understanding the process under review is important, but the subject of the review must be defined first. Thereafter, the process can be reengineered, streamlined, implemented, and monitored for continuous improvement.	MOCKDISA	2,351	83	MOCKDISA
151. Which of the following is used to ensure that batch data is completely and accurately transferred between two systems?	A. Control total	B. Check digit	C. Check sum	D. Control account	a	A control total is frequently used as an easily recalculated control. The number of invoices in a batch or the value of invoices in a batch are examples of control totals. They provide a simple way of following an audit trail from a general ledger summary item to an individual transaction, and back. A check digit is a method of verifying the accuracy of a single data item, such as a credit card number. Although a check sum is an excellent control over batch completeness and accuracy, it is not easily recalculated and, therefore, is not as commonly used in financial systems as a control total. Check sums are frequently used in data transfer as part of encryption protocols. Control accounts are used in financial systems to ensure that components that exchange summary information, such as a sales register and a general ledger, can be reconciled.	MOCKDISA	2,352	50	MOCKDISA
152. Which of the following should be included in a feasibility study for a project to implement an EDI process?	A. The encryption algorithm format	B. The detailed internal control procedures	C. The necessary communication protocols	D. The proposed trusted third-party agreement	c	Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications, if new hardware and software are involved, and risk implications, if the technology is new to the organization.	MOCKDISA	2,353	14	MOCKDISA
153. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?	A. Acceptance testing is to be managed by users.	B. A quality plan is not part of the contracted deliverables.	C. Not all business functions will be available on initial implementation.	D. Prototyping is being used to confirm that the system meets business requirements.	b	A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. Acceptance is normally managed by the user area, since they must be satisfied that the new system will meet their requirements. If the system is large, a phased-in approach to implementing the application is a reasonable approach. Prototyping is a valid method of ensuring that the system will meet business requirements.	MOCKDISA	2,354	18	MOCKDISA
154. A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced?	A. Verifying production to customer orders	B. Logging all customer orders in the ERP system	C. Using hash totals in the order transmitting process	D. Approving (production supervisor) orders prior to production	a	Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time-consuming, manual process that does not guarantee proper control.	MOCKDISA	2,355	92	MOCKDISA
155. A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?	A. Key verification	B. One-for-one checking	C. Manual recalculations	D. Functional acknowledgements	d	Functional acknowledgements act as an audit trail for EDI transactions and are a main control used in data mapping. All the other choices are manual input controls, whereas data mapping deals with automatic integration of data in the receiving company.	MOCKDISA	2,356	13	MOCKDISA
156. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be the IS auditor's main concern about the new process?	A. Are key controls in place to protect assets and information resources?	B. Does it address the corporate customer requirements?	C. Does the system meet the performance goals (time and resources)?	D. Have owners been identified who will be responsible for the process?	a	The audit team must advocate the inclusion of key controls and verify that they are in place before implementing the new process. Choices B, C, and D are objectives that the BPR process should achieve, but they are not the auditor's primary concern.	MOCKDISA	2,357	201	MOCKDISA
157. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:	A. Payroll reports should be compared to input forms.	B. Gross payroll should be recalculated manually.	C. Checks (cheques) should be compared to input forms.	D. Checks (cheques) should be reconciled with output reports.	a	Comparing payroll reports with input forms is the best way to confirm data accuracy when input is provided by the company and output is generated by the bank. Recalculating gross payroll manually would only verify whether the processing is accurate, not the data accuracy of inputs. Comparing checks (cheques) to input forms is not feasible, as checks (cheques) contain processed information and input forms contain input data. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports.	MOCKDISA	2,358	33	MOCKDISA
158. A data validation edit that matches input data to an occurrence rate is a:	A. Limit check	B. Reasonableness check	C. Range check	D. Validity check	b	A reasonableness check matches input data to predetermined reasonable limits or occurrence rates. Limit checks verify data do not exceed a predetermined amount. Range checks verify data are within a predetermined range. Validity checks test data validity according to predetermined criteria.	MOCKDISA	2,359	172	MOCKDISA
159. A data warehouse is:	A. Object-oriented	B. Subject-oriented	C. Departmental specific	D. A volatile database	b	Data warehouses are subject-oriented, designed to support decision-making across departments within an organization. They are nonvolatile and store historical data. Object orientation and volatility are not characteristics of data warehouses.	MOCKDISA	2,360	40	MOCKDISA
160. A debugging tool, which reports on the sequence of steps executed by a program, is called a(n):	A. Output analyzer	B. Memory dump	C. Compiler	D. Logic path monitor	d	A logic path monitor reports on the sequence of steps executed by a program, helping programmers identify logic errors. An output analyzer checks program results against expected outcomes. A memory dump captures the content of a computer's memory at a specific point, useful for diagnosing system crashes or errors. A compiler translates code into machine-readable format but isn't primarily a debugging tool.	MOCKDISA	2,361	84	MOCKDISA
161. A decision support system (DSS):	A. is aimed at solving highly structured problems.	B. combines the use of models with nontraditional data access and retrieval functions.	C. emphasizes flexibility in the decision-making approach of users.	D. supports only structured decision-making tasks.	c	DSS emphasizes flexibility in the decision-making approach of users. It is aimed at solving less-structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semi-structured decision-making tasks.	MOCKDISA	2,362	71	MOCKDISA
162. Which of the following is a check (control) for completeness?	A. Check digits	B. Parity bits	C. One-for-one checking	D. Prerecorded input	b	Parity bits are used to check for completeness of data transmissions. Choice A (check digits) verifies accuracy, not completeness. Choice C (one-for-one checking) matches documents but does not ensure all are received. Choice D (prerecorded input) reduces input errors but isn't a completeness check.	MOCKDISA	2,363	134	MOCKDISA
163. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?	A. Check digit	B. Existence check	C. Completeness check	D. Reasonableness check	c	A completeness check verifies if a field contains data and not zeros or blanks. A check digit ensures data integrity. An existence check confirms data presence. A reasonableness check compares data against expected values.	MOCKDISA	2,364	151	MOCKDISA
164. Which of the following types of controls is designed to provide the ability to verify data and record values through the stages of application processing?	A. Range checks	B. Run-to-run totals	C. Limit checks on calculated amounts	D. Exception reports	b	Run-to-run totals verify data values through application processing stages, ensuring data acceptance and updates.	MOCKDISA	2,365	154	MOCKDISA
165. The editing/validation of data entered at a remote site would be performed MOST effectively at the:	A. central processing site after running the application system.	B. central processing site during the running of the application system.	C. remote processing site after transmission of the data to the central processing site.	D. remote processing site prior to transmission of the data to the central processing site.	d	Editing data at the remote site before transmission ensures errors are caught early, reducing processing overhead and ensuring data integrity.	MOCKDISA	2,366	131	MOCKDISA
166. To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is:	A. during data preparation.	B. in transit to the computer.	C. between related computer runs.	D. during the return of the data to the user department.	a	Implementing control totals during data preparation is crucial to catch errors early and maintain data integrity throughout processing.	MOCKDISA	2,367	204	MOCKDISA
167. Functional acknowledgements are used:	A. as an audit trail for EDI transactions.	B. to functionally describe the IS department.	C. to document user roles and responsibilities.	D. as a functional description of application software.	a	Functional acknowledgements in EDI serve as audit trails confirming receipt of electronic documents between trading partners.	MOCKDISA	2,368	47	MOCKDISA
168. The impact of EDI on internal controls will be:	A. that fewer opportunities for review and authorization will exist.	B. an inherent authentication.	C. a proper distribution of EDI transactions while in the possession of third parties.	D. that IPF management will have increased responsibilities over data center controls.	a	EDI streamlines processes but reduces manual intervention, potentially reducing opportunities for review and authorization.	MOCKDISA	2,369	132	MOCKDISA
169. Sales orders are automatically numbered sequentially at each of a retailer's multiple outlets. Small orders are processed directly at the outlets, with large orders sent to a central production facility. The MOST appropriate control to ensure that all orders transmitted to production are received and processed would be to:	A. send and reconcile transaction counts and totals.	B. have data transmitted back to the local site for comparison.	C. compare data communications protocols with parity checking.	D. track and account for the numerical sequence of sales orders at the production facility.	a	Reconciling transaction counts and totals ensures all orders sent to production are received and processed, maintaining accuracy and completeness.	MOCKDISA	2,370	156	MOCKDISA
170. Which of the following ensures completeness and accuracy of accumulated data?	A. Processing control procedures	B. Data file control procedures	C. Output controls	D. Application controls	a	Processing control procedures ensure completeness and accuracy of accumulated data through processes like editing and run-to-run totals.	MOCKDISA	2,371	30	MOCKDISA
171. A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:	A. reasonableness check.	B. parity check.	C. redundancy check.	D. check digits.	c	A redundancy check detects transmission errors by appending calculated bits onto data segments. It ensures data integrity during transmission.	MOCKDISA	2,372	60	MOCKDISA
172. Which of the following integrity tests examines the accuracy, completeness, consistency and authorization of data?	A. Data	B. Relational	C. Domain	D. Referential	a	Data integrity testing examines accuracy, completeness, consistency, and authorization of data, ensuring data quality and reliability.	MOCKDISA	2,373	120	MOCKDISA
173. Which of the following data validation edits is effective in detecting transposition and transcription errors?	A. Range check	B. Check digit	C. Validity check	D. Duplicate check	b	Check digits are appended to data to detect transposition and transcription errors by ensuring original data integrity.	MOCKDISA	2,374	190	MOCKDISA
174. Which of the following data validation edits could be used by a bank, to ensure the accuracy of bank account numbers assigned to customers, thereby helping to avoid transposition and transcription errors?	A. Sequence check	B. Validity check	C. Check digit	D. Existence check	c	Check digits verify bank account number accuracy by preventing transposition and transcription errors.	MOCKDISA	2,375	181	MOCKDISA
175. During an application audit, the IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?	A. Implement data backup and recovery procedures.	B. Define standards	C. Monitor for compliance	D. Authorize database updates	a	Implementing data backup and recovery procedures is a corrective control to address corrupted data by restoring from backups.	MOCKDISA	2,376	58	MOCKDISA
176. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?	A. Log all table update transactions.	B. Implement before-and-after image reporting.	C. Use tracing and tagging	D. Implement integrity constraints	d	Implementing integrity constraints in the database prevents out-of-range data by enforcing predefined rules or tables for data entry.	MOCKDISA	2,377	86	MOCKDISA
177. When assessing the portability of a database application, the IS auditor should verify that:	A. a structured query language (SQL) is used.	B. information import and export procedures exist with other systems.	C. indexes are used.	D. all entities have a significant name and identified primary and foreign keys.	a	Using a structured query language (SQL) ensures database application portability across different systems and environments.	MOCKDISA	2,378	56	MOCKDISA
178. In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:	A. isolation.	B. consistency.	C. atomicity.	D. durability.	c	Atomicity ensures that a transaction is fully completed or fully rolled back in case of failure, maintaining data integrity in online transaction processing systems.	MOCKDISA	2,379	99	MOCKDISA
179. Which of the following would help to ensure the portability of an application connected to a database? The:	A. verification of database import and export procedures.	B. usage of a structured query language (SQL).	C. analysis of stored procedures/triggers.	D. synchronization of the entity-relation model with the database physical schema.	b	Using a structured query language (SQL) facilitates application portability by standardizing database interactions across different platforms.	MOCKDISA	2,380	141	MOCKDISA
180. A single digitally signed instruction was given to a financial institution to credit a customer's account. The financial institution received the instruction three times and credited the account three times. Which of the following would be the MOST appropriate control against such multiple credits?	A. Encrypting the hash of the payment instruction with the public key of the financial institution	B. Affixing a time stamp to the instruction and using it to check for duplicate payments	C. Encrypting the hash of the payment instruction with the private key of the instructor	D. Affixing a time stamp to the hash of the instruction before having it digitally signed by the instructor	b	Affixing a time stamp to the instruction prevents duplicate payments by ensuring uniqueness of each transaction instance, avoiding multiple credits due to replay attacks.	MOCKDISA	2,381	63	MOCKDISA
181. An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action?	A. Analyze the need for the structural change.	B. Recommend restoration to the originally designed structure.	C. Recommend the implementation of a change control process.	D. Determine if the modifications were properly approved.	d	The IS auditor should first determine if the modifications were properly approved before deciding on further actions.	MOCKDISA	2,382	68	MOCKDISA
182. An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated?	A. Consistency	B. Isolation	C. Durability	D. Atomicity	d	Atomicity ensures that either the entire transaction is processed or none of it, ensuring data integrity. Partial execution without rollback violates this principle.	MOCKDISA	2,383	39	MOCKDISA
183. The BEST method of proving the accuracy of a system tax calculation is by:	A. detailed visual review and analysis of the source code of the calculation programs.	B. recreating program logic using generalized audit software to calculate monthly totals.	C. preparing simulated transactions for processing and comparing the results to predetermined results.	D. automatic flowcharting and analysis of the source code of the calculation programs.	c	Simulating transactions and comparing results to expected outcomes is the most effective method to ensure accuracy in tax calculations.	MOCKDISA	2,384	204	MOCKDISA
184. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?	A. Personally delete all copies of the unauthorized software.	B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.	C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.	D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.	c	Reporting unauthorized software use and recommending prevention to management is appropriate to address compliance and risk.	MOCKDISA	2,385	81	MOCKDISA
185. Which of the following is the GREATEST challenge in using test data?	A. Ensuring the program version tested is the same as the production program	B. Creating test data that covers all possible valid and invalid conditions	C. Minimizing the impact of additional transactions on the application being tested	D. Processing the test data under an auditor's supervision	b	Creating comprehensive test data that covers all possible scenarios is crucial to effectively testing system controls.	MOCKDISA	2,386	20	MOCKDISA
186. The BEST method of proving the accuracy of a system tax calculation is by:	A. detailed visual review and analysis of the source code of the calculation programs.	B. recreating program logic using generalized audit software to calculate monthly totals.	C. preparing simulated transactions for processing and comparing the results to predetermined results.	D. automatic flowcharting and analysis of the source code of the calculation programs.	c	Simulating transactions and comparing results to expected outcomes is the most effective method to ensure accuracy in tax calculations.	MOCKDISA	2,387	124	MOCKDISA
187. Which of the following would BEST support 24/7 availability?	A. Daily backup	B. Offsite storage	C. Mirroring	D. Periodic testing	c	Mirroring ensures continuous availability by maintaining real-time duplicate copies of critical data or systems.	MOCKDISA	2,388	45	MOCKDISA
188. The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:	A. achieve performance improvement.	B. provide user authentication.	C. ensure availability of data.	D. ensure the confidentiality of data.	c	RAID level 1 (mirroring) ensures data availability by maintaining duplicate copies of data across disks.	MOCKDISA	2,389	37	MOCKDISA
189. Which of the following is the MOST important criterion for the selection of a location for an offsite storage facility for IS backup files? The offsite facility must be:	A. physically separated from the data center and not subject to the same risks.	B. given the same level of protection as that of the computer data center.	C. outsourced to a reliable third party.	D. equipped with surveillance capabilities.	a	Offsite storage should be physically separate from the data center to mitigate risks affecting both locations simultaneously.	MOCKDISA	2,390	171	MOCKDISA
190. If a database is restored using before-image dumps, where should the process be started following an interruption?	A. Before the last transaction	B. After the last transaction	C. As the first transaction after the latest checkpoint	D. As the last transaction before the latest checkpoint	a	Restoring from before-image dumps requires starting before the last transaction to ensure data consistency from the dump point.	MOCKDISA	2,391	90	MOCKDISA
191. In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?	A. Maintaining system software parameters	B. Ensuring periodic dumps of transaction logs	C. Ensuring grandfather-father-son file backups	D. Maintaining important data at an offsite location	b	Periodic dumps of transaction logs are crucial for preserving timely historical data in online systems, given the high volume of activity.	MOCKDISA	2,392	147	MOCKDISA
192. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?	A. The previous day's backup file and the current transaction tape	B. The previous day's transaction file and the current transaction tape	C. The current transaction tape and the current hard copy transaction log	D. The current hard copy transaction log and the previous day's transaction file	a	Using the previous day's backup and the current day's transaction tape allows full recovery up to the interruption point, covering both historical and current data.	MOCKDISA	2,393	1	MOCKDISA
193. An offsite information processing facility:	A. should have the same amount of physical access restrictions as the primary processing site.	B. should be easily identified from the outside so that, in the event of an emergency, it can be easily found.	C. should be located in proximity to the originating site, so it can quickly be made operational.	D. need not have the same level of environmental monitoring as the originating site.	a	Offsite facilities should maintain equivalent physical access restrictions to ensure security parity with the primary site.	MOCKDISA	2,394	67	MOCKDISA
194. An IS auditor performing a review of the backup processing facilities should be MOST concerned that:	A. adequate fire insurance exists.	B. regular hardware maintenance is performed.	C. offsite storage of transaction and master files exists.	D. backup processing facilities are fully tested.	c	Offsite storage of transaction and master files is critical for recovery; without it, full restoration may be impossible in case of data loss.	MOCKDISA	2,395	4	MOCKDISA
195. Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist?	A. Reviewing program code	B. Reviewing operations documentation	C. Turning off the UPS, then the power	D. Reviewing program documentation	b	Operations documentation typically includes detailed recovery and restart procedures, providing the best insight into an organization's readiness for disruptions.	MOCKDISA	2,396	100	MOCKDISA
196. A company performs full backup of data and programs on a regular basis. The primary purpose of this practice is to:	A. maintain data integrity in the applications.	B. restore application processing after a disruption.	C. prevent unauthorized changes to programs and data.	D. ensure recovery of data processing in case of a disaster.	b	Full backups enable restoring application processing to a previous state following disruptions.	MOCKDISA	2,397	71	MOCKDISA
197. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?	A. There are three individuals with a key to enter the area.	B. Paper documents are also stored in the offsite vault.	C. Data files that are stored in the vault are synchronized.	D. The offsite vault is located in a separate facility.	c	Lack of synchronization in data files stored offsite could compromise data integrity during recovery efforts.	MOCKDISA	2,398	194	MOCKDISA
198. Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:	A. database integrity checks.	B. validation checks.	C. input controls.	D. database commits and rollbacks.	d	Database commits ensure data persistence, while rollbacks protect against incomplete transaction processing, preserving transaction integrity.	MOCKDISA	2,399	13	MOCKDISA
199. When developing a backup strategy, the FIRST step is to:	A. identify the data.	B. select the storage location.	C. specify the storage media.	D. define the retention period.	a	Identifying critical data is the initial step in creating a comprehensive backup strategy, ensuring essential data is safeguarded.	MOCKDISA	2,400	33	MOCKDISA
200. To provide protection for media backup stored at an offsite location, the storage site should be:	A. located on a different floor of the building.	B. easily accessible by everyone.	C. clearly labeled for emergency access.	D. protected from unauthorized access.	d	Offsite storage locations must be secured against unauthorized access to safeguard backup media integrity and confidentiality.	MOCKDISA	2,401	137	MOCKDISA
The primary purpose and existence of an audit charter is to:	Document the audit process used by the enterprise	Formally document the audit department’s plan of action.	Document a code of professional conduct for the auditor.	Describe the authority and responsibilities of the audit department	d	It is like the constitution for the IS Audit function as it mandates the authority, scope and responsibility of IS Audit in the organization.	M1C1	1	107.000	M1C1
Which of the following control classifications identify the cause of a problem and minimize the impact of threat	Administrative Controls	Detective Controls	Preventive Controls	Corrective Controls	d	Corrective Controls classifications identify the cause of a problem and minimize the impact of threat. The Goal of these controls is to identify the root cause of an issue whenever possible and eliminate the potential for that occurring again. The other controls are useful but perform other functions instead.	M1C1	2	169.000	M1C1
Which of the following is NOT generally considered a category of Audit Risk?	Detection Risk	Scoping Risk	Inherent Risk	Control Risk	b	Scoping risk is not generally considered as a category of audit risk. The other risk categories are also possible types of risk; however, they are not the one that the question demands.	M1C1	3	79.000	M1C1
Which of the following are most commonly used to mitigate risks discovered by organizations?	Controls	Personnel	Resources	Threats	a	Controls are most commonly used to mitigate risks discovered by organizations. This is what organizations implement as a result of the risks an organization discovers. Resources and personnel are often expended to implement controls.	M1C1	4	88.000	M1C1
Which of the following is not a type of internal controls?	Detective	Corrective	Preventive	Administrative	d	Administrative is not a type of internal controls. Detective is designed to detect errors or irregularities that may have occurred. Corrective is designed to correct errors or irregularities that have been detected. Preventive is designed to keep errors or irregularities from occurring.	M1C1	5	109.000	M1C1
What means the rate at which opinion of the IS Auditor would change if he selects a larger sample size?	Audit Risk	Materiality	Risk Based Audit	Controls	a	Audit risk means the rate at which the opinion of the IS Auditor would change if he selects a larger sample size. Audit risk can be high, moderate, or low depending on the sample size selected by the IS Auditor. A risk-based audit approach is usually adapted to develop and improve the continuous audit process. Materiality means the importance of information to the users. It is totally the matter of the professional judgment of the IS Auditor to decide whether the information is material or immaterial.	M1C1***	6	158.000	M1C1***
Which of the following cannot be classified as Audit Risk?	Inherent Risk	Detection Risk	Controllable Risk	Administrative Risk	d	Inherent risk means overall risk of management which is on account of entity’s business operations as a whole. Controllable risk is the risk present in the internal control system and the enterprise can control this risk completely and eliminate it from the system. Detection risk is the risk of the IS Auditor when he is not able to detect the inherent risk or the controllable risk.	M1C1	7	89.000	M1C1
After you enter a purchase order in an on-line system, you get the message, “The request could not be processed due to lack of funds in your budget”. This is an example of error?	Detection	Correction	Prevention	Recovery	c	To stop or prevent a wrong entry is a function of error prevention. Rest all options work after an error. Prevention works before an occurring of error.	M1C1	8	120.000	M1C1
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:	controls needed to mitigate risks are in place.	vulnerabilities and threats are identified.	audit risks are considered.	a gap analysis is appropriate	b	In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. Gap analysis would normally be done to compare the actual state to an expected or desirable state.	M1C1***	9	143.000	M1C1***
Reviewing management's long-term strategic plans helps the IS auditor:	Gains an understanding of an organization's goals and objectives.	Tests the enterprise's internal controls.	Assess the organization's reliance on information systems.	Determine the number of audit resources needed.	a	Strategic planning sets corporate or departmental objectives into motion. Reviewing long-term strategic plans would not achieve the objectives expressed by the other choices.	M1C1	10	8.000	M1C1
Which of the following forms of evidence would be considered to be the most reliable when assisting an IS Auditor develop audit conclusion?	A confirmation letter received from a third party for the verification of an account balance.	Assurance via a control self-assessment received from the management that an application is working as designed.	Trend data obtained from WorldWideWeb (Internet) sources.	Ratio analysis developed by an IS Auditor from reports supplied by line management	a	The IS Auditor requires documented evidence to be submitted during audit procedures. Control self-assessment though is a good control but it cannot work as evidence. Trend and ratio analysis can be used to justify some conclusion but cannot be considered as conclusive evidence whereas a confirmation letter is.	M1C2	11	72.000	M1C2
During the review of the controls over the process of defining IT service levels, an IS Auditor would most likely interview the	Systems programmer	Legal Staff	Business Unit Manager	Programmer	c	Business unit manager is the owner of that business unit and is the right authority to provide the required information in this context. The first point of interview should be with the person related to business, not the programmer or legal staff.	M1C2	12	145.000	M1C2
Which of the following procedures would an IS Auditor not perform during pre-audit planning to gain an understanding of the overall environment under review?	Tour Key organization activities	Interview key members of management to understand business risks	Perform compliance tests to determine if regulatory requirements are met	Review prior audit reports	c	During pre-audit planning, there is no question of doing any compliance test. Compliance tests start during the process of audit. All other options are processes of collecting information during the pre-audit process.	M1C2	13	98.000	M1C2
The first step the IS Audit Manager should take when preparing the annual IS audit plan is to:	Meet with the audit committee members to discuss the IS audit plan for the upcoming year	Ensure that the IS audit staff is competent in areas that are likely to appear on the plan and provide training as necessary.	Perform a risk ranking of the current and proposed application systems to prioritize the IS audits to be conducted.	Begin with the prior year's IS audit plan and carry over any IS audits that had not been accomplished.	c	IS audit services should be expended only if the risk warrants it. Answers a, b, and d occur after c has been completed. Answer "b" is NOT correct because the IS Audit Manager does not know what areas are to appear on the IS audit plan until a risk analysis is completed and discussions are held with the audit committee members. Answer "a" is NOT correct because the IS Audit Manager would not meet with the audit committee until a risk analysis of areas of exposure has been completed. Answer "d" is NOT correct because a risk analysis would be the first step before any IS audit services are expended.	M1C2	14	2.000	M1C2
The purpose of compliance tests is to provide reasonable assurance that:	Controls are working as prescribed.	Documentation is accurate and current.	The duties of users and data processing personnel are segregated.	Exposures are defined and quantified.	a	Compliance tests determine whether prescribed controls are working. Answer "b" is NOT the best choice since current and accurate documentation may be a good procedure but it is only one type of control procedure, therefore, answer a is a better choice as more control procedures are evaluated. Answer "c" is NOT the best choice because segregation of duties is only one type of control procedure, therefore, answer a is a better choice as more control procedures are evaluated. Answer "d" is NOT the correct choice. Exposures are defined and quantified to determine audit scope. Compliance tests provide reasonable assurance that controls are working as prescribed.	M1C2	15	116.000	M1C2
IS Auditors are most likely to perform tests of internal controls if, after their evaluation of such controls, they conclude that:	A substantive approach to the audit are cost-effective	The control environment is poor.	Inherent risk is low.	Control risks are within the acceptable limits.	b	IS auditor will most probably perform the test of internal control when the control environment is poor. When inherent risks are low and control risks are within acceptable limit, likelihood of testing internal controls gets reduced. Concluding the cost-effectiveness of substantive approach is not the outcome of testing internal controls.	M1C2	16	5.000	M1C2
Which of the following is the least important factor in determining the need for an IS Auditor to be involved in a new system development project?	The cost of the system	The value of the system to the organization.	The potential benefits of the system.	The number of lines of code to be written.	d	The size financial of the system is the least important of the factors listed. All other factors have specific implications and an IS Auditor can be used to help mitigate the risk to the corporation with the development of a new system.	M1C2	17	9.000	M1C2
Each of the following is a general control concern EXCEPT:	Organization of the IS Department.	Documentation procedures within the IS Department.	Balancing of daily control totals.	Physical access controls and security measures.	c	Balancing of daily control totals relates to specific applications and is not considered an overall general control concern. Answer "b" is NOT the best answer since documentation procedures within the IS Department are an important general control concern. Answer "a" is NOT the best answer since organization of the IS Department is an important general control concern. Answer "d" is NOT the best answer since physical access controls and security measures are important general control concerns.	M1C2	18	23.000	M1C2
Which of the following types of audits requires the highest degree of technical expertise?	Systems software audits	General controls reviews	Microcomputer application audits	Mainframe application audits	a	The IS Auditor needs specialized education in hardware and operating systems software for systems software audits. Answers b, c, and d can be performed when an IS Auditor has a basic level of technical knowledge and usually requires no special training.	M1C2	19	40.000	M1C2
A manufacturing company has implemented a new client/server system enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following controls would BEST ensure that the orders are accurately entered and the corresponding products produced?	Verifying production to customer orders	Logging all customer orders in the ERP system	Using hash totals in the order transmitting process	Approving (production supervisor) orders prior to production	a	Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time-consuming manual process that does not guarantee proper control.	M1C2	20	145.000	M1C2
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Identification of exceptional transactions based upon set criteria	Projections on future trends for specific parameters	Carrying out employees’ reference checks	Carry out employee appraisals	a	One of the many key tests that can be carried out by CAATs is identification of exceptional transactions based upon set criteria. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.	M1C3***	21	51.000	M1C3***
Find out the best process carried out using Computer Assisted Audit Tools (CAATs)?	Carry out employee appraisals of Information Systems Assurances Services	Identify potential areas of fraud	Projections on future trends for specific parameters	Carrying out employees’ reference checks	b	One of the many key tests that can be carried out by CAATs is identification of potential areas of fraud. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, C and D above.	M1C3***	22	137.000	M1C3***
What can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Carry out employee appraisals	Projections on future trends for specific parameters	Identify data which is inconsistent or erroneous	Carrying out employees’ reference checks	c	One of the many key tests that can be carried out by CAATs is identification of data which is inconsistent or erroneous. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, B and D above. Hence, option C is correct.	M1C3	23	23.000	M1C3
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools?	Carry out employee appraisals	Projections on future trends for specific parameters	Carrying out employees’ reference checks	Perform various types of statistical analysis	d	One of the many key tests that can be carried out by CAATs is the carrying out of various types of statistical analysis which could throw up areas of inconsistencies, defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A to C above. Hence, option D is correct.	M1C3***	24	22.000	M1C3***
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Establishing whether the set controls are working as prescribed	Carry out employee appraisals	Projections on future trends for specific parameters	Estimation of competitor activity	a	One of the many key tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above.	M1C3	25	125.000	M1C3
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Carry out market surveys for a new product launch	Establishing relationship between two or more areas & identify duplicate transactions	Projections on future trends for specific parameters	Estimation of competitor activity	b	One of the many key tests that can be carried out by CAATs is establishing relationship between two or more areas & identify duplicate transactions. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options A, C and D above.	M1C3	26	188.000	M1C3
Which is one of the most effective tools and techniques to combat fraud?	Computer Assisted Audit Techniques (CAAT)	Threats of severe punishment	Validation by the I.T. dept. of the police	Use of authenticated hard copies	a	CAAT is one of the tools useful for carrying out the detection of suspicious transactions as a preemptive or post-fraud activity. Hence, answer at Option A is correct.	M1C3	27	196.000	M1C3
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to review the data processing files for possible duplicate payments. Which of the following techniques/tools would be useful to the IS Auditor?	An integrated test facility	Statistical sampling	Generalized audit software	The Audit Review File	c	Generalized Audit software is mainly used to find duplicate data. Options A and D are online application audit tools and statistical sampling may not be able to find duplicates.	M1C3***#	28	88.000	M1C3***#
Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools impact the systems performance with a greater load and stress on the system?	Test data generators	Statistical software packages	Test drivers	Network traffic analyzers	b	Statistical software packages use all data resources impacting the processing time and response time. Network traffic analyzers also use the system resources but not putting stress on production data. Test data generator is not resource-intensive and test drivers are for specific use without impacting much resources.	M1C3***	29	76.000	M1C3***
The most appropriate type of CAAT tool the auditor should use to test security configuration settings for the entire application systems of any organization is:	Generalized Audit Software	Test Data	Utility Software	Expert System	c	Utility Software would be most appropriate for testing security configuration settings as it is designed to handle such tasks effectively.	M1C3***	30	105.000	M1C3***
Application controls shall include all except	Application controls are a subset of internal controls.	The purpose is to collect timely, accurate and reliable information.	It is part of the IS Auditor’s responsibility to implement the same.	It is part of business application software.	c	Represents what auditor’s verifies but not that what he/she implements. Rest is part of definition and purpose of application controls.	M1C4	31	77.000	M1C4
As per Income Tax Act, 1961 and banking norms, all fixed deposit holders of bank need to submit their PAN or form 60/61 (a form as per Income Tax Act/Rules). Bank in its account opening form, has not updated the need for form 60/61 in case PAN is not there. This defines which control lapse as per COBIT.	Source Data Preparation and Authorization	Source Data Collection and Entry	Accuracy, Completeness and Authenticity Checks	Processing Integrity and Validity	a	Source data capture is not proper. Ensure that source documents are prepared by authorized and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimized through good input form design.	M1C4***	32	128.000	M1C4***
In a public sector bank while updating master data for advances given, the bank employee does not update “INSURANCE DATA”. This includes details of Insurance Policy, Amount Insured, Expiry Date of Insurance and other related information. This defines which control lapse as per COBIT.	Source Data Preparation and Authorization	Source Data Collection and Entry	Accuracy, Completeness and Authenticity Checks	Processing Integrity and Validity	c	Ensure transactions are accurate, complete, and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.	M1C4	33	151.000	M1C4
An IS Auditor observed that users are occasionally granted the authority to change system data. The elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS Auditor most likely recommend for long term resolution?	Redesign the controls related to data authentication	Implement additional segregation of duties controls	Review policy to see if a formal exception process is required	Implement additional logging controls	c	When an exception is a regular requirement, modify the policy accordingly.	M1C4	34	78.000	M1C4
An IS Auditor processes a dummy transaction to check whether the system is allowing cash payments in excess of Rs. 20,000/-. This check by auditor represents which of the following evidence collection technique?	Inquiry and confirmation	Re-calculation	Inspection	Re-performance	d	IS Auditor may process test data on application controls to see how it responds.	M1C4	35	168.000	M1C4
An IS Auditor is performing a post-implementation review of an organization’s system and identified output errors within an accounting application. The IS Auditor determined that this was caused by input errors. Which of the following controls should the IS Auditor recommend to management?	Recalculations	Limit Checks	Run-to-run total	Reconciliation	d	For finding the anomaly between input and output, reconciliation is the best option.	M1C4***	36	187.000	M1C4***
RBI instructed banks to stop cash retraction in all ATMs across India from April 1, 013. This was a result of a few ATM frauds detected. This action by RBI can be best classified as:	Creation	Rectification	Repair	None of above	b	Action by RBI is based on fraud detection and is rectifying a detected issue.	M1C4	37	190.000	M1C4
A central antivirus system determines whether each personal computer has the latest signature files and installs the latest signature file before allowing a PC to connect to the network. This is an example of a:	Directive Control	Corrective Control	Compensating Control	Detective Control	b	B. is the correct answer. After detecting the deficiency, it is correcting the situation hence it is a corrective control.	M1C4	38	42.000	M1C4
Company’s billing system does not allow billing to those dealers who have not paid advance amount against proforma invoice. This check is best called as:	Limit Check	Dependency Check	Range Check	Duplicate Check	b	Dependency check is one where the value of one field is related to that of another.	M1C4	39	57.000	M1C4
While posting a message on FACEBOOK, if the user posts the same message again, FACEBOOK gives a warning. The warning indicates which control?	Limit Check	Dependency Check	Range Check	Duplicate Check	d	This is a duplicate check.	M1C4	40	4.000	M1C4
Which of the following business purposes can be met by implementing Data warehouse in an organisation?	Business continuity can be ensured in case of disaster.	Data in the data warehouse can work as a backup.	The data in the warehouse can be used for meeting regulatory requirements.	Business decisions can be taken and future policies can be framed based on actual transactional data.	d	The primary purpose of a data warehouse is to support business decisions and formulate future policies based on analyzed transactional data. It is not intended for backup, business continuity, or regulatory compliance.	M1C5	41	133.000	M1C5
Which of the following is a characteristic of a decision support system (DSS)?	DSS is aimed at solving highly structured problem.	DSS combines the use of models with non-traditional data access and retrieval functions.	DSS emphasizes flexibility in decision making approach of users.	DSS supports only structured decision-making tasks.	b	A key characteristic of DSS is its use of models along with non-traditional data access and retrieval functions, providing flexibility in decision-making processes.	M1C5	42	125.000	M1C5
Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?	Integrated test facility (ITF)	Continuous and intermittent simulation (CIS)	Audit hooks	Snapshots	d	Snapshots are useful for capturing evidence through image capturing, making them highly valuable when an audit trail is needed. ITF and CIS serve different purposes related to test transactions and selective process examination, respectively.	M1C5	43	159.000	M1C5
A retail company recently installed data warehousing client software in multiple, geographically diverse sites. Due to time zone differences between the sites, updates to the warehouse are not synchronized. This will affect which of the following most?	Data availability	Data completeness	Data redundancy	Data accuracy	b	Synchronization issues due to time zone differences impact data completeness, as updates may not reflect all transactions from different locations simultaneously, leading to incomplete data for decision-making purposes.	M1C5	44	17.000	M1C5
The cashier of a company has rights to create bank master in TALLY. This error is a reflection of poor definition for which type of control:	User Controls	Application Control	Input Control	Output Control	a	The issue described reflects poor user controls, indicating inadequate definition and management of user profiles based on roles and responsibilities.	M1C5	45	133.000	M1C5
An employee has left the company. The first thing to do is to:	Hire a replacement employee.	Disable his/her access rights.	Ask the employee to clear all dues/advances.	Escort employee out of company premises.	b	Disabling access rights of the departed employee is crucial to prevent unauthorized access and potential fraud. Other actions may follow but are not immediate priorities.	M1C5	46	4.000	M1C5
As part of auditing Information Security of a multinational bank, an auditor wants to assess the security of information in ATM facilities. Under which privacy policy should he look for details pertaining to security guards and CCTV surveillance of ATMs?	Physical Access and Security Policy	Acceptable use of Information Assets Policy	Asset Management Policy	Business Continuity Management Policy	a	Physical security policies encompass measures like CCTV surveillance and security guard protocols, which are essential for securing physical facilities such as ATMs.	M1C5***	47	180.000	M1C5***
Neural Networks and Fuzzy Logics are classified under which category of Artificial intelligence?	Cognitive Science	Robotics	Natural Sciences	Virtual Reality	a	Neural Networks and Fuzzy Logics fall under Cognitive Science, focusing on human brain processes and learning, integral to AI applications like Expert Systems and Learning Systems.	M1C5	48	37.000	M1C5
In an inter school competition on Artificial Intelligence, four children develop software which performs the following different functions respectively. Which of them is a correct example of the use of basic Artificial Intelligence?	Predictive & self-learning word-processing software	A calculation software which arrives at the arithmetic total of figures keyed in	A password system which allows access based upon keying in of the correct password	A software which rejects invalid dates like 32nd March 2019.	a	The word-processing software demonstrates basic AI by suggesting and learning from user input, unlike the other options which perform simple, non-learning tasks.	M1C5	49	115.000	M1C5
Which are the business activities which are strong contenders for conversion to e-commerce?	Those that are paper-based, time consuming & inconvenient for customers	Those relating to software development	Those relating to the ‘electronic’ aspects of commerce	Those that are not paper-based, speedy & convenient for customers.	a	E-commerce benefits most from converting paper-based, cumbersome activities to online operations, enhancing convenience and efficiency for customers.	M1C5	50	23.000	M1C5
Which of the following factors should not be considered in establishing the priority of audits included in an annual audit plan?	Prior audit findings	The time period since the last audit	Auditee procedural changes	Use of audit software	d	The use of audit software is a technique rather than a factor influencing the priority of audits in the annual plan.	M1C6	51	131.000	M1C6
Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application systems?	Volume of transactions	Likelihood of error	Value of transactions	Extent of existing controls	b	Errors, while relevant, are less directly linked to assessing fraud risk compared to transaction volume, value, and control effectiveness.	M1C6***	52	131.000	M1C6***
An IS auditor discovers evidence of fraud perpetrated with a manager's user ID. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the:	Manager’s assistant perpetrated the fraud.	Perpetrator cannot be established beyond doubt.	Fraud must have been perpetrated by the manager.	System administrator perpetrated the fraud.	b	Weak password controls mean other scenarios are possible; the evidence doesn't conclusively implicate anyone.	M1C6	53	134.000	M1C6
Which of the following situations would increase the likelihood of fraud?	Application programmers are implementing changes to production programs.	Application programmers are implementing changes to test programs.	Operations support staff are implementing changes to batch schedules.	Database administrators are implementing changes to data structures.	a	Changes to production programs can impact live data processing, presenting a greater fraud risk if controls are inadequate.	M1C6***	54	123.000	M1C6***
Neural networks are effective in detecting fraud, because they can:	Discover new trends since they are inherently linear.	Solve problems where large and general sets of training data are not obtainable.	Attack problems that require consideration of a large number of input variables.	Make assumptions about the shape of any curve relating variables to the output.	c	Neural networks excel at handling complex problems with numerous input variables, aiding in detecting patterns indicative of fraud.	M1C6***	55	135.000	M1C6***
The FIRST step in managing the risk of a cyber-attack is to:	Assess the vulnerability impact.	Evaluate the likelihood of threats.	Identify critical information assets.	Estimate potential damage.	c	Identifying and prioritizing critical information assets is fundamental to understanding cyber risks before assessing vulnerabilities and threats.	M1C6	56	199.000	M1C6
Which of the following refers to imaging of original media in presence of an independent third party?	Identify	Preserve	Analyze	Present	b	Preservation involves imaging original media in the presence of a third party to maintain the integrity and authenticity of evidence.	M1C6	57	132.000	M1C6
As a measure of IT General controls, an organization decides to separate those who can input data from those that can reconcile or approve data. Is this a good move? Why?	Yes, it is a good move; it can help prevent unauthorized data entry.	No, it is not a good move; the person who inputs the data is the best person to approve the data too.	Yes, it is a good move; inputting data & reconciling data requires different skills.	No, it is not a good move; data entry errors would be compounded.	a	Segregation of duties reduces fraud risk by preventing one person from both entering and approving data independently, enhancing control and accuracy.	M1C6	58	58.000	M1C6
A holistic approach to deterrence & prevention of fraud would be:	Strengthening of Governance and Management framework	Focusing on integrity of new recruits	Establishing severe punishment for fraud	Compensating employees adequately to minimize temptation	a	Strengthening governance and management frameworks provides a comprehensive approach to fraud prevention, addressing root causes and organizational integrity.	M1C6	59	29.000	M1C6
After initial investigation, an IS auditor has reasons to believe that there is a possibility of fraud, the IS auditor has to:	Expand activities to determine whether an investigation is warranted.	Report the matter to the audit committee.	Report the possibility of fraud to top management and ask how they would like to proceed.	Consult with external legal counsel to determine the course of action to be taken.	a	Upon detecting fraud indicators, the IS auditor's initial step is to gather further evidence and determine if an investigation is necessary before escalating to management or legal counsel.	M1C6	60	183.000	M1C6
The primary purpose and existence of an audit charter is to:	Document the audit process used by the enterprise	Formally document the audit department’s plan of action	Document a code of professional conduct for the auditor	Describe the authority and responsibilities of the audit department	d	An audit charter describes the authority, responsibility of the audit department. These are established by the senior management. Correct answer is D.	M1C1	61	145.000	M1C1
Which of the following control classifications identify the cause of a problem and minimize the impact of threat?	Administrative Controls	Detective Controls	Preventive Controls	Corrective Controls	d	Corrective Controls classification identify the cause of a problem and minimize the impact of threat. The goal of these controls is to identify the root cause of an issue whenever possible and eliminate the potential for that occurring again. The other controls are useful but perform other functions instead. Correct answer is D.	M1C1***	62	116.000	M1C1***
To conduct a system audit, the IS auditor should	Be technically at par with client’s technical staff	Be able to understand the system that is being audited	Possess knowledge in the area of current technology	Only possess a knowledge of auditing.	b	To conduct IS Audit by the IS Auditor, the primary requirement is that he should be able to understand the system and technology being audited. He is not required to be the expert in all subjects. There is no comparison of his knowledge with that of auditee’s staff. He should have the knowledge of audit along with the technology in the related subject of audit. Correct answer is B.	M1C1	63	143.000	M1C1
Which of the following are most commonly used to mitigate risks discovered by organizations?	Controls	Personnel	Resources	Threats	a	Controls are most commonly used to mitigate risks discovered by organizations. This is what organizations implement as a result of the risks an organization discovers. Resources and personnel are often expended to implement controls. Correct answer is A.	M1C1	64	37.000	M1C1
The rate of change in technology increases the importance of:	Outsourcing the IS function	Implementing and enforcing good processes	Hiring personnel willing to make a career within the organisation	Meeting user requirements	b	Rate of change of technology increases the importance of implementing and enforcing good practices. Correct answer is B.	M1C1	65	168.000	M1C1
What means the rate at which opinion of the IS Auditor would change if he selects a larger sample size?	Audit Risk	Materiality	Risk Based Audit	Controls	a	Audit risk means the rate at which opinion of the IS Auditor would change if he selects a larger sample size. Audit risk can be high, moderate or low depending on the sample size selected by the IS Auditor. A risk-based audit approach is usually adapted to develop and improve the continuous audit process. Materiality means importance of information to the users. It is totally the matter of the professional judgment of the IS Auditor to decide whether the information is material or immaterial. Correct answer is A.	M1C1	66	132.000	M1C1
Which of the following cannot be classified as Audit Risk?	Inherent Risk	Detection Risk	Controllable Risk	Administrative Risk	d	Inherent risk means overall risk of management which is on account of entity’s business operations as a whole. Controllable risk is the risk present in the internal control system and the enterprise can control this risk completely and eliminate it from the system. Detection risk is the risk of the IS Auditor when he is not able to detect the inherent risk or the controllable risk. Correct answer D	M1C1	67	125.000	M1C1
After you enter a purchase order in an on-line system, you get the message, “The request could not be processed due to lack of funds in your budget”. This is an example of error?	Detection	Correction	Prevention	Recovery	c	To stop or prevent a wrong entry is a function of error prevention. All other options work after an error. Prevention works before occurrence of error. Correct answer is C.	M1C1	68	40.000	M1C1
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:	Controls needed to mitigate risks are in place.	Vulnerabilities and threats are identified.	Audit risks are considered.	Gap analysis is appropriate	b	In developing a risk-based audit strategy, risks and vulnerabilities are to be understood. This determines areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. Gap analysis would normally be done to compare the actual state to an expected or desirable state. Correct answer B.	M1C1	69	155.000	M1C1
Reviewing management's long-term strategic plans helps the IS auditor:	Gains an understanding of an organization's goals and objectives.	Tests the enterprise's internal controls.	Assess the organization's reliance on information systems.	Determine the number of audit resources needed.	a	Strategic planning sets corporate or departmental objectives into motion. It is time and project-oriented, but must also address and help determine priorities to meet business needs. Reviewing long-term strategic plans will not achieve objectives by other choice. Correct answer is A.	M1C1	70	76.000	M1C1
Which of the following forms of evidence would be considered to be the most reliable when assisting an IS Auditor develop audit conclusion?	A confirmation letter received from a third party for the verification of an account balance.	Assurance via a control self-assessment received from the management that an application is working as designed.	Trend data obtained from World Wide Web (Internet) sources.	Ratio analysis developed by an IS Auditor from reports supplied by line management	a	The IS Auditor requires documented evidence to be submitted during audit procedures. Control self-assessment though is a good control but it cannot work as an evidence. Trend and ratio analysis can be used to justify some conclusion but cannot be considered as a conclusive evidence whereas a confirmation letter is.	M1C2	71	127.000	M1C2
During a review of the controls over the process of defining IT service levels, an IS auditor would most likely interview the:	Systems programmer	Legal staff	Business Unit Manager	Programmer	c	Business unit manager is the owner of that business unit and he is the right authority to provide the required information in this context. First point of interview should be with the person related to business not the programmer or legal staff.	M1C2	72	189.000	M1C2
Which of the following procedures would an IS Auditor not perform during pre-audit planning to gain an understanding of the overall environment under review?	Tour key organisation activities	Interview key members of management to understand business risks	Perform compliance tests to determine if regulatory requirements are met.	Review prior audit reports.	c	During pre-audit planning there is no question of doing any compliance test. Compliance test starts during the process of audit. All other options are the process of collecting information during pre-audit process.	M1C2	73	167.000	M1C2
The first step IS Auditor should take when preparing the annual IS audit plan is to:	Meet with the audit committee members to discuss the IS audit plan for the upcoming year.	Ensure that the IS audit staff is competent in areas that are likely to appear on the plan and provide training as necessary.	Perform a risk ranking of the current and proposed application systems to prioritize the IS audits to be conducted.	Begin with the prior year's IS audit plan and carry over any IS audits that had not been accomplished.	c	IS audit services should be expended only if the risk warrants it. Answers A, B and D occur after C has been completed. Answer "B" is NOT correct because the IS Audit Manager does not know what areas are to appear on the IS audit plan until a risk analysis is completed and discussions are held with the Audit Committee members. Answer "A" is NOT correct because the IS Audit Manager would not meet with the audit committee until a risk analysis of areas of exposure has been completed. Answer "D" is NOT correct because a risk analysis would be the first step before any IS audit services are expended.	M1C2***	74	191.000	M1C2***
The purpose of compliance tests is to provide reasonable assurance that:	Controls are working as prescribed.	Documentation is accurate and current.	The duties of users and data processing personnel are segregated.	Exposures are defined and quantified.	a	The compliance tests determine whether prescribed controls are working as intended. Answer "B" is NOT the best choice. Current and accurate documentation may be a good procedure but it is only one type of control procedure, therefore, answer 'A' is a better choice as more control procedures are evaluated. Answer "C" is NOT the best choice because segregation of duties is only one type of control procedure; therefore, answer 'A' is a better choice as more control procedures are evaluated. Answer "D" is NOT the correct choice. Exposures are defined and quantified to determine audit scope. Compliance tests provide reasonable assurance that controls are working as prescribed.	M1C2	75	182.000	M1C2
IS Auditors being most likely to perform tests of internal controls if, after their evaluation of such controls, they conclude that:	A substantive approach to the audit is cost-effective	The control environment is poor.	Inherent risk is low.	Control risks are within the acceptable limits.	b	IS auditor will most probably perform the test of internal control when control environment is poor. When inherent risks are low and control risks are within acceptable limit, likelihood of testing internal controls get reduced. Concluding the cost-effectiveness of substantive approach is not the outcome of testing internal controls.	M1C2	76	128.000	M1C2
Which of the following is the least important factor in determining the need for an IS Auditor to be involved in a new system development project?	The cost of the system	The value of the system to the organization.	The potential benefits of the system.	The number of lines of code to be written.	d	The size of the system is the least important of the factors listed. All other factors have specific financial implications and an IS Auditor can be used to help mitigate the risk to the corporation with the development of a new system.	M1C2	77	80.000	M1C2
Each of the following is a general control concern EXCEPT:	Organization of the IS Department.	Documentation procedures within the IS Department.	Balancing of daily control totals.	Physical access controls and security measures	c	Balancing of daily control totals relates to specific applications and is not considered an overall general control concern. Answer "B" is NOT the correct answer since documentation procedures within the IS Department are an important general control concern. Answer "A" is NOT the correct answer since organization of the IS Department is an important general control concern. Answer "D" is NOT the correct answer since physical access controls and security measures are important general control concerns.	M1C2	78	192.000	M1C2
Which of the following types of audits requires the highest degree of data processing expertise?	Systems software audits	General controls reviews	Microcomputer application audits	Mainframe application audits	a	The IS Auditor needs specialized type of education in hardware and operating system software. Options at B, C and D can be performed when an IS auditor has a basic level of data processing technical knowledge and usually requires no special training.	M1C2	79	110.000	M1C2
A manufacturing company has implemented a new client/server system enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following controls would BEST ensure that the orders are accurately entered and the corresponding products produced?	Verifying production to customer orders	Logging all customer orders in the ERP system	Using hash totals in the order transmitting process	Approving (production supervisor) orders prior to production	a	Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time-consuming manual process that does not guarantee proper control.	M1C2	80	31.000	M1C2
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Identification of exceptional transactions based upon set criteria	Projections on future trends for specific parameters	Carrying out employees’ reference checks	Carry out employee appraisals Key	a	One of the many key tests that can be carried out by CAATs is identification of exceptional transactions based upon set criteria. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur on the basis of the controls which presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.	M1C3	81	92.000	M1C3
Find out the best process carried out using Computer Assisted Audit Tools (CAATs)?	Identify potential areas of fraud	Carry out employee appraisals of Information Systems Assurances Services	Projections on future trends for specific parameters	Carrying out employees’ reference checks Key	a	One of the many key tests that can be carried out by CAATs is identification of potential areas of fraud. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur on the basis of presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Correct answer is A.	M1C3	82	163.000	M1C3
What can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Identify data which is inconsistent or erroneous	Carry out employee appraisals	Projections on future trends for specific parameters	Carrying out employees’ reference checks Key.	a	One of the many key tests that can be carried out by CAATs is identification of data which is inconsistent or erroneous. The IS auditor can set the criteria based upon the sort of data which are not expected to occur on the basis of the controls which presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.	M1C3***	83	202.000	M1C3***
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Perform various types of statistical analysis	Carry out employee appraisals	Projections on future trends for specific parameters	Carrying out employees’ reference checks Key	a	One of the many key tests that can be carried out by CAATs is the carrying out of various types of statistical analysis which could throw up areas of inconsistencies, defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.	M1C3***	84	135.000	M1C3***
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Establishing whether the set controls are working as prescribed	Carry out employee appraisals	Projections on future trends for specific parameters	Estimation of competitor activity Key.	a	One of the many key tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.	M1C3***	85	134.000	M1C3***
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?	Establishing relationship between two or more areas & identify duplicate transactions	Carry out market surveys for a new product launch	Projections on future trends for specific parameters	Estimation of competitor activity Key	a	One of the many key tests that can be carried out by CAATs is establishing relationship between two or more areas & identify duplicate transactions. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.	M1C3***	86	7.000	M1C3***
Which is one of the most effective tools and techniques to combat fraud?	Computer Assisted Audit Techniques (CAAT)	Threats of severe punishment	Validation by the I.T. dept. of the police	Use of authenticated hard copies Key	a	CAAT is one of the tools useful for carrying out the detection of suspicious transactions as a pre-emptive or post fraud activity. Hence, answer at Option A is correct.	M1C3***	87	186.000	M1C3***
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to review the data processing files for possible duplicate payments. Which of the following techniques/tools would be useful to the IS Auditor?	An integrated test facility.	Statistical sampling.	Generalized audit software.	The Audit Review File.	c	Generalised Audit software is mainly used to find duplicate data. Options A and D are on line application audit tools and statistical sampling may not be able to find duplicates. Correct answer is C.	M1C3	88	182.000	M1C3
Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools impact the systems performance with a greater load and stress on the system?	Test data generators	Statistical software packages	Test drivers	Network traffic analyzers	b	Statistical software packages use all data resources impacting the processing time and response time. Network traffic analyzers also use the system resources but not putting stress on production data. Test data generator is not resource intensive and test drivers are for specific use without impacting much resources. Correct answer is B.	M1C3	89	198.000	M1C3
The most appropriate type of CAAT tool the auditor should use to test security configuration settings for the entire application systems of any organization is:	Generalised Audit Software	Test Data	Utility Software	Expert System	c	When testing the security of the entire application system including operating system, database and application security, the auditor will most likely use a utility software that assists in reviewing the configuration settings. In contrast, the Auditor may use GAS to perform a substantive testing of data and configuration files of the application. Test data are normally used to check the integrity of the data and expert systems are used to inquire on specific topics. Hence correct answer is C.	M1C3	90	52.000	M1C3
Application controls shall include all except	Application controls are a subset of internal controls.	The purpose is to collect timely, accurate and reliable information.	It is part of the IS Auditor’s responsibility to implement the same.	It is part of business application software.	c	C. It represents what auditor verifies but not that what he/she implements. Rest is part of the definition and purpose of application controls.	M1C4***	91	5.000	M1C4***
As per Income Tax Act, 1961 and banking norms, all fixed deposit holders of banks need to submit their PAN or form 60/61(a form as per Income Tax Act/Rules). A bank in its account opening form, has not updated the need for form 60/61 in case PAN is not there. This defines which control lapse as per COBIT.	Source Data Preparation and Authorisation	Source Data Collection and Entry	Accuracy, Completeness and Authenticity Checks	Processing Integrity and Validity	a	A. is the correct answer as the source data capture is not proper. Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design.	M1C4***#	92	201.000	M1C4***#
In a public sector bank while updating master data for advances given, the bank employee does not update “INSURANCE DATA”. This includes details of Insurance Policy, Amount Insured, Expiry Date of Insurance and other related information. This defines which control lapse as per COBIT.	Source Data Preparation and Authorisation	Source Data Collection and Entry	Accuracy, Completeness and Authenticity Checks	Processing Integrity and Validity	c	C. This ensures that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.	M1C4***#	93	152.000	M1C4***#
An IS Auditor observed that users are occasionally granted the authority to change system data. The elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS Auditor most likely recommend for long term resolution?	Redesign the controls related to data authentication	Implement additional segregation of duties controls	Review policy to see if a formal exception process is required	Implement additional logging controls.	c	C. is the correct answer. Policy is not a static document. When an exception is a regular requirement, the best control is to modify the policy accordingly.	M1C4***	94	106.000	M1C4***
An IS Auditor, processes a dummy transaction to check whether the system is allowing cash payments in excess of Rs.20,000/-. This check by auditor represents which of the following evidence collection technique?	Inquiry and confirmation	Re-calculation	Inspection	Re-performance	d	D. is the correct answer. The IS Auditor may process test data on application controls to see how it responds.	M1C4***	95	188.000	M1C4***
An IS Auditor is performing a post implementation review of an organisation’s system and identified output errors within an accounting application. The IS Auditor determined that this was caused by input errors. Which of the following controls should the IS Auditor recommend to management?	Recalculations	Limit Checks	Run-to-run total	Reconciliation	d	D is correct. For finding the anomaly between input and output, reconciliation is the best option. Re-calculation and run-to-run total will provide the same result as earlier and limit check is a data validation control.	M1C4	96	144.000	M1C4
RBI instructed banks to stop cash retraction in all ATMs across India from April 1, 2013. This was result of few ATM frauds detected. This action by RBI can be best classified as:	Creation	Rectification	Repair	None of above	b	B. is the right answer. A, is not an answer as action by RBI is based on fraud detection. Repair is done to rectify an error which has occurred in a working system.	M1C4	97	122.000	M1C4
A central antivirus system determines whether each personal computer has the latest signature files and installs the latest signature file before allowing a PC to connect to the network. This is an example of a:	Directive control	Corrective Control	Compensating Control	Detective Control	b	B. is the correct answer. After detecting the deficiency, it is correcting the situation hence it is a corrective control.	M1C4	98	150.000	M1C4
Company’s billing system does not allow billing to those dealers who have not paid advance amount against proforma invoice. This check is best called as:	Limit Check	Dependency Check	Range Check	Duplicate Check	b	Dependency check is one where value of one field is related to that of another.	M1C4	99	72.000	M1C4
While posting message on FACEBOOK, if user posts the same message again, FACEBOOK gives a warning. The warning indicates which control.	Limit Check	Dependency Check	Range Check	Duplicate Check	d	D. is the answer as this is a duplicate check.	M1C4	100	204.000	M1C4
Which of the following business purposes can be met by implementing Data warehouse in an organisation?	Business continuity can be ensured in case of disaster.	Data in the data ware house can work as a backup	The data in the warehouse can be used for meeting regulatory requirements.	Business decisions can be taken and future policies can be framed based on actual transactional data.	d	Correct answer is D. Purpose of Data warehouse is to take business decisions and frame future policies based on the analysis of transactional data. It cannot act as an alternative to backup. Purpose of the data ware house is not for business continuity nor is it for regulatory requirements.	M1C5***#	101	126.000	M1C5***#
Which of the following is a characteristic of a decision support system (DSS)?	DSS is aimed at solving highly structured problem.	DSS combines the use of models with non-traditional data access and retrieval functions.	DSS emphasizes flexibility in decision making approach of users.	DSS supports only structured decision-making tasks.	b	Correct answer is B. It goes with the purpose and definition of decision support system.	M1C5***#	102	61.000	M1C5***#
Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?	Integrated test facility (ITF)	Continuous and intermittent simulation (CIS)	Audit hooks	Snapshots	d	Correct answer is D. Snapshot is the right answer as in this technique, IS auditor can create evidence through IMAGE capturing. A snapshot tool is most useful when an audit trail is required. ITF can be used to incorporate test transactions into a normal production run of a system. CIS is useful when transactions meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or processes need to be examined.	M1C5***	103	138.000	M1C5***
A retail company recently installed data warehousing client software in multiple, geographically diverse sites. Due to time zone differences between the sites, updates to the warehouse are not synchronized. This will affect which of the following most?	Data availability	Data completeness	Data redundancy	Data accuracy	b	Correct answer is B. One of the major bottlenecks in data ware house is time synchronisation as the data of different time zones is merged in data ware house. It ultimately results in in-complete data for decision making purposes.	M1C5	104	20.000	M1C5
The cashier of a company has rights to create bank master in TALLY. This error is a reflection of poor definition for which type of control:	User Controls	Application Control	Input Control	Output Control	a	Correct answer is A. User controls are not properly defined. User controls need to be defined based on NEED TO DO and NEED TO DO basis. The above is reflection of a greater problem of improper assessment of user profiles created in the system.	M1C5	105	63.000	M1C5
An employee has left the company. The first thing to do is to:	Hire a replacement employee.	Disable his/her access rights.	Ask the employee to clear all dues/advances.	Escort employee out of company premises	b	Correct answer is B. the first thing to do as soon as an employee leaves the company is to disable his/her access rights in system. This needs to be done to prevent frauds being committed. Other answers may be valid but are not the first thing to do.	M1C5	106	162.000	M1C5
As part of auditing Information Security of a multinational bank, an auditor wants to assess the security of information in ATM facilities. Under which privacy policy should he look for details pertaining to security guards and CCTV surveillance of ATM’s?	Physical Access and Security Policy	Acceptable use of Information Assets Policy	Asset Management Policy	Business Continuity Management Policy Key.	a	Correct answer is A. Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the use of multiple layers of interdependent systems which include CCTV surveillance, security guards, Biometric access, RFID cards, access cards protective barriers, locks, access control protocols, and many other techniques. B is incorrect - An acceptable use policy (AUP), also known as an Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or manager of a network, website or large computer system that restrict the ways in which the network, website or system may be used. C is incorrect – This policy defines the requirements for Information Asset’s protection. It includes assets like servers, desktops, handhelds, software, network devices etc. Besides, it covers all assets used by an organization- owned or leased. D is incorrect – This policy defines the requirements to ensure continuity of business-critical operations. It is designed to minimize the impact of an unforeseen event (or disaster) and to facilitate return of business to normal levels.	M1C5	107	176.000	M1C5
Neural Networks and Fuzzy Logics are classified under which category of Artificial intelligence?	Cognitive Science	Robotics	Natural Sciences	Virtual Reality	a	Correct answer is A. Cognitive Science. This is an area based on research in disciplines such as biology, neurology, psychology, mathematics and allied disciplines. It focuses on how human brain works and how humans think and learn. Applications of AI in the cognitive science are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and Fuzzy Logic. B, C and D are incorrect. B. Robotics: This technology produces robot machines with computer intelligence and human-like physical capabilities. This area includes applications that give robots visual perception, capabilities to feel by touch, dexterity and locomotion. C. Natural Languages: Being able to 'converse' with computers in human languages is the goal of research in this area. Interactive voice response and natural programming languages, closer to human conversation, are some of the applications. D. Virtual reality is another important application that can be classified under natural interfaces.	M1C5	108	165.000	M1C5
In an inter school competition on Artificial Intelligence, four children develop software which performs the following different functions respectively. Which of them is a correct example of the use of basic Artificial Intelligence?	Predictive & self-learning word-processing software	A calculation software which arrives at the arithmetic total of figures keyed in	A password system which allows access based upon keying in of the correct password	A software which rejects invalid dates like 32nd March 2019.	a	Correct answer is A. The word-processing software pops up suggested words based upon the first few words keyed in by the user. Also, when the user keys in a new word which is not available in its repertoire, it adds it to its collection & reflects it as an option the next time similar letters are initiated. In effect, the software is able to observe & record patterns and improves through ‘learning’. The other answers in Options B to D involve the basic computing functions of a computer which are based on a ‘go / no-go’ logic which does not involve pattern recognition or further learning. Hence, the correct answer is only as in Option A which displays characteristics of artificial intelligence.	M1C5	109	191.000	M1C5
Which are the business activities which are strong contenders for conversion to e-commerce?	Those that are paper-based, time consuming & inconvenient for customers	Those relating to software development	Those relating to the ‘electronic’ aspects of commerce	Those that are not paper-based, speedy & convenient for customers.	a	Correct answer is A. Maximum mileage can be gained from e-commerce by converting those business activities which are paper-based, time consuming & inconvenient for customers as indicated in Option A. This will help us reduce paperwork, accelerate delivery & make it convenient for customers to operate from the comfort of their homes as also at any other place of their convenience. Hence, the other options are wrong.	M1C5***	110	83.000	M1C5***
Which of the following factors should not be considered in establishing the priority of audits included in an annual audit plan?	Prior audit findings	The time period since the last audit	Auditee procedural changes	Use of audit software	d	Use of audit software merely refers to a technique that can be used in performing an audit. It has no relevance to the development of the annual audit plan.	M1C6	111	70.000	M1C6
Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application systems?	Volume of transactions	Likelihood of error	Value of transactions	Extent of existing controls	b	An error is the least likely element to contribute to the potential for fraud. Answer A and C are incorrect since volume and value of transactions give an indication of the maximum potential loss through fraud. Answer D is incorrect since gross risk less existing controls give net risk.	M1C6	112	170.000	M1C6
An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, inside his/her desk drawer. The IS auditor should conclude that the:	Manager’s assistant perpetrated the fraud.	Perpetrator cannot be established beyond doubt.	Fraud must have been perpetrated by the manager.	System administrator perpetrated the fraud.	b	The password control weaknesses mean that any of the other three options could be true. Password security would normally identify the perpetrator. In this case, it does not establish guilt beyond doubt.	M1C6	113	12.000	M1C6
Which of the following situations would increase the likelihood of fraud?	Application programmers are implementing changes to production programs.	Application programmers are implementing changes to test programs.	Operations support staff are implementing changes to batch schedules.	Database administrators are implementing changes to data structures.	a	Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of controls in this area could result in application programs being modified to manipulate the data.	M1C6	114	176.000	M1C6
Neural networks are effective in detecting fraud, because they can:	Discover new trends since they are inherently linear.	Solve problems where large and general sets of training data are not obtainable.	Attack problems that require consideration of a large number of input variables.	Make assumptions about shape of any curve relating variables of output	c	Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, and they will not discover new trends. Neural networks are inherently nonlinear and make no assumption about the shape of any curve relating variables to the output.	M1C6	115	80.000	M1C6
The FIRST step in managing the risk of a cyber-attack is to:	Assess the vulnerability impact.	Evaluate the likelihood of threats.	Identify critical information assets.	Estimate potential damage.	c	The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages.	M1C6	116	26.000	M1C6
Which of the following refers to imaging of original media in presence of an independent third party?	Identify	Preserve	Analyze	Present	b	Preserve refers to practice of retrieving identified information and preserving it as evidence. This practice generally includes the imaging of original media in presence of an independent third party.	M1C6***	117	99.000	M1C6***
As a measure of IT General controls, an organization decides to separate those who can input data from those that can reconcile or approve data. Is this a good move? Why?	Yes, it is a good move; it can help prevent unauthorized data entry.	No, it is not a good move; the person who inputs the data is the best person to approve the data too.	Yes, it is a good move; inputting data & reconciling data requires different skills.	No, it is not a good move; data entry errors would be compounded.	a	Segregation of duties is an important control tool whereby conflicting roles are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with another.	M1C6	118	176.000	M1C6
A holistic approach to deterrence & prevention of fraud would be:	Strengthening of Governance and Management framework	Focusing on integrity of new recruits	Establishing severe punishment for fraud	Compensating employees adequately to minimize temptation	a	A holistic approach to deterrence and prevention of fraud would require strengthening of governance and management framework. The answers in options B to D address the issue in bits and pieces and, hence, are not the right answers.	M1C6	119	67.000	M1C6
After initial investigation, IS auditor has reasons to believe that there is possibility of fraud, the IS auditor has to:	Expand activities to determine whether an investigation is warranted.	Report the matter to the audit committee.	Report the possibility of fraud to top management and ask how they would like to proceed.	Consult with external legal counsel to determine the course of action to be taken.	a	An IS auditor’s responsibility for detecting fraud includes evaluating fraud indicators and deciding whether any additional action is necessary or whether an additional investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation.	M1C6***	120	156.000	M1C6***
Q. 1. Who is responsible for establishing the right structure of decision-making accountabilities?	Senior management	Operational management	Chief information officer	IT steering committee	a	The senior management is responsible for ensuring the right structure of decision-making accountabilities. The operational management is responsible for ensuring that operations of the enterprise are run as per enterprise policy. The chief information officer is responsible for ensuring IT-enabled investments provide business value, and the IT steering committee is responsible for steering IT-enabled projects toward the successful completion of objectives.	M2C1	121	131.000	M2C1
Q. 2. The MOST important benefit of implementing Governance of Enterprise IT is:	Monitor and measure enterprise performance	Provide guidance to IT to achieve business objectives	Run the companies to meet shareholders’ interest	Ensure strategic alignment of IT with business	d	The MOST important benefit of implementing Governance of Enterprise IT is that it helps in ensuring the strategic alignment of IT with business. Alignment of IT strategy in tune with enterprise strategy ensures value delivery from IT-enabled investments. The monitoring and measuring of enterprise performance is one of the key processes of EGIT. GETI does not provide guidance to IT to achieve business objectives but provides an overall framework and setting for IT to achieve business objectives. Although EGIT is often implemented from a regulatory perspective and enables enterprises to meet corporate governance requirements, it does not directly focus on running the enterprises based on shareholders’ interest. Shareholders are one of the key stakeholders whose objectives are considered while formulating enterprise goals.	M2C1	122	160.000	M2C1
Q. 3. The primary objective of Corporate Governance is:	Reduce IT cost in line with enterprise objectives and performance.	Optimise implementation of IT Controls in line with business needs	Implement security policies and procedures using best practices.	Increase shareholder value by enhancing economic performance.	c	The primary objective of Corporate Governance is to implement security policies and procedures using best practices. Corporate governance requirements are best met by using best practices which are globally accepted. The focus of implementing corporate governance is on ensuring regulatory compliance and this does not look at cost aspects. Hence, reducing IT cost in line with enterprise objectives and performance is not an objective. Further, optimising the implementation of IT Controls in line with business needs has to be considered as part of EGIT and is not directly the objective of corporate governance. There are multiple stakeholders whose interests are sought to be protected by regulations of corporate governance. One of the stakeholders is shareholders. However, the regulations do not consider how to increase shareholder value by enhancing economic performance but to protect their interests.	M2C1***#	123	124.000	M2C1***#
Q. 4. The ultimate objective of Governance of Enterprise IT is to ensure that IT activities in an enterprise are directed and controlled to achieve business objectives for meeting the needs of:	Shareholders	Stakeholders	Investors	Regulators	b	The ultimate objective of Enterprise Governance of Information Technology (EGIT) is to ensure that IT activities in an enterprise are directed and controlled to achieve business objectives for meeting the needs of the stakeholders. There are multiple stakeholders, and EGIT requires balancing the needs of these stakeholders. Shareholders, Investors, and Regulators are some of the stakeholders.	M2C1	124	167.000	M2C1
Q. 5. Which of the following is a key component of Corporate Governance?	Employee rights	Security policy	Transparency	Risk assessment	c	One of the key components of Corporate Governance is ensuring transparency. This promotes effective governance through establishing, communication, and monitoring of performance. Employee rights are not the focus of corporate governance. Security policy as prepared by the IT as applicable for the enterprise is approved by the board. Corporate governance requirements do not provide any specific details of risk assessment but only outline the need for implementing risk management as appropriate for the enterprise.	M2C1	125	52.000	M2C1
Q. 6. Enterprise governance and Governance of Enterprise IT governance require a balance between:	Compliance and return on investment expected by shareholders	Profit maximization and wealth maximization as decided by the board	IT risks and cost of implementing IT controls as set by IT	Conformance and performance goals as directed by the board.	c	Enterprise governance and Governance of Enterprise IT governance require a balance between IT risks and cost of implementing IT controls as set by IT. Risk appetite and Risk tolerance are set by the Board and this is based on risks that are acceptable and the limit to which these are acceptable. The compliance and return on investment expected by shareholders are not relevant as shareholders do not have a stake in deciding this. The last two options about profit maximization and wealth maximization as decided by the board and conformance and performance goals directed by the board are translated through the overall enterprise strategy which is then translated into business and IT strategy.	M2C1***#	126	203.000	M2C1***#
Q. 7. Business Governance helps the Board by enabling them to understand:	Enterprise functions	Risk assessment	Key performance drivers	Key controls	c	The primary objective of Business Governance is to ensure performance and hence the focus by the Board is to understand and implement key performance drivers. The other options are related to operational areas which are dealt with by management at their level as required.	M2C1***	127	137.000	M2C1***
Q. 8. The effectiveness of the IT governance structure and processes are directly dependent upon the level of involvement of	Heads of Business units	Internal auditor department	Technology management	Board/senior management	d	The Board/senior management play the most critical role in ensuring the effectiveness of the IT governance structure and processes. Hence, the effectiveness of Governance is directly dependent upon their level of involvement. The head of business units work on implementing the directions of the board and are focused on management. The internal auditor department plays an important role in evaluating how well IT governance is implemented but their role is providing guidance. The technology management is responsible for aligning IT strategy in line with the enterprise strategy and implementing IT solutions that help meet enterprise objectives.	M2C1	128	110.000	M2C1
Q. 9. Which of the following is one of the key benefits of EGIT?	Identification of relevant laws, regulations and policies requiring compliance.	Improved transparency and understanding of IT’s contribution to business	Better utilization of human resources by using automation	Increased revenues and higher Return on investments.	b	Implementing EGIT requires active collaboration between the board/senior management in directing IT towards enterprise objectives and putting a governance framework in place. Hence, the key benefit of EGIT is the improved transparency and understanding of IT’s contribution to business which is reflected in the performance management system. Although the identification of relevant laws, regulations, and policies requiring compliance is important in implementing EGIT, this is not the primary benefit. Directly, the focus of EGIT is neither on better utilization of human resources by using automation nor on increased revenues and higher returns on investments although they are considered as required. Enterprise Governance of Information Technology (EGIT)	M2C1	129	153.000	M2C1
Q. 10. Which of the following is the primary objective for implementing ERM?	Implement right level of controls.	Better availability of information.	Tighter security at lower cost.	Implement IT best practices.	a	The primary objective for implementing ERM is it helps in deciding and implementing the right level of controls. The other 3 options are indirect benefits of implementing ERM.	M2C1***#	130	47.000	M2C1***#
Q. 1. The most important requirement for IT governance function to be effective is:	Monitoring	Evaluation	Directing	Managing	c	Directing is the most critical of the Governance function which can be performed by the Board. Although, governance has three critical functions: Evaluate, direct, and monitor, evaluation and monitoring can be performed against directions.	M2C2	131	118.000	M2C2
Q. 2. The MOST important benefit of implementing IT risk management process is that it helps in:	optimizing internal control framework.	ensuring residual risk is at acceptable level.	prioritizing business functions for audit planning.	complying with regulatory requirements.	b	The primary function of IT risk management process is to support value creation by reducing the risk to an acceptable level. The other options are secondary benefits of IT risk management.	M2C2	132	203.000	M2C2
Q. 3. Which of the following is a major risk factor?	Existence of inflationary trends.	Vendor launches new software.	Board of directors elects new chairman.	Change in government post elections.	d	Risk factors are conditions that affect the risk profile of organization. Change in government is one of the major risk factors as compared with other options.	M2C2	133	109.000	M2C2
Q. 4. The level to which an enterprise can accept financial loss from a new initiative is:	Risk tolerance	Risk management	Risk appetite	Risk acceptance	c	Risk appetite denotes the level of risk acceptable by management. Risk tolerance is the time up to which an organization can afford to accept the risk. Risk management is a process of risk mitigation and risk acceptance is a decision of the management and is considered as risk response.	M2C2	134	49.000	M2C2
Q. 5. Designing and implementing a control to reduce the likelihood and/or impact of risk materializing is a:	Risk acceptance	Risk transfer	Risk treatment	Risk transfer	c	Implementing control is a risk treatment.	M2C2	135	187.000	M2C2
Q. 6. Which of the following is a valid risk statement?	Network service provider is unable to meet bandwidth.	Hacker attempts to launch attack on web site.	Application server crash due to power failure.	Delay in servicing customers due to network congestion.	d	Options A, B, and C are threats and not risks.	M2C2	136	34.000	M2C2
Q. 7. Which of the following is the primary reason for periodic review of risk? The changes in:	risk factors	risk appetite	budget	risk strategy	a	Changes in risk factors are the primary reason for reviewing changes in risk levels for an organization. The other options are secondary reasons.	M2C2***#	137	73.000	M2C2***#
Q. 8. Which of the following is a strategic IT risk?	IS audit may not identify critical non-compliance.	Non-availability of networks impacting services to customers.	New application may not achieve expected benefits.	Defer replacement of obsolete hardware.	d	Deferring replacement of obsolete hardware is a strategic decision and hence it is a strategic IT risk. Others are operational IT risks.	M2C2***	138	66.000	M2C2***
Q. 9. Which of the following is the most essential action after evaluation of inherent risks?	Evaluate implemented controls.	Update risk register.	Prepare heat map.	Prioritize evaluated risk.	a	Once risks are evaluated it is necessary to find out the current state of risk mitigation (gaps in controls) by evaluating the existing controls. This helps in identifying gaps and implementing controls so as to reduce the total exposure within acceptable limits. Other activities are required but not as essential as identifying gaps in controls.	M2C2	139	188.000	M2C2
Q. 1. Which of the following is most important resource of the organization?	Policies and procedures	IT infrastructure and applications	Information and data	Culture, ethics and behaviour	c	Entire EGIT implementation focuses on Information and data. Policies are defined based on nature of information and data, culture and behaviour. IT infrastructure and applications store, process, and communicate information.	M2C3	140	192.000	M2C3
Q. 2. Which of the following is most important characteristic of policies?	Must be limited in number.	Requires framework to implement.	Reviewed periodically.	Non-intrusive and logical.	d	Policies are vehicles to communicate the intent of management and hence must be clear and easy to implement to be effective. B and C are requirements to maintain policies and A is a characteristic of principles.	M2C3	141	21.000	M2C3
Q. 3. Primary function of a process is to:	Act on input and generate output.	Define activities to be performed.	Focus on achieving business goals.	Comply with adopted standards.	a	The primary function of a process is to process received inputs and generate outputs to achieve process goals. While processes are defined to achieve business goals, they are broken down to arrive at process goals. Compliance with standards may need certain processes, but the primary function is to process input.	M2C3	142	33.000	M2C3
Q. 4. Effective organization structure focuses on:	Defining designations.	Delegating responsibility.	Defining escalation path.	Deciding span of control.	b	The effectiveness of the organization structure depends on the right level of delegation of responsibilities. Defining designation is only naming a specific role which is not directly relevant. Other options depend upon the level of delegation.	M2C3	143	148.000	M2C3
Q. 5. Prioritization of IT initiatives within the organization is primarily based on:	Results of risk assessments	Expected benefit realization	Recommendations of CIO	Rate of obsolescence of IT	b	Although the IT steering committee considers all inputs, the primary consideration is the expected benefits to the organization.	M2C3	144	22.000	M2C3
Q. 6. Primary objective of IT steering committee is to:	Align IT initiatives with business	Approve and manage IT projects	Supervise IT and business operations	Decide IT strategy for organization	a	The primary objective of appointing an IT steering committee is to ensure that IT initiatives are in line with business objectives. D is the objective of the IT strategy committee. B and C are secondary objectives derived from A.	M2C3***	145	53.000	M2C3***
Q. 7. Which of the following is best control for building requisite skills and competencies within organization?	Hiring only highly qualified people	Outsourcing the critical operations	Conducting skill enhancement training	Defining skill requirements in job description	c	The best control for building requisite skills and competencies within an organization is to ensure skill enhancement training is provided.	M2C3***	146	108.000	M2C3***
Q. 1. Which of the following is best approach for monitoring the performance of IT resources?	Compare lag indicators against expected thresholds	Monitor lead indicators with industry best practices	Define thresholds for lag indicators based on long term plan	Lead indicators have corresponding lag indicator	b	Lead indicators are proactive approaches for ensuring performance and hence are defined using industry best practices. Lag indicators are useful after the fact (A). Thresholds based on long term plans may not provide input on performance during execution (C). All lead indicators may not have lag indicators.	M2C4	147	157.000	M2C4
Q. 2. Performance monitoring using balance score card is most useful since it primarily focuses on:	Management perspective	Product and services	Customer perspectives	Service delivery processes	c	The Balance Score Card (BSC) focuses on Financial, Customer, internal, and learning perspectives.	M2C4	148	14.000	M2C4
Q. 3. Which of the following is considered as an example of a lead indicator?	Number of gaps with respect to industry standard	Comparative market position of organization	Percentage of growth achieved over three years	Improvement in customer satisfaction survey	a	Lead indicators are proactive in nature and help management in planning. Identification of gaps with respect to industry standard is the beginning of the process of implementing best practices. Other indicators are results of past performance.	M2C4	149	92.000	M2C4
Q. 4. The PRIMARY objective of baselining IT resource performance with business process owners is to:	Define and implement lead and lag indicators	Ensure resource planning is aligned with industry	Assess cost effectiveness of outsourcing contracts	Benchmark expected performance measurement	d	In order to plan resources, the performance of the resource must be determined and compared with business expectations from IT. This helps management in implementing performance measures against expected performance. Other options use baselines.	M2C4***#	150	166.000	M2C4***#
Q. 5. Which of the following is BEST measure to optimize performance of skilled IT human resources?	Include personal development plan in job description	Document personal expectations during exit interviews	Implement ‘Bring Your Own Device (BYOD)’ policy	Monitor performance measure against baseline	a	Motivation helps human resources perform better. Career progression planning included in job descriptions along with performance norms shall help in motivating human resources.	M2C4***	151	109.000	M2C4***
Q. 6. IT resource optimization plan should primarily focus on:	Reducing cost of resources	Ensuring availability	Conducting training programs	Information security issues	b	Resource optimization plans primarily focus on the availability of the right resources at the right time. Other requirements are secondary.	M2C4	152	123.000	M2C4
Q. 7. The PRIMARY objective of implementing performance measurement metrics for information assets is to:	Decide appropriate controls to be implemented to protect IT assets	Compare performance of IT assets with industry best practices	Determine contribution of assets to achievement of process goals	Determine span of control during life cycle of IT assets	c	Resource performance is essential to measure the performance of business and IT processes so as to monitor the level of contribution in achieving process goals and hence business objectives. Performance measurement is performed to measure this contribution.	M2C4	153	55.000	M2C4
Q. 8. Which of the following is the PRIMARY purpose of optimizing the use of IT resources within an enterprise?	To increase likelihood of benefit realization	To ensure readiness for future change	To reduce cost of IT investments	To address dependency on IT capabilities	a	IT resource optimization within an enterprise must primarily focus on increasing benefit realization from IT so as to deliver value to business. Ensuring readiness for future change is essential but not the primary purpose. Resource optimization may or may not reduce IT costs, but it will help in increasing return on IT investment. Business dependency on IT depends on capabilities of IT to deliver services to business. Resource optimization is one of the processes to address this dependency, not the objective.	M2C4	154	43.000	M2C4
Q. 9. While monitoring the performance of IT resources the PRIMARY focus of senior management is to ensure that:	IT sourcing strategies focus on using third party services	IT resource replacements are approved as per IT strategic plan	Key goals and metrics for all IT resources are identified	Resources are allocated in accordance with expected performance	d	Management must monitor the performance of IT resources to ensure that the expected benefits from IT are being realized as per planned performance. This is done by allocating IT resources in accordance with the planned performance of business processes cascaded down to IT resources supporting business processes.	M2C4	155	45.000	M2C4
Q. 10. Organization considering deploying application using cloud computing services provided by third party service provider. The MAIN advantage of this arrangement is that it will:	Minimize risks associated with IT	Help in optimizing resource utilization	Ensure availability of skilled resources	Reduce investment in IT infrastructure	b	Outsourcing helps organizations optimize the use of existing IT resources by outsourcing, which in turn helps focus on more critical business requirements and hence improve benefit realization. However, outsourcing may or may not minimize risks associated with IT. Ensuring the availability of skilled resources is not the main advantage. Outsourcing may or may not reduce investment in IT; it may reduce the need for acquisition of IT infrastructure, but there is a cost associated with outsourcing and additional costs for SLA monitoring.	M2C4	156	27.000	M2C4
Q. 1. Which of the following is MOST important to have in a disaster recovery plan?	Backup of compiled object programs	Reciprocal processing agreement	Phone contact list	Supply of special forms	a	A backup of compiled object programs is the most important in a successful recovery. A reciprocal processing agreement is less critical, as alternative equipment can be sourced post-disaster. A phone contact list and special forms are helpful immediately after a disaster, but not as crucial as having the required programs.	M2C5	157	59.000	M2C5
Q. 2. Which of the following BEST describes the difference between a DRP and a BCP? The DRP:	works for natural disasters whereas BCP works for unplanned operating incidents such as technical failures.	works for business process recovery and information systems whereas BCP works only for information systems.	defines all needed actions to restore to normal operation after an unplanned incident whereas BCP only deals with critical operations needed to continue working after an unplanned incident.	is the awareness process for employees whereas BCP contains procedures to recover the operation?	c	The DRP recovers all operations, whereas the BCP focuses on business continuity (minimum requirements to provide services to customers). Choices A, B, and D are incorrect as the type of plan is independent of the disaster or process, and includes both awareness campaigns and procedures.	M2C5	158	105.000	M2C5
Q. 3. The MOST significant level of BCP program development effort is generally required during the:	Early stages of planning.	Evaluation stage.	Maintenance stage.	Testing Stage.	a	The most significant level of program development effort occurs during the early stages of planning. This levels out as the BCP program moves into maintenance, testing, and evaluation stages. During planning, an IS Auditor plays a crucial role in securing senior management's commitment to resources and assigning BCP responsibilities.	M2C5	159	32.000	M2C5
Q. 4. An advantage of the use of hot sites as a backup alternative is:	The costs related to hot sites are low.	Hot sites can be used for a long amount of time.	Hot sites do not require that equipment and systems software be compatible with the primary installation being backed up.	Hot sites can be made ready for operation within a short span of time.	d	Hot sites can be operational within hours, which is a significant advantage. However, they are expensive, should not be considered a long-term solution, and require compatible equipment and systems software with the primary installation.	M2C5	160	55.000	M2C5
Q. 5. All of the following are security and control concerns associated with disaster recovery procedures EXCEPT:	Loss of audit trail.	Insufficient documentation of procedures.	Inability to restart under control.	Inability to resolve system deadlock.	a	The inability to resolve system deadlock is a control concern in the design of database management systems, not disaster recovery procedures. The other options are control concerns associated with disaster recovery procedures.	M2C5***	161	43.000	M2C5***
Q. 6. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?	The previous day's backup file and the current transaction tape	The previous day's transaction file and the current transaction tape	The current transaction tape and the current hardcopy transaction log	The current hardcopy transaction log and the previous day's transaction file	a	The previous day's backup is the most current historical backup of system activity. The current day's transaction file contains all of the day's activity. The combination of these two files allows full recovery up to the point of interruption.	M2C5***	162	112.000	M2C5***
Q. 7. An IS auditor reviewing an organization's information systems disaster recovery plan should verify that it is:	Tested every 1 month.	Regularly reviewed and updated.	Approved by the chief executive officer	Approved by the top management	b	The plan must be reviewed at appropriate intervals to ensure its effectiveness. While it should receive senior management approval, it doesn't necessarily need the CEO's approval if another executive officer is more appropriate. The plan should be tested regularly, but the frequency depends on the organization's nature and the importance of IS.	M2C5	163	32.000	M2C5
Q. 8. Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST concern?	Company name is clearly visible on the facility.	The facility is located outside city limits from the originating city.	The facility does not have any windows.	The facility entrance is located in the back of the building rather than the front.	a	The offsite facility should not be easily identified from the outside to prevent intentional sabotage. The facility should not be subject to the same natural disaster that affected the originating site and must be secured and controlled just as the originating site.	M2C5	164	107.000	M2C5
Q. 9. Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?	Quantitatively measuring the results of the test	Measurement of accuracy	Elapsed time for completion of prescribed tasks	Evaluation of the observed test results	a	Quantitatively measuring the results of the test involves a comprehensive assessment of all activities performed during BCP, providing the best assurance of an effective plan. Choices B and C are quantitative but relate to specific areas or a single viewpoint.	M2C5***	165	80.000	M2C5***
Who is responsible for establishing right structure of decision-making accountabilities?	A. Senior management	B. Operational management	C. Chief information officer	D. IT steering committee	a	The senior management is responsible for ensuring right structure of decision-making accountabilities. The operational management is responsible for ensuring that operations of the enterprise are run as per enterprise policy. The chief information officer is responsible for ensuring IT enabled investments provide business value and the IT steering committee is responsible for steering IT enabled projects toward successful completion of objectives.	M2C1***	166	57.000	M2C1***
The MOST important benefit of implementing Governance of Enterprise IT is:	A. Monitor and measure enterprise performance	B. Provide guidance to IT to achieve business objectives	C. Run the companies to meet shareholders’ interest	D. Ensure strategic alignment of IT with business	d	The MOST important benefit of implementing Governance of Enterprise IT is that it helps in ensuring strategic alignment of IT with business. Alignment of IT strategy in tune with enterprise strategy ensures value delivery from IT enabled investments. The monitoring and measuring of enterprise performance is one of the key processes of EGIT. EGIT does not provide guidance to IT to achieve business objectives but provides overall framework and setting for IT to achieve business objectives. Although EGIT is often implemented from a regulatory perspective and enables enterprises to meet corporate governance requirements, it does not directly focus on running the enterprises based on shareholders’ interest. Shareholders are one of the key stakeholders whose objectives are considered while formulating enterprise goals.	M2C1	167	110.000	M2C1
The primary objective of Corporate Governance is:	A. Reduce IT cost in line with enterprise objectives and performance.	B. Optimise implementation of IT Controls in line with business needs	C. Implement security policies and procedures using best practices.	D. Increase shareholder value by enhancing economic performance.	c	The primary objective of Corporate Governance is increasing shareholder value by enhancing economic performance. Reducing IT cost in line with enterprise objectives and performance is not an objective. Further, optimise implementation of IT Controls in line with business needs has to be considered as part of EGIT and is not directly objective of corporate governance. Implementing security policies and procedures using best practices is not the primary objective of corporate governance.	M2C1***	168	61.000	M2C1***
The ultimate objective Governance of Enterprise IT is to ensure that IT activities in an enterprise are directed and controlled to achieve business objectives for meeting the needs of:	A. Shareholders	B. Stakeholders	C. Investors	D. Regulators	b	The ultimate objective Enterprise Governance of Information Technology (EGIT) is to ensure that IT activities in an enterprise are directed and controlled to achieve business objectives for meeting the needs of the stakeholders. There are multiple stakeholders and EGIT requires balancing the needs of these stakeholders. Shareholders, Investors and Regulators are some of the stakeholders.	M2C1	169	52.000	M2C1
Which of the following is a key component of Corporate Governance?	A. Employee rights	B. Security policy	C. Transparency	D. Risk assessment	c	One of the key components of Corporate Governance is ensuring transparency. This promotes effective governance through establishing, communication and monitoring of performance. Employee rights are not the focus of corporate governance. Security policy as prepared by the IT as applicable for the enterprise is approved by the board. Corporate governance requirements do not provide any specific details of risk assessment but only outline need for implementing risk management as appropriate for the enterprise.	M2C1***	170	7.000	M2C1***
Effective Governance of Enterprise IT requires processes to ensure that:	A. risk is maintained at a level acceptable for IT management	B. the business strategy is derived from an IT strategy	C. IT governance is separate and distinct from the overall governance	D. the IT strategy extends the organization's strategies and objectives.	d	Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives, and that the strategy is aligned with business strategy. Risk acceptance levels are set by senior management, not by IT management. The business strategy drives the IT strategy, not the other way around. IT governance is not an isolated discipline; it must become an integral part of the overall enterprise governance.	M2C1	171	33.000	M2C1
Business Governance helps the Board by enabling them to understand:	A. enterprise functions	B. risk assessment	C. key performance drivers	D. Key controls	c	The primary objective of Business Governance is to ensure performance and hence the focus by Board is to understand and implement key performance drivers. The other options are related to operational areas which are dealt by management at their level as required.	M2C1***	172	81.000	M2C1***
The effectiveness of the IT governance structure and processes are directly dependent upon level of involvement of	A. Heads of Business units	B. Internal auditor department	C. Technology management	D. Board/senior management	d	The Board/senior management play the most critical role in ensuring the effectiveness of the IT governance structure and processes. Hence, the effectiveness of Governance is directly dependent upon their level of involvement. The head of business units work on implementing the directions of the board and are focussed on management. The internal auditor department play an important role in evaluating how well IT governance is implemented but their role is providing guidance. The technology management is responsible for aligning IT strategy in line with the enterprise strategy and implementing IT solutions which help meet enterprise objectives.	M2C1	173	47.000	M2C1
Which of the following is one of the key benefits of EGIT?	A. Identification of relevant laws, regulations and policies requiring compliance.	B. Improved transparency and understanding of IT’s contribution to business	C. Better utilization of human resources by using automation	D. Increased revenues and higher Return on investments.	b	Implementing EGIT requires active collaboration between the board/senior management in directing IT towards enterprise objectives and putting a governance framework in place. Hence, the key benefit of EGIT is the improved transparency and understanding of IT’s contribution to business which is reflected in the performance management system. Although identification of relevant laws, regulations and policies requiring compliance is important in implementing EGIT, this is not the primary benefit. Directly, the focus of EGIT is neither on better utilization of human resources by using automation or on increased revenues and higher return on investments although they are considered as required.	M2C1	174	137.000	M2C1
Which of the following is the primary objective for implementing ERM?	A. Implement right level of controls.	B. Better availability of information.	C. Tighter security at lower cost.	D. Implement IT best practices.	a	The primary objective for implementing ERM is it helps in deciding and implementing the right level of controls. The other 3 options are indirect benefits of implementing ERM.	M2C1	175	42.000	M2C1
The most important requirement for IT governance function to be effective is:	A. Monitoring	B. Evaluation	C. Directing	D. Managing	c	Directing is the most critical of the Governance function which can be performed by the Board. Although, governance has three critical functions: Evaluate, direct and monitor, evaluation and monitoring can be performed against directions.	M2C2	176	31.000	M2C2
The MOST important benefit of implementing IT risk management process is that it helps in:	A. optimizing internal control framework.	B. ensuring residual risk is at acceptable level.	C. prioritizing business functions for audit planning.	D. complying with regulatory requirements.	b	The primary function of IT risk management process is to support value creation by reducing the risk to an acceptable level. The other options are secondary benefits of IT risk management.	M2C2	177	122.000	M2C2
Which of the following is a major risk factor?	A. Existence of inflationary trends.	B. Vendor launches new software.	C. Board of directors elects new chairman.	D. Change in government post elections.	d	Risk factors are conditions that affect the risk profile of organization. Change in government is one of major risk factor as compared with other options.	M2C2***	178	89.000	M2C2***
The level to which an enterprise can accept financial loss from a new initiative is:	A. Risk tolerance	B. Risk management	C. Risk appetite	D. Risk acceptance	c	Risk appetite denotes the level of risk acceptable by management. Risk tolerance is the time up to which an organization can afford to accept the risk. Risk management is a process of risk mitigation and risk acceptance is decision of the management and is considered as risk response.	M2C2	179	29.000	M2C2
Designing and implementing a control to reduce the likelihood and/or impact of risk materializing is a:	A. Risk acceptance	B. Risk transfer	C. Risk treatment	D. Risk transfer	c	Implementing control is a risk treatment.	M2C2	180	16.000	M2C2
Which of the following is a valid risk statement?	A. Network service provider is unable to meet bandwidth.	B. Hacker attempts to launch attack on web site.	C. Application server crash due to power failure.	D. Delay in servicing customers due to network congestion.	d	Options A, B and C are threats and not risks.	M2C2	181	88.000	M2C2
Which of the following is primary reason for periodic review of risk? The changes in:	A. risk factors	B. risk appetite	C. budget	D. risk strategy	a	Changes in risk factors is the primary reason for reviewing changes in risk levels for an organization. The other options are secondary reasons.	M2C2***	182	18.000	M2C2***
Which of the following is a strategic IT risk?	A. IS audit may not identify critical non-compliance.	B. Non-availability of networks impacting services to customers.	C. New application may not achieve expected benefits.	D. Defer replacement of obsolete hardware.	d	Deferring replacement of obsolete hardware is strategic decision and hence it is a strategic IT risk. Others are operational IT risks.	M2C2	183	56.000	M2C2
Which of the following is the most essential action after evaluation of inherent risks?	A. Evaluate implemented controls.	B. Update risk register.	C. Prepare heat map.	D. Prioritized evaluated risk.	a	Once risks are evaluated it is necessary to find out the current state of risk mitigation (gaps in controls) by evaluating the existing controls. This help in identifying gaps and implementing controls so as to reduce the total exposure within acceptable limits. Other activities are required but not as essential as identifying gaps in controls.	M2C2	184	48.000	M2C2
Which of the following is most important resource of the organization?	A. Policies and procedures	B. IT infrastructure and applications	C. Information and data	D. Culture, ethics and behaviour	c	Entire EGIT implementation focuses on Information and data. Policies are defined based on nature of information and data, culture and behaviour. IT infrastructure and applications stores, process and communicates information.	M2C3	185	51.000	M2C3
Which of the following is most important characteristic of policies?	A. Must be limited in number.	B. Requires framework to implement.	C. Reviewed periodically.	D. Non-intrusive and logical.	d	Policies are vehicle to communicate intent of management and hence must be clear and easy to implement that will make them effective. B and C are requirements to maintain policies and A is characteristic of principles.	M2C3	186	75.000	M2C3
Primary function of a process is to:	A. Act on input and generate output.	B. Define activities to be performed.	C. Focus on achieving business goals.	D. Comply with adopted standards.	a	Primary function of process is to process received inputs and generate output to achieve process goals. Process is a set of activities, but it is not primary function to define activities. Although processes are defined to achieve business goals, these are broken down to arrive at process goals. Compliance with standards may need certain processes but the primary function is to process input.	M2C3	187	150.000	M2C3
Effective organizational structure focuses on:	A. Defining designations.	B. Delegating responsibility.	C. Defining escalation path.	D. Deciding span of control.	b	Effectiveness of organization structure depends on right level of delegation of responsibilities. Defining designation is only naming of specific role which is not directly relevant. Other options depend upon level of delegation.	M2C3	188	126.000	M2C3
Prioritization of IT initiatives within organization is primarily based on:	A. Results of risk assessments	B. Expected benefit realization	C. Recommendations of CIO	D. Rate of obsolescence of IT	b	Although the IT steering committee considers all inputs, the primary consideration is expected benefits to the organization.	M2C3	189	79.000	M2C3
Primary objective of IT steering committee is to:	A. Align IT initiatives with business	B. Approve and manage IT projects	C. Supervise IT and business operations	D. Decide IT strategy for organization	a	The primary objective of appointing IT steering committee is to ensure that IT initiatives are in line with business objectives. D is objective of IT strategy committee. B and C are secondary objectives derived from A.	M2C3	190	107.000	M2C3
Which of the following is best control for building requisite skills and competencies within organization?	A. Hiring only highly qualified people	B. Outsourcing the critical operations	C. Conducting skill enhancement training	D. Defining skill requirements in job description	c	The best control for building requisite skills and competencies within organization is to ensure skill enhancement training is provided.	M2C3	191	187.000	M2C3
Which of the following is best approach for monitoring the performance of IT resources?	A. Compare lag indicators against expected thresholds	B. Monitor lead indicators with industry best practices	C. Define thresholds for lag indicators based on long term plan	D. Lead indicators have corresponding lag indicator.	b	Lead indicators are proactive approach for ensuring performance shall be as expected and hence are defined using industry best practices. Lag indicators are useful after the fact (A), Thresholds based on long term plan may not provide input on performance during execution. (C). All lead indicators may not have lag indicator.	M2C4***#	192	168.000	M2C4***#
Performance monitoring using balance score card is most useful since it primarily focuses on:	A. Management perspective	B. Product and services	C. Customer perspectives	D. Service delivery processes	c	The Balance score card (BSC) focuses on Financial, Customer, internal and learning perspective.	M2C4***	193	142.000	M2C4***
Which of the following is considered as an example of a lead indicator?	A. Number of gaps with respect to industry standard.	B. Comparative market position of organization.	C. Percentage of growth achieved over three years.	D. Improvement in customer satisfaction survey.	a	Lead indicators are proactive in nature and helps management in planning. Identification of gaps with respect to industry standard is beginning of process of implementing best practices. Other indicators are result of past performance.	M2C4***	194	201.000	M2C4***
The PRIMARY objective of base lining IT resource performance with business process owners is to:	A. define and implement lead and lag indicators.	B. ensure resource planning is aligned with industry.	C. assess cost effectiveness of outsourcing contracts.	D. benchmark expected performance measurement.	d	In order to plan resources performance of resource must be determined and compared with business expectation from IT. This will help management in implementing performance measures against expected performance. Other options use baselines.	M2C4	195	34.000	M2C4
Which of the following is BEST measure to optimize performance of skilled IT human resources?	A. Include personal development plan in job description.	B. Document personal expectations during exit interviews.	C. Implement ‘Bring Your Own Device (BYOD)’ policy.	D. Monitor performance measure against baseline.	a	Motivation helps human resources in performing better. Career progression planning including in job description along with performance norms shall help in motivating human resources.	M2C4	196	69.000	M2C4
IT resource optimization plan should primarily focus on:	A. Reducing cost of resources	B. Ensuring availability	C. Conducting training programs	D. Information security issues	b	Resource optimization plan primarily focus on availability of right resources at right time. Other requirements are secondary.	M2C4	197	91.000	M2C4
The PRIMARY objective of implementing performance measurement metrics for information assets is to:	A. decide appropriate controls to be implemented to protect IT assets.	B. compare performance of IT assets with industry best practices.	C. determine contribution of assets to achievement of process goals.	D. determine span of control during life cycle of IT assets.	c	Resource performance is essential to measure the performance of business and IT processes so as to monitor the level of contribution in achieving process goals and hence business objectives. Performance measurement is performed to measure this contribution.	M2C4	198	19.000	M2C4
Which of the following is the PRIMARY purpose of optimizing the use of IT resources within an enterprise?	A. To increase likelihood of benefit realization.	B. To ensure readiness for future change.	C. To reduce cost of IT investments.	D. To address dependency on IT capabilities.	a	IT resource optimization within an enterprise must primarily focus on increasing benefit realization from IT so as to deliver value to business. B. Ensuring readiness for future change is essential to meet the growing IT service delivery and is part of resource optimization requirements, but not the primary purpose. C. Resource optimization may or may not reduce IT costs, however it will help in increasing return on IT investment. D. Business dependency on IT depends on capabilities of IT to deliver services to business. Resource optimization is one of the processes to address this dependency not objective.	M2C4	199	144.000	M2C4
While monitoring the performance of IT resources the PRIMARY focus of senior management is to ensure that:	A. IT sourcing strategies focus on using third party services.	B. IT resource replacements are approved as per IT strategic plan.	C. key goals and metrics for all IT resources are identified.	D. resources are allocated in accordance with expected performance.	d	Management must monitor the performance of IT resources to ensure that the expected benefits from IT are being realized as per planned performance. This is done by allocating IT resources in accordance to the planned performance of business process cascaded down to IT resources supporting business processes.	M2C4	200	145.000	M2C4
Organization considering deploying application using cloud computing services provided by third party service provider. The MAIN advantage of this arrangement is that it will:	A. minimize risks associated with IT	B. help in optimizing resource utilization.	C. ensure availability of skilled resources.	D. reduce investment in IT infrastructure.	b	Outsourcing shall help organization in optimizing use of existing IT resources by outsourcing, which in turn shall help in focusing on more critical business requirements and hence improving benefit realization. However, outsourcing may or may not minimize risks associated with IT. i.e. it may minimize risks associated with own investment but may introduce risks associated with outsourcing. Although outsourcing helps in ensuring availability of skilled resources, it is not main advantage. Outsourcing may or may not reduce investment in IT, i.e. it may reduce need for acquisition of IT infrastructure, but there is cost associated with outsourcing and there is additional cost for SLA monitoring.	M2C4	201	195.000	M2C4
Which of the following is MOST important to have in a disaster recovery plan?	A. Backup of compiled object programs	B. Reciprocal processing agreement	C. Phone contact list	D. Supply of special forms	a	Of the choices, a backup of compiled object programs is the most important in a successful recovery. A reciprocal processing agreement is not as important, because alternative equipment can be found after a disaster occurs. A phone contact list may aid in the immediate aftermath, as would an accessible supply of special forms, but neither is as important as having access to required programs.	M2C5***	202	95.000	M2C5***
Which of the following BEST describes difference between a DRP and a BCP? The DRP:	A. works for natural disasters whereas BCP works for unplanned operating incidents such as technical failures.	B. works for business process recovery and information systems whereas BCP works only for information systems.	C. defines all needed actions to restore to normal operation after an un-planned incident whereas BCP only deals with critical operations needed to continue working after an un-planned incident.	D. is the awareness process for employees whereas BCP contains procedures to recover the operation?	c	The difference pertains to the scope of each plan. A disaster recovery plan recovers all operations, whereas a business continuity plan retrieves business continuity (minimum requirements to provide services to the customers or clients). Choices A, B and D are incorrect because the type of plan (recovery or continuity) is independent from the sort of disaster or process and it includes both awareness campaigns and procedures.	M2C5	203	165.000	M2C5
The MOST significant level of BCP program development effort is generally required during the:	A. Early stages of planning.	B. Evaluation stage.	C. Maintenance stage.	D. Testing Stage.	a	A company in the early stages of business continuity planning (BCP) will incur the most significant level of program development effort, which will level out as the BCP program moves into maintenance, testing and evaluation stages. It is during the planning stage that an IS Auditor will play an important role in obtaining senior management's commitment to resources and assignment of BCP responsibilities.	M2C5	204	203.000	M2C5
An advantage of the use of hot sites as a backup alternative is:	A. The costs related with hot sites are low.	B. That hot sites can be used for a long amount of time.	C. That hot sites do not require that equipment and systems software be compatible with the primary installation being backed up.	D. That hot sites can be made ready for operation within a short span of time.	d	Hot sites can be made ready for operation normally within hours. However, the use of hot sites is expensive, should not be considered as a long-term solution and does require that equipment and systems software be compatible with the primary installation being backed up.	M2C5	205	28.000	M2C5
All of the following are security and control concerns associated with disaster recovery procedures EXCEPT:	A. Loss of audit trail.	B. Insufficient documentation of procedures.	C. Inability to restart under control.	D. Inability to resolve system deadlock.	d	The inability to resolve system deadlock is a control concern in the design of database management systems, not disaster recovery procedures. All of the other choices are control concerns associated with disaster recovery procedures.	M2C5	206	92.000	M2C5
As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?	A. The previous day's backup file and the current transaction tape	B. The previous day's transaction file and the current transaction tape	C. The current transaction tape and the current hardcopy transaction log	D. The current hardcopy transaction log and the previous day's transaction file	a	The previous day's backup will be the most current historical backup of activity in the system. The current day's transaction file will contain all of the day's activity. Therefore, the combination of these two files will enable full recovery up to the point of interruption.	M2C5	207	90.000	M2C5
An IS auditor reviewing an organisation's information systems disaster recovery plan should verify that it is:	A. Tested every 1 month.	B. Regularly reviewed and updated.	C. Approved by the chief executive officer	D. Approved by the top management	b	The plan must be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel, otherwise it may quickly become out of date and may no longer be effective (for example, hardware or software changes in the live processing environment are not reflected in the plan). The plan must be subjected to regular testing, but the period between tests will depend on nature of the organisation and relative importance of IS. Three months or even annually may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, it need not be the CEO if another executive officer is equally, or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. the IS disaster recovery plan will usually be a technical document and relevant to IS and communications staff only.	M2C5	208	131.000	M2C5
Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST concern?	A. Company name is clearly visible on the facility.	B. The facility is located outside city limits from the originating city.	C. The facility does not have any windows.	D. The facility entrance is located in the back of the building rather than the front.	a	The offsite facility should not be easily identified from the outside. Signs identifying the company and the contents of the facility should not be present. This is to prevent intentional sabotage of the offsite facility should the destruction of the originating site be from malicious attack. The offsite facility should not be subject to the same natural disaster that affected the originating site. The offsite facility must also be secured and controlled just as the originating site. This includes adequate physical access controls such as locked doors, no windows and human surveillance.	M2C5	209	177.000	M2C5
Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?	A. Quantitatively measuring the results of the test	B. Measurement of accuracy	C. Elapsed time for completion of prescribed tasks	D. Evaluation of the observed test results	a	Quantitatively measuring the results of the test involves a generic statement measuring all the activities performed during BCP, which gives the best assurance of an effective plan. Although choices B and C are also quantitative, they relate to specific areas or an analysis of results from one viewpoint, namely the accuracy of the results and the elapsed time.	M2C5	210	130.000	M2C5
1. Who among the following is responsible for ongoing facilitation of a SDLC project?	Project Sponsor	Project Manager	Steering Committee	Board of Directors	a	The Project Sponsor coordinates stakeholders for project success. The Project Manager executes project activities. The Steering Committee monitors project progress. The Board of Directors provides direction.	M3C1***	211	168.000	M3C1***
2. A Multi-National organization has decided to implement an ERP solution across all geographical locations. The organization shall initiate a:	Project	Program	Portfolio	Feasibility study	b	A program oversees benefits from implementation across various units, broader than a project's scope. A portfolio includes both projects and programs. Option D: Feasibility study pertains to program initiation.	M3C1***	212	98.000	M3C1***
3. Which of the following primarily helps Project Manager in mitigating the risk associated with change in scope of software development project?	Change Management Process	Use of Prototyping	Revising Effort Estimates	Baselining requirements	d	Baselining requirements freezes scope, managing change effectively. Change management without baselining is less effective. Prototyping and revised effort estimates apply after scope is defined.	M3C1***#	213	79.000	M3C1***#
4. Monitoring which of the following aspect of SDLC project shall help organization in benefit realization over sustained period of time?	Quality	Budget	Schedule	Methodology	a	Quality minimizes errors impacting operations, crucial for sustained benefit. Budget, schedule, and methodology are monitored earlier in SDLC.	M3C1	214	172.000	M3C1
5. Which of the following tools and techniques primarily help in improving productivity of SDLC project team members?	Use of Standard Methodology	Software Sizing using FPA	Developers’ Workbench	Appropriate HR Policies	c	Developers’ Workbench automates and enhances productivity. Standard methodology ensures uniformity; software sizing aids cost estimation. HR policies support motivation but are secondary to productivity tools.	M3C1	215	126.000	M3C1
6. While performing mid-term review of SDLC project, the IS Auditor primarily focuses on:	Project Risk Management Process	Adherence to the schedule	Reviewing minutes of Steering Committee Meeting	Cost Management as per budget	a	IS Auditor focuses on risk management to impact all project aspects. Schedule, committee minutes, and budget confirm risk findings.	M3C1***	216	130.000	M3C1***
7. A Project Manager's main responsibility in a project meant to create a product is:	Ensuring it is high grade	To pack exciting features in the product	Ensuring it is high quality	Creating a product within allocated cost and schedule	c	Project Manager ensures product meets specifications and quality benchmarks, not just grading or features.	M3C1***	217	136.000	M3C1***
8. The Project Manager should be able to fulfill the role of:	An Integrator	A Functional Manager	A Line Manager	A Sponsor	a	Project Manager integrates project aspects from initiation to closure. Functional, line, and sponsor roles differ in focus from integration.	M3C1***	218	34.000	M3C1***
9. The most successful Project Manager usually:	Works his/her way up from Assistants in the project office to full-fledged Project Managers, supplementing that experience with formal education.	Comes right from Harvard's MBA program into managing very large projects.	Are the Technical Experts.	Have considerable experience as a Functional Manager before moving into the Project Management arena.	a	Success often stems from varied project roles, supported by education. Direct MBA entry, technical expertise, and functional management experience are secondary factors.	M3C1	219	36.000	M3C1
1. SDLC primarily refers to the process of:	Developing IT based solution to improve business service delivery.	Acquiring upgraded version of hardware for existing applications.	Redesigning network infrastructure as per service provider’s needs.	Understanding expectations of business managers from technology.	a	SDLC primarily focuses on identifying IT based solution to improve business processes delivering services to customers. Other activities may be part of SDLC however, these are IT projects not SDLC projects.	M3C2	220	88.000	M3C2
2. Organizations should adopt programming/coding standards mainly because, it:	Is a requirement for programming using High Level Languages.	Helps in maintaining and updating System Documentation.	Is required for Security and Quality Assurance function of SDLC.	Has been globally accepted practice by large organizations.	c	Adopting coding standards helps organization in ensuring quality of coding and in minimizing the errors. It also helps in reducing obvious errors which may lead to vulnerabilities in application. A is not true since it is required for all languages; B is partially true but is not main reason. D is not main reason.	M3C2***	221	85.000	M3C2***
3. An organization decided to purchase a configurable application product instead of developing in-house. Outcome of which of the following SDLC phase helped organization in this decision?	Requirement Definition	Feasibility Study	System Analysis	Development Phase	b	Make or buy decision is the outcome of feasibility study where technical, economical and social feasibilities are considered. Option A is a statement that indicates what a system needs to do in order to provide a capability. Options C and D are the phases of developing a software.	M3C2***	222	68.000	M3C2***
4. In which of the following phases of SDLC, controls for security must be considered FIRST?	Requirement Definition	Feasibility Study	System Design	Implementation	a	Security requirements must be considered during requirement definition. Option B is a phase in which technical, economical and social feasibilities are considered. Option C is the phase during which, the nature of controls to be implemented for security must be considered first. This will ensure that necessary security controls are built while developing application.	M3C2***	223	139.000	M3C2***
5. IS Auditor has been part of SDLC project team. Which of the following situation does not prevent IS Auditor from performing post implementation review? The IS Auditor has:	Designed the Security Controls.	Implemented Security Controls.	Selected Security Controls.	Developed IntegratedTest facility.	d	Active role of IS Auditor in design and development of controls affects the independence. Hence, IS Auditor cannot perform review or audit of the application system. However, developing integrated test facility within the application is not a control, but a facility to be used by auditors in future. Hence, this does not impact independence of IS auditor. Options A, B and C affect independence of an ISAuditor.	M3C2***	224	100.000	M3C2***
6. An organization has implemented an IT based solutions to support business function. Which of the following situation shall indicate the need to initiate SDLC project?	Vendor has launched a new hardware which is faster.	Organizations has unused surplus budget for IT.	Regulators have requested additional reports from business.	Competitor has launched an efficient IT based service.	d	When a competitor launches new IT based efficient service, it becomes necessary for management to consider the impact in market place and in order to remain in competition organization should provide similar or better services. Option A and C may not require SDLC since it can be adopted with change management process. B may help in deciding for D, but is not the reason for initiating SDLC project.	M3C2***	225	105.000	M3C2***
7. A “Go or No Go” decision for SDLC project is primarily based on:	Feasibility Study	Business Case	Budget Provision	Market Situation	b	Business case is a document that narrates all aspect including benefit realization, cost and effort estimates, outcome of feasibility study, available budget. That helps management in decision on the need of the SDLC project. Rest are secondary aspects.	M3C2	226	23.000	M3C2
8. Which of the following is the primary reason for organization to outsource the SDLC project? Non-availability of:	Skilled Resources	BudgetaryApprovals	Security Processes	Infrastructure	a	Non availability of skilled resources required for application development is primary reason for outsourcing the SDLC project. Other reasons can be addressed. i.e. (B) budget can be made available; (C) security processes can be established. (D) Infrastructure can be acquired, depending upon design of new application and hence it is not a reason.	M3C2***	227	1.000	M3C2***
9. Which of the following is an example of addressing social feasibility issue in SDLC project?	Organization decides to use existing infrastructure.	Beta version of the application is made available to users.	Configuration of purchased software requires more cost.	Allowing employees to access social media sites.	b	In order to ensure the acceptability by users, beta version of solution is made available to users. Based on feedback changes are made so that the solution can be socialized. Option A addresses technical feasibility, Option C addresses economic feasibility. Option D addresses IT policy that has nothing to do with SDLC.	M3C2	228	152.000	M3C2
10. Which of the following is not an indicator to assess benefit realization for internal application software developed in-house?	Increase in number of customers because of new application.	Decrease in audit findings related to regulatory non-compliance.	Reduced number of virus attacks after implementing new software.	Increase in productivity of employees after implementation.	c	Since the application is for internal use and developed in house it has nothing to do with reduction in virus attacks. This can be benefit realization for anti-virus solution.	M3C2***	229	125.000	M3C2***
1. Which of the following is main reason to perform User Acceptance Test (UAT)?	To train and educate users on features of new solution.	To confirm from users that solution meets requirements.	To complete formality of sign-off to mark end of project.	To finalize the implementation plan for new IT solution.	b	UAT is mainly conducted to confirm from the users and application owners that application meets their requirements. Option C is a formality to be completed only if requirements are met. Training and implementation planning are different activities which are not dependent on UAT.	M3C3	230	175.000	M3C3
2. An organization has developed a web based application for the use of internal users to be hosted on intranet. Before finalizing and making it live it was decided to make it available to users for providing feedback. This is an example of:	Internal Audit	Alpha Testing	Beta Testing	User Training	c	Beta testing is making product available to users for feedback before launching. Option A Internal Audits seek to identify any shortcomings in a company's internal controls. Option B Alpha Testing is performed by the developers to identify bugs before releasing the product to real or intended users. Option D User Training helps successful system implementation.	M3C3	231	15.000	M3C3
3. A major concern associated with using sanitized old production data for testing new application is that:	User may not provide sign off.	Production data may be leaked.	Integration testing cannot be performed.	All conditions cannot be tested.	d	Sanitized data generally may not cover all paths the data can take and hence system cannot be tested for all possible cases. Option B leakage of production data is not a major concern since data is sanitized. Options A and C are not concerns.	M3C3	232	84.000	M3C3
4. A tester is executing a test to evaluate that it complies with the user requirement that a certain field be populated by using a dropdown box containing a list of values. Tester is performing __________	White-Box Testing	Black-Box Testing	Load Testing	Regression Testing	b	Black Box testing focuses on the inputs and outputs without knowing their internal code implementation. Option A White Box testing evaluates the code and the internal structure of a program. Option C Load Testing is performed to determine a system's behaviour under both normal and at peak conditions. Option D Regression Testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features.	M3C3***	233	156.000	M3C3***
5. What is the order in which test levels are performed?	Unit, Integration, System, Acceptance	Unit, System, Integration, Acceptance	Unit, Integration, Acceptance, System	It depends on nature of a project	d	Test levels can be combined or reorganized depending upon nature of a project or system architecture. Unit testing refers to test a function, individual program or even a procedure. Integration Testing allows individuals to find interface defects between the modules/functions. System Testing is the first level in which the complete application is tested as a whole. Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release.	M3C3	234	204.000	M3C3
6. Which testing is concerned with behavior of whole product as per specified requirements?	Acceptance Testing	Component Testing	System Testing	Integration Testing	c	System Testing is based on Functional Requirement Specification (FRS), which tells about general behavior of a system. Acceptance testing (or User Acceptance Testing) determines whether the system is ready for release. Component Testing, also known as Unit, Module or Program Testing, is defined as a software testing type, in which the testing is performed on each individual component separately without integrating with other components. Integration testing allows individuals to find interface defects between the modules/functions.	M3C3***	235	184.000	M3C3***
7. Verifying that whether software components are functioning correctly and identifying the defects in them is objective of which level of testing?	Integration Testing	Acceptance Testing	Unit Testing	System Testing	c	Separately testable components are tested in Unit Testing or Component Testing. A Unit Testing tends to test a function, individual program or even a procedure. Option B Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release. Option A Integration Testing allows individuals to find interface defects between the modules/functions. Option D System Testing is the first level in which the complete application is tested as a whole.	M3C3***#	236	124.000	M3C3***#
8. Which technique is applied for usability testing?	White Box	Black Box	Grey Box	Combination of all	b	Usability Testing is mostly done by users. They are not familiar with internal structure of the system and hence Black Box technique is correct answer. Option A White Box testing evaluates the code and the internal structure of a program. Option C Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D does not exist.	M3C3	237	18.000	M3C3
9. If a company decides to migrate from Windows XP to Windows 7, which type of testing is done to ensure whether your software works on new platform?	Interoperability Testing	Portability Testing	Usability Testing	Performance Testing	b	Portability Testing shows the ease with which a computer software component or application can be moved from one environment to another, e.g. moving of any application from Windows XP to Windows 7. Option A Interoperability testing checks whether software can interoperate with other software component, softwares or systems. Option C Usability Testing, is a non-functional testing technique that is a measure of how easily the system can be used by end users. Option D Performance Testing is the process of determining the speed, responsiveness and stability of a computer, network, software program or device under a workload.	M3C3***	238	91.000	M3C3***
10. Boundary value analysis belongs to?	White Box Testing	Black Box testing	White Box & Black Box testing	None of the above	b	Boundary Value Analysis is based on testing at the boundaries between partitions and checks the output with expected output. Option A White Box testing evaluates the code and the internal structure of a program. Option C also known as Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D is not applicable.	M3C3***	239	76.000	M3C3***
1. A company’s labour distribution report requires extensive corrections each month because of labour hours charged to inactive jobs. Which of the following data processing input controls appears to be missing?	Completeness Test	Valid Code Check	Limit Test	Control Total	b	It may check the validity and concurrency of the job code. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is a figure calculated by the system, adding the values in one of the fields in a segment.	M3C4	240	144.000	M3C4
2. A customer inadvertently orders part number 1234-8 instead of 1243-8. Which of the following controls would detect this error during processing?	Hash Total	Check Digit	Limit Check	Financial Batch Total	b	It checks the transposition of the digits. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is used to check the integrity of all records.	M3C4	241	52.000	M3C4
3. Which of the following are not Application Controls?	Numerical Sequence Check	Access Security	Manual follow-up of Exception Reports	Chart of Accounts	b	Access Security is not part of application domain. However options A, C and D are part of the Application Controls.	M3C4	242	18.000	M3C4
4. Which of the following ensures completeness and accuracy of accumulated data?	Processing Control Procedures	Data File Control Procedures	Output Controls	Application Controls	a	Processing controls ensure the completeness and accuracy of accumulated data, for example, editing and run-to-run totals. Option B data file control procedures ensure that only authorized processing occurs to stored data, for example, transaction logs. Option C output controls ensure that data delivered to users will be presented, formatted and delivered in a consistent and secure manner. Option D "Application Controls" is a general term comprising all kinds of controls used in an application.	M3C4***#	243	27.000	M3C4***#
5. An integrated test facility is considered a useful audit tool because it:	Is a cost-efficient approach to auditing Application Controls.	Enables the financial and IS Auditors to integrate their audit tests.	Compares processing output with independently calculated data.	Provides the IS Auditor with a tool to analyze a large range of information.	c	Integrated test facility compares processing output with independently calculated data. An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. Option A, B and D are not the dimensions of integrated test facility.	M3C4	244	3.000	M3C4
Who among the following is responsible for ongoing facilitation of a SDLC project?	A. Project Sponsor	B. Project Manager	C. Steering Committee	D. Board of Directors	a	A is the correct answer. Project Sponsor is a stake holder having maximum interest / stake in the success of project and his primary responsibility is to coordinate with various stakeholders for success of project. Option B: Project Manager is responsible for executing the project activities. Option C: Steering Committee monitors project progress but is not ongoing activity. Option D: Board of Directors provides direction.	M3C1	245	41.000	M3C1
A Multi-National organization has decided to implement an ERP solution across all geographical locations. The organization shall initiate a:	A. Project	B. Program	C. Portfolio	D. Feasibility study	b	B is the correct answer. A program is concerned with the benefits received, from implementing it, whereas project deals with specific deliverables. The scope of the program is wider in comparison to the project. The project works on a single functional unit, while the program works on various functional units. A portfolio contains both projects and programs and is managed by a portfolio manager. Option D: Feasibility study either has been completed or shall be initiated as part of program.	M3C1	246	5.000	M3C1
Which of the following primarily helps Project Manager in mitigating the risk associated with change in scope of software development project?	A. Change Management Process	B. Use of Prototyping	C. Revising Effort Estimates	D. Baselining requirements	d	D is the correct answer. Scope Creep of continued changes in requirements during SDLC project is most common risk. If not properly handled the project may be delayed and benefit realization from the project shall be affected. The Project Manager therefore, must freeze the scope by base-lining requirements. Any change after base-lining shall follow. Option A: Change Management process without base-lining may not help. Project Manager may or may not. Option B: is used for freezing the requirements. Option D: revised effort estimate is applicable after change is approved.	M3C1	247	154.000	M3C1
Monitoring which of the following aspect of SDLC project shall help organization in benefit realization over sustained period of time?	A. Quality	B. Budget	C. Schedule	D. Methodology	a	A is the correct answer. Quality is most important aspect for SDLC project, since it minimizes errors that can impact operations. Options B, C and D are of prior to monitoring phase.	M3C1	248	11.000	M3C1
Which of the following tools and techniques primarily help in improving productivity of SDLC project team members?	A. Use of Standard Methodology	B. Software Sizing using FPA	C. Developers’ Workbench	D. Appropriate HR Policies	c	C is the correct answer. Automated tools help team in improving productivity as these tools help in managing mundane and structure activities and developers can focus on core activities. Developers’ workbench provides various functions that help in improving productivity. Option A: Use of standards help in following uniform methods and reducing rework. Option B: Software Sizing is the main input parameter to cost estimation models. Option D: HR policies may help in motivating team but it is secondary.	M3C1	249	50.000	M3C1
While performing mid-term review of SDLC project, the IS Auditor primarily focuses on:	A. Project Risk Management Process	B. Adherence to the schedule	C. Reviewing minutes of Steering Committee Meeting	D. Cost Management is as per budget	a	A is the correct answer. Auditor should primarily focus on risk management that will provide inputs on events that has impact on all aspects of project. Options B, C and D help in confirming the findings from review of Risk Management process.	M3C1	250	42.000	M3C1
A Project Manager's main responsibility in a project meant to create a product is:	A. Ensuring it is high grade	B. To pack exciting features in the product	C. Ensuring it is high quality	D. Creating a product within allocated cost and schedule	c	C is the correct answer. A Project Manager is responsible to ensure high quality in a way that the final product meets the specifications and quality benchmarks. Options A, B and C are not the main responsibility of a Project Manager.	M3C1	251	113.000	M3C1
The Project Manager should be able to fulfill the role of:	A. An Integrator	B. A Functional Manager	C. A Line Manager	D. A Sponsor	a	A is the correct answer. The Project Manager is responsible for collective project success. The Project Manager integrates a project as a whole. He/she unifies various aspects and processes of initiating, planning, executing, monitoring, control and closure. Options B, C and D is not the role of the Project Manager.	M3C1	252	114.000	M3C1
The most successful Project Manager usually:	A. Works his/her way up from Assistants in the project office to full-fledged Project Managers, supplementing that experience with formal education.	B. Comes right from Harvard's MBA program into managing very large projects.	C. Are the Technical Experts.	D. Have considerable experience as a Functional Manager before moving into the Project Management arena.	a	A is the correct answer. A Project Manager must have experience in working on projects in various roles including the role of a Project Manager. Options B, C and D are secondary aspect.	M3C1	253	28.000	M3C1
SDLC primarily refers to the process of:	A. Developing IT based solution to improve business service delivery.	B. Acquiring upgraded version of hardware for existing applications.	C. Redesigning network infrastructure as per service provider’s needs.	D. Understanding expectations of business managers from technology.	a	A is the correct answer. SDLC primarily focuses on identifying IT based solution to improve business processes delivering services to customers. Other activities may be part of SDLC however, these are IT projects not SDLC projects.	M3C2	254	1.000	M3C2
Organizations should adopt programming/coding standards mainly because, it:	A. Is a requirement for programming using High Level Languages?	B. Helps in maintaining and updating System Documentation.	C. Is required for Security and Quality Assurance function of SDLC.	D. Has been globally accepted practice by large organizations.	c	C is correct answer. Adopting coding standards helps organization in ensuring quality of coding and in minimizing the errors. It also helps in reducing obvious errors which may lead to vulnerabilities in application. A is not true since it is required for all languages; B is partially true but is not main reason. D is not main reason.	M3C2	255	103.000	M3C2
An organization decided to purchase a configurable application product instead of developing in-house. Outcome of which of the following SDLC phase helped organization in this decision?	A. Requirement Definition	B. Feasibility Study	C. System Analysis	D. Development Phase	b	B is the correct answer. Make or buy decision is the outcome of feasibility study where technical, economical and social feasibilities are considered. Option A is a statement that indicates what a system needs to do in order to provide a capability. Options C and D are the phases of developing a software.	M3C2	256	41.000	M3C2
In which of the following phases of SDLC, controls for security must be considered FIRST?	A. Requirement Definition	B. Feasibility Study	C. System Design	D. Implementation	a	A is the correct answer. Security requirements must be considered during requirement definition. Option B is a phase in which technical, economical and social feasibilities are considered. Option C is the phase during which, the nature of controls to be implemented for security must be considered first. This will ensure that necessary security controls are built while developing application.	M3C2	257	138.000	M3C2
IS Auditor has been part of SDLC project team. Which of the following situations does not prevent IS Auditor from performing post implementation review? The IS Auditor has:	A. Designed the Security Controls.	B. Implemented Security Controls.	C. Selected Security Controls.	D. Developed Integrated Test facility.	d	D is the correct answer. Active role of IS Auditor in design and development of controls affects the independence. Hence, IS Auditor cannot perform review or audit of the application system. However, developing integrated test facility within the application is not a control, but a facility to be used by auditors in future. Hence, this does not impact independence of IS auditor. Options A, B and C affect independence of an IS Auditor.	M3C2	258	121.000	M3C2
An organization has implemented an IT based solution to support business function. Which of the following situation shall indicate the need to initiate SDLC project?	A. Vendor has launched a new hardware which is faster.	B. Organizations has unused surplus budget for IT.	C. Regulators have requested additional reports from business.	D. Competitor has launched an efficient IT based service.	d	D is correct answer. When a competitor launches new IT based efficient service, it becomes necessary for management to consider the impact in market place and in order to remain in competition organization should provide similar or better services. Option A and C may not require SDLC since it can be adopted with change management process. B may help in deciding for D, but is not the reason for initiating SDLC project.	M3C2	259	49.000	M3C2
A “Go or No Go” decision for SDLC project is primarily based on:	A. Feasibility Study	B. Business Case	C. Budget Provision	D. Market Situation	b	B is the correct answer. Business case is a document that narrates all aspect including benefit realization, cost and effort estimates, outcome of feasibility study, available budget. That helps management in decision on the need of the SDLC project. Rest are secondary aspects.	M3C2	260	127.000	M3C2
Which of the following is the primary reason for organization to outsource the SDLC project? Non-availability of:	A. Skilled Resources	B. Budgetary Approvals	C. Security Processes	D. Infrastructure	a	A is correct answer. Non availability of skilled resources required for application development is primary reason for outsourcing the SDLC project. Other reasons can be addressed. i.e. (B) budget can be made available; (C) security processes can be established. (D) Infrastructure can be acquired, depending upon design of new application and hence it is not a reason.	M3C2	261	150.000	M3C2
Which of the following is an example of addressing social feasibility issue in SDLC project?	A. Organization decides to use existing infrastructure.	B. Beta version of the application is made available to users.	C. Configuration of purchased software requires more cost.	D. Allowing employees to access social media sites.	b	B is the correct answer. In order to ensure the acceptability by users, beta version of solution is made available to users. Based on feedback changes are made so that the solution can be socialized. Option A addresses technical feasibility, Option C addresses economic feasibility. Option D addresses IT policy that has nothing to do with SDLC.	M3C2	262	21.000	M3C2
Which of the following is not an indicator to assess benefit realization for internal application software developed in-house?	A. Increase in number of customers because of new application.	B. Decrease in audit findings related to regulatory non-compliance.	C. Reduced number of virus attacks after implementing new software.	D. Increase in productivity of employees after implementation.	c	C is the correct answer. Since the application is for internal use and developed in house it has nothing to do with reduction in virus attacks. This can be benefit realization for anti-virus solution.	M3C2	263	156.000	M3C2
Which of the following is main reason to perform User Acceptance Test (UAT)?	A. To train and educate users on features of new solution.	B. To confirm from users that solution meets requirements.	C. To complete formality of sign-off to mark end of project.	D. To finalize the implementation plan for new IT solution.	b	B is the correct answer. UAT is mainly conducted to confirm from the users and application owners that application meets their requirements. Option C is a formality to be completed only if requirements are met. Training and implementation planning are different activities which are not dependent on UAT.	M3C3	264	171.000	M3C3
An organization has developed a web-based application for the use of internal users to be hosted on intranet. Before finalizing and making it live it was decided to make it available to users for providing feedback. This is an example of:	A. Internal Audit	B. Alfa Testing	C. Beta Testing	D. User Training	c	C is the correct answer. Beta testing is making product available to users for feedback before launching. Option A Internal Audits seek to identify any shortcomings in a company's internal controls. Option B Alpha Testing is performed by the developers to identify bugs before releasing the product to real or intended users. Option D User Training helps successful system implementation.	M3C3	265	28.000	M3C3
A major concern associated with using sanitized old production data for testing new application is that:	A. User may not provide sign off.	B. Production data may be leaked.	C. Integration testing cannot be performed.	D. All conditions cannot be tested.	d	D is the correct answer. Sanitized data generally may not cover all paths the data can take and hence system cannot be tested for all possible cases. Option B leakage of production data is not a major concern since data is sanitized. Options A and C are not concerns.	M3C3	266	184.000	M3C3
A tester is executing a test to evaluate that it complies with the user requirement that a certain field be populated by using a dropdown box containing a list of values. Tester is performing __________	A. White-Box Testing	B. Black-Box Testing	C. Load Testing	D. Regression Testing	b	B is the correct answer. Black Box testing focuses on the inputs and outputs without knowing their internal code implementation. Option A White Box testing evaluates the code and the internal structure of a program. Option C Load Testing is performed to determine a system's behaviour under both normal and at peak conditions. Option D Regression Testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features.	M3C3	267	173.000	M3C3
What is the order in which test levels are performed?	A. Unit, Integration, System, Acceptance	B. Unit, System, Integration, Acceptance	C. Unit, Integration, Acceptance, System	D. It depends on nature of a project	d	D is the correct answer. Test levels can be combined or reorganized depending upon nature of a project or system architecture. Unit testing refers to test a function, individual program or even a procedure. Integration Testing allows individuals to find interface defects between the modules/functions. System Testing is the first level in which the complete application is tested as a whole. Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release.	M3C3	268	60.000	M3C3
Which testing is concerned with behavior of whole product as per specified requirements?	A. Acceptance Testing	B. Component Testing	C. System Testing	D. Integration Testing	c	C is the correct answer. System Testing is based on Functional Requirement Specification (FRS), which tells about general behavior of a system. Acceptance testing (or User Acceptance Testing) determines whether the system is ready for release. Component Testing, also known as Unit, Module or Program Testing, is defined as a software testing type, in which the testing is performed on each individual component separately without integrating with other components. Integration testing allows individuals to find interface defects between the modules/functions.	M3C3	269	167.000	M3C3
Verifying that whether software components are functioning correctly and identifying the defects in them is objective of which level of testing?	A. Integration Testing	B. Acceptance Testing	C. Unit Testing	D. System Testing	c	C is the correct answer. Separately testable components are tested in Unit Testing or Component Testing. A Unit Testing tends to test a function, individual program or even a procedure. Option B Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release. Option A Integration Testing allows individuals to find interface defects between the modules/functions. Option D System Testing is the first level in which the complete application is tested as a whole.	M3C3	270	12.000	M3C3
Which technique is applied for usability testing?	A. White Box	B. Black Box	C. Grey Box	D. Combination of all	b	B is the correct answer. Usability Testing is mostly done by users. They are not familiar with internal structure of the system and hence Black Box technique is correct answer. Option A White Box testing evaluates the code and the internal structure of a program. Option C Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D does not exist.	M3C3	271	78.000	M3C3
If a company decides to migrate from Windows XP to Windows 7, which type of testing is done to ensure whether your software works on new platform?	A. Interoperability Testing	B. Portability Testing	C. Usability Testing	D. Performance Testing	b	B is the correct answer. Portability Testing shows the ease with which a computer software component or application can be moved from one environment to another, e.g. moving of any application from Windows XP to Windows 7. Option A Interoperability testing checks whether software can inter-operate with other software component, software or systems. Option C Usability Testing, is a non-functional testing technique that is a measure of how easily the system can be used by end users. Option D Performance Testing is the process of determining the speed, responsiveness and stability of a computer, network, software program or device under a workload.	M3C3	272	85.000	M3C3
Boundary value analysis belongs to?	A. White Box Testing	B. Black Box testing	C. White Box & Black Box testing	D. None of the above	b	B is the correct answer. Boundary Value Analysis is based on testing at the boundaries between partitions and checks the output with expected output. Option A White Box testing evaluates the code and the internal structure of a program. Option C also known as Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D is not applicable.	M3C3	273	62.000	M3C3
A company’s labour distribution report requires extensive corrections each month because of labour hours charged to inactive jobs. Which of the following data processing input controls appears to be missing?	A. Completeness Test	B. Valid Code Check	C. Limit Test	D. Control Total	b	B is the correct answer. It may check the validity and concurrency of the job code. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is a figure calculated by the system, adding the values in one of the fields in a segment. This field is called the control totals key figure field.	M3C4	274	104.000	M3C4
A customer inadvertently orders part number 1234-8 instead of 1243-8. Which of the following controls would detect this error during processing?	A. Hash Total	B. Check Digit	C. Limit Check	D. Financial Batch Total	b	B is the correct answer. It checks the transposition of the digits. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is used to check the integrity of all records.	M3C4	275	117.000	M3C4
Which of the following are not Application Controls?	A. Numerical Sequence Check	B. Access Security	C. Manual follow-up of Exception Reports	D. Chart of Accounts	b	B is the correct answer. Access Security is not part of application domain. However options A, C and D are part of the Application Controls.	M3C4***#	276	142.000	M3C4***#
Which of the following ensures completeness and accuracy of accumulated data?	A. Processing Control Procedures	B. Data File Control Procedures	C. Output Controls	D. Application Controls	a	A is the correct answer. Processing controls ensure the completeness and accuracy of accumulated data, for example, editing and run-to-run totals. Option B data file control procedures ensure that only authorized processing occurs to stored data, for example, transaction logs. Option C output controls ensure that data delivered to users will be presented, formatted and delivered in a consistent and secure manner, for example, using report distribution. Option D "Application Controls" is a general term comprising all kinds of controls used in an application.	M3C4	277	194.000	M3C4
An integrated test facility is considered a useful audit tool because it:	A. Is a cost-efficient approach to auditing Application Controls.	B. Enables the financial and IS Auditors to integrate their audit tests.	C. Compares processing output with independently calculated data.	D. Provides the IS Auditor with a tool to analyze a large range of information.	c	C is the correct answer. Integrated test facility compares processing output with independently calculated data. Explanation: An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy. Option A, B and D are not the dimensions of integrated test facility.	M3C4	278	14.000	M3C4
1. IS management has decided to rewrite a legacy customer relations system using fourth generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs?	Inadequate screen/report design facilities	Complex programming language subsets	Lack of portability across operating systems	Inability to perform data intensive operations	d	Answer: D	MOCKCISA	279	113.000	MOCKCISA
2. Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?	Field checks	Control totals	Reasonableness checks	A before-and-after maintenance report	d	Answer: D	MOCKCISA***	280	124.000	MOCKCISA***
3. Which of the following is a dynamic analysis tool for the purpose of testing software modules?	Blackbox test	Desk checking	Structured walk-through	Design and code	a	Answer: A	MOCKCISA	281	29.000	MOCKCISA
4. Which of the following is MOST likely to result from a business process reengineering (BPR) project?	An increased number of people using technology	Significant cost savings, through a reduction in the complexity of information technology	A weaker organizational structures and less accountability	Increased information protection (IP) risk will increase	a	Answer: A	MOCKCISA***	282	34.000	MOCKCISA***
5. Which of the following devices extends the network and has the capacity to store frames and act as a storage and forward device?	Router	Bridge	Repeater	Gateway	b	Answer: B	MOCKCISA***	283	48.000	MOCKCISA***
6. Which of the following is a benefit of using callback devices?	Provide an audit trail	Can be used in a switchboard environment	Permit unlimited user mobility	Allow call forwarding	a	Answer: A	MOCKCISA	284	83.000	MOCKCISA
7. A call-back system requires that a user with an id and password call a remote server through a dial-up line, then the server disconnects and:	dials back to the user machine based on the user id and password using a telephone number from its database.	dials back to the user machine based on the user id and password using a telephone number provided by the user during this connection.	waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using its database.	waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using the sender's database.	a	Answer: A	MOCKCISA	285	9.000	MOCKCISA
8. Structured programming is BEST described as a technique that:	provides knowledge of program functions to other programmers via peer reviews.	reduces the maintenance time of programs by the use of small-scale program modules.	makes the readable coding reflect as closely as possible the dynamic execution of the program.	controls the coding and testing of the high-level functions of the program in the development process.	b	Answer: B	MOCKCISA***	286	174.000	MOCKCISA***
9. Which of the following data validation edits is effective in detecting transposition and transcription errors?	Range check	Check digit	Validity check	Duplicate check	b	Answer: B	MOCKCISA***	287	54.000	MOCKCISA***
10. An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment is a:	cold site.	warm site.	dial-up site.	duplicate processing facility.	a	Answer: A	MOCKCISA	288	135.000	MOCKCISA
11. A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?	Unit testing	Integration testing	Design walk-throughs	Configuration management	b	Answer: B	MOCKCISA	289	106.000	MOCKCISA
12. In an EDI process, the device which transmits and receives electronic documents is the:	communications handler.	EDI translator.	application interface.	EDI interface.	a	Answer: A	MOCKCISA***	290	46.000	MOCKCISA***
13. The MOST significant level of effort for business continuity planning (BCP) generally is required during the:	testing stage.	evaluation stage.	maintenance stage.	early stages of planning.	d	Answer: D	MOCKCISA	291	31.000	MOCKCISA
14. Which of the following network configuration options contains a direct link between any two host machines?	Bus	Ring	Star	Completely connected (mesh)	d	Answer: D	MOCKCISA	292	14.000	MOCKCISA
15. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?	Check digit	Existence check	Completeness check	Reasonableness check	c	Answer: C	MOCKCISA	293	25.000	MOCKCISA
16. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?	A substantive test of program library controls	A compliance test of program library controls	A compliance test of the program compiler controls	A substantive test of the program compiler controls	b	Answer: B	MOCKCISA	294	144.000	MOCKCISA
17. A data administrator is responsible for:	maintaining database system software.	defining data elements, data names and their relationship.	developing physical database structures.	developing data dictionary system software.	b	Answer: B	MOCKCISA	295	191.000	MOCKCISA
18. A database administrator is responsible for:	defining data ownership.	establishing operational standards for the data dictionary.	creating the logical and physical database.	establishing ground rules for ensuring data integrity and security.	c	Answer: C	MOCKCISA***	296	51.000	MOCKCISA***
19. An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is LEAST likely to expect the job description of the DBA to include:	defining the conceptual schema.	defining security and integrity checks.	liaising with users in developing data model.	mapping data model with the internal schema.	d	Answer: D	MOCKCISA	297	164.000	MOCKCISA
20. To affix a digital signature to a message, the sender must first create a message digest by applying a cryptographic hashing algorithm against:	the entire message and thereafter enciphering the message digest using the sender's private key.	any arbitrary part of the message and thereafter enciphering the message digest using the sender's private key.	the entire message and thereafter enciphering the message using the sender's private key.	the entire message and thereafter enciphering the message along with the message digest using the sender's private key.	a	Answer: A	MOCKCISA	298	173.000	MOCKCISA
21. A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a:	digest signature.	electronic signature.	digital signature.	hash signature.	c	Answer: C	MOCKCISA	299	22.000	MOCKCISA
22. A critical function of a firewall is to act as a:	special router that connects the Internet to a LAN.	device for preventing authorized users from accessing the LAN.	server used to connect authorized users to private trusted network resources.	proxy server to increase the speed of access to authorized users.	b	Answer: B	MOCKCISA	300	74.000	MOCKCISA
23. Which of the following hardware devices relieves the central computer from performing network control, format conversion and message handling tasks?	Spool	Cluster controller	Protocol converter	Front end processor	d	Answer: D	MOCKCISA***	301	172.000	MOCKCISA***
24. The use of a GANTT chart can:	aid in scheduling project tasks.	determine project checkpoints.	ensure documentation standards.	direct the post-implementation review.	a	Answer: A	MOCKCISA	302	21.000	MOCKCISA
25. Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?	Gateway	Protocol converter	Front-end communication processor	Concentrator/multiplexor	a	Answer: A	MOCKCISA	303	16.000	MOCKCISA
26. Which of the following BEST describes the necessary documentation for an enterprise product reengineering (EPR) software installation?	Specific developments only	Business requirements only	All phases of the installation must be documented	No need to develop a customer specific documentation	c	Answer: C	MOCKCISA	304	117.000	MOCKCISA
27. A hub is a device that connects:	two LANs using different protocols.	a LAN with a WAN.	a LAN with a metropolitan area network (MAN).	two segments of a single LAN.	d	Answer: D	MOCKCISA	305	104.000	MOCKCISA
28. A LAN administrator normally would be restricted from:	having end-user responsibilities.	reporting to the end-user manager.	having programming responsibilities.	being responsible for LAN security administration.	c	Answer: C	MOCKCISA***	306	93.000	MOCKCISA***
29. Which of the following is a telecommunication device that translates data from digital form to analog form and back to digital?	Multiplexer	Modem	Protocol converter	Concentrator	b	Answer: B	MOCKCISA	307	195.000	MOCKCISA
30. Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns to identify abnormal patterns and report them?	A neural network	Database management software	Management information systems	Computer assisted audit techniques	a	Answer: A	MOCKCISA	308	34.000	MOCKCISA
31. A hardware control that helps to detect errors when data are communicated from one computer to another is known as a:	duplicate check.	table lookup.	validity check.	parity check.	d	Answer: D	MOCKCISA	309	176.000	MOCKCISA
32. For which of the following applications would rapid recovery be MOST crucial?	Point-of-sale system	Corporate planning	Regulatory reporting	Departmental chargeback	a	Answer: A	MOCKCISA	310	74.000	MOCKCISA
33. The initial step in establishing an information security program is the:	development and implementation of an information security standards manual.	performance of a comprehensive security control review by the IS auditor.	adoption of a corporate information security policy statement.	purchase of security access control software.	c	Answer: C	MOCKCISA	311	116.000	MOCKCISA
34. A malicious code that changes itself with each file it infects is called a:	logic bomb.	stealth virus.	trojan horse.	polymorphic virus.	d	Answer: D	MOCKCISA	312	16.000	MOCKCISA
35. Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness?	Paper test	Post test	Preparedness test	Walk-through	c	Answer: C	MOCKCISA	313	158.000	MOCKCISA
36. An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?	Full operational test	Preparedness test	Paper test	Regression test	b	Answer: B	MOCKCISA	314	181.000	MOCKCISA
37. The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest?	Relocate the shut off switch.	Install protective covers.	Escort visitors.	Log environmental failures.	b	Answer: B	MOCKCISA	315	105.000	MOCKCISA
38. Company.com has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?	Acceptance testing is to be managed by users.	A quality plan is not part of the contracted deliverables.	Not all business functions will be available on initial implementation.	Prototyping is being used to confirm that the system meets business requirements.	b	Answer: B	MOCKCISA***	316	201.000	MOCKCISA***
39. In a public key infrastructure (PKI), the authority responsible for the identification and authentication of an applicant for a digital certificate (i.e., certificate subjects) is the:	registration authority (RA).	issuing certification authority (CA).	subject CA.	policy management authority.	a	Answer: A	MOCKCISA	317	7.000	MOCKCISA
40. Which of the following is a data validation edit and control?	Hash totals	Reasonableness checks	Online access controls	Before and after image reporting	b	Answer: B	MOCKCISA***	318	202.000	MOCKCISA***
41. A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:	reasonableness check.	parity check.	redundancy check.	check digits.	c	Answer: C	MOCKCISA***	319	15.000	MOCKCISA***
42. What is the primary objective of a control self-assessment (CSA) program?	Enhancement of the audit responsibility	Elimination of the audit responsibility	Replacement of the audit responsibility	Integrity of the audit responsibility	a	Answer: A	MOCKCISA	320	100.000	MOCKCISA
43. IS auditors are MOST likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. True or false?	TRUE	FALSE			a	Answer: A	MOCKCISA	321	93.000	MOCKCISA
44. As compared to understanding an organization's IT process from evidence directly collected, how valuable are prior audit reports as evidence?	The same value.	Greater value.	Lesser value.	Prior audit reports are not relevant.	c	Answer: C	MOCKCISA	322	103.000	MOCKCISA
45. What is the PRIMARY purpose of audit trails?	To document auditing efforts	To correct data integrity errors	To establish accountability and responsibility for processed transactions	To prevent unauthorized access to data	c	Answer: C	MOCKCISA	323	68.000	MOCKCISA
46. How does the process of systems auditing benefit from using a risk-based approach to audit planning?	Controls testing starts earlier.	Auditing resources are allocated to the areas of highest concern.	Auditing risk is reduced.	Controls testing is more thorough.	b	Answer: B	MOCKCISA	324	44.000	MOCKCISA
47. After an IS auditor has identified threats and potential impacts, the auditor should:	Identify and evaluate the existing controls	Conduct a business impact analysis (BIA)	Report on existing controls	Propose new controls	a	Answer: A	MOCKCISA***	325	163.000	MOCKCISA***
48. The use of statistical sampling procedures helps minimize:	Detection risk	Business risk	Controls risk	Compliance risk	a	Answer: A	MOCKCISA	326	155.000	MOCKCISA
49. What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?	Business risk	Detection risk	Residual risk	Inherent risk	b	Answer: B	MOCKCISA	327	2.000	MOCKCISA
50. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can:	Identify high-risk areas that might need a detailed review later	Reduce audit costs	Reduce audit time	Increase audit accuracy	c	Answer: C	MOCKCISA	328	191.000	MOCKCISA
51. What type of approach to the development of organizational policies is often driven by risk assessment?	Bottom-up	Top-down	Comprehensive	Integrated	b	Answer: B. Top-down approach to policy development ensures policies are driven by risk assessment and strategic objectives. Option A: Bottom-up approach involves employees' input. Option C: Comprehensive is not a specific approach to policy development. Option D: Integrated approach focuses on combining different elements, not specifically policy development.	MOCKCISA	329	170.000	MOCKCISA
52. Who is accountable for maintaining appropriate security measures over information assets?	Data and systems owners	Data and systems users	Data and systems custodians	Data and systems auditors	a	Answer: A. Data and systems owners are responsible for ensuring security measures are in place. Option B: Users utilize systems but are not responsible for security measures. Option C: Custodians manage and protect information assets. Option D: Auditors assess and review security measures but are not responsible for their maintenance.	MOCKCISA	330	158.000	MOCKCISA
53. Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. True or false?	TRUE	FALSE			a	Answer: A. True. Proper segregation of duties prevents conflicting roles such as those between system analyst and quality assurance. Option B: False would indicate no conflict in duties.	MOCKCISA	331	86.000	MOCKCISA
54. What should an IS auditor do if he or she observes that project-approval procedures do not exist?	Advise senior management to invest in project-management training for the staff	Create project-approval procedures for future project implementations	Assign project leaders	Recommend to management that formal approval procedures be adopted and documented	d	Answer: D. IS auditors should recommend formal approval procedures to ensure structured project management. Option A: Training is not directly related to establishing procedures. Option B: Creating procedures is beyond auditor's role. Option C: Assigning leaders doesn't address procedural gaps.	MOCKCISA	332	172.000	MOCKCISA
55. Who is ultimately accountable for the development of an IS security policy?	The board of directors	Middle management	Security administrators	Network administrators	a	Answer: A. The board of directors holds ultimate accountability for organizational policies. Option B: Middle management may be involved but not primarily accountable. Option C: Security administrators implement policies. Option D: Network administrators manage network operations.	MOCKCISA	333	29.000	MOCKCISA
56. Proper segregation of duties normally does not prohibit a LAN administrator from also having programming responsibilities. True or false?	TRUE	FALSE			b	Answer: B. False. Proper segregation of duties prohibits conflicting roles such as LAN administration and programming. Option A: True would imply no conflict in duties.	MOCKCISA	334	12.000	MOCKCISA
57. A core tenant of an IS strategy is that it must:	Be inexpensive	Be protected as sensitive confidential information	Protect information confidentiality, integrity, and availability	Support the business objectives of the organization	d	Answer: D. An IS strategy must align with and support the business objectives of the organization. Option A: Inexpensiveness is not a core tenet. Option B: Protection is important but not the core tenet. Option C: Confidentiality, integrity, and availability are components, not the core tenet.	MOCKCISA***	335	50.000	MOCKCISA***
58. Batch control reconciliation is a (fill in the blank) control for mitigating risk of inadequate segregation of duties.	Detective	Corrective	Preventative	Compensatory	d	Answer: D. Compensatory controls mitigate risks associated with inadequate segregation of duties. Option A: Detective controls identify issues. Option B: Corrective controls fix issues. Option C: Preventative controls prevent issues.	MOCKCISA	336	192.000	MOCKCISA
59. Key verification is one of the best controls for ensuring that:	Data is entered correctly	Only authorized cryptographic keys are used	Input is authorized	Database indexing is performed properly	a	Answer: A. Key verification ensures data entry accuracy by confirming correctness. Option B: Cryptographic keys are managed differently. Option C: Authorization relates to access. Option D: Database indexing is unrelated to key verification.	MOCKCISA***	337	135.000	MOCKCISA***
60. If senior management is not committed to strategic planning, how likely is it that a company's implementation of IT will be successful?	IT cannot be implemented if senior management is not committed to strategic planning.	More likely.	Less likely.	Strategic planning does not affect the success of a company's implementation of IT.	c	Answer: C. Less likely. Senior management commitment to strategic planning is crucial for IT implementation success. Option A: Absolute statement is too extreme. Option B: Success is less likely, not more likely. Option D: Strategic planning significantly affects IT success.	MOCKCISA	338	139.000	MOCKCISA
61. Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST answer.	Lack of employee awareness of a company's information security policy	Failure to comply with a company's information security policy	A momentary lapse of reason	Lack of security policy enforcement procedures	a	Answer: A. Lack of employee awareness can lead to unintentional breaches of confidentiality. Option B: Non-compliance is deliberate. Option C: Lapse implies a temporary error, not unintentional loss. Option D: Enforcement affects policy adherence, not unintentional loss.	MOCKCISA	339	66.000	MOCKCISA
62. What topology provides the greatest redundancy of routes and the greatest network fault tolerance?	A star network topology	A mesh network topology with packet forwarding enabled at each host	A bus network topology	A ring network topology	b	Answer: B. Mesh network topology with packet forwarding offers the most redundant routes and fault tolerance. Option A: Star topology lacks direct interconnection. Option C: Bus topology shares a single communication line. Option D: Ring topology forms a closed loop.	MOCKCISA	340	113.000	MOCKCISA
63. An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence?	Evidence collected through personal observation	Evidence collected through systems logs provided by the organization's security administration	Evidence collected through surveys collected from internal staff	Evidence collected through transaction reports provided by the organization's IT administration	a	Answer: A. Personal observation provides direct evidence for an IS auditor. Option B: Logs are secondary evidence. Options C and D: Surveys and reports involve indirect evidence.	MOCKCISA	341	86.000	MOCKCISA
64. What kind of protocols does the OSI Transport Layer of the TCP/IP protocol suite provide to ensure reliable communication?	Nonconnection-oriented protocols	Connection-oriented protocols	Session-oriented protocols	Nonsession-oriented protocols	b	Answer: B. Transport Layer provides connection-oriented protocols ensuring reliable communication. Option A: Nonconnection-oriented protocols are unreliable. Option C: Session-oriented protocols manage sessions, not connections. Option D: Nonsession-oriented is not a recognized term.	MOCKCISA	342	68.000	MOCKCISA
65. How is the time required for transaction processing review usually affected by properly implemented Electronic Data Interface (EDI)?	EDI usually decreases the time necessary for review.	EDI usually increases the time necessary for review.	Cannot be determined.	EDI does not affect the time necessary for review.	a	Answer: A. EDI typically decreases transaction processing review time due to automated data exchange. Option B: Increase would suggest inefficiency. Option C: Indeterminate implies uncertain impact. Option D: Incorrect as EDI streamlines processes.	MOCKCISA	343	115.000	MOCKCISA
66. What would an IS auditor expect to find in the console log? Choose the BEST answer.	Evidence of password spoofing	System errors	Evidence of data copy activities	Evidence of password sharing	b	Answer: B. Console logs typically record system errors for auditing and troubleshooting. Option A: Spoofing relates to security logs. Option C: Data copy activities might appear in other logs. Option D: Password sharing is a security concern, not logged in console logs.	MOCKCISA	344	69.000	MOCKCISA
67. Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirely or not at all. Atomicity is part of the ACID test reference for transaction processing. True or false?	TRUE	FALSE			a	Answer: A. True. Atomicity is a fundamental ACID property ensuring transaction completeness. Option B: False would misrepresent ACID compliance.	MOCKCISA	345	109.000	MOCKCISA
68. Why does the IS auditor often review the system logs?	To get evidence of password spoofing	To get evidence of data copy activities	To determine the existence of unauthorized access to data by a user or program	To get evidence of password sharing	c	Answer: C. System logs provide evidence of unauthorized data access, aiding in security assessments. Options A, B, and D: Logs serve other security purposes.	MOCKCISA	346	108.000	MOCKCISA
69. What is essential for the IS auditor to obtain a clear understanding of network management?	Security administrator access to systems	Systems logs of all hosts providing application services	A graphical map of the network topology	Administrator access to systems	c	Answer: C. A graphical map aids in understanding network layout, dependencies, and management needs. Option A: Access is limited to security measures. Option B: Logs are specific to operational data. Option D: Administrator access is broader but not specific to network overview.	MOCKCISA	347	29.000	MOCKCISA
70. How is risk affected if users have direct access to a database at the system level?	Risk of unauthorized access increases, but risk of untraceable changes to the database decreases.	Risk of unauthorized and untraceable changes to the database increases.	Risk of unauthorized access decreases, but risk of untraceable changes to the database increases.	Risk of unauthorized and untraceable changes to the database decreases.	b	Answer: B. Direct access increases both unauthorized access and changes, posing higher risks. Option A: Incorrect as risk of changes remains high. Option C: Access decreases but changes remain high. Option D: Incorrect, as both risks increase.	MOCKCISA	348	47.000	MOCKCISA
71. What is the most common purpose of a virtual private network implementation?	A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.	A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a dedicated T1 connection.	A virtual private network (VPN) helps to secure access within an enterprise when communicating over a dedicated T1 connection between network segments within the same facility.	A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a wireless connection.	a	Answer: A. VPNs primarily secure external communications over insecure networks like the Internet. Options B, C, and D: Incorrect as they describe different scenarios or locations.	MOCKCISA	349	189.000	MOCKCISA
72. What benefit does using capacity-monitoring software to monitor usage patterns and trends provide to management? Choose the BEST answer.	The software can dynamically readjust network traffic capabilities based upon current usage.	The software produces nice reports that really impress management.	It allows users to properly allocate resources and ensure continuous efficiency of operations.	It allows management to properly allocate resources and ensure continuous efficiency of operations.	d	Answer: D. Capacity monitoring aids management in allocating resources for ongoing operational efficiency. Option A: Overstates software capabilities. Option B: Reports are secondary to resource allocation. Option C: Users allocate resources, not software.	MOCKCISA	350	181.000	MOCKCISA
73. What can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program? Choose the BEST answer.	Network-monitoring software	A system downtime log	Administration activity reports	Help-desk utilization trend reports	b	Answer: B. Downtime logs provide direct evidence of maintenance program effectiveness. Option A: Monitors network activity, not maintenance. Options C and D: Focus on different operational aspects.	MOCKCISA	351	195.000	MOCKCISA
74. What are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information? Choose the BEST answer.	Referential integrity controls	Normalization controls	Concurrency controls	Run-to-run totals	a	Answer: C. Concurrency controls manage simultaneous data access, preventing conflicts and corruption. Option A: Maintains data relationships. Option B: Organizes data structure. Option D: Summarizes processed data.	MOCKCISA	352	144.000	MOCKCISA
75. What increases encryption overhead and cost the most?	A long symmetric encryption key	A long asymmetric encryption key	A long Advance Encryption Standard (AES) key	A long Data Encryption Standard (DES) key	b	Answer: B. Asymmetric encryption keys, due to complexity, increase overhead and costs. Option A: Symmetric keys are simpler and cheaper. Options C and D: AES and DES refer to encryption standards, not key lengths.	MOCKCISA	353	187.000	MOCKCISA
76. Which of the following best characterizes "worms"?	Malicious programs that can run independently and can propagate without the aid of a carrier program such as email	Programming code errors that cause a program to repeatedly dump data	Malicious programs that require the aid of a carrier program such as email	Malicious programs that masquerade as common applications such as screensavers or macro-enabled Word documents	a	Answer: A. Worms are self-propagating malware requiring no carrier, spreading autonomously. Option B: Describes programming bugs. Option C: Relates to email-borne malware. Option D: Refers to different types of malware.	MOCKCISA	354	14.000	MOCKCISA
77. What is an initial step in creating a proper firewall policy?	Assigning access to users according to the principle of least privilege	Determining appropriate firewall hardware and software	Identifying network applications such as mail, web, or FTP servers	Configuring firewall access rules	c	Answer: C. Identifying network applications helps define firewall policy rules and scope. Option A: Part of policy implementation. Option B: Precedes policy definition. Option D: Follows policy definition.	MOCKCISA	355	7.000	MOCKCISA
78. What type of cryptosystem is characterized by data being encrypted by the sender using the recipient's public key, and the data then being decrypted using the recipient's private key?	With public-key encryption, or symmetric encryption	With public-key encryption, or asymmetric encryption	With shared-key encryption, or symmetric encryption	With shared-key encryption, or asymmetric encryption	b	Answer: B. Public-key encryption uses sender's public and recipient's private keys for secure communication. Option A: Symmetric encryption uses one key. Options C and D: Shared-key terms are inaccurate in describing encryption types.	MOCKCISA	356	145.000	MOCKCISA
79. How does the SSL network protocol provide confidentiality?	Through symmetric encryption such as RSA	Through asymmetric encryption such as Data Encryption Standard, or DES	Through asymmetric encryption such as Advanced Encryption Standard, or AES	Through symmetric encryption such as Data Encryption Standard, or DES	d	Answer: D. SSL uses symmetric encryption (e.g., DES) for data confidentiality during transmission. Options A, B, and C: Incorrectly identify SSL encryption methods.	MOCKCISA	357	16.000	MOCKCISA
80. What are used as the framework for developing logical access controls?	Information systems security policies	Organizational security policies	Access Control Lists (ACL)	Organizational charts for identifying roles and responsibilities	a	Answer: A. Information systems security policies guide development and implementation of logical access controls. Option B: General policies not specific to access controls. Option C: Lists specific permissions but not framework. Option D: Charts identify roles but not access controls.	MOCKCISA***	358	38.000	MOCKCISA***
81. Which of the following are effective controls for detecting duplicate transactions such as payments made or received?	Concurrency controls	Reasonableness checks	Time stamps	Referential integrity controls	c	Answer: C. Time stamps uniquely identify transactions, aiding in detecting duplicates. Option A: Manages simultaneous data access. Option B: Verifies data accuracy but not duplication. Option D: Maintains data relationships.	MOCKCISA	359	168.000	MOCKCISA
82. Which of the following is a good control for protecting confidential data residing on a PC?	Personal firewall	File encapsulation	File encryption	Host-based intrusion detection	c	Answer: C. File encryption secures data on PC by converting plaintext into ciphertext. Option A: Shields against network threats. Option B: Protects files from accidental changes. Option D: Monitors and responds to suspicious activities.	MOCKCISA	360	109.000	MOCKCISA
83. Which of the following is a guiding best practice for implementing logical access controls?	Implementing the Biba Integrity Model	Access is granted on a least-privilege basis, per the organization's data owners	Implementing the Take-Grant access control model	Classifying data according to the subject's requirements	b	Answer: B. Least-privilege access aligns access rights with data owners' requirements, enhancing security. Option A: Defines data integrity levels. Option C: Models privilege assignment differently. Option D: Focuses on data classification, not access control.	MOCKCISA	361	131.000	MOCKCISA
84. What does PKI use to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions?	A combination of public-key cryptography and digital certificates and two-factor authentication	A combination of public-key cryptography and two-factor authentication	A combination of public-key cryptography and digital certificates	A combination of digital certificates and two-factor authentication	c	Answer: C. PKI employs public-key cryptography and digital certificates to secure Internet transactions. Option A: Incorrect, as it adds two-factor authentication. Options B and D: Incorrect, omitting digital certificates or two-factor authentication.	MOCKCISA	362	153.000	MOCKCISA
85. Which of the following do digital signatures provide?	Authentication and integrity of data	Authentication and confidentiality of data	Confidentiality and integrity of data	Authentication and availability of data	a	Answer: A. Digital signatures verify sender identity and data integrity, ensuring authenticity. Option B: Ensures secrecy but not integrity. Option C: Verifies integrity but not authentication. Option D: Ensures data accessibility, not authentication.	MOCKCISA	363	164.000	MOCKCISA
86. Regarding digital signature implementation, which of the following answers is correct?	A digital signature is created by the sender to prove message integrity by encrypting the message with the sender's private key. Upon receiving the data, the recipient can decrypt the data using the sender's public key.	A digital signature is created by the sender to prove message integrity by encrypting the message with the recipient's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's public key.	A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it.	A digital signature is created by the sender to prove message integrity by encrypting the message with the sender's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's private key.	c	Answer: C. Digital signatures use hashing to ensure message integrity, verifiable by the recipient. Option A: Incorrect, misstates key roles. Option B: Incorrect, inaccurately describes encryption process. Option D: Incorrect, misidentifies decryption key roles.	MOCKCISA***	364	134.000	MOCKCISA***
87. Which of the following would provide the highest degree of server access control?	A mantrap-monitored entryway to the server room	Host-based intrusion detection combined with CCTV	Network-based intrusion detection	A fingerprint scanner facilitating biometric access control	d	Answer: D. Biometric access control uniquely verifies users, enhancing server security. Option A: Physical barrier, not user authentication. Option B: Monitors and alerts but lacks direct access control. Option C: Monitors network traffic, not physical access.	MOCKCISA	365	198.000	MOCKCISA
88. What are often the primary safeguards for systems software and data?	Administrative access controls	Logical access controls	Physical access controls	Detective access controls	b	Answer: B. Logical access controls restrict system and data access to authorized users. Option A: Manages administrative rights, not system-wide access. Option C: Secures physical premises, not data. Option D: Detects unauthorized access, not preventing it.	MOCKCISA	366	117.000	MOCKCISA
89. Which of the following BEST characterizes a mantrap or deadman door, which is used as a deterrent control for the vulnerability of piggybacking?	A monitored double-doorway entry system	A monitored turnstile entry system	A monitored doorway entry system	A one-way door that does not allow exit after entry	a	Answer: A. Mantraps restrict access to one person at a time, preventing unauthorized entry. Option B: Manages controlled entry, not preventing multiple entries. Option C: Access management, not preventing piggybacking. Option D: Restricts exit, not entry.	MOCKCISA	367	8.000	MOCKCISA
90. Which of the following is an effective method for controlling downloading of files via FTP? Choose the BEST answer.	An application-layer gateway, or proxy firewall, but not stateful inspection firewalls	An application-layer gateway, or proxy firewall	A circuit-level gateway	A first-generation packet-filtering firewall	b	Answer: B. Proxy firewalls control FTP file transfers by verifying and filtering content. Option A: Incorrect, as stateful inspection also controls traffic. Options C and D: Insufficiently control FTP file transfers.	MOCKCISA	368	162.000	MOCKCISA
91. Which of the following provides the strongest authentication for physical access control?	A. Sign-in logs	B. Dynamic passwords	C. Key verification	D. Biometrics	d		MOCKCISA	369	17.000	MOCKCISA
92. What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off? Choose the BEST answer.	A. Employee security awareness training	B. Administrator alerts	C. Screensaver passwords	D. Close supervision	c		MOCKCISA	370	107.000	MOCKCISA
93. What can ISPs use to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources? Choose the BEST answer.	A. OSI Layer 2 switches with packet filtering enabled	B. Virtual Private Networks	C. Access Control Lists (ACL)	D. Point-to-Point Tunneling Protocol	c		MOCKCISA	371	25.000	MOCKCISA
94. What is the key distinction between encryption and hashing algorithms?	A. Hashing algorithms ensure data confidentiality	B. Hashing algorithms are irreversible	C. Encryption algorithms ensure data integrity	D. Encryption algorithms are not irreversible	b		MOCKCISA	372	59.000	MOCKCISA
95. Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?	A. Data diddling	B. Skimming	C. Data corruption	D. Salami attack	a		MOCKCISA	373	9.000	MOCKCISA
96. Which of the following is used to evaluate biometric access controls?	A. FAR	B. EER	C. ERR	D. FRR	b		MOCKCISA	374	36.000	MOCKCISA
97. Who is ultimately responsible and accountable for reviewing user access to systems?	A. Systems security administrators	B. Data custodians	C. Data owners	D. Information systems auditors	c		MOCKCISA	375	108.000	MOCKCISA
98. Establishing data ownership is an important first step for which of the following processes? Choose the BEST answer.	A. Assigning user access privileges	B. Developing organizational security policies	C. Creating roles and responsibilities	D. Classifying data	d		MOCKCISA	376	37.000	MOCKCISA
99. Which of the following is MOST is critical during the business impact assessment phase of business continuity planning?	A. End-user involvement	B. Senior management involvement	C. Security administration involvement	D. IS auditing involvement	a		MOCKCISA***	377	103.000	MOCKCISA***
100. What type of BCP test uses actual resources to simulate a system crash and validate the plan's effectiveness?	A. Paper	B. Preparedness	C. Walk-through	D. Parallel	b		MOCKCISA	378	109.000	MOCKCISA
101. Which of the following typically focuses on making alternative processes and resources available for transaction processing?	A. Cold-site facilities	B. Disaster recovery for networks	C. Diverse processing	D. Disaster recovery for systems	d	Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing in case of a disaster.	MOCKCISA	379	104.000	MOCKCISA
102. Which type of major BCP test only requires representatives from each operational area to meet to review the plan?	A. Parallel	B. Preparedness	C. Walk-through	D. Paper	c	A walk-through is a major BCP test that involves representatives from each operational area meeting to review the plan and identify any issues or gaps.	MOCKCISA	380	12.000	MOCKCISA
103. What influences decisions regarding criticality of assets?	A. The business criticality of the data to be protected	B. Internal corporate politics	C. The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole	D. The business impact analysis	c	Decisions regarding criticality of assets are influenced by both the business criticality of the data and the scope of its impact on the organization as a whole.	MOCKCISA	381	129.000	MOCKCISA
104. Of the three major types of off-site processing facilities, what type is characterized by at least providing for electricity and HVAC?	A. Cold site	B. Alternate site	C. Hot site	D. Warm site	a	A cold site is an off-site processing facility that provides at least electricity and HVAC (Heating, Ventilation, and Air Conditioning), but lacks pre-configured IT infrastructure.	MOCKCISA	382	42.000	MOCKCISA
105. With the objective of mitigating the risk and impact of a major business interruption, a disaster recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs associated with recovery. Although DRP results in an increase of pre-and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. True or false?	A. True	B. False			a	True. A well-implemented disaster recovery plan (DRP) aims to minimize recovery time and costs, often justifying increased operational costs with reduced business impact and recovery costs.	MOCKCISA	383	147.000	MOCKCISA
106. Of the three major types of off-site processing facilities, what type is often an acceptable solution for preparing for recovery of noncritical systems and data?	A. Cold site	B. Hot site	C. Alternate site	D. Warm site	a	A cold site is often used for noncritical systems and data as it provides basic facilities without the cost of a fully operational hot or warm site.	MOCKCISA	384	136.000	MOCKCISA
107. Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following? Choose the BEST answer.	A. IT strategic plan	B. Business continuity plan	C. Business impact analysis	D. Incident response plan	b	Changes in systems assets, like hardware replacements, should be recorded in the business continuity plan's asset inventory to maintain accurate tracking and management of critical resources.	MOCKCISA***	385	186.000	MOCKCISA***
108. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the . (fill-in-the-blank)	A. Security administrator	B. Systems auditor	C. Board of directors	D. Financial auditor	c	Executive management, such as the board of directors, holds ultimate responsibility and accountability for Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) despite implementation by others in the organization.	MOCKCISA	386	128.000	MOCKCISA
109. Obtaining user approval of program changes is very effective for controlling application changes and maintenance. True or false?	A. True	B. False			a	True. User approval of program changes helps in controlling application changes and ensuring that modifications meet operational needs and standards.	MOCKCISA	387	113.000	MOCKCISA
110. Library control software restricts source code to:	A. Read-only access	B. Write-only access	C. Full access	D. Read-write access	a	Library control software typically restricts source code to read-only access to prevent unauthorized modifications and ensure version control integrity.	MOCKCISA	388	36.000	MOCKCISA
111. When is regression testing used to determine whether new application changes have introduced any errors in the remaining unchanged code?	A. In program development and change management	B. In program feasibility studies	C. In program development	D. In change management	a	Regression testing in program development and change management verifies that new changes do not affect existing, unchanged code adversely.	MOCKCISA***	389	159.000	MOCKCISA***
112. What is often the most difficult part of initial efforts in application development? Choose the BEST answer.	A. Configuring software	B. Planning security	C. Determining time and resource requirements	D. Configuring hardware	c	Determining time and resource requirements is crucial in the initial stages of application development, influencing project feasibility and success.	MOCKCISA	390	69.000	MOCKCISA
113. What is a primary high-level goal for an auditor who is reviewing a system development project?	A. To ensure that programming and processing environments are segregated	B. To ensure that proper approval for the project has been obtained	C. To ensure that business objectives are achieved	D. To ensure that projects are monitored and administrated effectively	c	The primary goal of reviewing a system development project is to ensure that it aligns with achieving business objectives, ensuring its relevance and value to the organization.	MOCKCISA	391	104.000	MOCKCISA
114. Whenever an application is modified, what should be tested to determine the full impact of the change? Choose the BEST answer.	A. Interface systems with other applications or systems	B. The entire program, including any interface systems with other applications or systems	C. All programs, including interface systems with other applications or systems	D. Mission-critical functions and any interface systems with other applications or systems	b	Testing the entire program, including interfaces, ensures that all aspects affected by the modification are thoroughly validated for correct functionality and integration.	MOCKCISA	392	21.000	MOCKCISA
115. The quality of the metadata produced from a data warehouse is in the warehouse's design. Choose the BEST answer.	A. Often hard to determine because the data is derived from a heterogeneous data environment	B. The most important consideration	C. Independent of the quality of the warehoused databases	D. Of secondary importance to data warehouse content	b	The quality of metadata in a data warehouse heavily depends on its initial design, ensuring accurate and useful metadata for effective data management and analysis.	MOCKCISA***	393	65.000	MOCKCISA***
116. Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system's inputs and outputs. True or false?	A. True	B. False			b	Function Point Analysis (FPA) estimates system size based on inputs, outputs, and other factors, not solely on their number and complexity, making the statement false.	MOCKCISA	394	186.000	MOCKCISA
117. Who assumes ownership of a systems-development project and the resulting system?	A. User management	B. Project steering committee	C. IT management	D. Systems developers	a	User management typically assumes ownership of systems-development projects and their outcomes, ensuring alignment with business needs and usability.	MOCKCISA***	395	6.000	MOCKCISA***
118. If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further:	A. Documentation development	B. Comprehensive integration testing	C. Full unit testing	D. Full regression testing	b	Positive results in module testing warrant comprehensive integration testing to validate interactions and dependencies between components, ensuring system integrity.	MOCKCISA	396	63.000	MOCKCISA
119. When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false?	A. True	B. False			b	IS auditors should ensure both system controls and adequate documentation exist for systems-development projects to maintain compliance, security, and operational clarity, making the statement false.	MOCKCISA***	397	66.000	MOCKCISA***
120. What is a reliable technique for estimating the scope and cost of a software-development project?	A. Function point analysis (FPA)	B. Feature point analysis (FPA)	C. GANTT	D. PERT	a	Function Point Analysis (FPA) provides a reliable estimate of software-development scope and cost based on functional aspects, aiding in project planning and resource allocation.	MOCKCISA***	398	155.000	MOCKCISA***
121. Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects?	A. Function Point Analysis (FPA)	B. GANTT	C. Rapid Application Development (RAD)	D. PERT	d	PERT (Program Evaluation and Review Technique) considers various scenarios for planning and controlling projects, enhancing project management efficiency and flexibility.	MOCKCISA***	399	44.000	MOCKCISA***
122. If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do? Choose the BEST answer.	A. Lack of IT documentation is not usually material to the controls tested in an IT audit.	B. The auditor should at least document the informal standards and policies. Furthermore, the IS auditor should create formal documented policies to be implemented.	C. The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.	D. The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should create formal documented policies to be implemented.	c	Documenting informal standards and policies, testing for compliance, and recommending formal documented policies to management ensure alignment with best practices and regulatory requirements in IS auditing.	MOCKCISA	400	76.000	MOCKCISA
Which of the following is a common feature for all the policies?	A. Encryption	B. Standards	C. Acceptable use policy	D. Process	c	The correct answer is C. An Acceptable use policy is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. It must be abided by all employees of the organization. Choices A, B, and D are not common to all policies.	M4C1	401	175.000	M4C1
Which of the following is not an HRM function?	A. Recruitment	B. Cyber security training	C. Security Policy approval	D. Appraisal	c	The correct answer is C. Approval of the Policy is responsibility of the Governing Board of the organization. All other options are the functions of the HRM.	M4C1	402	15.000	M4C1
Which of the following training an employee can acquire while working on his/her desk in the office?	A. E-learning	B. Simulator based training	C. Instructor led training	D. Hands on training	a	The correct answer is A. E-learning is a learning environment which uses information and communication technologies (ICT's) as a platform for teaching and learning activities. Rest of the trainings require in person attendance and cannot be done from the office desk.	M4C1	403	182.000	M4C1
For an unexpected and sudden changes in technology, organisations need to be	A. Innovative	B. Agile	C. Expert	D. Doer	b	The correct answer is B. Agility is the organization's ability to quickly or proactively react to technological changes. Choices A, C, and D are based on the need of the organization and not necessarily due to change in technology or the environment in which the organization operates.	M4C1	404	178.000	M4C1
Who owns the data in a department?	A. System owner	B. Process owner	C. Data custodian	D. Data owner	d	The correct answer is D. The data owner has the ability to create, edit, modify, share and restrict access to the data. Data ownership also defines the data owner’s ability to assign, share or surrender all of these privileges to a third party. The IT Department acts as the Data Custodian, responsible for the safe custody, transport, storage of the data and implementation of business rules. System Owner is a person or department having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system. Process Owner is a person, who is accountable for the performance of the process and manages the process on a daily basis.	M4C1	405	151.000	M4C1
The GREATEST challenge in outsourcing data processing is	A. Data confidentiality	B. Distance	C. Data integrity	D. Cost	a	The correct answer is A. The main challenge while choosing outsourcing data processing is data confidentiality. Companies feel comfortable in sharing data, only with employees whom they trust or who are bounded by the contractual commitments to keep the data undisclosed. Majority of the outsourcing firms sign a strict non disclosure agreement with the companies which assures that the data would be kept confidential and any breach on the agreement would be punishable under the law. Choices B and D are advantages of outsourcing. Data integrity is the overall completeness, accuracy and consistency of data. Data integrity although very important but does not pose a greater challenge than data confidentiality.	M4C1	406	102.000	M4C1
Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?	A. Network administrators are responsible for quality assurance	B. Security administrators are system programmers	C. End users are security administrators for critical applications	D. Systems analysts are database administrators	b	The correct answer is B. When individuals serve multiple roles, this represents a separation of duties problem and is associated with risk. Security administrators should not be system programmers, due to the associated rights of both functions. A person with both security and programming rights could do almost anything on a system. The other combinations of roles are valid from a separation of duties perspective. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of security and programming, which would allow nearly unlimited abuse of privilege. In some distributed environments, especially with small staffing levels, users may also manage security. While a database administrator is a very privileged position and it would not be in conflict with the role of a systems analyst.	M4C1	407	165.000	M4C1
Accountability for the maintenance of appropriate security measures over information assets resides with:	A. Security administrator	B. Systems administrator	C. Data and systems owners	D. Systems operations group	c	The correct answer is C. Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery / operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.	M4C1***	408	146.000	M4C1***
The decision-making environment of an operational level manager can be characterized as:	A. Structured	B. Semi-structured	C. Unstructured	D. None of these	a	The correct answer is A. Operational level manager is the lowest level of manager and engaged in day-to-day activities, which require detailed information. Hence the decision-making environment is required to be structured. For administrative and top management, the decision-making environment is semi-structured and unstructured respectively.	M4C1	409	43.000	M4C1
Which department is MOST LIKELY to store Personally identifiable information (PII) data?	A. Management	B. Information System Department	C. Marketing Department	D. Human Resource Department	d	The correct answer is D. Personally, identifiable information (PII) is any information about an individual that can be used to distinguish or trace an individual's identity, such as name, PAN, Aadhaar Number, date and place of birth, mother's maiden name, or biometric records. The HRM System stores PII of all employee data. Choices A, B, C do not store or process employee personal information, they have operations or transaction data.	M4C1	410	101.000	M4C1
Why should organizations want to manage logs?	A. To be informed when something unusual happens involving a system or application	B. To be able to do take action in response to a security event	C. To keep a record of all the responses to security events	D. All of the above	d	The correct answer is D. Log management systems provide insight into a variety of incidents/issues with systems and devices, as well as being a compliance requirement under many regulations. For all of the above reasons, log management is a necessity for enterprise security.	M4C2	411	196.000	M4C2
When implementing a log management program, it's BEST to start with:	A. Technology from a trusted vendor	B. The same program and process that organizations with similar business are using	C. List of top-three vendors from a published report	D. A careful review of the organization's log management and reporting needs	d	The correct answer is D. Without understanding what logging capabilities the organization has (or doesn't have) and what information is needed from those logs, it's impossible to implement an effective log management program. Choice A, B, and C may help in selecting the vendor but are not the starting points.	M4C2	412	51.000	M4C2
The security principle of least privilege is:	A. The practice of limiting permissions to the minimal level that will allow users to perform their jobs.	B. The practice of increasing permissions to a level that will allow users to perform their jobs and those of their supervisor.	C. The practice of limiting permissions to a level that will allow users to perform their jobs and those of their immediate colleagues.	D. The practice of increasing permissions to a level that will allow users to use the cloud services of their choice in order to get their jobs done more quickly.	a	The correct answer is A. The principle of least privilege is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Enforcing least privilege plays a key role in limiting the damage that malicious users may cause. Choice B, C, and D do not accurately describe the principle of least privilege.	M4C2	413	176.000	M4C2
Why does privilege creep pose a security risk?	A. Users privileges don't match their job or role and responsibilities.	B. Because with more privileges there are more responsibilities.	C. Users have more privileges than they need and may use them to perform actions outside of their job description.	D. Auditors may question about a mismatch between an individual's responsibilities and their privileges and access rights.	c	The correct answer is C. Privilege creep occurs when users accumulate access rights beyond what they need to perform their jobs, increasing the risk of misuse or abuse of those privileges. Choice A, B, and D do not adequately describe the security risk posed by privilege creep.	M4C2	414	123.000	M4C2
Software Configuration management is the discipline for systematically controlling	A. Changes due to the evolution of work products as the project progresses	B. The changes required due to defects being found which are to be fixed	C. Changes necessary due to change in requirements	D. All of the above	d	The correct answer is D. Software Configuration Management involves managing changes to software items throughout the Software Development Life Cycle (SDLC). This includes changes due to evolving work products, defect fixes, and changes in requirements. Therefore, all options are part of Software Configuration Management.	M4C2	415	128.000	M4C2
Which of the following is the top priority that companies planning to implement an asset management system should examine?	A. The visual appeal of websites, internal search pages and marketing collateral	B. Number of videos, audio files and other multimedia assets available	C. Specific data needs and the business problems to be solved	D. All of the above	c	The correct answer is C. When implementing an asset management system, it's crucial to first assess specific data needs and align them with business objectives. This ensures that the system addresses core business challenges effectively. Choices A and B may influence system selection but are not top priority considerations.	M4C2	416	191.000	M4C2
Self-service assistance to users provided by help-desk such as resetting passwords etc. is considered which level of assistance?	A. Level 4	B. Level 0	C. Level 2	D. Level 1	b	The correct answer is B. Level 0 assistance is characterized by self-service options where users can resolve basic issues independently, such as resetting passwords. Choices A, C, and D involve varying levels of assistance provided by help desk operators.	M4C2	417	124.000	M4C2
During development of a software system, which of the following will be used to maintain software integrity?	A. Configuration Management	B. Version Control	C. Change Management	D. None of the above	b	The correct answer is B. Version Control ensures software integrity by managing changes to source code and other artifacts, tracking versions, and facilitating collaboration among developers. Choices A and C are related but precede version control in the development process.	M4C2	418	175.000	M4C2
Who of the following would approve or reject major changes in configuration?	A. Management	B. Change control board	C. User	D. System Administrator	b	The correct answer is B. A Change Control Board is responsible for evaluating and approving/rejecting major changes in configuration to ensure they align with project goals and do not introduce unnecessary risks. Choices A, C, and D do not typically have authority over major configuration changes.	M4C2	419	201.000	M4C2
A transaction in a database management system should be atomic in nature. An Atomic Transaction is:	A. Transaction should be submitted by a user	B. Transaction should be either completed or not completed at all	C. Transaction should fail	D. Transaction can be in-between fail and complete	b	The correct answer is B. An Atomic Transaction in a database management system is indivisible and must be either fully completed or fully aborted (rolled back). Choices A, C, and D do not accurately describe atomicity in transactions.	M4C2	420	170.000	M4C2
The main focus of acceptance testing is	A. Ensuring that the system is acceptable to management	B. Accepting errors & bugs in the system	C. Ensuring that the system is acceptable to users	D. Ensuring that the system is acceptable to auditors	c	The correct answer is C. Acceptance testing verifies that the software system meets business requirements and is acceptable to end users. Choices A, B, and D do not accurately describe the focus of acceptance testing.	M4C3	421	114.000	M4C3
Which of the following tests would be carried out when individual software modules are combined together as a group?	A. Integration testing	B. Unit testing	C. System testing	D. White box testing	a	The correct answer is A. Integration testing involves testing integrated units/modules to expose faults in their interaction. Choices B, C, and D refer to different testing levels or types.	M4C3	422	153.000	M4C3
Which of the following should be reviewed to provide assurance of the database referential integrity?	A. Field definition	B. Master table definition	C. Composite keys	D. Foreign key structure	d	The correct answer is D. Referential integrity in a relational database is ensured through foreign key relationships. Options A, B, and C are related to database structure but do not directly ensure referential integrity.	M4C3***	423	20.000	M4C3***
When evaluating the effectiveness and adequacy of a preventive computer maintenance program, which of the following would be considered to be MOST helpful to an IS Auditor?	A. A system downtime log	B. Vendors' reliability figures	C. Regularly scheduled maintenance log	D. A written preventive maintenance schedule	a	The correct answer is A. A system downtime log provides direct evidence of the effectiveness of preventive maintenance. Options B, C, and D are related to preventive maintenance but do not directly measure its effectiveness.	M4C3	424	184.000	M4C3
In a relational DBMS a record refers to which of the following	A. Tuple	B. Rows	C. Column	D. Transaction	a	The correct answer is A. In a relational database, a record is referred to as a tuple. Choices B, C, and D do not accurately represent a record in this context.	M4C3***	425	82.000	M4C3***
Which of the following will ensure that a column in one table will have a valid value or shall be “null” in another table’s column?	A. Primary key	B. Secondary key	C. SQL	D. Foreign key	d	The correct answer is D. A foreign key constraint ensures referential integrity between tables by requiring values in one table to match values in another table's primary key or unique key. Choices A, B, and C do not enforce this relationship.	M4C3	426	127.000	M4C3
Database normalization is	A. Data redundancy optimization	B. Data logging and accountability	C. Streamlining data process	D. Deleting temporary files	a	The correct answer is A. Database normalization organizes data to minimize redundancy and dependency, improving data integrity and reducing anomalies. Choices B, C, and D describe other database-related activities but not normalization.	M4C3***	427	68.000	M4C3***
Which of the following is NOT a property of database transactions?	A. Consistency	B. Atomicity	C. Insulation	D. Durability	c	The correct answer is C. The correct property is Isolation, not Insulation. ACID properties of database transactions are Atomicity, Consistency, Isolation, and Durability.	M4C3	428	127.000	M4C3
After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?	A. Stress	B. Black box	C. Interface	D. System	d	The correct answer is D. System testing is appropriate to verify all functionalities and interfaces affected by the patch across modules. Options A, B, and C test specific aspects but do not cover the entire system affected by the patch.	M4C3	429	195.000	M4C3
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:	A. Apply the patch according to the patch's release notes.	B. Ensure that a good change management process is in place.	C. Thoroughly test the patch before sending it to production.	D. Approve the patch after doing a risk assessment.	b	The correct answer is B. Ensuring a robust change management process includes thorough testing, risk assessment, and adherence to procedures to prevent future incidents. Options A, C, and D are steps within the change management process but do not address process robustness directly.	M4C3	430	165.000	M4C3
Basic operation of the SIEM tools, on the logs collected from the devices is	A. Correlating the log	B. Collecting the log	C. Analysing the log	D. Live Correlating the log	d	The correct answer is D. SIEM tools primarily perform live correlation of logs, analyzing patterns and sequences in real-time. Options A, B, and C are related to different aspects of log handling but do not fully describe the core operation of SIEM.	M4C4	431	158.000	M4C4
Which of the following is not a part of SIEM tools?	A. Sensor	B. Collector	C. Agent	D. Log	c	The correct answer is C. SIEM tools integrate sensors, collectors, and logs to gather and analyze security data. An agent, although part of IT infrastructure, is not typically classified as part of SIEM. Options A, B, and D are integral components of SIEM tools.	M4C4***	432	14.000	M4C4***
Which one is not the part of SIEM application?	A. Risk assessment	B. Vulnerability Scanning	C. Real time monitoring	D. Normalization	d	The correct answer is D. Normalization is a database design concept unrelated to SIEM applications. SIEM focuses on real-time monitoring, event correlation, and security management functions. Options A, B, and C are relevant to SIEM applications.	M4C4	433	54.000	M4C4
How does a SIEM tool handle the issue of Completeness of log?	A. Encryption	B. Hashing	C. Digital Signing	D. Time stamping	b	The correct answer is B. Hashing ensures the integrity and completeness of logs by detecting tampering or modification. Encryption, digital signing, and time stamping serve other security purposes but do not specifically address log completeness.	M4C4	434	135.000	M4C4
The computer security incident response team (CSIRT) of an organization publishes detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:	A. Use this information to launch attacks	B. Forward the security alert	C. Implement individual solutions	D. Fail to understand the threat	a	The correct answer is A. Disseminating threat details can inadvertently empower attackers if users misuse the information. Options B, C, and D describe less severe concerns or outcomes.	M4C4***	435	2.000	M4C4***
The main goal of Security Operation Centre (SOC) is	A. Detect, analyse and report	B. Detect, analyse and respond	C. Collect, analyse and report	D. Collect, analyse and respond	b	The correct answer is B. SOC's primary objective is to detect security incidents, analyze their impact, and respond promptly to mitigate risks. Reporting, while important, is secondary to response in SOC operations.	M4C4	436	158.000	M4C4
What is the primary purpose of an incident management program?	A. Identify and assess incidents	B. Conduct lessons learned sessions	C. Alert key individuals	D. Assign responsibility	a	The correct answer is A. Incident management aims to identify, assess, and manage incidents to minimize impact and restore services quickly. Options B, C, and D are activities that may follow incident identification but are not primary objectives.	M4C4***	437	81.000	M4C4***
SOC shall be ineffective without the support of –	A. Risk	B. Budget	C. Top management	D. Quality	c	The correct answer is C. Effective SOC operations require strong support from top management to establish strategy, allocate resources, and drive organizational change. Options A, B, and D are important but do not ensure SOC effectiveness as much as top management support does.	M4C4	438	23.000	M4C4
Phases of an incident management program	A. Prepare, Respond, and follow up	B. Plan, prepare, and respond	C. Plan, prepare and follow up	D. Prepare, plan and respond	a	The correct answer is A. Incident management typically involves phases of preparation, response, and follow-up to ensure incidents are managed comprehensively. Options B, C, and D do not present the phases in the correct order or completeness.	M4C4	439	154.000	M4C4
Within an Incident Response Management program, the Containment phase aims to	A. Block the event	B. Reduce the impact	C. Remove the event	D. Rise the event	b	The correct answer is B. During containment, the goal is to minimize the impact of the incident and prevent further damage. Options A, C, and D describe actions that may be part of incident response but do not define the containment phase specifically.	M4C4	440	113.000	M4C4
Which of the following is a common feature for all the policies?	A. Encryption	B. Standards	C. Acceptable use policy	D. Process	c	The correct answer is C. An Acceptable use policy is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. It must be abided by all employees of the organization. Choices A, B, and D are not common to all policies.	M4C1	441	6.000	M4C1
Which of the following is not an HRM function?	A. Recruitment	B. Cyber security training	C. Security Policy approval	D. Appraisal	c	The correct answer is C. Approval of the Policy is the responsibility of the Governing Board of the organization. All other options are functions of HRM.	M4C1	442	81.000	M4C1
Which of the following training an employee can acquire while working on his/her desk in the office?	A. E-learning	B. Simulator based training	C. Instructor led training	D. Hands on training	a	The correct answer is A. E-learning is a learning environment which uses information and communication technologies (ICTs) as a platform for teaching and learning activities. Rest of the trainings require in-person attendance and cannot be done from the office desk.	M4C1	443	84.000	M4C1
For an unexpected and sudden changes in technology, organisations need to be	A. Innovative	B. Agile	C. Expert	D. Doer	b	The correct answer is B. Agility is the organization's ability to quickly or proactively react to technological changes. Choices A, C, and D are based on the need of the organization and not necessarily due to change in technology or the environment in which the organization operates.	M4C1	444	63.000	M4C1
Who owns the data in a department?	A. System owner	B. Process owner	C. Data custodian	D. Data owner	d	The correct answer is D. The data owner has the ability to create, edit, modify, share and restrict access to the data. Data ownership also defines the data owner’s ability to assign, share or surrender all of these privileges to a third party. The IT Department acts as the Data Custodian, responsible for the safe custody, transport, storage of the data and implementation of business rules. System Owner is a person or department having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system. Process Owner is a person, who is accountable for the performance of the process and manages the process on a daily basis.	M4C1	445	182.000	M4C1
The GREATEST challenge in outsourcing data processing is	A. Data confidentiality	B. Distance	C. Data integrity	D. Cost	a	The correct answer is A. The main challenge while choosing outsourcing data processing is data confidentiality. Companies feel comfortable in sharing data only with employees whom they trust or who are bounded by the contractual commitments to keep the data undisclosed. Majority of the outsourcing firms sign a strict non-disclosure agreement with the companies which assures that the data would be kept confidential and any breach on the agreement would be punishable under the law. Choices B and D are advantages of outsourcing. Data integrity is the overall completeness, accuracy and consistency of data. Data integrity although very important but does not pose a greater challenge than data confidentiality.	M4C1	446	145.000	M4C1
Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?	A. Network administrators are responsible for quality assurance	B. Security administrators are system programmers	C. End users are security administrators for critical applications	D. Systems analysts are database administrators	b	The correct answer is B. When individuals serve multiple roles, this represents a separation of duties problem and is associated with risk. Security administrators should not be system programmers, due to the associated rights of both functions. A person with both security and programming rights could do almost anything on a system. The other combinations of roles are valid from a separation of duties perspective. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of security and programming, which would allow nearly unlimited abuse of privilege. In some distributed environments, especially with small staffing levels, users may also manage security. While a database administrator is a very privileged position and it would not be in conflict with the role of a systems analyst.	M4C1***	447	61.000	M4C1***
Accountability for the maintenance of appropriate security measures over information assets resides with:	A. Security administrator	B. Systems administrator	C. Data and systems owners	D. Systems operations group	c	The correct answer is C. Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.	M4C1	448	113.000	M4C1
The decision-making environment of an operational level manager can be characterized as:	A. Structured	B. Semi-structured	C. Unstructured	D. None of these	a	The correct answer is A. Operational level manager is the lowest level of manager and engaged in day-to-day activities, which require detailed information. Hence the decision-making environment is required to be structured. For administrative and top management, the decision-making environment is semi-structured and unstructured respectively.	M4C1	449	163.000	M4C1
Which department is MOST LIKELY to store Personally identifiable information (PII) data?	A. Management	B. Information System Department	C. Marketing Department	D. Human Resource Department	d	The correct answer is D. Personally identifiable information (PII) is any information about an individual that can be used to distinguish or trace an individual's identity, such as name, PAN, Aadhaar Number, date and place of birth, mother's maiden name, or biometric records. The HRM System stores PII of all employee data. Choices A, B, C do not store or process employee personal information; they have operations or transaction data.	M4C1	450	50.000	M4C1
Why should organizations want to manage logs?	A. To be informed when something unusual happens involving a system or application	B. To be able to do take action in response to a security event	C. To keep a record of all the responses to security events	D. All of the above	d	Log management systems provide insight into a variety of incidents / issues with systems and devices, as well as being a compliance requirement under many regulations. For all of the above reasons, log management is a necessity for enterprise security.	M4C2	451	126.000	M4C2
When implementing a log management program, it's BEST to start with:	A. Technology from a trusted vendor	B. The same program and process that organizations with similar business are using	C. List of top-three vendors from a published report	D. A careful review of the organization's log management and reporting needs	d	Without understanding what logging capabilities, the organization has (or doesn't have) and what information is needed from those logs, it's impossible to implement an effective log management program. Choice A, B and C may help in selection of the vendor but are not the starting points.	M4C2	452	159.000	M4C2
The security principle of least privilege is:	A. The practice of limiting permissions to the minimal level that will allow users to perform their jobs.	B. The practice of increasing permissions to a level that will allow users to perform their jobs and those of their supervisor.	C. The practice of limiting permissions to a level that will allow users to perform their jobs and those of their immediate colleagues.	D. The practice of increasing permissions to a level that will allow users to use the cloud services of their choice in order to get their jobs done more quickly.	a	The principle of least privilege is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. The users are granted permission to read, write or execute only the files or resources they need to do their jobs, or restricting access rights for applications, systems, processes and devices to only those permissions required to perform authorized activities. Enforcing least privilege plays a key role in limiting (containing) the damage that malicious users may cause. Choice B, C and D do not indicate the principle of least privilege.	M4C2	453	144.000	M4C2
Why does privilege creep pose a security risk?	A. Users privileges don't match their job or role and responsibilities.	B. Because with more privileges there are more responsibilities.	C. Users have more privileges than they need and may use them to perform actions outside of their job description.	D. Auditors may question about a mismatch between an individual's responsibilities and their privileges and access rights.	c	Auditors certainly will question if they find that users have greater privileges than they need to perform their jobs, but the real risk is that a disgruntled user could abuse their elevated privileges, so C is the right answer and not A, B and D.	M4C2	454	191.000	M4C2
Software Configuration management is the discipline for systematically controlling	A. Changes due to the evolution of work products as the project progresses	B. The changes required due to defects being found which are to be fixed	C. Changes necessary due to change in requirements	D. All of the above	d	Software Configuration Management is defined as a process to systematically manage, organize, and control the changes in the software programs, documents, codes, and other entities during the Software Development Life Cycle. Any change in the software configuration Items will affect the final product. Therefore, changes to configuration items need to be controlled and managed. Hence all the options are important.	M4C2	455	14.000	M4C2
Which of the following is the top priority that, companies planning to implement an asset management system should examine?	A. The visual appeal of websites, internal search pages and marketing collateral	B. Number of videos, audio files and other multimedia assets available	C. Specific data needs and the business problems to be solved	D. All of the above	c	Asset Management is a process used to keep track of the equipment and inventory vital to day-to-day operation of the business. Asset management requirements should be aligned with the business objectives. Choice A and B may assist in selection of an appropriate system based on the needs of the organization but are not top priority requirements.	M4C2	456	46.000	M4C2
Self-service assistance to users provided by help-desk such as resetting passwords etc. is considered which level of assistance?	A. Level 4	B. Level 0	C. Level 2	D. Level 1	b	Level 0, because it is self-service. Choice A, C and D are those, where help desk operator would help the user.	M4C2	457	132.000	M4C2
During development of a software system, which of the following will be used to maintain software integrity?	A. Configuration Management	B. Version Control	C. Change Management	D. None of the above	b	Version Control. Choice A and C are steps before version control.	M4C2	458	72.000	M4C2
Who of the following would approve or reject major changes in configuration?	A. Management	B. Change control board	C. User	D. System Administrator	b	Projects receive multiple change requests and these must be evaluated by the change control board. A change control board is a group of individuals responsible for reviewing and analyzing change requests and recommending or making decisions on requested changes to the baselined work. Poor change control can significantly impact the project in terms of scope, cost, time, risk, and benefits. Choice A, C and D do not have authority to approve or reject major changes.	M4C2	459	146.000	M4C2
A transaction in a database management system should be atomic in nature. An Atomic Transaction is:	A. Transaction should be submitted by a user	B. Transaction should be either completed or not completed at all	C. Transaction should fail	D. Transaction can be in-between fail and complete	b	Atomicity is either a complete transaction or a failed transaction. It does not permit transient stage or partially complete transactions. Choice A, C and D are not correct.	M4C2	460	183.000	M4C2
The main focus of acceptance testing is	A. Ensuring that the system is acceptable to management	B. Accepting errors & bugs in the system	C. Ensuring that the system is acceptable to users	D. Ensuring that the system is acceptable to auditors	c	The correct answer is C. Acceptance testing is a testing technique performed to determine whether or not the software system has met the requirement specifications. The main purpose of this test is to evaluate the system's compliance with the business requirements and verify if it has met the required criteria for delivery to end users. Choices A, B, and D are not the focus of acceptance testing.	M4C3	461	152.000	M4C3
Which of the following test would be carried out when, individual software modules are combined together as a group?	A. Integration testing	B. Unit testing	C. System testing	D. White box testing	a	The correct answer is A. Integration testing is a level of software testing where individual units are combined and tested as a group. The purpose of this level of testing is to expose faults in the interaction between integrated units. Option B is module testing, while C is complete system testing, and Option D is testing of internal logic as well.	M4C3***	462	6.000	M4C3***
Which of the following should be reviewed to provide assurance of the database referential integrity	A. Field definition	B. Master table definition	C. Composite keys	D. Foreign key structure	d	The correct answer is D. Referential integrity in a relational database refers to consistency between linked tables. Referential integrity is usually enforced by the combination of a primary key and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table’s primary key. Option A Field definitions describe the layout of the table but are not directly related to referential integrity. Option B Master table definition describes the structure of the database but is not directly related to referential integrity. Option C Composite keys describe how the keys are created but are not directly related to referential integrity.	M4C3	463	203.000	M4C3
When evaluating the effectiveness and adequacy of a preventive computer maintenance program, which of the following would be considered to be MOST helpful to an IS Auditor?	A. A system downtime log	B. Vendors' reliability figures	C. Regularly scheduled maintenance log	D. A written preventive maintenance schedule	a	The correct answer is A. A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control. Option B Vendor’s reliability figures are not an effective measure of a preventive maintenance program. Option C Reviewing the log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well. Option D A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.	M4C3***	464	51.000	M4C3***
In a relational DBMS a record refers to which of the following	A. Tuple	B. Rows	C. Column	D. Transaction	a	The correct answer is A. Tuple. Record is called tuple. Choice B, C, and D do not represent a record. Choice B is many rows and not a single row.	M4C3	465	176.000	M4C3
Which of the following will ensure that a column in one table will have a valid value or shall be “null” in another table’s column?	A. Primary key	B. Secondary key	C. SQL	D. Foreign key	d	The correct answer is D. Foreign key. Primary key does not represent relation; it is the same key in another table and represents relation with the table where it is the primary key.	M4C3	466	157.000	M4C3
Database normalization is	A. Data redundancy optimization	B. Data logging and accountability	C. Streamlining data process	D. Deleting temporary files	a	The correct answer is A. Normalization is a database design technique that organizes tables in a manner that reduces redundancy and dependency of data. Normalization divides larger tables into smaller tables and links them using relationships. The purpose of Normalization is to eliminate redundant (useless) data and ensure data is stored logically. The main idea with this is that a table should be about a specific topic and only supporting topics included. By limiting a table to one purpose, you reduce the number of duplicate data contained within your database. This eliminates some issues stemming from database modifications.	M4C3	467	130.000	M4C3
Which of the following is NOT a property of database transactions?	A. Consistency	B. Atomicity	C. Insulation	D. Durability	c	The correct answer is C. It is isolation, not insulation. A transaction in a database should be designed in such a way that it satisfies the ACID property. A is Atomicity, C is Consistency, I is Isolation, and D is Durability. This means that when a programmer or DA defines a transaction (such as Insert or Update), it should be defined in such a way that it will satisfy the ACID test, i.e., the transaction will be atomic (not divisible further), when completed it will keep the database in a consistent state, it will be isolated while it is executing, and it will be written on a persistent (permanent) storage such as secondary storage.	M4C3	468	13.000	M4C3
After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?	A. Stress	B. Black box	C. Interface	D. System	d	The correct answer is D. Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. System testing will test all the functionality and interfaces between modules. Option A Stress testing relates to capacity and availability and does not apply in these circumstances. Option B Black box testing would be performed on the individual modules, but the entire system should be tested because more than one module was changed. Option C Interface testing would test the interaction with external systems, but would not validate the performance of the changed system.	M4C3	469	128.000	M4C3
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:	A. Apply the patch according to the patch's release notes.	B. Ensure that a good change management process is in place.	C. Thoroughly test the patch before sending it to production.	D. Approve the patch after doing a risk assessment	b	The correct answer is B. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.	M4C3***	470	113.000	M4C3***
Basic operation of the SIEM tools, on the logs collected from the devices is	A. Correlating the log	B. Collecting the log	C. Analysing the log	D. Live Correlating the log	d	The correct answer is D. Log correlation is about constructing rules that look for sequences and patterns in log events that are not visible in the individual log sources. The basic function of an SIEM is to correlate logs online and perform analysis that would otherwise be done by repetitive human analysis.	M4C4***	471	126.000	M4C4***
Which of the following is not a part of SIEM tools?	A. Sensor	B. Collector	C. Agent	D. Log	c	The correct answer is C. SIEM is defined as a complex set of technologies to provide real-time event collection, monitoring, correlating, and analyzing events across disparate sources, making it easier to monitor and troubleshoot IT infrastructure in real time. An Agent is third party tool for supporting devices. Options A, B and D are part of SIEM tools.	M4C4	472	84.000	M4C4
Which one is not the part of SIEM application?	A. Risk assessment	B. Vulnerability Scanning	C. Real time monitoring	D. Normalization	d	The correct answer is D. Normalization is a database design technique that organizes tables in a manner that reduces redundancy and dependency of data. Normalization divides larger tables into smaller tables and links them using relationships. Option D is not part of SIEM applications.	M4C4	473	4.000	M4C4
How does a SIEM tool handle the issue of Completeness of log?	A. Encryption	B. Hashing	C. Digital Signing	D. Time stamping	b	The correct answer is B. A privileged user with some knowledge on the internal structure of the SIEM data can easily delete logs, backdate logs, or modify existing logs. Hashing log files or log entries and storing the hash on disk for future verification ensuring integrity and completeness of the logs. For encryption, signing and time stamping you need a well-managed public key infrastructure (PKI) with secure hardware storage for keys.	M4C4***	474	170.000	M4C4***
The computer security incident response team (CSIRT) of an organization publishes detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:	A. Use this information to launch attacks	B. Forward the security alert	C. Implement individual solutions	D. Fail to understand the threat	a	The correct answer is A. An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. Option B Forwarding the security alert is not harmful to the organization. Option C Implementing individual solutions is unlikely and inefficient, but not a serious risk. Option D Users failing to understand the threat would not be a serious concern.	M4C4	475	174.000	M4C4
The main goal of Security Operation Centre (SOC) is	A. Detect, analyse and report	B. Detect, analyse and respond	C. Collect, analyse and report	D. Collect, analyse and respond	b	The correct answer is B. A Security Operation Centre (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to security incidents. Reporting is not the part of SOC.	M4C4	476	193.000	M4C4
What is the primary purpose of an incident management program?	A. Identify and assess incidents	B. Conduct lessons learned sessions	C. Alert key individuals	D. Assign responsibility	a	The correct answer is A. Incident Response Management Program aims to manage the lifecycle of all Incidents (unplanned interruptions or reductions in quality of IT services). The primary objective of this program is to identify, assess, analyze, and correct the incidents to prevent a future re-occurrence and to make available the IT service to users as quickly as possible.	M4C4	477	49.000	M4C4
SOC shall be ineffective without the support of –	A. Risk	B. Budget	C. Top management	D. Quality	c	The correct answer is C. Without clear executive support, a SOC may be ineffective, and its value will not be realized. Creating an effective SOC requires support to establish a clear mandate for the SOC and a long-term strategy, and also a strong SOC leader to drive organizational change and develop a culture of security. The SOC leader shall take care of Risks and Quality.	M4C4	478	35.000	M4C4
Phases of an incident management program	A. Prepare, Respond, and follow up	B. Plan, prepare, and respond	C. Plan, prepare and follow up	D. Prepare, plan and respond	a	The correct answer is A. Incident response program can be broken down into four broad phases: (1) Preparation; (2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post-Event Activity. Hence Option A Prepare, Respond, and follow up, are in correct order. Options B, C and D are incomplete.	M4C4***	479	13.000	M4C4***
Within an Incident Response Management program, the Containment phase aims to	A. Block the event	B. Reduce the impact	C. Remove the event	D. Rise the event	b	The correct answer is B. When a breach is first discovered, in the containment phase, the Incident Response team after having gathered the information and gained an understanding of the incident, will begin to combat the threat by taking actions to prevent further damage, such as closing ports or blocking IPs. Hence Option B is the correct answer.	M4C4	480	182.000	M4C4
Which of the following shall BEST help in deciding upon the protection level for information asset?	A. Location of asset.	B. Impact of risk.	C. Vulnerabilities in asset.	D. Inventory of threats	b	B is the correct answer. Other options i.e. location of asset, existing vulnerabilities in asset shall be covered during risk assessments. Inventory of threats only will not help; impact due to threat must be assessed.	M5C1	481	176.000	M5C1
Which of the following is a risk response option?	A. Determine likelihood of threat	B. Determine probability of risk	C. Deciding amount of insurance cover	D. Prepare risk profile report	c	C is the correct answer. Of the four main risk response options accept, avoid, mitigate and transfer, Insurance cover is a risk response option of risk transfer.	M5C1	482	140.000	M5C1
After a Tsunami, a business decides to shift the location of data centre from coastal area to mid land. Which type of risk response option it has exercised?	A. Accept	B. Avoid	C. Mitigate	D. Transfer	b	B is the correct answer. BY shifting location, the business has avoided the risk associated with Tsunami.	M5C1***	483	109.000	M5C1***
Organizations capacity to sustain loss due to uncertainty and expressed in monetary terms is best known as:	A. Risk appetite	B. Risk tolerance	C. Risk acceptance	D. Risk mitigation	a	A is the correct answer. It is the definition of risk appetite. Risk tolerance is capacity to tolerate down time due to risk materialization. Risk acceptance and risk mitigation are risk response decision based on risk appetite.	M5C1	484	36.000	M5C1
Main use of maintaining and updating risk register is to:	A. Define controls	B. Identify risk owner	C. Built risk profile	D. Maintain evidence	c	C is the correct answer. Main use of risk register is to develop risk profile of the organization for management’s review and enable risk informed decisions.	M5C1	485	181.000	M5C1
Of the following, who is accountable for deciding and implementing controls based on risk mitigation plan?	A. Chief risk officer	B. Risk owner	C. IT operations manager	D. Board of directors	b	B is the correct answer. Risk owner is primarily accountable for deciding and implementing on nature of controls. Generally, risk owner is process owner. Chief risk office guides risk owner, IT head is responsible for responding to risk owned by IT head. Although board of directors is ultimately accountable, for specific risk, risk owners are responsible.	M5C1***#	486	203.000	M5C1***#
Which of the following is a risk factor that may have impact on organization?	A. Management decides to acquire new application software.	B. A new application required by organization is released.	C. Vendor decides to stop supporting existing application.	D. Organization retires old application that is not in use.	c	C is the correct answer. Vendor decides to stop supporting existing software changes the market situation that will affect organization, since it has to take decision on replacing application. Release of new application though changes market; it may not affect the organization immediately as the organization may not need to take action. Options A and D are internal decisions and will be done after risk assessment and hence these are not risk factors.	M5C1	487	102.000	M5C1
While auditing risk monitoring process which of the following IS auditor should review FIRST?	A. Risk assessment process	B. Risk management framework	C. Alignment with business risks	D. Annual review of risk register	d	D is the correct answer. Risk monitoring refers to review of identified and assed risks based on changes, incidents, and periodically. Other options are part of risk management framework.	M5C1	488	127.000	M5C1
The quantum of risk after enterprise has implemented controls based on risk mitigation plan is:	A. Accepted risk	B. Residual risk	C. Inherent risk	D. Current risk	b	B is the correct answer. Accepted risk is where controls are not implemented is part of residual risk; Inherent risk is total risk before implementing controls. Current risk is residual risk at a point in time during control implementation.	M5C1***	489	11.000	M5C1***
Which of the following shall best help in aligning IT risk with enterprise risk?	A. Presenting IT risk results in business terms.	B. Conducting business impact analysis.	C. Making Chief risk officer accountable.	D. Align IT strategy with business strategy.	a	A is the correct answer. Expressing IT risk in business terms i.e. as impact on business will help business in understating relevance of IT risks. Business impact analysis may be useful however, it may or may not help depending upon scope of project. Making chief risk officer accountable may help but best is A. Aligning IT strategy with business strategy shall help in defining better IT plan, but it is at higher level.	M5C1	490	192.000	M5C1
The Primary objective of implementing Information security management is to:	A. Ensure reasonable security practices	B. Comply with internal audit requirements	C. Adopt globally recognized standards	D. Protect information assets	a	A is the correct answer. The primary objective of information security management is to provide adequate level of protection to information security assets.	M5C2	491	194.000	M5C2
Which of the following is primary function of information security policies?	A. Align information security practices with strategy	B. Communicate intent of management to stakeholders	C. Perform risk assessment of IT operations and assets	D. Ensure compliance with requirements of standards	b	B is the correct answer. Policies are vehicle to communicate management’s intent to all stakeholders. Information security practices are aligned with business objectives and not with the strategy. Information security policies are defined as outcome of risk assessment. Compliance with standard is not primary function of policies.	M5C2	492	73.000	M5C2
Information security policies are set of various policies addressing different information systems areas based on the IT infrastructure of organization. Which of the following policy is most common in all organizations?	A. Acceptable use policy	B. BYOD (Bring Your Own Device) policy	C. Data encryption policy	D. Biometric security policy	a	C is the correct answer. Acceptable use policy that address the use of information assets by users is most common in all organizations that depends upon IT. Policies in other option depend upon organization’s use of BYOD or Encryption or Biometric.	M5C2***#	493	12.000	M5C2***#
Protecting integrity of data primarily focuses on:	A. Intentional leakage of data	B. Accidental loss of data	C. Accuracy and completeness	D. Data backup procedures	c	C is the correct answer. Integrity primarily refers to reliability that is achieved by implementing controls to ensure accuracy and completeness of data.	M5C2	494	66.000	M5C2
Which of the following is primary reason for periodic review of security policy?	A. Compliance requirements	B. Changes on board of directors’	C. Changes in environment	D. Joining of new employees	c	C is the correct answer. Changes in environment introduce new risks. In order to address them it is necessary to review the information security policy based on assessment of new risks. Other options are secondary reasons.	M5C2	495	196.000	M5C2
Which of the following is best evidence indicting support and commitment of senior management for information security initiatives?	A. Directive for adopting global security standard	B. Higher percentage of budget for security projects	C. Assigning responsibilities for security to IT head	D. Information security is on monthly meeting agenda	d	D is the correct answer. Without senior management’s support, information security cannot have a success. Senior management is involved many activities in effective information security initiative. Reviewing progress of information security in monthly meeting is one of them. Other options may or may not indicate unless there is more evidence to conclude.	M5C2	496	157.000	M5C2
Which of the following is a concern for compliance with information security policy?	A. Decrease in low risk findings in audit report	B. High number of approved and open policy exceptions	C. Security policy is reviewed once in two years	D. Security policy is signed by Chief Information Officer	b	B is the correct answer. Policy exceptions are temporary and must be reviewed and closed as per defined plan. Increased number of exceptions indicates that the policy provisions may not be appropriate and hence need to be reviewed. Other options are not concerning.	M5C2	497	63.000	M5C2
Which of the following is Primary purpose of Information classification?	A. Comply with regulatory requirement	B. Assign owner to information asset	C. Provide appropriate level of protection	D. Reduce costs of data protection	c	C is the correct answer. Primary purpose of information classification is to provide appropriate level of protection to information assets. Options A, B and D are the secondary with respect to information classification.	M5C2	498	49.000	M5C2
Classification of information is primarily based on:	A. Where the information is stored?	B. Who has access to information?	C. What will happen if information is not available?	D. Why attachments to mail are encrypted?	c	C is the correct answer. It helps in assessing the risks associated and determine the protection level i.e. class of information. A, B and C are determined based on classification.	M5C2	499	45.000	M5C2
Which of the following best helps in classifying the information within organizations?	A. Using minimum classes in classification schema	B. Conducting training on classification schema	C. Labelling all information based on classification schema	D. Determining storage based on classification schema	b	B is the correct answer. Training users on how to classify information as per definition provided in classification schema shall best help users in classifying the information. A. Number of classes shall depend upon organization’s objectives. C and D are performed after classification of information.	M5C2	500	204.000	M5C2
Which of the following is first action when a fire detection system raises the alarm?	A. Turn off the air conditioner	B. Determine type of fire	C. Evacuate the facility	D. Turn off power supply	c	C is the correct answer. Life safety takes precedence. Although other answers are important steps, human life always is a priority.	M5C3	501	81.000	M5C3
Which of the following are most important controls for unmanned data center?	A. Access control for entry and exit for all doors	B. The humidity levels need not be maintained	C. The temperature must be at sub-zero level	D. Halon gas-based fire suppression system	a	A is the correct answer. Unmanned data center requires strong physical access controls and environmental access controls too. However, most essential are strong access controls. B, C, and D are inappropriate controls. Halon is an environmentally hazardous gas.	M5C3	502	200.000	M5C3
Primary purpose of access controlled dead man door, turnstile, mantrap is to:	A. Prevent unauthorized entry	B. Detect perpetrators	C. Meet compliance requirement	D. Reduce cost of guard	a	A is the correct answer. Primary purpose of all types of physical access control is to prevent unauthorized entry. Other objectives are secondary.	M5C3	503	169.000	M5C3
Which of the following is the main reason for appointing human guards at main entrance of facilities?	A. Address visitors’ requirements to visit	B. Issue the access cards to visitors	C. Cost of automation exceeds security budget	D. Deter the unauthorized persons	a	A is the correct answer. Human guard makes decisions and can address visitors’ requirements and direct them appropriately. Others are supplementary functions.	M5C3	504	94.000	M5C3
Which of the following is a major concern associated with biometric physical access control?	A. High acceptability	B. High false positives	C. High false negatives	D. High cost	b	B is the correct answer. False positive is a concern in biometric access security as it results in unauthorized access. Other options do not result in unauthorized access.	M5C3	505	173.000	M5C3
Which of the following evidence is best to provide assurance on automated environmental controls?	A. Annual maintenance contract with vendor	B. Simulation testing of devices during audit	C. Device implementation report by vendor	D. Documented results of periodic testing	d	D is the correct answer. Automated environmental controls must be tested periodically by an expert and provide a report on the effective performance of equipment. Simulated tests may not be possible for all controls. AMC is a contract; periodic testing is the performance of the contract.	M5C3***	506	152.000	M5C3***
What are the problems that may be caused by humidity in an area with electrical devices?	A. High humidity causes excess electricity, and low humidity causes corrosion	B. High humidity causes power fluctuations, and low humidity causes static electricity	C. High humidity causes corrosion, and low humidity causes static electricity	D. High humidity causes corrosion, and low humidity causes power fluctuations	c	C is the correct answer. High humidity can cause corrosion, and low humidity can cause excessive static electricity. Static electricity can short out devices or cause loss of information.	M5C3	507	21.000	M5C3
Automated access controls open doors based on access cards, pins, and/or biometric devices and are powered by electricity. Which of the following is the best policy in case of power failure?	A. Keep the door in locked state	B. Open door and appoint guard	C. Find root cause of power failure	D. Arrange for battery backup	b	B is the correct answer. Best policy is to keep the door open and appoint a guard temporarily for monitoring accesses. Keeping doors locked shall be a problem in evacuation in case of emergency. Finding root cause can be done independently. Arranging battery backup after power failure is not the right policy.	M5C3	508	86.000	M5C3
While selecting site for a data center which of the site is best to be selected?	A. On topmost floor to delay the unauthorized visitor to reach	B. In the basement not easily accessible to perpetrator	C. On ground floor so that users can access it easily	D. On middle floor to strike the balance for above concerns	d	D is the correct answer. Top floor and basement have risks of seepage and flooding. Ground floor has a risk of easy attack.	M5C3	509	116.000	M5C3
Which of the following is main reason for not allowing mobile devices into data center?	A. Unauthorized changes and access in configuration	B. Prevent photography of data center layout	C. User can provide information to attacker on phone	D. Mobile devices generate wireless communication	a	A is the correct answer. Mobile devices can be connected to servers, resulting in unauthorized changes. Other concerns are secondary.	M5C3	510	76.000	M5C3
Which of the following pair of authentications can be considered as two factors?	A. Password and passphrase	B. Passphrase and PIN	C. Token and access card	D. Access card and PIN	d	The three factors are what a user knows (PIN, Password, and Passphrase), what user possesses (Access card, Token) and what unique characteristics of user (Biometric). Use of any two factors for authentication is called two factors. Option A, B and C use only one factor.	M5C4	511	189.000	M5C4
Which of the following is primary requirement of granting user access to information asset?	A. Identification	B. Authorization	C. Authentication	D. Need to know	a	Identification of user is first and primary requirement of granting access. Next will be authentication method to be established and finally finding authorization levels based on role that also addresses need to know.	M5C4	512	176.000	M5C4
Mandatory access controls are those controls that are:	A. Based on global standards	B. Defined by security policy	C. Part of compliance requirements	D. Granted by asset owner	b	Mandatory accesses are those controls that are to be applied uniformly across organization and are defined by information security policy. D is discretionary access controls. B and C generally do not specify such requirements.	M5C4***#	513	150.000	M5C4***#
Which of the following is a major concern associated with Single-Sign-on?	A. Multiple passwords are noted	B. User may select easy password	C. It is a single point of failure	D. High maintenance cost	c	Single point of failure is a major concern. One password if compromised, all accesses for that user are available to perpetrator.	M5C4	514	63.000	M5C4
Which of the following non-compliance with information security policy is most difficult to detect or get evidence for?	A. Use of removable media	B. Password sharing by user	C. Access to banned web sites	D. Passing information over phone	b	Password sharing by user is most difficult to get evidence for or detect. Others can be monitored or enforced using technology.	M5C4	515	177.000	M5C4
Which of following processes in user access management is most essential to detect errors and omissions resulting in unauthorized or excess accesses to users?	A. Identification	B. Authentication	C. Authorization	D. Review	d	Periodic user access review helps in ensuring that all users have appropriate level of accesses. This happens due to changes in internal environment like role, emergency, resignation and retiring of employees. In such situations sometimes revocation of accesses is missed out, which can be corrected during review.	M5C4	516	18.000	M5C4
While auditing compliance with password policy, IS auditor observed that configuration of password parameters in system is as per information security policy. Which of the following the auditor should verify?	A. Review enforcement for sample users	B. Verify all assets have same configuration	C. Review log for password configuration	D. Interview users on policy enforcement	c	Review of log for password configuration may disclose the compliance of policy because policy is configured in the system through password configuration. This may also detect unwarranted changes made by a malicious user (who obtains administrative access) in the password configuration. However, option A and D may provide assurance for compliance of password policy configurations in the system, not the policy itself. Option D is not relevant.	M5C4	517	109.000	M5C4
One-time password is considered strong because they are:	A. Active for short period	B. Communicated on mobile	C. Unique for each user	D. Unique for session	a	Strength of one-time password is that it is active for short time, if user does not login during that time the one-time password expires. One-time password is unique for each session and user; however, it is not a strength. It can be communicated by suitable means.	M5C4	518	201.000	M5C4
Which of the following attack to break the user password is difficult to control?	A. Brute Force	B. Dictionary attack	C. Spoofing	D. Social engineering	d	In Social engineering attacks, the weakest link is unsuspecting human user. Attacker uses techniques to compel users to reveal passwords and other confidential information. For example, in Phishing. Other options are technology-based attacks and can be detected or controlled.	M5C4	519	178.000	M5C4
Which of the following is a primary objective of implementing logical access controls?	A. Identify users on the system	B. Fixing accountability of actions	C. Authorize users based on role	D. Compliance with policy	c	Primary objective of implementing access controls is to restrict access to authorized people. Fixing accountability of actions is the primary objective of audit trail. Others are means to implement access controls not objectives.	M5C4***#	520	121.000	M5C4***#
Which of the following is a method used to gather information about the communication network?	A. Reconnaissance	B. Brute force	C. Eavesdropping	D. Wiretapping	a	A is correct answer. Other methods are active attacks on network after getting information about networks.	M5C5	521	10.000	M5C5
Message digest helps organization in getting assurance on:	A. Communication delivery	B. Data availability	C. Data integrity	D. Data confidentiality	c	C is correct answer. Message digest is a hash function that helps in confirming integrity of data communicated over network.	M5C5	522	121.000	M5C5
While auditing organization’s network which of the following control IS auditor must verify first?	A. Encrypted communication	B. Network zoning	C. Firewall configuration	D. Penetration test report	b	B is correct answer. Network segmentation or zoning is first control to implement network security. Other controls depend upon segmentation.	M5C5	523	195.000	M5C5
Cryptographic checksum is a network control that:	A. Adds a parity bit after adding the data bits.	B. Translates data in a file into a hash value.	C. Transmits the data after encryption.	D. Translates the data into a parity checksum combination.	b	B is correct answer. Checksum is a type of hash that is used to check integrity of data after communication. It is different that parity bit that adds an extra bit for each byte and word.	M5C5***	524	201.000	M5C5***
Primary function of Security operations center (SOC) is to:	A. Define baseline	B. Configure firewall	C. Monitor logs	D. Implement Antivirus	c	C is correct answer. Primary function of SOC is to collect and monitor logs based on identified rules. It also defines correlation between various logs and identifies possible incidents, which are communicated to respective asset owners. A is role of security manager; B and D are roles of network team.	M5C5	525	159.000	M5C5
The intrusion detection monitoring on a host for data integrity attack by malicious software is a:	A. Technical control	B. Corrective control	C. Detective Control	D. Preventive Control	c	C is correct answer. Intrusion detection detects the possible intrusion attempt. It does not prevent or corrects it. It is a control implemented using technology.	M5C5	526	21.000	M5C5
Which of the following is most important while performing penetration testing?	A. Maintain secrecy about testing	B. Get consent from affected stakeholders	C. Report to be provided to all users	D. Perform test after office hours	b	B is correct answer. It is most essential to get consent from affected asset owners before performing test, so that they can ensure that operations are not affected. Maintaining secrecy shall depend upon type of test. Report must be kept confidential and accessed only by select few. Test generally is performed when it will have least impact, but is not most important.	M5C5	527	24.000	M5C5
Most web based application attacks can be prevented by:	A. Input validation	B. Encryption	C. Penetration test	D. Access controls	a	A is correct answer. Most web application attacks like SQL injection can be prevented by validating input, which can reject the attackers input that can exploit vulnerability. Encryption may or may not prevent an attack. Penetration test shall provide input on vulnerability that must be closed. Access controls may prevent some attacks.	M5C5	528	94.000	M5C5
Social engineering attacks can best be prevented by:	A. Intrusion detection system	B. Strong access controls	C. Two factor authentication	D. Awareness training	d	D is correct answer. Social engineering attack is attack on human and hence no technology can prevent it. Awareness training best prevents it.	M5C5	529	144.000	M5C5
Which of the following is a type of malware that does not use system resources for execution of malicious codes?	A. Virus	B. Logic bomb	C. Trojan	D. Worm	d	D is correct answer. Worms are self-executable. Rest of the options use system resources for execution of malicious codes.	M5C5	530	181.000	M5C5
1. Which of the following shall BEST help in deciding upon the protection level for information asset?	Location of asset.	Impact of risk.	Vulnerabilities in asset.	Inventory of threats	b	Other options i.e. location of asset, existing vulnerabilities in asset shall be covered during risk assessments. Inventory of threats only will not help, impact due to threat must be assessed.	M5C1	531	22.000	M5C1
2. Which of the following is a risk response option?	Determine likelihood of threat	Determine probability of risk	Deciding amount of insurance cover	Prepare risk profile report	c	Of the four main risk response options accept, avoid, mitigate and transfer, Insurance cover is a risk response option of risk transfer.	M5C1	532	13.000	M5C1
3. After a Tsunami, a business decides to shift the location of data centre from coastal area to mid land? Which type of risk response option it has exercised?	Accept	Avoid	Mitigate	Transfer	b	BY shifting location the business has avoided the risk associated with Tsunami.	M5C1	533	167.000	M5C1
4. Organizations capacity to sustain loss due to uncertainty and expressed in monetary terms is best known as:	Risk appetite	Risk tolerance	Risk acceptance	Risk mitigation	a	It is the definition of risk appetite. Risk tolerance is capacity to tolerate down time due to risk materialization. Risk acceptance and risk mitigation are risk response decision based on risk appetite.	M5C1	534	25.000	M5C1
5. Main use of maintaining and updating risk register is to:	Define controls	Identify risk owner	Built risk profile	Maintain evidence	c	Main use of risk register is to develop risk profile of the organization for management’s review and enable risk informed decisions.	M5C1	535	94.000	M5C1
6. Of the following who is accountable for deciding and implementing controls based on risk mitigation plan?	Chief risk officer	Risk owner	IT operations manager	Board of directors	b	Risk owner is primarily accountable for deciding and implementing on nature of controls. Generally risk owner is process owner. Chief risk office guides risk owner, IT head is responsible for responding to risk owned by IT head. Although board of directors is ultimately accountable, for specific risk, risk owners are responsible.	M5C1	536	164.000	M5C1
7. Which of the following is a risk factor that may have impact on organization?	Management decides to acquire new application software.	A new application required by organization is released.	Vendor decides to stop supporting existing application.	Organization retires old application that is not in use.	c	Vendor decides to stop supporting existing software changes the market situation that will affect organization, since it has to take decision on replacing application. Release of new application though changes market, it may not affect the organization immediately as the organization may not need to take action. Options A and D are internal decisions and will be done after risk assessment and hence these are not risk factors.	M5C1	537	62.000	M5C1
8. While auditing risk monitoring process which of the following IS auditor should review FIRST?	Risk assessment process	Risk management framework	Alignment with business risks	Annual review of risk register	d	Risk monitoring refers to review of identified and assed risks based on changes, incidents, and periodically. Other options are part of risk management framework.	M5C1***#	538	180.000	M5C1***#
9. The quantum of risk after enterprise has implemented controls based on risk mitigation plan is:	Accepted risk	Residual risk	Inherent risk	Current risk	b	Accepted risk is where controls are not implemented is part of residual risk, Inherent risk is total risk before implementing controls. Current risk is residual risk at a point in time during control implementation.	M5C1	539	172.000	M5C1
10. Which of the following shall best help in aligning IT risk with enterprise risk?	Presenting IT risk results in business terms.	Conducting business impact analysis.	Making Chief risk officer accountable.	Align IT strategy with business strategy.	a	Expressing IT risk in business terms i.e. as impact on business will help business in understating relevance of IT risks. Business impact analysis may be useful however it may or may not help depending upon scope of project. Making chief risk officer accountable may help but best is A. Aligning IT strategy with business strategy shall help in defining better IT plan, but it is at higher level.	M5C1***	540	72.000	M5C1***
1. The Primary objective of implementing Information security management is to:	Ensure reasonable security practices	Comply with internal audit requirements	Adopt globally recognized standards	Protect information assets	a	The primary objective of information security management is to provide adequate level of protection to information security assets.	M5C2***#	541	91.000	M5C2***#
2. Which of the following is primary function of information security policies?	Align information security practices with strategy	Communicate intent of management to stakeholders	Perform risk assessment of IT operations and assets	Ensure compliance with requirements of standards	b	Policies are vehicle to communicate management’s intent to all stakeholders. Information security practices are aligned with business objectives and not with the strategy. Information security policies are defined as outcome of risk assessment. Compliance with standard is not primary function of policies.	M5C2***#	542	98.000	M5C2***#
3. Information security policies are set of various policies addressing different information systems areas based on the IT infrastructure of organization. Which of the following policy is most common in all organizations?	Acceptable use policy	BYOD (Bring Your Own Device) policy	Data encryption policy	Biometric security policy	a	Acceptable use policy that address the use of information assets by users is most common in all organizations that depends upon IT. Policies in other option depend upon organization’s use of BYOD or Encryption or Biometric.	M5C2	543	157.000	M5C2
4. Protecting integrity of data primarily focuses on:	Intentional leakage of data	Accidental loss of data	Accuracy and completeness	Data backup procedures	c	Integrity primarily refers to reliability that is achieved by implementing controls to ensure accuracy and completeness of data.	M5C2	544	78.000	M5C2
5. Which of the following is primary reason for periodic review of security policy?	Compliance requirements	Changes on board of directors’	Changes in environment	Joining of new employees	c	Changes in environment introduce new risks. In order to address them it is necessary to review the information security policy based on assessment of new risks. Other options are secondary reasons.	M5C2	545	66.000	M5C2
6. Which of the following is best evidence indicating support and commitment of senior management for information security initiatives?	Directive for adopting global security standard	Higher percentage of budget for security projects	Assigning responsibilities for security to IT head	Information security is on monthly meeting agenda	d	Without senior management’s support information security can’t have a success. There are many activities senior management is involved in effective information security initiative. Reviewing progress of information security in monthly meeting is one of them. Other options may or may not indicate unless there is more evidence to conclude.	M5C2	546	140.000	M5C2
7. Which of the following is a concern for compliance with information security policy?	Decrease in low risk findings in audit report	High number of approved and open policy exceptions	Security policy is reviewed once in two years	Security policy is signed by Chief Information Officer	b	Policy exceptions are temporary and must be reviewed and closed as per defined plan. Increased number of exceptions indicates that the policy provisions may not be appropriate and hence need to be reviewed. Other options are not concerns.	M5C2	547	87.000	M5C2
8. Which of the following is Primary purpose of Information classification?	Comply with regulatory requirement	Assign owner to information asset	Provide appropriate level of protection	Reduce costs of data protection	c	Primary purpose of information classification is to provide appropriate level of protection to information assets. Options A, B and D are the secondary with respect to information classification.	M5C2***#	548	176.000	M5C2***#
9. Classification of information is primarily based on:	Where the information is stored?	Who has access to information?	What will happen if information is not available?	Why attachments to mail are encrypted?	c	It helps in assessing the risks associated and determine the protection level i.e. class of information. A, B and C are determined based on classification.	M5C2***#	549	131.000	M5C2***#
10. Which of the following best helps in classifying the information within organizations?	Using minimum classes in classification schema	Conducting training on classification schema	Labeling all information based on classification schema	Determining storage based on classification schema	b	Training users on how to classify information as per definition provided in classification schema shall best help users in classifying the information. A. Number of classes shall depend upon organization’s objectives. C and D are performed after classification of information.	M5C2	550	177.000	M5C2
1. Which of the following is first action when a fire detection system raises the alarm?	Turn off the air conditioner	Determine type of fire	Evacuate the facility	Turn off power supply	c	Life safety takes precedence. Although other answers are important steps human life always is a priority.	M5C3	551	146.000	M5C3
2. Which of the following are most important controls for unmanned data center?	Access control for entry and exit for all doors	The humidity levels need not be maintained	The temperature must be at sub-zero level	Halon gas based fire suppression system	a	Unmanned data center requires strong physical access controls and environmental access controls too. However most essential are strong access controls. B, C and D are inappropriate controls. Halon is environmentally hazardous gas.	M5C3	552	82.000	M5C3
3. Primary purpose of access controlled deadman door, turnstile, mantrap is to:	Prevent unauthorized entry	Detect perpetrators	Meet compliance requirement	Reduce cost of guard	a	Primary purpose of all types of physical access control is to prevent unauthorized entry. Other objectives are secondary.	M5C3	553	34.000	M5C3
4. Which of the following is the main reason for appointing human guards at main entrance of facilities?	Address visitors’ requirements to visit	Issue the access cards to visitors	Cost of automation exceeds security budget	Deter the unauthorized persons	a	Human guard makes decisions and can address visitor’s requirement and direct them appropriately. Others are supplementary functions.	M5C3***	554	180.000	M5C3***
5. Which of the following is major concern associated with biometric physical access control?	High acceptability	High false positives	High false negatives	High cost	b	False positive is a concern in biometric access security as it results in unauthorized access. Other option does not result in unauthorized access.	M5C3***	555	203.000	M5C3***
6. Which of the following evidence is best to provide assurance on automated environmental controls?	Annual maintenance contract with vendor	Simulation testing of devices during audit	Device implementation report by vendor	Documented results of periodic testing	d	Automated environmental controls must be tested periodically by expert and provide report on effective performance of equipment. Simulated tests may not be possible for all controls. AMC is a contract; periodic testing is performance of contract.	M5C3***	556	58.000	M5C3***
7. What are the problems that may be caused by humidity in an area with electrical devices?	High humidity causes excess electricity, and low humidity causes corrosion	High humidity causes power fluctuations, and low humidity causes static electricity	High humidity causes corrosion, and low humidity causes static electricity	High humidity causes corrosion, and low humidity causes power fluctuations.	c	High humidity can cause corrosion, and low humidity can cause excessive static electricity. Static electricity can short out devices or cause loss of information.	M5C3	557	143.000	M5C3
8. Automated access controls opens doors based on access cards, pins, and/or biometric devices and are powered by electricity. Which of the following is the best policy in case of power failure?	Keep the door in locked state	Open door and appoint guard	Find root cause of power failure	Arrange for battery backup	b	Best policy is to keep door open and appoint guard temporarily for monitoring accesses. Keeping doors locked shall be a problem in evacuation in case of emergency. Finding root cause can be done independently. Arranging Battery backup after power failure is not right policy.	M5C3	558	203.000	M5C3
9. While selecting site for a data center which of the site is best to be selected?	On topmost floor to delay the unauthorized visitor to reach	In the basement not easily accessible to perpetrator	On ground floor so that users can access it easily	On middle floor to strike the balance for above concerns	d	Top floor and basement has risk of seepage and flooding. Ground floor has risk of easy attack.	M5C3	559	158.000	M5C3
10. Which of the following is main reason for not allowing mobile devices into data center?	Unauthorized changes and access in configuration	Prevent photography of data center layout	User can provide information to attacker on phone	Mobile devices generate wireless communication	a	Mobile devices can be connected to servers, resulting in unauthorized changes. Other concerns are secondary.	M5C3	560	180.000	M5C3
1. Which of the following pair of authentication can be considered as two factor?	Password and passphrase	Passphrase and PIN	Token and access card	Access card and PIN	d	The three factors are what a user knows (PIN, Password, Passphrase), what user possesses (Access card, Token) and what unique characteristics of user (Biometric). Use of any two factors for authentication is called two factor. Option A, B and C use only one factor.	M5C4	561	40.000	M5C4
2. Which of the following is primary requirement of granting user access to information asset?	Identification	Authorization	Authentication	Need to know	a	Identification of user is first and primary requirement of granting access. Next will be authentication method to be established and finally finding authorization levels based on role that also addresses need to know.	M5C4***#	562	156.000	M5C4***#
3. Mandatory access controls are those controls that are:	Based on global standards	Defined by security policy	Part of compliance requirements	Granted by asset owner	b	Mandatory accesses are those controls that are to be applied uniformly across organization and are defined by information security policy. D is discretionary access controls. B and C generally do not specify such requirements.	M5C4	563	168.000	M5C4
4. Which of the following is a major concern associated with Single-Sign-on?	Multiple passwords are noted	User may select easy password	It is a single point of failure	High maintenance cost	c	Single point of failure is a major concern. One password if compromised, all accesses for that user are available to perpetrator.	M5C4	564	118.000	M5C4
5. Which of the following non-compliance with information security policy is most difficult to detect or get evidence for?	Use of removable media	Password sharing by user	Access to banned web sites	Passing information over phone	b	Password sharing by user is most difficult to get evidence for or detect. Others can be monitored or enforced using technology.	M5C4	565	26.000	M5C4
6. Which of following processes in user access management is most essential to detect errors and omissions resulting in unauthorized or excess accesses to users?	Identification	Authentication	Authorization	Review	d	Periodic user access review helps in ensuring that all users have appropriate level of accesses. This happens due to changes in internal environment like role, emergency situation, resignation and retiring of employees. In such situations sometimes revocation of accesses is missed out, which can be corrected during review.	M5C4***#	566	122.000	M5C4***#
7. While auditing compliance with password policy, IS auditor observed that configuration of password parameters in system is as per information security policy. Which of the following the auditor should verify?	Review enforcement for sample users	Verify all assets have same configuration	Review log for password configuration	Interview users on policy enforcement	c	Review of log for password configuration may disclose the compliance of policy because policy is configured in the system through password configuration. This may also detect unwarranted changes made by a malicious user (who obtains administrative access) in the password configuration. However, option A and D may provide assurance for compliance of password policy configurations in the system, not the policy itself. Option D is not relevant.	M5C4***#	567	4.000	M5C4***#
8. One time password is considered strong because they are:	Active for short period	Communicated on mobile	Unique for each user	Unique for session	a	Strength of one-time password is that it is active for short time, if user does not login during that time the one-time password expires. One-time password is unique for each session and user, however it is not strength. It can be communicated by suitable means.	M5C4	568	170.000	M5C4
9. Which of the following attack to break the user password is difficult to control?	Brute Force	Dictionary attack	Spoofing	Social engineering	d	In Social engineering attacks, the weakest link is unsuspecting human user. Attacker uses techniques to compel users to reveal passwords and other confidential information. For example in Phishing. Other options are technology based attacks and can be detected or controlled.	M5C4	569	62.000	M5C4
10. Which of the following is a primary objective of implementing logical access controls?	Identify users on the system	Fixing accountability of actions	Authorize users based on role	Compliance with policy	c	Primary objective of implementing access controls is to restrict access to authorized people. Fixing accountability of actions is the primary objective of audit trail. Others are means to implement access controls not objectives.	M5C4***#	570	79.000	M5C4***#
1. Which of the following is a method used to gather information about the communication network?	Reconnaissance	Brute force	Eavesdropping	Wiretapping	a	A is correct answer. Other methods are active attacks on network after getting information about networks.	M5C5	571	171.000	M5C5
2. Message digest helps organization in getting assurance on:	Communication delivery	Data availability	Data integrity	Data confidentiality	c	C is correct answer. Message digest is a hash function that helps in confirming integrity of data communicated over network.	M5C5	572	23.000	M5C5
3. While auditing organization’s network which of the following control IS auditor must verify first?	Encrypted communication	Network zoning	Firewall configuration	Penetration test report	b	B is correct answer. Network segmentation or zoning is first control to implement network security. Other controls depend upon segmentation.	M5C5	573	120.000	M5C5
4. Cryptographic checksum is a network control that:	Adds a parity bit after adding the data bits.	Translates data in a file into a hash value.	Transmits the data after encryption.	Translates the data into a parity checksum combination.	b	B is correct answer. Checksum is a type of hash that is used to check integrity of data after communication. It is different than parity bit that adds an extra bit for each byte and word.	M5C5	574	139.000	M5C5
5. Primary function of Security operations center (SOC) is to:	Define baseline	Configure firewall	Monitor logs	Implement Antivirus	c	C is correct answer. Primary function of SOC is to collect and monitor logs based on identified rules. It also defines correlation between various logs and identifies possible incidents, which are communicated to respective asset owners.	M5C5***	575	197.000	M5C5***
6. The intrusion detection monitoring on a host for data integrity attack by malicious software is a:	Technical control	Corrective control	Detective Control	Preventive Control	c	C is correct answer. Intrusion detection detects the possible intrusion attempt. It does not prevent or corrects it. It is a control implemented using technology.	M5C5	576	118.000	M5C5
7. Which of the following is most important while performing penetration testing?	Maintain secrecy about testing	Get consent from affected stakeholders	Report to be provided to all users	Perform test after office hours	b	B is correct answer. It is most essential to get consent from affected asset owners before performing test, so that they can ensure that operations are not affected. Maintaining secrecy shall depend upon type of test. Report must be kept confidential and accessed only by select few. Test generally is performed when it will have least impact, but is not most important.	M5C5	577	170.000	M5C5
8. Most web based application attacks can be prevented by:	Input validation	Encryption	Penetration test	Access controls	a	A is correct answer. Most web application attacks like SQL injection can be prevented by validating input, which can reject the attackers input that can exploit vulnerability. Encryption may or may not prevent an attack. Penetration test shall provide input on vulnerability that must be closed. Access controls may prevent some attacks.	M5C5	578	191.000	M5C5
9. Social engineering attacks can best be prevented by:	Intrusion detection system	Strong access controls	Two factor authentication	Awareness training	d	D is correct answer. Social engineering attack is attack on human and hence no technology can prevent it. Awareness training best prevents it.	M5C5	579	44.000	M5C5
10. Which of the following is a type of malware that does not use system resources for execution of malicious codes?	Virus	Logic bomb	Trojan	Worm	d	D is correct answer. Worms are self-executable. Rest of the options use system resources for execution of malicious codes.	M5C5***	580	81.000	M5C5***
What does P2P technology stand for?	a. Password to Password	b. Peer to Peer	c. Product to Product	d. Private Key to Public Key	b	Option b – Peer to Peer. P2P stands for Peer to Peer Technology where every participant acts as an individual peer in the network.	M6C	581	183.000	M6C
What is Blockchain?	a. A distributed ledger on a peer to peer network	b. A type of cryptocurrency	c. An exchange	d. A centralized ledger	a	Option a - A distributed ledger on a peer to peer network. Blockchain is a distributed ledger on a peer to peer network.	M6C	582	3.000	M6C
Which of the following is not a step involved in RPA?	a. Preparation of project	b. Development of business cases	c. Implementation of RPA	d. Data Cleaning	d	Option d – Data Cleaning. Data Cleaning is not an activity within RPA.	M6C***	583	66.000	M6C***
Which of the following statements about RPA is false?	a. It is walking talking robot	b. It is a computer coded software	c. These are programs that replace human repetitive tasks	d. These perform in cross functional platforms	a	Option a - It is walking talking robot. RPA is not a walking talking robot but rather a computer coded software that replaces human repetitive tasks and can perform in cross functional platforms.	M6C	584	117.000	M6C
Which of the following is a system of inter-connected and inter-related computing devices which have ability to transfer the data over network:	a. Blockchain	b. Internet of Things	c. Robotic Process Automation	d. Artificial Intelligence	b	Option b - Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices that transfer data over a network without requiring human-to-human or human-to-computer interaction.	M6C***	585	148.000	M6C***
Which one is simplest form of analytics?	a. Predictive	b. Descriptive	c. All of the mentioned	d. Prescriptive	b	Option b – Descriptive Analytics. Descriptive analytics summarizes historical data to yield useful information and prepare for further analysis.	M6C	586	6.000	M6C
The method by which companies analyze customer data or other types of information in an effort to identify patterns and discover relationships between different data elements is often referred to as:	a. Customer data management	b. Data mining	c. Data digging	d. None of the above	b	Option b – Data Mining. Data mining is used to identify patterns and relationships in data.	M6C	587	79.000	M6C
Which of the following is a central storage for all kinds of structured, semi structured or unstructured raw data collected from multiple sources even outside of company’s operational systems?	a. Data Warehouse	b. Data Lake	c. Database	d. Data marts	b	Option b – Data Lake. A Data Lake is a central storage for various types of raw data from multiple sources.	M6C	588	149.000	M6C
Which of the following tools best describe Predictive Analytics?	a. Simulation	b. Statistical Analysis	c. Machine Learning	d. Graphical reports	a	Option a – Simulation. Simulation is one of the techniques used in Predictive Analytics to analyze past behavior and predict future trends.	M6C	589	87.000	M6C
Which of the following is not a cloud deployment model?	a. Private	b. Public	c. IaaS	d. Hybrid	c	Option c – IaaS. IaaS (Infrastructure as a Service) is a cloud service model, not a deployment model.	M6C	590	183.000	M6C
Which of the following is not a stream of AI?	a. Machine Learning	b. Big Data	c. Speech Recognition	d. Natural language processing (NLP)	b	Option b – Big Data. Big Data refers to large and complex datasets, not a stream of AI.	M6C	591	164.000	M6C
Which of the following is not an example for AI Platform?	a. Watson	b. Tensor Flow	c. AWS AI	d. Microsoft Power BI	d	Option d – Microsoft Power BI. Microsoft Power BI is primarily a Data Analytics Platform, not an AI Platform. Watson, Tensor Flow, and AWS AI are examples of AI Platforms.	M6C	592	107.000	M6C
1. What does P2P technology stand for?	Password to Password	Peer to Peer	Product to Product	Private Key to Public Key	b	P2P stands for Peer to Peer Technology where every participant acts as an individual peer in the network.	M6C	593	203.000	M6C
2. What is a Blockchain?	A distributed ledger on a peer to peer network	A type of cryptocurrency	An exchange	A centralized ledger	a	A distributed ledger on a peer to peer network. Blockchain is a distributed ledger on a peer to peer network.	M6C	594	120.000	M6C
3. Which of the following is not a step involved in RPA?	Preparation of project	Development of business cases	Implementation of RPA	Data Cleaning	d	Data Cleaning is not an activity within RPA. Preparation of project, Development of business cases, and Implementation of RPA are steps within the RPA project.	M6C	595	113.000	M6C
4. Which of the following statement about RPA is false?	It is walking talking robot	It is a computer coded software	These are programs that replace human repetitive tasks	These perform in cross functional platforms	a	RPA is not a walking talking robot. It is instead a computer coded software that replaces human repetitive tasks and can perform in cross functional platforms.	M6C	596	85.000	M6C
5. Which of the following is a system of inter-connected and inter-related computing devices which have ability to transfer the data over network?	Blockchain	Internet of Things	Robotic Process Automation	Artificial Intelligence	b	The Internet of Things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.	M6C	597	55.000	M6C
6. Which one is simplest form of analytics?	Predictive	Descriptive	All of the mentioned	Prescriptive	b	Descriptive analytics is a preliminary stage of data processing that creates a summary of historical data to yield useful information and possibly prepare the data for further analysis.	M6C***	598	191.000	M6C***
7. The method by which companies analyze customer data or other types of information in an effort to identify patterns and discover relationships between different data elements is often referred to as:	Customer data management	Data mining	Data digging	None of the above	b	Data mining refers to a method where companies analyze customer data or other types of information in an effort to identify patterns and discover relationships between different data elements.	M6C***	599	96.000	M6C***
8. Which of the following is a central storage for all kinds of structured, semi structured or unstructured raw data collected from multiple sources even outside of company’s operational systems?	Data Warehouse	Data Lake	Database	Data marts	b	Data Lake is a central storage for all kinds of structured, semi structured or unstructured raw data collected from multiple sources even outside of company’s operational systems.	M6C***	600	15.000	M6C***
9. Which of the following tools best describe Predictive Analytics?	Simulation	Statistical Analysis	Machine Learning	Graphical reports	a	Predictive Analytics analyses the past behavior and makes predictions about the future to identify new trends. Simulation is one such technique used in predictive analytics.	M6C***	601	144.000	M6C***
10. Which of the following is not a cloud deployment model?	Private	Public	IaaS	Hybrid	c	Private, Public, and Hybrid are cloud deployment models. IaaS (Infrastructure as a Service) is a Cloud Service Model according to NIST categorization.	M6C	602	200.000	M6C
11. Which of the following is not a stream of AI?	Machine Learning	Big Data	Speech Recognition	Natural language processing (NLP)	b	Big Data refers to huge and voluminous data characterized by volume, variety, and velocity. Machine Learning, Speech recognition, and NLP are streams in AI.	M6C	603	127.000	M6C
12. Which of the following is not an example for AI Platform?	Watson	Tensor Flow	AWS AI	Microsoft Power BI	d	Microsoft Power BI is predominantly a Data Analytics Platform. Watson, Tensor Flow, and AWS AI are AI Platforms.	M6C	604	193.000	M6C
The internal audit department wrote some scripts that are used for continuous auditing of some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?	A Sharing the scripts is not permitted because it gives accurate, comprehensive audit.	B Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence.	C Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.	D Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.	c	IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts, but they can still audit the systems.	CISAD1	605	74.000	CISAD1
Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?	A Complexity of the organization's operation	B Findings and issues noted from the prior year	C Purpose, objective and scope of the audit	D Auditor's familiarity with the organization	c	The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit.	CISAD1	606	189.000	CISAD1
An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?	A Audit the new systems as requested by management.	B Audit systems not included in last year's scope.	C Determine the highest-risk systems and plan accordingly.	D Audit both the systems not in last year's scope and the new systems.	c	The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk.	CISAD1	607	197.000	CISAD1
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?	A Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.	B Publish a report omitting the areas where the evidence obtained from testing was inconclusive.	C Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.	D Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.	a	If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date.	CISAD1	608	202.000	CISAD1
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?	A Overlapping controls	B Boundary controls	C Access controls	D Compensating controls	d	Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.	CISAD1	609	198.000	CISAD1
What is the key benefit of a control self-assessment?	A Management ownership of the internal controls supporting business objectives is reinforced.	B Audit expenses are reduced when the assessment results are an input to external audit work.	C Fraud detection is improved because internal business staff are engaged in testing controls.	D Internal auditors can shift to a consultative approach by using the results of the assessment.	a	The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.	CISAD1***	610	169.000	CISAD1***
What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:	A Interface with various types of enterprise resource planning software and databases.	B Accurately capture data from the organization's systems without causing excessive performance problems.	C Introduce audit hooks into the organization's financial systems to support continuous auditing.	D Be customizable and support inclusion of custom programming to aid in investigative analysis.	b	The most critical requirement is that the tool works effectively on the systems of the organization being audited.	CISAD1	611	84.000	CISAD1
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:	A Length of service, because this will help ensure technical competence.	B Age, because training in audit techniques may be impractical.	C IT knowledge, because this will bring enhanced credibility to the audit function.	D Ability, as an IS auditor, to be independent of existing IT relationships.	d	Independence should be continually assessed by the auditor and management.	CISAD1	612	55.000	CISAD1
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?	A Use of computer-assisted audit techniques.	B Quarterly risk assessments	C Sampling of transaction logs	D Continuous auditing	d	The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.	CISAD1***	613	131.000	CISAD1***
An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:	A Variable sampling.	B Substantive testing.	C Compliance testing.	D Stop-or-go sampling.	c	Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.	CISAD1***	614	49.000	CISAD1***
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?	Inherent	Detection	Control	Business	b	Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.	CISAD1	615	7.000	CISAD1
Which of the following is the MOST critical step when planning an IS audit?	Review findings from prior audits	Executive management's approval of the audit plan	Review information security policies and procedures	Perform a risk assessment	d	Performing a risk assessment is the most critical step. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.2: "IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements."	CISAD1	616	64.000	CISAD1
An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?	Understanding services and their allocation to business processes by reviewing the service repository documentation.	Sampling the use of service security standards as represented by the Security Assertions Markup Language.	Reviewing the service level agreements established for all system providers.	Auditing the core service and its dependencies on other systems.	a	A service-oriented architecture relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.	CISAD1***	617	3.000	CISAD1***
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?	Delete all copies of the unauthorized software.	Recommend an automated process to monitor for compliance with software licensing	Report the use of the unauthorized software and the need to prevent recurrence.	Warn the end users about the risk of using illegal software.	c	The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines. Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.	CISAD1	618	100.000	CISAD1
An audit charter should:	be dynamic and change to coincide with the changing nature of technology and the audit profession.	clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.	outline the overall authority, scope and responsibilities of the audit function.	document the audit procedures designed to achieve the planned audit objectives.	d	An audit charter should state management's objectives for and delegation of authority to IS auditors. It should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management.	CISAD1***	619	190.000	CISAD1***
An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:	perform an additional analysis.	report the problem to the audit committee.	conduct a security risk assessment.	recommend that the owner of the identity management system fix the workflow issues.	a	The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and the factors that caused this incident.	CISAD1***	620	100.000	CISAD1***
Which of the following sampling methods is MOST useful when testing for compliance?	Attribute sampling	Variable sampling	Stratified mean-per-unit sampling	Difference estimation sampling	a	Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists.	CISAD1	621	122.000	CISAD1
When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?	Develop an alternate testing procedure.	Report the finding to management.	Perform a walkthrough of the change management process.	Create additional sample data to test additional changes.	a	If a sample size objective cannot be met with the given data, the IS auditor cannot provide assurance regarding the testing objective. The IS auditor should develop (with audit management approval) an alternate testing procedure.	CISAD1	622	69.000	CISAD1
Which of the following situations could impair the independence of an IS auditor? The IS auditor:	implemented specific functionality during the development of an application.	designed an embedded audit module for auditing an application.	participated as a member of an application project team and did not have operational responsibilities.	provided consulting advice concerning application good practices.	a	Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.	CISAD1	623	37.000	CISAD1
The PRIMARY advantage of a continuous audit approach is that it:	does not require an IS auditor to collect evidence on system reliability while processing is taking place.	allows the IS auditor to review and follow up on audit issues in a timely manner.	places the responsibility for enforcement and monitoring of controls on the security department instead of audit.	simplifies the extraction and correlation of data from multiple and complex systems.	b	Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time.	CISAD1	624	80.000	CISAD1
Which of the following would impair the independence of a quality assurance team?	Ensuring compliance with development methods	Checking the test assumptions	Correcting coding errors during the testing process	Checking the code to ensure proper documentation	c	Correction of code should not be a responsibility of the quality assurance team, because it would not ensure segregation of duties and would impair the team's independence.	CISAD1	625	116.000	CISAD1
In planning an IS audit, the MOST critical step is the identification of the:	areas of significant risk	skill sets of the audit staff	test steps in the audit	time allotted for the audit	a	When designing a risk-based audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.	CISAD1	626	160.000	CISAD1
The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:	control design testing	substantive testing	inspection of relevant documentation	perform tests on risk prevention	b	Tests of controls are the most effective procedures to assess whether controls accurately support operational effectiveness.	CISAD1	627	80.000	CISAD1
The extent to which data will be collected during an IS audit should be determined based on the:	Availability of critical and required information	Auditor's familiarity with the circumstances	Auditee's ability to find relevant evidence	Purpose and scope of the audit being done	d	The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit.	CISAD1	628	94.000	CISAD1
While planning an IS audit, an assessment of risk should be made to provide:	reasonable assurance that the audit will cover material items	definite assurance that material items will be covered during the audit work	reasonable assurance that all items will be covered by the audit	sufficient assurance that all items will be covered during the audit work	a	The applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work.	CISAD1	629	76.000	CISAD1
The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:	inform the audit committee of the potential issue	review audit logs for the IDs in question	document the finding and explain the risk of using shared IDs	request that the IDs be removed from the system	c	An IS auditor's role is to detect and document findings and control deficiencies. The use of shared IDs is not recommended because it does not allow for accountability of transactions.	CISAD1***	630	2.000	CISAD1***
An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:	that the control is operating efficiently	that the control is operating as designed	the integrity of data controls	the reasonableness of financial reporting controls	b	Compliance tests can be used to test the existence and effectiveness of a defined process.	CISAD1***	631	27.000	CISAD1***
The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?	Generate sample test data	Generalized audit software	Integrated test facility	Embedded audit module	b	Generalized audit software can perform various analyses, including re-computations, to detect payroll overpayments.	CISAD1	632	31.000	CISAD1
During a security audit of IT processes, an IS auditor finds that documented security procedures do not exist. The IS auditor should:	Create the procedures document based on the practices	Issue an opinion of the current state and end the audit	Conduct compliance testing on available data	Identify and evaluate existing practices	d	The most proactive approach is to identify and evaluate the existing security practices and submit the findings to management, recommending documentation or enforcement of the current controls.	CISAD1	633	148.000	CISAD1
During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should:	Ensure the risk assessment is aligned to management's risk assessment process	Identify information assets and the underlying systems	Disclose the threats and impacts to management	Identify and evaluate the existing controls	d	It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls to calculate the risk level after identifying potential threats and impacts.	CISAD1***	634	40.000	CISAD1***
Which of the following would normally be the MOST reliable evidence for an IS auditor?	Assurance from line management that an application is working as designed	Confirmation letter received from a third party verifying an account balance	Trend data obtained from Internet sources	Ratio analysis developed by the IS auditor from reports supplied by line management	b	Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management. Management is not objective and may not understand the risk and control environment, and they are only providing evidence that the application is working correctly, not the controls.	CISAD1	635	155.000	CISAD1
When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?	The point at which controls are exercised as data flow through the system	Only preventive and detective controls are relevant	Corrective controls are regarded as compensating	Classification allows an IS auditor to determine the controls that are missing	a	An IS auditor should focus on when controls are exercised as data flow through a computer system. Corrective controls may also be relevant because they allow an error or problem to be corrected. Corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls.	CISAD1***	636	179.000	CISAD1***
Which audit technique provides the BEST evidence of the segregation of duties in an IT department?	Discussion with management	Review of the organization chart	Observation and interviews	Testing of user access rights	c	Based on observations and interviews, the IS auditor can evaluate the segregation of duties. By observing the IT staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations. By interviewing the IT staff, the auditor can get an overview of the tasks performed.	CISAD1***	637	116.000	CISAD1***
After reviewing the disaster recovery planning process of an organization, an IS auditor requests a meeting with organization management to discuss the findings. Which of the following BEST describes the main goal of this meeting?	Obtain management approval of the corrective action plan	Confirm factual accuracy of the findings	Assist management in the implementation of corrective actions	Prioritize the resolution of the items	b	The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action. Management approval of the corrective action plan is not required. Management can elect to implement another corrective action plan to address the risk.	CISAD1	638	199.000	CISAD1
An IS auditor should ensure that review of online electronic funds transfer reconciliation procedures includes:	Vouching	Authorizations	Corrections	Tracing	d	Tracing is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer transactions, the direction on tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.	CISAD1	639	185.000	CISAD1
An IS auditor is carrying out a system configuration review. Which of the following is the BEST evidence in support of the current system configuration settings?	System configuration values that are imported to a spreadsheet by the system administrator	Standard report with configuration values that are retrieved from the system by the IS auditor	Dated screenshot of the system configuration settings that are made available by the system administrator	Annual review of approved system configuration values by the business owner	b	Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner, because the IS auditor does not have a vested interest in the outcome of the audit.	CISAD1	640	124.000	CISAD1
The purpose of a checksum on an amount field in an electronic data interchange communication of financial transactions is to ensure:	Integrity	Authenticity	Authorization	Nonrepudiation	a	A checksum that is calculated on an amount field and included in the electronic data interchange communication can be used to identify unauthorized modifications. Authenticity and nonrepudiation require additional controls, and authorization cannot be established by a checksum alone.	CISAD1	641	122.000	CISAD1
Which of the following forms of evidence would an IS auditor consider the MOST reliable?	An oral statement from the auditee	The results of a test that is performed by an external IS auditor	An internally generated computer accounting report	A confirmation letter that is received from an outside source	b	An independent test that is performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party. An audit should consist of a combination of inspection, observation, and inquiry by an IS auditor as determined by risk. This provides a standard methodology and reasonable assurance that the controls and test results are accurate.	CISAD1	642	19.000	CISAD1
An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:	EDI trading partner agreements	Physical controls for terminals	Authentication techniques for sending and receiving messages	Program change control procedures	c	Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. EDI trading partner agreements minimize exposure to legal issues but do not resolve the problem of unauthorized transactions.	CISAD1	643	182.000	CISAD1
An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?	Walk-through with the reviewer of the operation of the control	System-generated exception reports for the review period with the reviewer's sign-off	A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer	Management's confirmation of the effectiveness of the control for the review period	c	A sample of a system-generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report. Management's confirmation of effectiveness of the control lacks independence and may be biased.	CISAD1***	644	3.000	CISAD1***
A1-41 A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?	Key verification	One-for-one checking	Manual recalculations	Functional acknowledgments	d	Acting as an audit trail for electronic data interchange transactions, functional acknowledgments are one of the main controls used in data mapping.	CISAD1***	645	21.000	CISAD1***
A1-42 Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?	Variable sampling	Stratified mean per unit	Attribute sampling	Unstratified mean per unit	c	Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.	CISAD1	646	175.000	CISAD1
A1-43 The BEST method of confirming the accuracy of a system tax calculation is by:	Review and analysis of the source code of the calculation programs	Recreating program logic using generalized audit software to calculate monthly totals	Preparing simulated transactions for processing and comparing the results to predetermined results	Automatic flowcharting and analysis of the source code of the calculation programs	c	Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.	CISAD1***	647	106.000	CISAD1***
A1-44 An IS auditor performing a review of application controls would evaluate the:	Efficiency of the application in meeting the business processes	Impact of any exposures discovered	Business processes served by the application	Application's optimization	b	An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.	CISAD1***	648	18.000	CISAD1***
A1-45 Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The IS auditor should:	Include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings	Not include the finding in the final report because management resolved the item	Not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit	Include the finding in the closing meeting for discussion purposes only	a	The audit report should contain all relevant findings and the response from management even if the finding has been resolved. This would mean that subsequent audits may test for the continued resolution of the control. Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.	CISAD1***	649	135.000	CISAD1***
A1-46 The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods will BEST assist the IS auditors?	Stop-or-go	Classical variable	Discovery	Probability-proportional-to-size	c	Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred. Therefore, it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.	CISAD1	650	136.000	CISAD1
A1-47 When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:	Controls needed to mitigate risk are in place	Vulnerabilities and threats are identified	Audit risk is considered	A gap analysis is appropriate	b	While developing a risk-based audit strategy, it is critical that the risk and vulnerabilities are understood. They determine the areas to be audited and the extent of coverage.	CISAD1	651	150.000	CISAD1
A1-48 During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:	Ask the auditee to sign a release form accepting full legal responsibility	Elaborate on the significance of the finding and the risk of not correcting it	Report the disagreement to the audit committee for resolution	Accept the auditee's position because they are the process owners	b	If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware.	CISAD1***	652	33.000	CISAD1***
A1-49 To ensure that audit resources deliver the best value to the organization, the FIRST step in an audit project is to:	Schedule the audits and monitor the time spent on each audit	Train the IS audit staff on current technology used in the organization	Develop the audit plan based on a detailed risk assessment	Monitor progress of audits and initiate cost control measures	c	It is most important to develop a risk-based audit plan to ensure effective use of audit resources. Monitoring audits and initiating cost controls does not ensure the effective use of audit resources.	CISAD1	653	48.000	CISAD1
A1-50 Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings?	Retest the control to validate the finding	Engage a third party to validate the finding	Include the finding in the report with the department manager's comments	Revalidate the supporting evidence for the finding	d	Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections that are pointed out by a department manager should be taken into consideration. Therefore, the first step is to revalidate the evidence for the finding.	CISAD1	654	26.000	CISAD1
An IS auditor should use statistical sampling, and not judgment (nonstatistical) sampling, when:	The probability of error must be objectively quantified.	The auditor wants to avoid sampling risk.	Generalized audit software is unavailable.	The tolerable error rate cannot be determined.	a	Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Sampling risk is the risk of a sample not being representative of the population. This risk exists for judgment and statistical samples. Statistical sampling can use generalized audit software, but it is not required. The tolerable error rate must be predetermined for both judgment and statistical sampling.	CISAD1	655	183.000	CISAD1
What is the BEST action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because intrusion detection system (IDS) and firewall controls are in place?	Revise the finding in the audit report per management's feedback.	Retract the finding because the IDS controls are in place.	Retract the finding because the firewall rules are monitored.	Document the identified finding in the audit report.	d	The IS auditor may include the management response in the report, but that will not affect the requirement to report the finding. The finding remains valid and the management response is documented; however, the audit may indicate a need to review the validity of the management response. IS auditor independence dictates that the additional information provided by the auditee is taken into consideration. Normally, an IS auditor does not automatically retract or revise the finding.	CISAD1	656	59.000	CISAD1
An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes and terminations) are completed and delivered to the bank, which prepares the checks and reports for distribution. To BEST ensure payroll data accuracy:	Payroll reports should be compared to input forms.	Gross payroll should be recalculated manually.	Checks should be compared to input forms.	Checks should be reconciled with output reports.	a	The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Recalculating gross payroll manually only verifies whether the processing is correct and not the data accuracy of inputs. Comparing checks to input forms is not feasible because checks contain the processed information and input forms contain the input data. Reconciling checks with output reports only confirms that checks were issued as stated on output reports.	CISAD1	657	131.000	CISAD1
Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?	Lack of transaction authorizations	Loss or duplication of EDI transmissions	Transmission delay	Deletion or manipulation of transactions prior to, or after, establishment of application controls	a	Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, lack of transaction authorization is the greatest risk. Loss or duplication of electronic data interchange transmissions is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. Deletion or manipulation of transactions prior to, or after, establishment of application controls is an example of risk. Logging detects any alteration to the data, and the impact is not as great as that of unauthorized transactions.	CISAD1***	658	26.000	CISAD1***
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:	Address audit objectives.	Collect sufficient evidence.	Specify appropriate tests.	Minimize audit resources.	a	ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary. The IS auditor does not collect evidence in the planning stage of audits. Specifying appropriate tests is not the primary goal of audit planning. Effective use of audit resources is a goal of audit planning, not minimizing audit resources.	CISAD1	659	160.000	CISAD1
When selecting audit procedures, an IS auditor should use professional judgment to ensure that:	Sufficient evidence will be collected.	Significant deficiencies will be corrected within a reasonable period.	All material weaknesses will be identified.	Audit costs will be kept at a minimum level.	a	Procedures are processes that an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment that is appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising during an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work. The correction of deficiencies is the responsibility of management and is not a part of the audit procedure selection process. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit, and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit. Audit procedures and use of professional judgment cannot ensure that all deficiencies/weaknesses will be identified and corrected. Professional judgment ensures that audit resources and costs are used wisely, but this is not the primary objective of the auditor when selecting audit procedures.	CISAD1***	660	137.000	CISAD1***
A substantive test to verify that tape library inventory records are accurate is:	Determining whether bar code readers are installed.	Determining whether the movement of tapes is authorized.	Conducting a physical count of the tape inventory.	Checking whether receipts and issues of tapes are accurately recorded.	c	Determining whether bar code readers are installed is a compliance test. Determining whether the movement of tapes is authorized is a compliance test. Conducting a physical count of the tape inventory is a substantive test. Checking whether receipts and issues of tapes are accurately recorded is a compliance test.	CISAD1	661	58.000	CISAD1
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to:	Acknowledge receipt of electronic orders with a confirmation message.	Perform reasonableness checks on quantities ordered before filling orders.	Verify the identity of senders and determine if orders correspond to contract terms.	Encrypt electronic orders.	c	Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders. An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received.	CISAD1	662	133.000	CISAD1
An IS auditor finds that the answers received during an interview with a payroll clerk do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:	Conclude that the controls are inadequate.	Expand the scope to include substantive testing.	Place greater reliance on previous audits.	Suspend the audit.	b	Based solely on the interview with the payroll clerk, the IS auditor will not be able to collect evidence to conclude on the adequacy of existing controls. If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. Placing greater reliance on previous audits is an inappropriate action, because it provides no current knowledge of the adequacy of the existing controls. Suspending the audit is an inappropriate action, because it provides no current knowledge of the adequacy of the existing controls.	CISAD1	663	2.000	CISAD1
An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:	Professional independence.	Organizational independence.	Technical competence.	Professional competence.	a	When an IS auditor recommends a specific vendor, the auditor's professional independence is compromised. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical competence is not relevant to the requirement of independence. Professional competence is not relevant to the requirement of independence.	CISAD1	664	68.000	CISAD1
The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:	Understand the business process.	Comply with auditing standards.	Identify control weakness.	Develop the risk assessment.	a	Understanding the business process is the first step an IS auditor needs to perform. Identifying control weaknesses is not the primary reason for the walk-through and typically occurs at a later stage in the audit. The main reason is to understand the business process.	CISAD1	665	193.000	CISAD1
In the process of evaluating program change controls, an IS auditor uses source code comparison software to:	Examine source program changes without information from IS personnel.	Detect a source program change made between acquiring a copy of the source and the comparison run.	Confirm that the control copy is the current version of the production program.	Ensure that all changes made in the current source copy are tested.	a	When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent, and relatively complete assurance of program changes because the source code comparison identifies the changes.	CISAD1***	666	10.000	CISAD1***
The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:	Confirm that the auditors did not overlook any important issues.	Gain agreement on the findings.	Receive feedback on the adequacy of the audit procedures.	Test the structure of the final presentation.	b	The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.	CISAD1	667	135.000	CISAD1
Which of the following audit techniques BEST helps an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update?	Automated code comparison	Test data run	Code review	Review of code migration procedures	c	An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure.	CISAD1***	668	59.000	CISAD1***
When preparing an audit report, the IS auditor should ensure that the results are supported by:	Statements from IS management.	Work papers of other auditors.	An organizational control self-assessment.	Sufficient and appropriate audit evidence.	d	ISACA's IS Audit and Assurance Standard on reporting requires that the IS auditor has sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence that is collected during the review.	CISAD1	669	26.000	CISAD1
While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:	Effectiveness of the QA function because it should interact between project management and user management.	Efficiency of the QA function because it should interact with the project implementation team.	Effectiveness of the project manager because the project manager should interact with the QA function.	Efficiency of the project manager because the QA function needs to communicate with the project implementation team.	a	To be effective, the quality assurance (QA) function should be independent of project management. If it is not, project management may put pressure on the QA function to approve an inadequate product.	CISAD1	670	17.000	CISAD1
The final decision to include a material finding in an audit report should be made by the:	Audit committee.	Auditee's manager.	IS auditor	Chief executive officer	c	The IS auditor should make the final decision about what to include or exclude from the audit report.	CISAD1	671	165.000	CISAD1
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:	Audit trail of the versioning of the work papers.	Approval of the audit phases.	Access rights to the work papers	Confidentiality of the work papers.	d	Encryption provides confidentiality for the electronic work papers.	CISAD1	672	52.000	CISAD1
The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:	Comply with regulatory requirements.	Provide a basis for drawing reasonable conclusions.	Ensure complete audit coverage.	Perform the audit according to the defined scope	b	The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them.	CISAD1	673	138.000	CISAD1
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:	Expand activities to determine whether an investigation is warranted.	Report the matter to the audit committee.	Report the possibility of fraud to management.	Consult with external legal counsel to determine the course of action to be taken.	a	An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.	CISAD1	674	5.000	CISAD1
An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is: A1-71	A. An effective preventive control.	B. A valid detective control.	C. Not an adequate control.	D. A corrective control.	c	Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control).	CISAD1	675	23.000	CISAD1
An organization's IS audit charter should specify the: A1-72	A. plans for IS audit engagements.	B. objectives and scope of IS audit engagements.	C. detailed training plan for the IS audit staff.	D. role of the IS audit function.	d	The objectives and scope of each IS audit should be agreed on in an engagement letter. The charter would specify the objectives and scope of the audit function but not of individual engagements.	CISAD1***	676	186.000	CISAD1***
Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? A1-73	A. Attribute sampling	B. Computer-assisted audit techniques	C. Compliance testing	D. Integrated test facility	b	Computer-assisted audit techniques (CAATs) enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria.	CISAD1	677	61.000	CISAD1
When developing a risk management program, what is the FIRST activity to be performed? A1-74	A. Threat assessment	B. Classification of data	C. Inventory of assets	D. Criticality analysis	c	Identification of the assets to be protected is the first step in the development of a risk management program.	CISAD1***	678	25.000	CISAD1***
When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: A1-75	A. Excessive transaction turnaround time.	B. Application interface failure.	C. Improper transaction authorization.	D. Nonvalidated batch totals.	c	Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization.	CISAD1***	679	42.000	CISAD1***
Which of the following would be MOST useful for an IS auditor for accessing and analyzing digital data to collect relevant audit evidence from diverse software environments? A1-76	A. Structured Query Language	B. Application software reports.	C. Data analytics controls	D. Computer-assisted auditing techniques	d	CAATs are tools used for accessing data in an electronic form from diverse software environments, record formats, etc.	CISAD1***	680	159.000	CISAD1***
Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users? A1-77	A. Variable sampling	B. Judgmental sampling	C. Stratified random sampling	D. Systematic sampling	c	Stratification ensures that all sampling units in each subgroup have a known, nonzero chance of selection.	CISAD1***	681	57.000	CISAD1***
An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. What should the IS auditor do? A1-78	A. Decline the assignment.	B. Inform management of the possible conflict of interest after completing the audit assignment.	C. Inform the BCP team of the possible conflict of interest prior to beginning the assignment.	D. Communicate the possibility of conflict of interest to audit management prior to starting the assignment.	d	A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment.	CISAD1	682	151.000	CISAD1
The PRIMARY purpose of an IT forensic audit is: A1-79	A. To participate in investigations related to corporate fraud.	B. The systematic collection and analysis of evidence after a system irregularity.	C. To assess the correctness of an organization's financial statements.	D. To preserve evidence of criminal activity.	b	The systematic collection and analysis of evidence after a system irregularity best describes a forensic audit.	CISAD1	683	125.000	CISAD1
An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do? A1-80	A. Issue an audit finding.	B. Seek an explanation from IS management.	C. Review the classifications of data held on the server.	D. Expand the sample of logs reviewed.	d	IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence.	CISAD1	684	30.000	CISAD1
A1-81 In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?	Hiring additional staff to provide segregation of duties	Preventing the release manager from making program modifications	Logging of changes to development libraries	Verifying that only approved program changes are implemented	d	Verifying program changes has roughly the same effect as intended by full segregation of duties.	CISAD1	685	100.000	CISAD1
A1-82 Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?	Establishing segregation of duties	Understanding all IT systems and controls relevant to audit objectives	List all controls from the audit program to select ones matching with audit objectives	Review the results of a risk self-assessment	d	Understanding the business, its operating model and key processes.	CISAD1***	686	136.000	CISAD1***
A1-83 An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:	Expand the scope of the IS audit to include the devices that are not on the network diagram	Evaluate the impact of the undocumented devices on the audit scope	Note a control deficiency because the network diagram has not been approved	Plan follow-up audits of the undocumented devices	b	In a risk-based approach to an IS audit, the scope is determined by the impact that the devices will have on the audit.	CISAD1***	687	178.000	CISAD1***
A1-84 An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?	A list of accounts with access levels generated by the system	Human resources access documents signed by employees' managers	A spreadsheet provided by the system administrator	Observations performed onsite in the presence of a system administrator	a	The access list generated by the system is the most reliable, because it is the most objective evidence.	CISAD1***	688	1.000	CISAD1***
A1-85 During a compliance audit of a small bank, the IS auditor notes that the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews that are conducted by the user's supervisor represents the BEST compensating control?	Audit trails that show the date and time of the transaction	A daily report with the total numbers and dollar amounts of each transaction	User account administration	Computer log files that show individual transactions	d	Computer logs record the activities of individuals during their access to a computer system or data file and record any abnormal activities.	CISAD1***	689	177.000	CISAD1***
A1-86 A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?	The work may be construed as a self-audit	Audit points may largely shift to technical aspects	The employee may not have sufficient control assessment skills	The employee's knowledge of business risk may be limited	a	Because the employee had been a developer, it is recommended that the audit coverage should exclude the systems developed by this employee to avoid any conflicts of interest.	CISAD1	690	159.000	CISAD1
A1-87 Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee?	Communicate results to the auditee	Develop timelines for the implementation of suggested recommendations	Confirm the findings and propose a course of corrective action	Identify compensating controls to the identified risk	c	Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee to confirm the accuracy and propose corrective actions.	CISAD1	691	1.000	CISAD1
A1-38 Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?	A Participating in the design of the risk management framework	B. Advising on different implementation techniques	C. Facilitating risk awareness training	D Performing a due diligence review of the risk management processes	a	Justification: A. Participating in the design of the risk management framework involves designing controls, which compromises the independence of the IS auditor to audit the risk management process. B Advising on different implementation techniques does not compromise the IS auditor's independence because the IS auditor will not be involved in the decision-making process. C. Facilitating awareness training does not hamper the IS auditor's independence because the auditor will not be involved in the decision-making process. D Due diligence reviews are a type of audit generally related to mergers and acquisitions.	CISAD1	692	2.000	CISAD1
A1-89 Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?	Key stakeholders are incorrectly identified	Control costs will exceed planned budget	Important business risk may be overlooked	Previously audited areas may be inadvertently included	c	Without clear audit objectives, important business risks may be overlooked, impacting the effectiveness of the audit.	CISAD1	693	131.000	CISAD1
A1-90 An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?	Computer-aided software engineering tools	Embedded data collection tools	Trend/variance detection tools	Heuristic scanning tools	c	Trend/variance detection tools look for anomalies in user or system behavior, making them suitable for analyzing audit trails.	CISAD1***	694	203.000	CISAD1***
While performing an audit of an accounting application's internal data integrity controls...	Continue to test the accounting application controls and inform the IT manager about the control deficiency...	Complete the audit and not report the control deficiency because it is not part of the audit scope.	Continue to test the accounting application controls and include the deficiency in the final report.	Cease all audit activity until the control deficiency is resolved.	c	The IS auditor should not assume that the IT manager will follow through on a verbal notification to resolve the change management control deficiency, and it is inappropriate to offer consulting services on issues discovered during an audit.	CISAD1	695	105.000	CISAD1
Which of the following will MOST successfully identify overlapping key controls in business application systems?	Reviewing system functionalities that are attached to complex business processes	Submitting test transactions through an integrated test facility	Replacing manual monitoring with an automated auditing solution	Testing controls to validate that they are effective	c	As part of the effort to realize continuous audit management, there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts can discover unnecessary or overlapping key controls in existing systems.	CISAD1	696	50.000	CISAD1
When performing a risk analysis, the IS auditor should FIRST:	Review the data classification program	Identify the organization's information assets	Identify the inherent risk of the system	Perform a cost-benefit analysis for controls	b	The data classification program assists the IS auditor in identifying these assets. The first step of the risk assessment process is to identify the systems and processes that support the business objectives because risk to those processes impacts the achievement of business goals. After the business objectives and the underlying systems are identified, the greatest degree of risk management effort should be focused towards those assets containing data considered most sensitive.	CISAD1	697	120.000	CISAD1
After identifying the findings, the IS auditor should FIRST:	Gain agreement on the findings	Determine mitigation measures for the findings	Inform senior management of the findings	Obtain remediation deadlines to close the findings	a	If findings are not agreed upon and confirmed by both parties, then there may be an issue during sign-off on the final audit report or while discussing findings with management. When agreement is obtained with the auditee, it implies the finding is understood and a clear plan of action can be determined. Although the auditor may recommend mitigation measures, the organization ultimately decides and implements the mitigation strategies as a function of risk management.	CISAD1	698	66.000	CISAD1
A PRIMARY benefit derived for an organization employing control self-assessment techniques is that it:	Can identify high-risk areas that might need a detailed review later.	Allows IS auditors to independently assess risk	Can be used as a replacement for traditional audits	Allows management to relinquish responsibility for control	a	Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review later. CSA requires the involvement of IS auditors and line management. The internal audit function shifts some of the control monitoring responsibilities to the functional areas. CSA is not a replacement for traditional audits. CSA is not intended to replace audit's responsibilities, but to enhance them.	CISAD1	699	115.000	CISAD1
Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?	Prioritize the identified risk	Define the audit universe	Identify the critical controls	Determine the testing approach	b	In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure, and authorization matrix.	CISAD1	700	43.000	CISAD1
Which of the following is MOST likely to be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?	Delivering cybersecurity awareness training	Designing the cybersecurity controls	Advising on the cybersecurity framework	Conducting the vulnerability assessment	b	If an auditor designs the controls, a conflict of interest arises in the neutrality of the auditor to address deficiencies during an audit. This is in violation of the ISACA Code of Ethics. Conducting a vulnerability assessment can be the responsibility of the IS auditor and does not present a conflict of interest. Part of the role of an IS auditor can be to advise on a cybersecurity framework, provided that such advice does not rise to the level of designing specific controls that the auditor would later review.	CISAD1	701	110.000	CISAD1
An IS auditor identified a business process to be audited. The IS auditor should NEXT identify the:	Most valuable information assets.	IS audit resources to be deployed	Auditee personnel to be interviewed	Control objectives and activities	d	After the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit. All assets need to be identified, not just information assets. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the control objectives and key control activities are relevant for scoping the audit.	CISAD1***	702	62.000	CISAD1***
The effect of which of the following should have priority in planning the scope and objectives of an IS audit?	Applicable statutory requirements	Applicable corporate standards	Applicable industry good practices	Organizational policies and procedures	a	The effect of applicable statutory requirements must be factored in while planning an IS audit. The IS auditor has no options regarding statutory requirements because there can be no limitation of scope relating to statutory requirements. Statutory requirements always take priority over corporate standards. Industry good practices help plan an audit; however, good practices are not mandatory and can be deviated from to meet organizational objectives. Organizational policies and procedures are important, but statutory requirements always take priority. Organizational policies must be in alignment with statutory requirements.	CISAD1***	703	154.000	CISAD1***
An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:	Remove the IS auditor from the engagement.	Cancel the engagement.	Disclose the issue to the client.	Take steps to restore the IS auditor's independence	c	In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, which exists in certain countries. Canceling the engagement is not required if properly disclosed and accepted. This is not a feasible solution. The independence of the IS auditor cannot be restored while continuing to conduct the audit.	CISAD1***	704	8.000	CISAD1***
An IS auditor is planning to evaluate the control design effectiveness that is related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?	Interview	Inquiry	Reperformance	Walk-through	d	Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control, because it actually exists.	CISAD1	705	40.000	CISAD1
Which of the following is the MAIN reason to perform a risk assessment in the planning phase of an IS audit?	To ensure management's concerns are addressed	To provide reasonable assurance material items will be addressed	To ensure the audit team will perform audits within budget	To develop audit program and procedures needed to perform the audit	b	A risk assessment helps to focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is also important.	CISAD1***	706	160.000	CISAD1***
Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting?	A Risk statement includes an explanation of a business impact.	Findings are clearly tracked back to evidence.	Recommendations address root causes of findings.	Remediation plans are provided by responsible parties.	b	It is important to have findings clearly tracked back to evidence before communicating them to ensure their accuracy and relevance.	CISAD1	707	33.000	CISAD1
The MAIN advantage of an IS auditor directly extracting data from a general ledger systems is:	Reduction of human resources needed to support the audit	Reduction in the time to have access to the information	Greater flexibility for the audit department	Greater assurance of data validity	d	If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness, and therefore, all required data will be collected.	CISAD1	708	112.000	CISAD1
An IS auditor wants to determine the number of purchase orders that are not appropriately approved. Which of the following sampling techniques should an IS auditor use to make such a conclusion?	Attribute	Variable	Stop-or-go	Judgment	a	Attribute sampling is used to test compliance of transactions to controls in this instance, the existence of appropriate approval.	CISAD1	709	82.000	CISAD1
An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by using CAATs?	Usefulness	Reliability	Relevance	Adequacy	b	Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system.	CISAD1***	710	196.000	CISAD1***
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?	Development of an audit program	Define the audit scope	Identification of key information owners	Development of a risk assessment	d	A risk assessment should be performed to determine how internal audit resources should be allocated to ensure that all material items will be addressed.	CISAD1***	711	118.000	CISAD1***
Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?	Managing audit staff	Allocating resources	Project management	Attention to detail	c	Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.	CISAD1***	712	57.000	CISAD1***
What is the MAJOR benefit of conducting a control self-assessment over a traditional audit?	It detects risk sooner.	It replaces the internal audit function.	It reduces the audit workload.	It reduces audit resource requirements.	a	Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help to increase the understanding of business risk and internal controls.	CISAD1	713	156.000	CISAD1
A1-110 An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect?	A Control risk	B. Compliance risk	C. Inherent risk	D. Residual risk	c	MA.. Control risk can be high, but it is not due to internal controls not being identified, evaluated or tested, and is not due to the number of users or business areas affected. Sort B. Compliance risk is the penalty applied to current and future earnings for noncontumance to laws and regulations and may not be impacted by the number of users and business areas affected. C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without considering the actions that management has taken or might take.	CISAD1***	714	158.000	CISAD1***
A1-111 An IS auditor discovers a potential material finding. The BEST course of action is to:	report the potential finding to business management.	discuss the potential finding with the audit committee.	increase the scope of the audit.	perform additional testing.	d	The item should be confirmed through additional testing before it is reported to management. Increasing the scope could demand more needed audit resources. An auditor can quickly lose credibility if the finding was not justified.	CISAD1	715	158.000	CISAD1
A1-112 Which of the following is in the BEST position to approve changes to the audit charter?	Board of directors	Audit committee	Executive management	Director of internal audit	b	The audit committee should approve the audit charter as it is independent and senior.	CISAD1	716	128.000	CISAD1
A1-113 An IS auditor reviewing the process of log monitoring wants to evaluate the organization's manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?	Inspection	Inquiry	Walk-through	Reperformance	c	A walk-through includes inquiry, observation, inspection, and reperformance, providing a thorough understanding of the process.	CISAD1***	717	45.000	CISAD1***
A1-114 An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of:	Substantive testing.	Compliance testing.	Analytical testing.	Control testing.	a	Substantive testing gathers evidence on completeness, accuracy, or existence of activities or transactions.	CISAD1***	718	20.000	CISAD1***
A1-115 Which of the following does a lack of adequate controls represent?	Impact	Vulnerability	Asset	Threat	b	A lack of adequate controls represents a vulnerability exposing sensitive information to risks.	CISAD1	719	197.000	CISAD1
A1-116 An IS auditor notes daily reconciliation of visitor access card inventory is not aligned with the organization's procedures. Which of the following is the auditor's BEST course of action?	Do not report the lack of reconciliation.	Recommend regular physical inventory counts.	Report the lack of daily reconciliations.	Recommend the implementation of a more secure access system.	c	The auditor should report the lack of daily reconciliation as an exception to management.	CISAD1	720	125.000	CISAD1
A1-117 During an audit, the IS auditor notes the application developer also performs quality assurance testing on another application. Which of the following is the MOST important course of action for the auditor?	Recommend compensating controls.	Review the code created by the developer.	Analyze the quality assurance dashboards.	Report the identified condition.	d	The auditor should report the condition to address the segregation of duties concern.	CISAD1***	721	23.000	CISAD1***
A1-118 An IS auditor is reviewing risk and controls of a bank's wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following?	Privileged access to the wire transfer system	Wire transfer procedures	Fraud monitoring controls	Employee background checks.	b	Wire transfer procedures ensure segregation of duties to prevent internal fraud.	CISAD1	722	131.000	CISAD1
A1-119 An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt as	Lower confidence coefficient, resulting in a smaller sample size.	Higher confidence coefficient, resulting in a smaller sample size.	Higher confidence coefficient, resulting in a larger sample size.	Lower confidence coefficient, resulting in a larger sample size.	a	With strong internal controls, a lower confidence coefficient allows a smaller sample size.	CISAD1***	723	50.000	CISAD1***
A1-120 Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?	A. Internal quality requirements	B The audit guidelines	C. The audit methodology	D. Professional standards	d	A Internal quality requirements may exist but are superseded by the requirement of supervision to comply with professional standards. B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with C professional standards. D. Professional standards from ISACA, The Institute of Internal Auditors and the International Federation of Accountants require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.	CISAD1***	724	36.000	CISAD1***
A1-121 Which technique will BEST test for the existence of dual control when auditing the wire transfer systems of a bank?	Analysis of transaction logs	Reperformance.	Observation	Interviewing personnel	c	Observation ensures that dual control is physically followed during operations.	CISAD1***	725	154.000	CISAD1***
A1-122: In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional	A. Stop-or-go sampling.	B. Substantive testing.	C. Compliance testing.	D. Discovery sampling.	b	Both inherent and control risk are high, so additional substantive testing is needed.	CISAD1	726	171.000	CISAD1
A1-123: The PRIMARY objective of the audit initiation meeting with an IS audit client is to	A. Discuss the scope of the audit.	B. Identify resource requirements of the audit.	C. Select the methodology of the audit	D. Collect audit evidence.	a	Initiation meetings primarily define the audit scope.	CISAD1	727	108.000	CISAD1
A1-124: The PRIMARY purpose of the IS audit charter is to:	A. Establish the organizational structure of the audit department.	B. Illustrate the reporting responsibilities of the IS audit function.	C. Detail the resource requirements needed for the audit function.	D. Outline the responsibility and authority of the IS audit function.	d	Defines purpose, responsibility, authority, and accountability of the IS audit function.	CISAD1	728	79.000	CISAD1
A1-125: Which of the following is MOST important for an IS auditor to understand when auditing an ecommerce environment?	A. The technology architecture of the ecommerce environment.	B. The policies, procedures, and practices forming the control environment.	C. The nature and criticality of the business processes supported by the application.	D. Continuous monitoring of control measures for system availability and reliability.	c	Understanding business processes is crucial for identifying specific controls to review.	CISAD1***	729	69.000	CISAD1***
A1-126: During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department?	A. Discuss with the IT managers.	B. Review the IT job descriptions.	C. Research past IT audit reports.	D. Evaluate the organizational structure.	a	Discussing with IT managers provides insights into actual responsibilities.	CISAD1	730	21.000	CISAD1
A1-127: A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this?	A. Detective	B. Preventive	C. Corrective	D. Directive	b	Prevents unauthorized transactions by requiring manager approval.	CISAD1	731	45.000	CISAD1
A1-128: During an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:	A. Include a review of the database controls in the scope.	B. Document for future review.	C. Work with database administrators to correct the issue.	D. Report the weaknesses as observed.	d	Observations outside scope should still be reported.	CISAD1	732	65.000	CISAD1
A1-129: A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:	A. Directive control.	B. Corrective control.	C. Compensating control.	D. Detective control.	b	Detects and reports unauthorized access attempts.	CISAD1	733	135.000	CISAD1
A1-130: Due to unexpected resource constraints of the IS audit team, the audit plan, as originally approved, cannot be completed. Assuming the situation is communicated in the audit report, which course of action is MOST acceptable?	A. Test the adequacy of the control design.	B. Test the operational effectiveness of controls.	C. Focus on auditing high-risk areas.	D. Rely on management testing of controls.	c	Focuses efforts on areas posing the highest risk due to resource constraints.	CISAD1	734	143.000	CISAD1
A1-131: Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system?	A. Reperformance	B. Process walk-through	C. Observation	D. Documentation review	a	Reperforming ensures accuracy through independent verification.	CISAD1	735	189.000	CISAD1
A1-132: Which of the following choices would be the BEST source of information when developing a risk-based audit plan?	A. Process owners identify key controls.	B. System custodians identify vulnerabilities.	C. Peer auditors understand previous audit results.	D. Senior management identify key business processes.	d	Identifying business processes sets the stage for risk assessment.	CISAD1***	736	75.000	CISAD1***
A1-133: While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:	A. Report the issue to IT management.	B. Discuss the issue with the service provider.	C. Perform a risk assessment.	D. Perform an access review.	a	Issues should be reported to IT management for resolution.	CISAD1***	737	129.000	CISAD1***
A1-134: Which of the following is the PRIMARY requirement for reporting IS audit results? The report is:	A. Prepared according to a predefined and standard template.	B. Backed by sufficient and appropriate audit evidence.	C. Comprehensive in coverage of enterprise processes.	D. Reviewed and approved by audit management.	b	Ensures findings are supported and can be validated if needed.	CISAD1	738	159.000	CISAD1
A1-135: An IS auditor performing an audit of the risk assessment process should FIRST confirm that:	A. Reasonable threats to the information assets are identified.	B. Technical and organizational vulnerabilities have been analyzed.	C. Assets have been identified and ranked.	D. The effects of potential security breaches have been evaluated.	c	Identifying and ranking assets guides risk assessment scope.	CISAD1	739	103.000	CISAD1
A1-136: Which of the following represents an example of a preventive control with respect to IT personnel?	A. A security guard stationed at the server room door.	B. An intrusion detection system.	C. Implementation of a badge entry system for the IT facility.	D. A fire suppression system in the server room.	c	Prevents unauthorized access through physical security measures.	CISAD1	740	84.000	CISAD1
A1-137: Which of the following is an attribute of the control self-assessment approach?	A. Broad stakeholder involvement.	B. Auditors are the primary control analysts.	C. Limited employee participation.	D. Policy driven.	a	Emphasizes employee participation and accountability.	CISAD1***	741	129.000	CISAD1***
A1-138: An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization discovered the following: . The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. . The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention. . The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred. The IS auditor's report should recommend that:	A. Censuring the deputy chief executive officer (CEO).	B. Setting up a board to review the existing plan.	C. A manager coordinates the creation of a new plan within a defined time limit.	D. Issuing the existing plan to all key management and staff.	d	Recommends immediate action to update and formalize the DRP.	CISAD1***	742	199.000	CISAD1***
A1-139: An IS auditor finds that a disaster recovery plan (DRP) for critical business functions does not cover all systems. The MOST appropriate course of action for the IS auditor is to:	A. Alert management and evaluate the impact of not covering all systems.	B. Cancel the audit.	C. Complete the audit of the systems covered by the existing DRP.	D. Postpone the audit until the systems are added to the DRP.	a	Management should be informed of gaps in coverage and their potential impact.	CISAD1	743	83.000	CISAD1
A1-140: Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds?	A. Generalized audit software.	B. An integrated test facility.	C. Regression tests.	D. Transaction snapshots.	a	Provides capabilities to filter and analyze large volumes of transaction data.	CISAD1	744	181.000	CISAD1
Which of the following is MOST important to ensure that effective application controls are maintained? A1-141	Exception reporting	Manager oversight	Control self-assessment	Peer reviews	c	Control self-assessment (CSA) is a formal and documented process that reviews business objectives and internal controls, including automated controls. It involves collaboration and testing, making it crucial for maintaining effective controls.	CISAD1***	745	190.000	CISAD1***
The success of a control self-assessment depends highly on: A1-142	Line managers assuming a portion of the responsibility for control monitoring	Assigning staff managers, the responsibility for building controls	The implementation of a stringent control policy and rule-driven controls	The implementation of supervision and monitoring of controls of assigned duties	a	Control self-assessment (CSA) success hinges on line managers assuming control monitoring responsibilities, enhancing control effectiveness through their involvement.	CISAD1***	746	60.000	CISAD1***
Which of the following is evaluated as a preventive control by an IS auditor performing an audit? A1-143	Transaction logs	Before and after image reporting	Table lookups	Tracing and tagging	c	Table lookups prevent undefined data entry, qualifying them as preventive controls in auditing.	CISAD1***	747	53.000	CISAD1***
The PRIMARY objective of embedding an audit module while developing online application systems is: A1-144	To collect evidence while transactions are processed	To reduce requirements for periodic internal audits	To identify and report fraudulent transactions	To increase efficiency of the audit function	a	Embedding an audit module aims primarily to collect audit evidence during transaction processing, enhancing the audit process's efficiency and reliability.	CISAD1	748	180.000	CISAD1
A PRIMARY benefit of continuous auditing is that: A1-145	Effective preventive controls are enforced	Errors can be corrected in a timely fashion	Fraud can be detected more quickly	System integrity is ensured	c	Continuous auditing reduces resource use and enhances fraud detection capability through continuous evidence collection, focusing auditors on critical data.	CISAD1***	749	37.000	CISAD1***
An IS auditor wants to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness? A1-146	Observation of a logged event	Review of the procedure manual	Interview with management	Interview with security personnel	a	Observing the process of resetting security access and logging the event provides direct evidence of the adequacy of physical security controls.	CISAD1***	750	23.000	CISAD1***
As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST help in detecting these errors? A1-147	Range check	Validity check	Duplicate check	Check digit	d	Check digits are effective in detecting transposition and transcription errors by verifying data integrity through calculated numeric values.	CISAD1***	751	2.000	CISAD1***
The MAIN purpose of the annual IS audit plan is to: A1-148	Allocate resources for audits	Reduce the impact of audit risk	Develop a training plan for auditors	Minimize audit costs	a	IS audit plans prioritize and allocate resources effectively to accomplish audit objectives.	CISAD1	752	23.000	CISAD1
Which of the following would be expected to approve the audit charter? A1-149	Chief financial officer	Chief executive officer	Audit steering committee	Audit committee	d	The audit committee is responsible for approving the audit charter, ensuring alignment with organizational objectives and oversight.	CISAD1	753	123.000	CISAD1
Which of the following is the PRIMARY purpose of a risk-based audit? A1-150	High-impact areas are addressed first	Audit resources are allocated efficiently	Material areas are addressed first	Management concerns are prioritized	c	A risk-based audit focuses on auditing material areas based on risk rankings, ensuring efficient resource allocation.	CISAD1***	754	104.000	CISAD1***
An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take? A1-151	Discuss the finding with the IT auditor's manager	Retest the control to confirm the finding	Elevate the risk associated with the control	Discuss the finding with the auditee's manager	a	Discussing the finding with the IT auditor's manager is recommended to resolve disagreements professionally and effectively.	CISAD1***	755	124.000	CISAD1***
A2-1 Organizations requiring employees to take a mandatory vacation each year PRIMARILY want to ensure:	adequate cross-training exists between functions.	an effective internal control environment is in place by increasing morale.	potential irregularities in processing are identified by a temporary replacement.	the risk of processing errors is reduced.	c	Employees who perform critical and sensitive functions within an organization should be required to take some time off to help ensure that irregularities and fraud are detected.	CISAD2	756	27.000	CISAD2
A2-2 An IS auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?	Ignore the absence of management approval because employees follow the policies.	Recommend immediate management approval of the policies.	Emphasize the importance of approval to management.	Report the absence of documented approval.	d	Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies.	CISAD2***	757	129.000	CISAD2***
A2-3 What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?	Projects are aligned with the organization's strategy.	Identified project risk is monitored and mitigated.	Controls related to project planning and budgeting are appropriate.	IT project metrics are reported accurately.	a	The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results.	CISAD2	758	160.000	CISAD2
A2-4 In a review of the human resources policies and procedures within an organization, an IS auditor is MOST concerned with the absence of a:	process for formalized exit interviews.	termination checklist.	requirement for new employees to sign a nondisclosure agreement.	requirement for periodic job rotations.	c	A termination checklist is critical to ensure the logical and physical security of an enterprise. It prevents the loss of enterprise property issued to employees and risks like intellectual property theft.	CISAD2	759	58.000	CISAD2
A2-5 Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?	Ensure that assurance objectives are defined.	Determine stakeholder requirements and involvement.	Identify relevant risk and related opportunities.	Determine relevant enablers and their applicability.	b	Assurance objectives must be defined to align IT governance with business strategy, ensuring value addition.	CISAD2***	760	177.000	CISAD2***
A2-6 Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?	To prevent conflicts of interest.	To prevent the misuse of corporate resources.	To prevent employee performance issues.	To prevent theft of IT assets.	b	Implementing policies to prevent conflicts of interest is crucial to mitigate risks like fraud and intellectual property theft.	CISAD2	761	119.000	CISAD2
A2-7 An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?	The policy has not been updated in more than one year.	The policy includes no revision history.	The policy is approved by the security administrator.	The company does not have an information security policy committee.	c	A policy must have proper management approval to be enforceable, ensuring compliance and security.	CISAD2	762	55.000	CISAD2
A2-8 When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern?	Controls are eliminated as part of the streamlining BPR effort.	Resources are not adequate to support the BPR process.	The audit department does not have a consulting role in the BPR effort.	The BPR effort includes employees with limited knowledge of the process area.	a	Elimination of controls during BPR poses significant risks to operations, necessitating careful auditing.	CISAD2***	763	124.000	CISAD2***
A2-9 When auditing the IT governance framework and IT risk management practices existing within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?	Review the strategic alignment of IT with the business.	Implement accountability rules within the organization.	Ensure that independent IS audits are conducted periodically.	Create a chief risk officer role in the organization.	b	Implementing accountability rules ensures clear definition of responsibilities, critical for effective IT governance.	CISAD2***	764	94.000	CISAD2***
A2-10 An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:	Verify how the organization complies with standards.	Identify and report existing controls.	Review the metrics for quality evaluation.	Request all standards adopted by the organization.	d	The first step is to understand the standards adopted by the organization before evaluating compliance and controls.	CISAD2***	765	200.000	CISAD2***
A2-11 An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:	Recommend that this separate project be completed as soon as possible.	Report this issue as a finding in the audit report.	Recommend the adoption of the Zachman framework.	Rescope the audit to include the separate project as part of the current audit.	b	Reporting the issue ensures that gaps in EA representation are highlighted, essential for strategic planning.	CISAD2	766	31.000	CISAD2
A2-12 An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:	Controls in place.	Effectiveness of the controls.	Mechanism for monitoring the risk.	Threats/vulnerabilities affecting the assets.	d	Evaluating threats and vulnerabilities helps in assessing risks before reviewing controls and effectiveness.	CISAD2	767	33.000	CISAD2
A2-13 The PRIMARY benefit of an enterprise architecture initiative is to:	Enable the organization to invest in the most appropriate technology.	Ensure security controls are implemented on critical platforms.	Allow development teams to be more responsive to business requirements.	Provide business units with greater autonomy to select IT solutions that fit their needs.	a	EA ensures IT investments align with business needs, optimizing technology use and strategic alignment.	CISAD2***	768	144.000	CISAD2***
A2-14 Which of the following situations is addressed by a software escrow agreement?	The vendor of custom-written software goes out of business.	The system administrator requires access to software to recover from a disaster.	A user requests to have software reloaded onto a replacement hard drive.	An IS auditor requires access to software code written by the organization.	a	Escrow ensures access to software source code if the vendor fails to maintain it, critical for business continuity.	CISAD2	769	29.000	CISAD2
A2-15 An IS auditor reviews an organizational chart PRIMARILY for:	Investigating various communication channels.	Understanding the responsibilities and authority of individuals.	Investigating the network connected to different employees.	Understanding the complexity of the organizational structure.	c	Organizational charts clarify roles and responsibilities, aiding in segregation of duties and governance.	CISAD2***	770	138.000	CISAD2***
A2-16 Sharing risk is a key factor in which of the following methods of managing risk?	Transferring risk.	Tolerating risk.	Terminating risk.	Treating risk.	a	Transferring risk, like through insurance, spreads the risk, reducing impact on the organization.	CISAD2***	771	21.000	CISAD2***
A2-17 A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:	Compute the amortization of the related assets.	Calculate a return on investment.	Apply a qualitative approach.	Spend the time needed to define the loss amount exactly.	c	When exact financial losses are hard to calculate, a qualitative approach helps gauge impact effectively.	CISAD2***	772	108.000	CISAD2***
A2-18 While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that:	Quality management systems comply with good practices.	Continuous improvement targets are being monitored.	Standard operating procedures are updated annually.	Key performance indicators are defined.	b	Continuous improvement is crucial for quality management systems to meet evolving business needs.	CISAD2***	773	14.000	CISAD2***
A2-19 An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?	IT projects are not consistently formally approved.	IT projects are not following the system development life cycle process.	The IT department's projects will not be adequately funded.	The IT department may not be working toward a common goal.	d	Lack of formal approval hampers goal alignment and proper funding, risking strategic misalignment.	CISAD2	774	102.000	CISAD2
A2-20 Value delivery from IT to the business is MOST effectively achieved by:	Aligning the IT strategy with the enterprise strategy.	Embedding accountability in the enterprise.	Providing a positive return on investment.	Establishing an enterprise-wide risk management process.	a	A. B IT's value delivery to the business is driven by aligning IT with the enterprise's strategy. Embedding accountability in the enterprise pronotes risk management (another element of corporate governance). C. While return on investment is important, it is not the only criterion by which the value of IT is assessed. D. Enterprisewide risk management is critical to IT governance; however, by itself, it will not guarantee that IT delivers value to the business unless the IT strategy is aligned with the enterprise strategy.	CISAD2	775	44.000	CISAD2
A2-21 During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan is to:	Evaluate the adequacy of the service levels that the vendor can provide in a contingency.	Evaluate the financial stability of the service bureau and its ability to fulfill the contract.	Review the experience of the vendor's staff.	Test the business continuity plan.	a	A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements.	CISAD2***	776	27.000	CISAD2***
A2-22 An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the auditor consider MOST important to facilitate compliance with the policy upon its implementation?	Existing IT mechanisms enabling compliance	Alignment of the policy to the business strategy	Current and future technology initiatives.	Regulatory compliance objectives defined in the policy	a	The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.	CISAD2***	777	53.000	CISAD2***
A2-23 The MOST likely effect of the lack of senior management commitment to IT strategic planning is:	Lack of investment in technology	Lack of a methodology for systems development	Technology not aligning with organization objectives	Absence of control over technology contracts	c	A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers is an indication of a lack of top-level management commitment. This condition increases the risk that IT is not aligned with organization strategy.	CISAD2	778	70.000	CISAD2
A2-24 Which of the following is a function of an IT steering committee?	Monitoring vendor-controlled change control and testing	Ensuring a separation of duties within the information's processing environment	Approving and monitoring the status of IT plans and budgets	Liaising between the IT department and end users	c	The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets.	CISAD2	779	129.000	CISAD2
A2-25 An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor?	The information security policy is not periodically reviewed by senior management.	A policy ensuring systems are patched in a timely manner does not exist.	The audit committee did not review the organization's mission statement.	An organizational policy related to information asset protection does not exist.	a	Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern.	CISAD2***	780	25.000	CISAD2***
A2-26 Involvement of senior management is MOST important in the development of:	Strategic plans.	IT policies.	IT procedures.	Standards and guidelines.	a	Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.	CISAD2***	781	137.000	CISAD2***
A2-27 Effective IT governance ensures that the IT plan is consistent with the organization's:	Business plan	Audit plan.	Security plan.	Investment plan.	a	To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans.	CISAD2	782	181.000	CISAD2
A2-28 Establishing the level of acceptable risk is the responsibility of:	Quality assurance management.	Senior business management.	The chief information officer.	The chief security officer.	b	Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process.	CISAD2	783	25.000	CISAD2
A2-29 IT governance is PRIMARILY the responsibility of the:	chief executive officer.	board of directors.	IT steering committee.	audit committee.	b	IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).	CISAD2	784	159.000	CISAD2
A2-30 From a control perspective, the key element in job descriptions is that they:	Provide instructions on how to do the job and define authority.	Are current, documented and readily available to the employee.	Communicate management's specific job performance expectations.	Establish responsibility and accountability for the employee's actions.	d	From a control perspective, a job description should establish responsibility and accountability. This aids in ensuring that users are given system access in accordance with their defined job responsibilities and are accountable for how they use that access.	CISAD2	785	4.000	CISAD2
A2-31 Which of the following BEST provides assurance of the integrity of new staff?	Background screening	References	Bonding	Qualifications listed on a resume	a	A background screening is the primary method for assuring the integrity of a prospective staff member. This may include criminal history checks, driver's license abstracts, financial status checks, verification of education, etc.	CISAD2	786	130.000	CISAD2
A2-32 When an employee is terminated from service, the MOST important action is to:	hand over all of the employee's files to another designated employee.	complete a backup of the employee's work.	notify other employees of the termination.	disable the employee's logical access.	d	There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important and immediate action to take.	CISAD2	787	97.000	CISAD2
A2-33 A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:	The security controls of the application may not meet requirements.	The application may not meet the requirements of the business users.	The application technology may be inconsistent with the enterprise architecture.	The application may create unanticipated support issues for IT.	c	The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business.	CISAD2	788	93.000	CISAD2
A2-34 Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:	Ensure that the employee maintains a good quality of life, which will lead to greater productivity.	Reduce the opportunity for an employee to commit an improper or illegal act.	Provide proper cross-training for another employee.	Eliminate the potential disruption caused when an employee takes vacation one day at a time.	b	Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function of the employee on vacation is often mandatory for sensitive positions because this reduces the opportunity to commit improper or illegal acts.	CISAD2	789	80.000	CISAD2
A2-35 A local area network (LAN) administrator normally is restricted from:	having end-user responsibilities.	reporting to the end-user manager.	having programming responsibilities.	being responsible for LAN security administration.	c	A LAN administrator should not have programming responsibilities because that could allow modification of production programs without proper separation of duties, but the LAN administrator may have end-user responsibilities.	CISAD2	790	1.000	CISAD2
A2-36 A decision support system is used to help high-level management:	Solve highly structured problems.	Combine the use of decision models with predetermined criteria.	Make decisions based on data analysis and interactive models.	Support only structured decision-making tasks.	c	A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria.	CISAD2***	791	150.000	CISAD2***
A2-37 During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?	Maximum acceptable downtime metrics have not been defined in the contract.	The IT department does not manage the relationship with the cloud vendor.	The help desk call center is in a different country, with different privacy requirements.	Organization-defined security policies are not applied to the cloud application.	d	Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.	CISAD2	792	157.000	CISAD2
A2-38 Before implementing an IT balanced scorecard, an organization must:	Deliver effective and efficient services.	Define key performance indicators.	Provide business value to IT projects.	Control IT expenses.	b	Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.	CISAD2	793	23.000	CISAD2
A2-39 To support an organization's goals, an IT department should have:	A low-cost philosophy.	Long and short-term plans.	Leading-edge technology.	Plans to acquire new hardware and software.	b	To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals.	CISAD2	794	17.000	CISAD2
A2-40 In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether:	There is an integration of IT and business personnel within projects.	There is a clear definition of the IT mission and vision.	A strategic information technology planning scorecard is in place.	The plan correlates business objectives to IT goals and objectives.	a	The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan.	CISAD2	795	148.000	CISAD2
A2-41 Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department?	Allocating resources	Adapting to changing technologies.	Conducting control self-assessments	Evaluating hardware needs	a	The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately.	CISAD2***	796	141.000	CISAD2***
A2-42 Which of the following goals do you expect to find in an organization's strategic plan?	Results of new software testing	An evaluation of information technology needs	Short-term project plans for a new planning system	Approved suppliers for products offered by the company	d	Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization's strategic plan.	CISAD2***	797	98.000	CISAD2***
A2-43 Which of the following does an IS auditor consider to be MOST important when evaluating an organization's IT strategy? That it:	Was approved by line management.	Does not vary from the IT department's preliminary budget.	Complies with procurement procedures.	Supports the business objectives of the organization.	d	Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals.	CISAD2	798	69.000	CISAD2
A2-44 An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:	A backup server is available to run ETCS operations with up-to-date data.	A backup server is loaded with all relevant software and data.	The systems staff of the organization is trained to handle any event.	Source code of the ETCS application is placed in escrow.	d	Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization has the opportunity to modify the software should the vendor cease to be in business.	CISAD2	799	74.000	CISAD2
A2-45 When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations business objectives by determining whether IT:	Has all the personnel and equipment it needs.	Plans are consistent with management strategy.	Uses its equipment and personnel efficiently and effectively.	Has sufficient excess capacity to respond to changing directions.	b	The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans.	CISAD2	800	172.000	CISAD2
A2-46 An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?	Network administrators are responsible for quality assurance.	System administrators are application programmers.	End users are security administrators for critical applications.	Systems analysts are database administrators.	b	When individuals serve multiple roles, this represents a separation-of-duties problem with associated risk. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door.	CISAD2	801	62.000	CISAD2
A2-47 Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?	User management coordination does not exist.	Specific user accountability cannot be established.	Unauthorized users may have access to modify data.	Audit recommendations may not be implemented.	c	Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals can gain (be given) system access when they should not have authorization. The ability of unauthorized users to modify data is greater than the risk of authorized user accounts not being controlled properly.	CISAD2	802	128.000	CISAD2
A2-48 An IS audit department is planning to minimize the risk of short-term employees. Activities contributing to this objective are documented procedures, knowledge sharing, cross-training and:	Succession planning.	Staff job evaluation.	Responsibilities definitions.	Employee award programs.	a	Succession planning ensures that internal personnel with the potential to fill key positions in the organization are identified and developed.	CISAD2	803	14.000	CISAD2
A2-49 The rate of change in technology increases the importance of:	Outsourcing the IT function.	Implementing and enforcing sound processes.	Hiring qualified personnel.	Meeting user requirements.	b	Change control requires that good change management processes be implemented and enforced.	CISAD2	804	108.000	CISAD2
A2-50 An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:	This lack of knowledge may lead to unintentional disclosure of sensitive information.	Information security is not critical to all functions.	IS audit should provide security training to the employees.	The audit finding will cause management to provide continuous training to staff.	a	All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.	CISAD2***	805	107.000	CISAD2***
A2-51 Which of the following is responsible for the approval of an information security policy?	IT department	Security committee	Security administrator	Board of directors	d	Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.	CISAD2***	806	204.000	CISAD2***
A2-52 While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation?	Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC.	IT projects could suffer from cost overruns.	Misleading indications of IT performance may be presented to management.	IT service level agreements may not be accurate.	c	The IT balanced scorecard is designed to measure IT performance. To measure performance, a sufficient number of performance drivers (key performance indicators KPIs) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading and lead to unsound decisions.	CISAD2***	807	80.000	CISAD2***
A2-53 Which of the following should be included in an organization's information security policy?	A list of key IT resources to be secured	The basis for access control authorization	Identity of sensitive security assets	Relevant software security features	b	The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.	CISAD2	808	21.000	CISAD2
A2-54 Which of the following is the initial step in creating a firewall policy?	A cost-benefit analysis of methods for securing the applications	Identification of network applications to be externally accessed	Identification of vulnerabilities associated with network applications to be externally accessed	Creation of an application traffic matrix showing protection methods	b	Identification of the applications required across the network should be the initial step. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.	CISAD2***	809	135.000	CISAD2***
A2-55 Which of the following is an implementation risk within the process of decision support systems?	Management control	Semistructured dimensions	Inability to specify purpose and usage patterns	Changes in decision processes	c	The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS.	CISAD2	810	112.000	CISAD2
A2-56 Which of the following is MOST critical for the successful implementation and maintenance of a security policy?	Assimilation of the framework and intent of a written security policy by all appropriate parties	Management support and approval for the implementation and maintenance of a security policy	Enforcement of security rules by providing punitive actions for any violation of security rules	Stringent implementation, monitoring and enforcing of rules by the security officer through access control software	a	Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective.	CISAD2***	811	102.000	CISAD2***
A2-57 A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and:	recovery	retention.	rebuilding.	reuse.	b	Besides being a good practice, laws and regulations may require an organization to keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic paper makes the retention policy of corporate email a necessity.	CISAD2	812	32.000	CISAD2
A2-58 An organization is considering making a major investment to upgrade technology. Which of the following choices is the MOST important to consider?	A cost analysis	The security risk of the current technology	Compatibility with existing systems	A risk analysis	d	Prior to implementing new technology, an organization should perform a risk assessment, which is then presented to business unit management for review and acceptance.	CISAD2***	813	48.000	CISAD2***
A2-59 Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?	To conduct a feasibility study to demonstrate IT value	To ensure that investments are made according to business requirements	To ensure that proper security controls are enforced	To ensure that a standard development methodology is implemented	b	A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities.	CISAD2	814	149.000	CISAD2
A2-60 IS control objectives are useful to IS auditors because they provide the basis for understanding the:	Desired result or purpose of implementing specific control procedures	Best IS security control practices relevant to a specific entity.	Techniques for securing information	Security policy	a	An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity.	CISAD2	815	180.000	CISAD2
A2-61 The initial step in establishing an information security program is the:	Development and implementation of an information security standards manual	Performance of a comprehensive security control review by the IS auditor	Adoption of a corporate information security policy statement	Purchase of security access control software	c	A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.	CISAD2***	816	98.000	CISAD2***
A2-62 Which of the following is the MOST important function to be performed by IT management when a service has been outsourced?	Ensuring that invoices are paid to the provider	Participating in systems design with the provider	Renegotiating the provider's fees	Monitoring the outsourcing provider's performance	d	In an outsourcing environment, the enterprise is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider's performance is monitored to ensure that services are delivered to the enterprise as required.	CISAD2	817	135.000	CISAD2
A2-63: An organization purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year. Which of the following helps to mitigate the risk relating to continued application support?	A viability study on the vendor	A software escrow agreement	Financial evaluation of the vendor	A contractual agreement for future enhancements	b	Considering that the vendor has been in the business for only one year, the biggest concern is financial stability or viability of the vendor and the risk of the vendor going out of business. The best way that this risk can be addressed is to have a software escrow agreement for the source code of the application, which provides the entity access to the source code if the vendor goes out of business.	CISAD2	818	54.000	CISAD2
A2-64: An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:	Hardware configuration	Access control software	Ownership of intellectual property	Application development methodology	c	The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.	CISAD2	819	73.000	CISAD2
A2-65: While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the:	Requirement for securely protecting of information can be compromised	Contract may be terminated because prior permission from the outsourcer was not obtained	Other service provider to whom work has been outsourced is not subject to audit	Outsourcer will approach the other service provider directly for further work	a	When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries.	CISAD2	820	139.000	CISAD2
A2-66: A benefit of open system architecture is that it:	Facilitates interoperability within different systems	Facilitates the integration of proprietary components	Will be a basis for volume discounts from equipment vendors	Allows for the achievement of more economies of scale for equipment	a	Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors.	CISAD2***	821	99.000	CISAD2***
A2-67: The risk associated with electronic evidence gathering is MOST likely reduced by an email:	Destruction policy	Security policy	Archive policy	Audit policy	c	With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.	CISAD2	822	182.000	CISAD2
A2-68: The output of the risk management process is an input for making:	Business plans	Audit charters	Security policy decisions	Software design decisions	c	The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.	CISAD2	823	35.000	CISAD2
A2-69: An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?	Immediately report the risk to the chief information officer and chief executive officer	Examine the e-business application in development	Identify threats and the likelihood of occurrence	Check the budget available for risk management	c	To determine the risk associated with e-business, an IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.	CISAD2	824	202.000	CISAD2
A2-70: An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee:	Is responsible for project approval and prioritization	Is responsible for developing the long-term IT plan	Reports the status of IT projects to the board of directors	Is responsible for determining business goals	d	Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business not the other way around.	CISAD2***	825	94.000	CISAD2***
A2-71: An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed?	Require the vendor to provide monthly status reports	Have periodic meetings with the client IT manager	Conduct periodic audit reviews of the vendor	Require that performance parameters be stated within the contract	c	Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client's requirements for security controls may become less of a focus for the vendor, and the results may slip.	CISAD2	826	144.000	CISAD2
A2-72: Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?	The maturity of the project management process	The regulatory environment	Past audit findings	The IT project portfolio analysis	d	Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.	CISAD2	827	42.000	CISAD2
A2-73: Which of the following does a lack of adequate security controls represent?	Threat	Asset	Impact	Vulnerability	d	The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers.	CISAD2	828	163.000	CISAD2
A2-74: Which of the following is the PRIMARY objective of an IT performance measurement process?	Minimize errors	Gather performance data	Establish performance baselines	Optimize performance	d	An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions.	CISAD2	829	189.000	CISAD2
A2-75: As an outcome of information security governance, strategic alignment provides:	Security requirements driven by enterprise requirements	Baseline security following good practices	Institutionalized and commoditized solutions	An understanding of risk exposure	a	Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements.	CISAD2***	830	102.000	CISAD2***
A2-76: Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy:	Is driven by an IT department's objectives	Is published, but users are not required to read the policy	Does not include information security procedures	Has not been updated in over a year	a	Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.	CISAD2***	831	132.000	CISAD2***
A2-77: Which of the following IT governance good practices improves strategic alignment?	Supplier and partner risk is managed	A knowledge base on customers, products, markets and processes is in place	A structure is provided that facilitates the creation and sharing of business information	Top management mediates between the imperatives of business and technology	d	Top management mediating between the imperatives of business and technology is an IT strategic alignment good practice.	CISAD2	832	41.000	CISAD2
A2-78: Effective IT governance requires organizational structures and processes to ensure that:	Risk is maintained at a level acceptable for IT management	The business strategy is derived from an IT strategy	IT governance is separate and distinct from the overall governance	The IT strategy extends the organization's strategies and objectives	d	Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the strategy is aligned with business strategy.	CISAD2	833	113.000	CISAD2
A2-79: Assessing IT risk is BEST achieved by:	Evaluating threats and vulnerabilities associated with existing IT assets and IT projects	Using the organization's past actual loss experience to determine current exposure	Reviewing published loss statistics from comparable organizations	Reviewing IT control weaknesses identified in audit reports	a	To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.	CISAD2	834	190.000	CISAD2
A2-80: When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?	Restricting physical access to computing equipment	Reviewing transaction and application logs	Performing background checks prior to hiring IT staff	Locking user sessions after a specified period of inactivity	b	Reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught.	CISAD2	835	136.000	CISAD2
A2-81: A top-down approach to the development of operational policies helps to ensure:	That they are consistent across the organization	That they are implemented as a part of risk assessment	Compliance with all policies	That they are reviewed periodically	a	Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies.	CISAD2	836	111.000	CISAD2
A2-82: An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:	Dependency on a single person	Inadequate succession planning	One person knowing all parts of a system	A disruption of operations	c	Cross-training is a process of training more than one individual to perform a specific job or procedure. However, before using this approach, it is prudent to assess the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege.	CISAD2***	837	172.000	CISAD2***
A2-83: Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?	Minimizing costs for the services provided	Prohibiting the provider from subcontracting services	Evaluating the process for transferring knowledge to the IT department	Determining if the services were provided as contracted	d	From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.	CISAD2	838	105.000	CISAD2
A2-84: Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?	Time-zone differences can impede communications between IT teams	Telecommunications cost can be much higher in the first year	Privacy laws can prevent cross-border flow of information	Software development may require more detailed specifications	c	Privacy laws prohibiting the cross-border flow of personally identifiable information make it impossible to locate a data warehouse containing customer information in another country.	CISAD2	839	163.000	CISAD2
A2-85: When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?	The risk associated with the use of the products is periodically assessed	The latest version of software is listed for each product	Due to licensing issues, the list does not contain open source software	After-hours support is offered	a	Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be best incorporated into the IT risk management process.	CISAD2	840	182.000	CISAD2
A2-86: When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:	are aligned with globally accepted industry good practices	are approved by the board of directors and senior management	strike a balance between business and security requirements	provide direction for implementing security procedures	c	Because information security policies must be aligned with an organization's business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies.	CISAD2	841	58.000	CISAD2
A2-87: On which of the following factors should an IS auditor PRIMARILY focus when determining the appropriate level of protection for an information asset?	Results of a risk assessment	Relative value to the business	Results of a vulnerability assessment	Cost of security controls	a	The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review.	CISAD2	842	114.000	CISAD2
A2-88: From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:	Is cost-effective	Is future thinking and innovative	Is aligned with the business strategy	Has the appropriate priority level assigned	c	The board of directors is responsible for ensuring that the IT strategy is aligned with the business strategy.	CISAD2	843	51.000	CISAD2
A2-89: Which of the following is the MOST important element for the successful implementation of IT governance?	Implementing an IT scorecard	Identifying organizational strategies	Performing a risk assessment	Creating a formal security policy	b	The key objective of an IT governance program is to support the business; therefore, the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective.	CISAD2	844	81.000	CISAD2
A2-90: To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:	control self-assessments	a business impact analysis	an IT balanced scorecard	business process reengineering	c	An IT balanced scorecard provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate.	CISAD2	845	71.000	CISAD2
A2-91: Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement requirements for a critical IT security service?	Compliance with the master contract	Agreed-on key performance indicators	Results of business continuity tests	Results of independent audit reports	b	Key performance indicators are metrics that allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time.	CISAD2***	846	126.000	CISAD2***
A2-92: To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:	Avoidance	Transfer	Mitigation	Acceptance	c	Risk mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. By requiring the system's administrator to sign off on the completion of the backups, this is an administrative control that can be validated for compliance.	CISAD2***	847	174.000	CISAD2***
A2-93: A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of:	vulnerabilities	threats	probabilities	impacts	a	Vulnerabilities represent weaknesses of information resources that may be exploited by a threat. Because these are weaknesses that can be addressed by the security specialist, they are examples of vulnerabilities.	CISAD2	848	73.000	CISAD2
A2-94: An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?	An audit clause is present in all contracts	The service level agreement of each contract is substantiated by appropriate key performance indicators	The contractual warranties of the providers support the business needs of the organization	At contract termination, support is guaranteed by each outsourcer for new outsourcers	c	The primary requirement is for the services provided by the outsource supplier to meet the needs of the business.	CISAD2***	849	161.000	CISAD2***
A2-95: To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:	enterprise data model	IT balanced scorecard	IT organizational structure	historical financial statements	b	The IT balanced scorecard is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way, the auditor can measure the success of the IT investment and strategy.	CISAD2***	850	108.000	CISAD2***
A2-96: Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?	Core activities that provide a differentiated advantage to the organization have been outsourced	Periodic renegotiation is not specified in the outsourcing contract	The outsourcing contract fails to cover every action required by the business	Similar activities are outsourced to more than one vendor	a	An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that condition should be concerned.	CISAD2	851	193.000	CISAD2
A2-97: For a health care organization, which one of the following reasons MOST likely indicates that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?	Member service representative training cost will be much higher	There are regulations regarding data privacy	It is harder to monitor remote databases	Time zone differences could impede customer service	b	Regulations prohibiting the cross-border flow of personally identifiable information may make it impossible to locate a data warehouse containing customer/member information in another country.	CISAD2	852	87.000	CISAD2
A2-98: The PRIMARY control purpose of required vacations or job rotations is to:	allow cross-training for development	help preserve employee morale	detect improper or illegal employee acts	provide a competitive employee benefit	c	The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud.	CISAD2	853	9.000	CISAD2
A2-99: When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:	incorporates state of the art technology	addresses the required operational controls	articulates the IT mission and vision	specifies project management practices	c	The IT strategic plan must include a clear articulation of the IT mission and vision.	CISAD2	854	22.000	CISAD2
A2-100: A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties be enforced in this scenario?	Hire a second DBA and split the duties between the two individuals	Remove the DBA's root access on all UNIX servers	Ensure that all actions of the DBA are logged and that all logs are backed up to tape	Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access	d	By creating logs that the DBA cannot erase or modify, segregation of duties is enforced.	CISAD2	855	84.000	CISAD2
A2-101: Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer system?	Three users with the ability to capture and verify their own messages	Five users with the ability to capture and send their own messages	Five users with the ability to verify other users and to send their own messages	Three users with the ability to capture and verify the messages of other users and to send their own messages	a	The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message.	CISAD2***	856	18.000	CISAD2***
A2-102: Which of the following does an IS auditor FIRST reference when performing an IS audit?	Implemented procedures	Approved policies	Internal standards	Documented practices	b	Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.	CISAD2***	857	188.000	CISAD2***
A2-103: An enterprise selected a vendor to develop and implement a new software system. To ensure that the enterprise's investment in software is protected, which of the following security clauses is MOST important to include in the master services agreement?	Limitation of liability	Service level requirements	Software escrow	Version control	c	Software escrow clauses in a contract ensure that the software source code will still be available to the organization in the event of a vendor issue, such as insolvency and copyright issues.	CISAD2	858	46.000	CISAD2
A2-104: When implementing an IT governance framework in an organization the MOST important objective is:	IT alignment with the business	Accountability	Value realization with IT	Enhancing the return on IT investments	a	The goals of IT governance are to improve IT performance, deliver optimum business value and ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies.	CISAD2	859	87.000	CISAD2
A2-105 An IS auditor is reviewing an IT security risk management program. Measures of security risk should:	address all of the network risk.	be tracked over time against the IT strategic plan.	consider the entire IT environment.	result in the identification of vulnerability tolerances.	c	Measures of security risk should not be limited to network risk, but rather focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. When assessing IT security risk, it is important to consider the entire IT environment.	CISAD2***	860	20.000	CISAD2***
A2-106 The ultimate purpose of IT governance is to:	encourage optimal use of IT	reduce IT costs.	decentralize IT resources across the organization.	centralize control of IT.	a	IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.	CISAD2	861	46.000	CISAD2
A2-107 Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement with an external IT service provider?	Payment terms	Uptime guarantee	Indemnification clause	Default resolution	b	The most important element of an SLA is the measurable terms of performance, such as uptime agreements.	CISAD2***	862	79.000	CISAD2***
A2-108 The PRIMARY objective of implementing corporate governance is to:	provide strategic direction.	control business operations.	align IT with business.	implement good practices.	a	Corporate governance is a set of management practices to provide strategic direction to the organization as a whole, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly used. Hence, the primary objective of corporate governance is to provide strategic direction.	CISAD2***	863	148.000	CISAD2***
A2-109 Which of the following should be considered FIRST when implementing a risk management program?	An understanding of the organization's threat, vulnerability and risk profile	An understanding of the risk exposures and the potential consequences of compromise	A determination of risk management priorities that are based on potential consequences	A risk mitigation strategy sufficient to keep risk consequences at an acceptable level	a	Implementing risk management, as one of the outcomes of effective information security governance, requires a collective understanding of the organization's threat, vulnerability and risk profile as a first step.	CISAD2	864	17.000	CISAD2
A2-110 In the context of effective information security governance, the PRIMARY objective of value delivery is to:	Optimize security investments in support of business objectives.	Implement a standard set of security practices.	Institute a standards-based solution.	Implement a continuous improvement culture.	a	In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives.	CISAD2	865	109.000	CISAD2
A2-111 As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through:	performance measurement.	strategic alignment.	value delivery.	resource management.	a	Performance measurement includes setting and monitoring measurable objectives of that which the IT processes need to deliver (process outcome), and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement, because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.	CISAD2***	866	23.000	CISAD2***
A2-112 Which of the following should be the MOST important consideration when deciding on areas of priority for IT governance implementations?	Process maturity	Performance indicators	Business risk	Assurance reports	c	Priority should be given to those areas that represent a known risk to the enterprise operations.	CISAD2***	867	168.000	CISAD2***
A2-113 Responsibility for the governance of IT should rest with the:	IT strategy committee.	Chief information officer.	Audit committee.	Board of directors.	d	Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.	CISAD2	868	193.000	CISAD2
A2-114 Which of the following is normally a responsibility of the chief information security officer?	Periodically reviewing and evaluating the security policy	Executing user application and software testing and evaluation	Granting and revoking user access to IT resources	Approving access to data and applications	a	The role of the chief information security officer is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the enterprise assets, including data, programs and equipment.	CISAD2***	869	110.000	CISAD2***
A2-115 When developing a formal enterprise security program, the MOST critical success factor is the:	Establishment of a review board.	Creation of a security unit.	Effective support of an executive sponsor.	Selection of a security process owner.	c	The executive sponsor is in charge of supporting the organization's strategic security program and aids in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor.	CISAD2***	870	5.000	CISAD2***
A2-116 When reviewing an organization's strategic IT plan, an IS auditor should expect to find:	An assessment of the fit of the organization's application portfolio with business objectives.	Actions to reduce hardware procurement cost.	A listing of approved suppliers of IT contract resources.	A description of the technical architecture for the organization's network perimeter security.	a	An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process.	CISAD2***	871	131.000	CISAD2***
A2-117 When developing a security architecture, which of the following steps should be executed FIRST?	Developing security procedures	Defining a security policy	Specifying an access control methodology	Defining roles and responsibilities	b	Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff.	CISAD2***	872	89.000	CISAD2***
A2-118 Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?	Define a balanced scorecard for measuring performance.	Consider user satisfaction in the key performance indicators.	Select projects according to business benefits and risk.	Modify the yearly process of defining the project portfolio.	c	Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities.	CISAD2	873	2.000	CISAD2
A2-119 The PRIMARY benefit of implementing a security program as part of a security governance framework is the:	Alignment of the IT activities with IS audit recommendations	Enforcement of the management of security risk	Implementation of the chief information security officer's recommendations	Reduction of the cost for IT security	b	The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk.	CISAD2***	874	110.000	CISAD2***
A2-120 An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?	Risk reduction	Risk transfer	Risk avoidance	Risk mitigation	b	Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.	CISAD2***	875	199.000	CISAD2***
A2-121 An employee who has access to highly confidential information resigned. Upon departure, which of the following should be done FIRST?	Conduct an exit interview with the employee.	Ensure succession plans are in place.	Revoke the employee's access to all systems.	Review the employee's job history	c	If an employee has dealt with highly classified information, the first step is to revoke their access to all systems, to prevent exfiltration of data and restrict access to the information.	CISAD2	876	48.000	CISAD2
A2-122 An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement between the organization and vendor should be the provisions for:	documentation of staff background checks.	independent audit reports or full audit access.	reporting the year-to-year incremental cost reductions.	reporting staff turnover, development or training.	b	When the functions of an IT department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access.	CISAD2	877	177.000	CISAD2
A2-123 An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?	User acceptance testing occurs for all reports before release into production	Organizational data governance practices are put in place	Standard software tools are used for report development	Management signs off on requirements for new reports	b	This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative.	CISAD2	878	131.000	CISAD2
A2-124 Which of the following BEST supports the prioritization of new IT projects?	Internal control self-assessment	Information systems audit	Investment portfolio analysis	Business risk assessment	c	It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy but also provide the rationale for terminating nonperforming IT projects.	CISAD2	879	124.000	CISAD2
A2-125 Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:	Claims to meet or exceed industry security standards.	Agrees to be subject to external security reviews.	Has a good market reputation for service and experience.	Complies with security policies of the organization.	b	It is critical that an independent security review of an outsourcing vendor be obtained, because customer credit information will be kept with the vendor.	CISAD2***	880	62.000	CISAD2***
After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following is the GREATEST risk?	Project management and progress reporting is combined in a project management office that is driven by external consultants.	The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.	The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other organization's legacy systems.	The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.	b	If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house-developed legacy applications. The development of new integrated systems can require some knowledge of the legacy systems to gain an understanding of each business process.	CISAD2***	881	153.000	CISAD2***
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?	Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.	Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.	No recommendation is necessary because the current approach is appropriate for a medium-sized organization.	Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.	d	Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.	CISAD2***	882	201.000	CISAD2***
Overall quantitative business risk for a particular threat can be expressed as:	A product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability.	The magnitude of the impact if a threat source successfully exploits the vulnerability.	The likelihood of a given threat source exploiting a given vulnerability.	The collective judgment of the risk assessment team.	a	Overall business risk takes into consideration the likelihood and magnitude of the impact when a threat exploits a vulnerability, and provides the best measure of the risk to an asset. The calculation of risk must consider impact and likelihood of a threat (not a threat source) exploiting a vulnerability.	CISAD2	883	149.000	CISAD2
While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met?	Monthly committee meetings include the subcontractor's manager.	Management reviews weekly reports from the subcontractor.	Permission is obtained from the government agent regarding the contract.	Periodic independent audit of the work delegated to the subcontractor.	d	Periodic independent audits provide reasonable assurance that the requirements for protecting confidentiality of information are not compromised.	CISAD2	884	152.000	CISAD2
During an audit, which of the following situations are MOST concerning for an organization that significantly outsources IS processing to a private network?	The contract does not contain a right-to-audit clause for the third party.	The contract was not reviewed by an information security subject matter expert prior to signing.	The IS outsourcing guidelines are not approved by the board of directors.	There is a lack of well-defined IS performance evaluation procedures.	a	Lack of a right-to-audit clause in the contract impacts the IS auditor's ability to perform the IS audit. Hence, the IS auditor is most concerned with such a situation. In the case of outsourcing to a private network, the organization should ensure that the third party has a minimum set of IT security controls in place and that they are operating effectively.	CISAD2	885	201.000	CISAD2
The MOST important element for the effective design of an information security policy is the:	threat landscape.	prior security incidents.	emerging technologies.	enterprise risk appetite.	d	The risk appetite is the amount of risk on a broad level that an entity is willing to accept in pursuit of its mission to meet its strategic objectives. The purpose of the information security policy is to manage information risk to an acceptable level, so that the policy is principally aligned with the risk appetite.	CISAD2***	886	82.000	CISAD2***
As result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level, which of the following is the BEST recommendation of an IS auditor?	Use cloud providers for low-risk operations.	Revise compliance enforcement processes.	Request that senior management accept the risk.	Postpone low-priority security procedures.	c	Senior management determines resource allocations. Having established that the level of security is inadequate, it is imperative that senior management accept the risk resulting from their decisions.	CISAD2***	887	38.000	CISAD2***
Which of the following insurance types provide for a loss arising from fraudulent acts by employees?	Business interruption	Fidelity coverage	Errors and omissions	Extra expense	b	Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees.	CISAD2	888	103.000	CISAD2
Errors in audit procedures PRIMARILY impact which of the following risks?	Detection risk	Inherent risk	Control risk	Business risk	a	Detection risk is the probability that the audit procedures may fail to detect existence of a material error or fraud.	CISAD2	889	14.000	CISAD2
Which of the following is MOST important to consider when reviewing the classification levels of information assets?	Potential loss	Financial cost	Potential threats	Cost of insurance	a	The best basis for asset classification is an understanding of the total losses a business may incur if the asset is compromised. Typically, estimating these losses requires a review of criticality and sensitivity beyond financial cost, such as operational and strategic.	CISAD2***	890	126.000	CISAD2***
Which of the following is of MOST interest to an IS auditor reviewing an organization's risk strategy?	All risk is mitigated effectively.	Residual risk is zero after control implementation.	All likely risk is identified and ranked.	The organization uses an established risk framework.	c	Risk that is likely to impact the organization should be identified and documented as part of the risk strategy. Without knowing the risk, there is no risk strategy.	CISAD2***	891	81.000	CISAD2***
An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements?	The vendor provides the latest third-party audit report for verification.	The vendor provides the latest internal audit report for verification.	The vendor agrees to implement controls in alignment with the enterprise.	The vendor agrees to provide annual external audit reports in the contract.	d	The only way to ensure that any potential risk is mitigated today and in the future is to include a clause within the contract that the vendor will provide future external audit reports. Without the audit clause the vendor can choose to forego future audits.	CISAD2	892	47.000	CISAD2
An IS auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern?	Senior management has limited involvement.	Return on investment is not measured.	Chargeback of IT cost is not consistent.	Risk appetite is not quantified.	a	To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the involvement of senior management when evaluating the soundness of IT governance.	CISAD2	893	49.000	CISAD2
After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?	A cost-benefit analysis	An annual loss expectancy calculation	A comparison of the cost of the IPS and firewall and the cost of the business systems	A business impact analysis	a	In a cost-benefit analysis, the total expected purchase and operational/support costs, and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option.	CISAD2	894	27.000	CISAD2
An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:	Can deliver on the immediate contract	Is of similar financial standing as the organization.	Has significant financial obligations that can impose liability to the organization.	Can support the organization in the long term.	d	The long-term financial viability of a vendor is essential for deriving maximum value for the organization-it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.	CISAD2	895	158.000	CISAD2
Which of the following is the BEST way to ensure that organizational policies comply with legal requirements?	Inclusion of a blanket legal statement in each policy	Periodic review by subject matter experts	Annual sign-off by senior management on organizational policies	Policy alignment to the most restrictive regulations.	b	Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements.	CISAD2	896	189.000	CISAD2
An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?	Controls are implemented based on cost-benefit analysis.	The risk management framework is based on global standards.	The approval process for risk response is in place.	IT risk is presented in business terms.	d	For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.	CISAD2***	897	94.000	CISAD2***
An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies?	Sign-off is required on the enterprise's security policies for all users.	An indemnity clause is included in the contract with the service provider.	Mandatory security awareness training is implemented for all users.	Security policies should be modified to address compliance by third-party users.	b	Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely.	CISAD2	898	184.000	CISAD2
The corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?	Have the current configuration approved by operations management.	Ensure that there is an audit trail for all existing accounts.	Implement individual user accounts for all staff.	Amend the IT policy to allow shared accounts.	c	Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario.	CISAD2***	899	17.000	CISAD2***
Which of the following reasons BEST describes the purpose of a mandatory vacation policy?	To ensure that employees are properly cross-trained in multiple functions	To improve employee morale	To identify potential errors or inconsistencies in business processes	To be used as a cost saving measure	c	Mandatory vacations help uncover potential fraud or inconsistencies. Ensuring that people who have access to sensitive internal controls or processes take a mandatory vacation annually is often a regulatory requirement and, most importantly, a good way to uncover fraud.	CISAD2	900	42.000	CISAD2
The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:	Does not exceed the existing IT budget.	Is aligned with the investment strategy.	Has been approved by the IT steering committee.	Is aligned with the business plan.	d	Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.	CISAD2	901	145.000	CISAD2
An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor?	Due diligence should be performed on the software vendor.	A quarterly audit of the vendor facilities should be performed.	There should be a source code escrow agreement in place.	A high penalty clause should be included in the contract.	c	A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software, because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business.	CISAD2***	902	32.000	CISAD2***
An enterprise's risk appetite is BEST established by:	The chief legal officer	Security management	The audit committee	The steering committee	d	The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.	CISAD2	903	142.000	CISAD2
A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk?	The developers promote code into the production environment.	The business analyst writes the requirements and performs functional testing.	The IT manager also performs systems administration.	The database administrator also performs data backups.	a	If developers have access to the production environment, there is a risk that untested code can be migrated into the production environment.	CISAD2	904	87.000	CISAD2
A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee?	Approving IT project plans and budgets	Aligning IT to business objectives	Advising on IT compliance risk	Promoting IT governance practices	a	An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee, because it provides insight and advice to the board.	CISAD2***	905	183.000	CISAD2***
Which of the following is the BEST enabler for strategic alignment between business and IT?	A maturity model	Goals and metrics	Control objectives	A responsible, accountable, consulted and informed (RACI) chart	b	Goals and metrics ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment.	CISAD3***	906	48.000	CISAD3***
An IT steering committee should:	Ensure that information security policies and procedures have been executed properly.	Include a mix of members from different departments and staff levels.	Maintain minutes of its meetings and keep the board of directors informed.	Be briefed about new trends and products at each meeting by a vendor.	c	It is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee. The board of directors should be informed about those decisions on a timely basis.	CISAD3***	907	15.000	CISAD3***
Who should review and approve system deliverables as they are defined and accomplished, to ensure the successful completion and implementation of a new business system application?	User management	Project steering committee	Senior management	Quality assurance staff	a	A. User management assumes ownership of the project and resulting system, allocates qualified representatives to the team and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished, or implemented.	CISAD3***	908	37.000	CISAD3***
Which of the following BEST helps to prioritize project activities and determine the time line for a project?	A Gantt chart	Earned value analysis	Program evaluation review technique	Function point analysis	c	C. The PERT method works on the principle of obtaining project time lines based on project events for three likely scenarios-worst, best and normal. The timeline is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized.	CISAD3***	909	157.000	CISAD3***
An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?	Project scope management	Project time management	Project risk management	Project procurement management	a	A. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.	CISAD3	910	125.000	CISAD3
An IS auditor is reviewing the software development process for an organization. Which of the following functions are appropriate for the end users to perform?	Program output testing	System configuration	Program-logic specification	Performance tuning	a	A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user.	CISAD3	911	164.000	CISAD3
An IS auditor is reviewing system development for a health care organization with two application environments- production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?	The test environment may not have adequate controls to ensure data accuracy.	The test environment may produce inaccurate results due to use of production data.	Hardware in the test environment may not be identical to the production environment.	The test environment may not have adequate access controls implemented to ensure data confidentiality.	d	D. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed.	CISAD3	912	144.000	CISAD3
The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?	Significant cost savings over other testing approaches	Assurance that new, faster hardware is compatible with the new system	Assurance that the new system meets functional requirements	Increased resiliency during the parallel processing time	c	C. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system.	CISAD3	913	7.000	CISAD3
What kind of software application testing is considered the final stage of testing and typically includes users outside of the development team?	Alpha testing	White box testing	Regression testing	Beta testing	d	D. Beta testing is the final stage of testing and typically includes users outside of the development area. Beta testing is a form of user acceptance testing and generally involves a limited number of users who are external to the development effort.	CISAD3	914	11.000	CISAD3
During which phase of software application testing should an organization perform the testing of architectural design?	Acceptance testing	System testing	Integration testing	Unit testing	c	C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to use unit-tested modules, thus building an integrated structure according to the design.	CISAD3***	915	50.000	CISAD3***
Which of the following is an advantage of an integrated test facility?	It uses actual master files or dummies, and the auditor does not have to review the source of the transaction.	Periodic testing does not require separate test processes.	It validates application systems and ensures the correct operation of the system.	The need to prepare test data is eliminated.	b	B. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be separated from production data.	CISAD3***	916	128.000	CISAD3***
An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?	Undocumented approval of some project changes.	Faulty migration of historical data from the old system to the new system	Incomplete testing of the standard functionality of the ERP subsystem	Duplication of existing payroll permissions on the new ERP subsystem	b	B. The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount.	CISAD3***	917	11.000	CISAD3***
An enterprise is developing, a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?	Advise on the adoption of application controls to the new database software.	Provide future estimates of the licensing expenses to the project team.	Recommend to the project manager how to improve the efficiency of the migration.	Review the acceptance test case documentation before the rests are carried out.	d	D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.	CISAD3***	918	50.000	CISAD3***
During a postimplementation review, which of the following activities should be performed?	User acceptance testing	Return on investment analysis	Activation of audit trails.	Updates of the state of enterprise architecture diagrams	b	B. Following implementation, a cost-benefit analysis or return on investment should be reperformed to verify that the original business case benefits are delivered.	CISAD3***	919	183.000	CISAD3***
Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?	Requirements should be tested in terms of importance and frequency of use.	Test coverage should be restricted to functional requirements.	Automated tests should be performed through the use of scripting.	The number of required test runs should be reduced by retesting only defect fixes.	a	A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements, because complexity tends to increase the likelihood of defects.	CISAD3***	920	125.000	CISAD3***
By evaluating application development projects against the capability maturity model, an IS auditor should be able to verify that:	Reliable products are guaranteed.	Programmers' efficiency is improved.	Security requirements are designed.	Predictable software processes are followed.	d	D. By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software development process.	CISAD3***	921	185.000	CISAD3***
An IS auditor is performing a post-implementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management?	Recalculations	Limit checks	Run-to-run totals.	Reconciliations	b	B. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit.	CISAD3***	922	158.000	CISAD3***
Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor?	Process owners have not been identified.	The billing cost allocation method has not been determined.	Multiple application owners exist.	A training program does not exist	a	A. When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. The absence of a defined process owner, may cause issues with monitoring or authorization controls.	CISAD3***	923	185.000	CISAD3***
When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that:	A clear business case has been approved by management.	Corporate security standards will be met.	Users will be involved in the implementation plan.	The new system will meet all required user functionality.	a	A. The first concern of an IS auditor is to ensure that the proposal meets the needs of the business. This should be established by a clear business case.	CISAD3	924	163.000	CISAD3
Which of the following types of risk is MOST likely encountered in a software as a service environment?	Noncompliance with software license agreements	Performance issues due to Internet delivery method	Higher cost due to software licensing requirements	Higher cost due to the need to update to compatible hardware	b	B. The risk that can be most likely encountered in a SaaS environment is speed and availability issues, because SaaS relies on the Internet for connectivity.	CISAD3	925	67.000	CISAD3
The most common reason for the failure of information systems to meet the needs of users is that:	user needs are constantly changing	the growth of system requirements was forecast inaccurately.	the hardware system limits the number of concurrent users.	user participation in defining the system's requirements was inadequate.	d	D. Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.	CISAD3	926	140.000	CISAD3
Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques provides the GREATEST assistance in developing an estimate of project duration?	Function point analysis	Program evaluation review technique chart	Rapid application development	Object-oriented system development	b	B. A program evaluation review technique (PERT) chart will help determine project duration once all the activities and the work involved with those activities are known.	CISAD3	927	140.000	CISAD3
An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following is MOST relevant?	A capability maturity model	Portfolio management	Configuration management	Project management body of knowledge	b	B. Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget.	CISAD3	928	170.000	CISAD3
The reason for establishing a stop or freezing point on the design of a new system is to:	prevent further changes to a project in process.	indicate the point at which the design is to be completed.	require that changes after that point be evaluated for cost-effectiveness.	provide the project management team with more control over the project design.	c	C. Projects often tend to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period.	CISAD3***	929	53.000	CISAD3***
Change control for business application systems being developed using prototyping could be complicated by the:	iterative nature of prototyping.	rapid pace of modifications in requirements and design.	emphasis on reports and screens	lack of integrated tools.	b	B. Changes in requirements and design happen so quickly that they are seldom documented or approved.	CISAD3***	930	14.000	CISAD3***
An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should:	conclude that the project is progressing as planned because dates are being met.	question the project manager further to identify whether overtime costs are being tracked accurately.	conclude that the programmers are intentionally working slowly to earn extra overtime pay.	investigate further to determine whether the project plan may not be accurate.	d	D. Although the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a good practice. Although overtime costs may be an indicator that something is wrong with the plan, in many organizations, the programming staff may be salaried, so overtime costs may not be directly recorded.	CISAD3	931	93.000	CISAD3
A project development team is considering using production data for its test deck. The team removed sensitive data elements before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice?	Not all functionality will be tested.	Production data are introduced into the test environment.	Specialized training is required.	The project may run over budget.	a	A. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement.	CISAD3	932	119.000	CISAD3
Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application?	Total cost of ownership of the application	The resources required for implementation	Return on investment to the company	The cost and complexity of security requirements	c	C. The proposed ROI benefits, along with targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.)	CISAD3	933	53.000	CISAD3
The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor?	The right to audit clause was not included in the contract	The business case was not established.	There was no source code escrow agreement.	The contract does not cover change management procedures.	b	B. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval. This situation presents the biggest risk to the organization.	CISAD3	934	154.000	CISAD3
Before implementing controls in a newly developed system, management should PRIMARILY ensure that the controls:	satisfy a requirement in addressing a risk.	do not reduce productivity.	are based on a minimized cost analysis.	are detective or corrective.	a	A. The purpose of a control is to mitigate a risk; therefore, the primary consideration when selecting a control is that it effectively mitigates an identified risk. When designing controls, it is necessary to consider all of the aspects in choices A through D. In an ideal situation, controls that address all of these aspects would be the best controls. Realistically, it may not be possible to design them all and the cost may be prohibitive; therefore, it is necessary to consider the controls related primarily to the treatment of existing risk in the organization.	CISAD3	935	39.000	CISAD3
Information for detecting unauthorized input from a user workstation would be BEST provided by the	console log printout.	transaction journal	automated suspense file listing.	user error report.	b	B. The transaction journal records all transaction activity, which then can be compared to the authorized source documents to identify any unauthorized input.	CISAD3***	936	57.000	CISAD3***
Which of the following has the MOST significant impact on the success of an application systems implementation?	The prototyping application development methodology	Compliance with applicable external requirements	The overall organizational environment	The software reengineering technique	c	C. The overall organizational environment has the most significant impact on the success of applications systems implemented. This includes the alignment between IT and the business, the maturity of the development processes and the use of change control and other project management tools.	CISAD3	937	193.000	CISAD3
The editing/validation of data entered at a remote site is performed MOST effectively at the:	central processing site after running the application system.	central processing site during the running of the application system	remote processing site after transmission of the data to the central processing site.	remote processing site prior to transmission of the data to the central processing site.	d	D. It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.	CISAD3	938	75.000	CISAD3
A3-34 A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:	validation controls.	internal credibility checks.	clerical control procedures.	automated systems balancing.	d	Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction.	CISAD3***	939	14.000	CISAD3***
A3-35 Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed, and an impact study has not been performed?	The time and cost implications caused by the change	The risk that regression tests will fail	Users not agreeing with the change	The project team not having the skills to make the necessary change	a	Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted, and the client is informed of the potential impact on the schedule and cost.	CISAD3***	940	78.000	CISAD3***
A3-36 An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if:	certain project iterations produce proof-of-concept deliverables and unfinished code.	application features and development processes are not extensively documented.	software development teams continually re-plan each step of their major projects.	project managers do not manage project resources, leaving that to project team members.	a	The agile software development methodology is an iterative process where each iteration or "sprint" produces functional code. If a development team was producing code for demonstration purposes, this would be an issue because the following iterations of the project build on the code developed in the prior sprint.	CISAD3	941	161.000	CISAD3
A3-37 Which of the following data validation edits is effective in detecting transposition and transcription errors?	Range check	Check digit	Validity check	Duplicate check	b	A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered (e.g., an incorrect, but valid, value substituted for the original). This control is effective in detecting transposition and transcription errors.	CISAD3***	942	80.000	CISAD3***
A3-38 Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to:	determine whether user feedback on the system has been documented.	assess whether the planned cost benefits are being measured, analyzed and reported.	review controls built into the system to assure that they are operating as designed.	review subsequent program change requests.	c	Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed.	CISAD3	943	110.000	CISAD3
A3-39 Which of the following types of risk could result from inadequate software project baselining?	Sign-off delays	Software integrity violations	Scope creep	Inadequate controls	c	A software baseline is the cutoff point in the design and development of a system. Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage a system through baselining can result in uncontrolled changes in a project's scope and may incur time and budget overruns.	CISAD3	944	102.000	CISAD3
A3-40 An organization implemented a distributed accounting system, and the IS auditor is conducting a postimplementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST?	Review user access.	Evaluate the change request process.	Evaluate the reconciliation controls.	Review the data flow diagram.	d	The IS auditor should review the application data flow diagram to understand the flow of data within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.	CISAD3	945	31.000	CISAD3
A3-41 During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal. The IS auditor should FIRST:	test the software for compatibility with existing hardware.	perform a gap analysis.	review the licensing policy.	ensure that the procedure had been approved.	d	In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities.	CISAD3	946	23.000	CISAD3
A3-42 A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software?	System testing	Acceptance testing	Integration testing	Unit testing	b	Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level because this could result in delays and cost overruns.	CISAD3***	947	158.000	CISAD3***
A3-43 Which of the following is the MOST likely benefit of implementing a standardized infrastructure?	Improved cost-effectiveness of IT service delivery and operational support	Increased security of the IT service delivery center	Reduced level of investment in the IT infrastructure	Reduced need for testing future application changes	a	A standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization. This standardization reduces the time and effort required to manage a set of disparate platforms and operating systems. In addition, the implementation of enhanced operational support tools (e.g., password management tools, patch management tools and auto provisioning of user access) is simplified. These tools can help the organization reduce the cost of IT service delivery and operational support.	CISAD3	948	43.000	CISAD3
A3-44 Which of the following is the MOST important element in the design of a data warehouse?	Quality of the metadata	Speed of the transactions	Volatility of the data	Vulnerability of the system	a	Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Companies that have built warehouses believe that metadata are the most important component of the warehouse.	CISAD3	949	155.000	CISAD3
A3-45 Ideally, stress testing should be carried out in a:	test environment using test data.	production environment using live workloads.	test environment using live workloads.	production environment using test data.	c	Stress testing is carried out to ensure that a system can cope with production workloads. Testing with production level workloads is important to ensure that the system will operate effectively when moved into production.	CISAD3	950	122.000	CISAD3
A3-46 Assignment of process ownership is essential in system development projects because it:	enables the tracking of the development completion percentage.	optimizes the design cost of user acceptance test cases.	minimizes the gaps between requirements and functionalities.	ensures that system design is based on business needs.	d	The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.	CISAD3***	951	57.000	CISAD3***
A3-47 The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:	the internal lab testing phase.	testing and prior to user acceptance.	the requirements gathering process.	the implementation phase.	c	The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues.	CISAD3	952	173.000	CISAD3
A3-48 The phases and deliverables of a system development life cycle project should be determined:	during the initial planning stages of the project	after early planning has been completed but before work has begun.	throughout the work stages, based on risk and exposures	only after all risk and exposures have been identified and the IS auditor has recommended appropriate controls.	a	It is extremely important that the project be planned properly, and that the specific phases and deliverables are identified during the early stages of the project. This enables project tracking and resource management.	CISAD3***	953	65.000	CISAD3***
A3-49 Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to:	assess whether the planned cost benefits are being measured, analyzed and reported.	review control balances and verify that the system is processing data accurately	review the impact of program changes made during the first phase on the remainder of the project.	determine whether the system's objectives were achieved.	c	Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects.	CISAD3	954	144.000	CISAD3
A3-50 When implementing an application software package, which of the following presents the GREATEST risk?	Uncontrolled multiple software versions	Source programs that are not synchronized with object code	Incorrectly set parameters	Programming errors	c	Parameters that are not set correctly would be the greatest concern when implementing an application software package. Incorrectly set parameters are an immediate problem that could lead to system breach, failure or noncompliance.	CISAD3***	955	126.000	CISAD3***
A3-51 Which of the following is an advantage of prototyping?	The finished system normally has strong internal controls.	Prototype systems can provide significant time and cost savings.	Change control is often less complicated with prototype systems.	Prototyping ensures that functions or extras are not added to the intended system.	b	Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production.	CISAD3	956	35.000	CISAD3
A3-52 The PRIMARY objective of performing a postincident review is that it presents an opportunity to:	improve internal control procedures.	harden the network to industry good practices.	highlight the importance of incident response management to management.	improve employee awareness of the incident response process.	a	A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control.	CISAD3***	957	10.000	CISAD3***
A3-53 An advantage of using sanitized live transactions in test data is that:	all transaction types will be included.	every error condition is likely to be tested.	no special routines are required to assess the results.	test transactions are representative of live processing.	d	Test data will be representative of live processing; however, it is important that all sensitive information in the live transaction file is sanitized to prevent improper data disclosure.	CISAD3	958	80.000	CISAD3
A3-54 An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that:	users may prefer to use contrived data for testing.	unauthorized access to sensitive data may result.	error handling and credibility checks may not be fully proven.	the full functionality of the new process may not necessarily be tested.	b	Unless the data are sanitized, there is a risk of disclosing sensitive data. There is a risk that former production data may not test all error routines; however, this is not as serious as the risk of release of sensitive data.	CISAD3	959	155.000	CISAD3
A3-55 Which of the following is the PRIMARY purpose for conducting parallel testing?	To determine whether the system is cost-effective	To enable comprehensive unit and system testing	To highlight errors in the program interfaces with files.	To ensure the new system meets user requirements	d	The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements by comparing the results of the old system with the new system to ensure correct processing.	CISAD3	960	10.000	CISAD3
A3-56 The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:	rules.	decision trees.	semantic nets.	dataflow diagrams.	b	Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached.	CISAD3	961	1.000	CISAD3
A3-57 An advantage in using a bottom-up versus a top-down approach to software testing is that:	interface errors are detected earlier.	confidence in the system is achieved earlier.	errors in critical modules are detected earlier.	major functions and processing are tested earlier.	c	The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that errors in critical modules are found earlier.	CISAD3	962	164.000	CISAD3
A3-58 During which of the following phases in system development would user acceptance test plans normally be prepared?	Feasibility study	Requirements definition	Implementation planning	Post-implementation review.	b	During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient.	CISAD3	963	196.000	CISAD3
A3-59 The use of object-oriented design and development techniques would MOST likely:	facilitate the ability to reuse modules.	improve system performance.	enhance control effectiveness.	speed up the system development life cycle.	a	One of the major benefits of object-oriented design and development is the ability to reuse modules.	CISAD3***	964	153.000	CISAD3***
A3-60 Which of the following should be included in a feasibility study for a project to implement an electronic data interchange process?	The encryption algorithm format	The detailed internal control procedures	The necessary communication protocols	The proposed trusted third-party agreement	c	The communications protocols must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.	CISAD3***	965	65.000	CISAD3***
A3-61 When a new system is to be implemented within a short time frame, it is MOST important to:	finish writing user manuals.	perform user acceptance testing.	add last-minute enhancements to functionalities.	ensure that the code has been documented and reviewed.	b	It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. If time is tight, the last thing one would want to do is add another enhancement because it would be necessary to freeze the code and complete the testing, then make any other changes as future enhancements.	CISAD3	966	70.000	CISAD3
A3-62 Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:	pre-BPR process flowcharts.	post-BPR process flowcharts.	BPR project plans.	continuous improvement and monitoring plans.	b	An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process.	CISAD3	967	9.000	CISAD3
A3-63 An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort?	Program evaluation review technique	Function point analysis	Counting source lines of code	White box testing	b	Function point analysis is a technique used to determine the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal sites.	CISAD3	968	141.000	CISAD3
A3-64 A company has contracted with an external consulting firm to implement a commercial financial systern to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?	Acceptance testing is to be managed by users.	A quality plan is not part of the contracted deliverables.	Not all business functions will be available on initial implementation.	Prototyping is being used to confirm that the system meets business requirements.	b	A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when.	CISAD3***	969	61.000	CISAD3***
A3-65 When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist managerment in the decision-making process?	Discuss a single solution.	Consider security controls.	Demonstrate feasibility.	Consult the audit department.	c	The business case should demonstrate feasibility for any potential project. By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision.	CISAD3	970	95.000	CISAD3
A3-66 Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the:	existence of a set of functions and their specified properties.	ability of the software to be transferred from one environment to another.	capability of software to maintain its level of performance under stated conditions.	relationship between the performance of the software and the amount of resources used.	a	Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functionality of a system represents the tasks, operations and purpose of the system in achieving its objective (i.e., supporting a business requirement).	CISAD3***	971	19.000	CISAD3***
A3-67 During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be	increased maintenance.	improper documentation of testing.	improper acceptance of a program.	delays in problem resolution.	c	The major risk of combining quality assurance testing and user acceptance testing is that the users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards.	CISAD3	972	77.000	CISAD3
A3-68 The GREATEST advantage of rapid application development over the traditional system development life cycle is that it	facilitates user involvement.	allows early testing of technical features.	facilitates conversion to the new systern.	shortens the development time frame.	d	The greatest advantage and core objective of RAD is a shorter time frame for the development of a system.	CISAD3	973	66.000	CISAD3
A3-64 A company has contracted with an external consulting firm to implement a commercial financial systern to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?	Acceptance testing is to be managed by users.	A quality plan is not part of the contracted deliverables.	Not all business functions will be available on initial implementation.	Prototyping is being used to confirm that the system meets business requirements.	b	A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when.	CISAD3	974	107.000	CISAD3
A3-65 When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist managerment in the decision-making process?	Discuss a single solution.	Consider security controls.	Demonstrate feasibility.	Consult the audit department.	c	The business case should demonstrate feasibility for any potential project. By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision.	CISAD3	975	140.000	CISAD3
A3-66 Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the:	existence of a set of functions and their specified properties.	ability of the software to be transferred from one environment to another.	capability of software to maintain its level of performance under stated conditions.	relationship between the performance of the software and the amount of resources used.	a	Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functionality of a system represents the tasks, operations and purpose of the system in achieving its objective (i.e., supporting a business requirement).	CISAD3***	976	110.000	CISAD3***
A3-67 During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be	increased maintenance.	improper documentation of testing.	improper acceptance of a program.	delays in problem resolution.	c	The major risk of combining quality assurance testing and user acceptance testing is that the users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards.	CISAD3	977	106.000	CISAD3
A3-68 The GREATEST advantage of rapid application development over the traditional system development life cycle is that it	facilitates user involvement.	allows early testing of technical features.	facilitates conversion to the new systern.	shortens the development time frame.	d	The greatest advantage and core objective of RAD is a shorter time frame for the development of a system.	CISAD3	978	64.000	CISAD3
A3-69 An IS auditor reviewing a proposed application software acquisition should ensure that the:	operating system (OS) being used is compatible with the existing hardware platform.	planned OS updates have been scheduled to minimize negative impacts on company needs.	OS has the latest versions and updates.	product is compatible with the current or planned OS.	d	In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the current or planned OS.	CISAD3	979	47.000	CISAD3
A3-70 Which of the following is of GREATEST concern to an IS auditor when performing an audit of a client relationship management system migration project?	The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks.	Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system.	A single implementation is planned, immediately decomunissioning the legacy system.	Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system's software.	c	Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risk. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly.	CISAD3	980	198.000	CISAD3
A3-71 Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?	Parallel testing	Pilot testing	Interface/integration testing	Sociability testing	d	The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems.	CISAD3***	981	81.000	CISAD3***
A3-72 At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:	report the error as a finding and leave further exploration to the auditee's discretion.	attempt to resolve the error.	recommend that problem resolution be escalated.	ignore the error because it is not possible to get objective evidence for the software error.	c	When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted including escalation if necessary.	CISAD3	982	3.000	CISAD3
A3-73 Which of the following is the GREATEST risk to the effectiveness of application system controls?	Removal of manual processing steps	Inadequate procedure manuals.	Collusion between employees	Unresolved regulatory compliance issues	c	Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented.	CISAD3	983	86.000	CISAD3
A3-74 An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?	Pilot	Parallel	Direct cutover	Phased	c	Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. This is the riskiest approach and may cause a significant impact on the organization.	CISAD3	984	2.000	CISAD3
A3-75 During the requirements definition stage of a proposed enterprise resource planning system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods would be the BEST to perform?	Unit testing	Integration testing	Sociability testing	Quality assurance testing	b	Integration testing is the best answer. Integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design.	CISAD3	985	58.000	CISAD3
A3-76 During a post-implementation review of an enterprise resource managerment system, an IS auditor would MOST likely:	review access control configuration.	evaluate interface testing.	review detailed design documentation.	evaluate system testing.	a	Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.	CISAD3***	986	136.000	CISAD3***
A3-77 An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?	Project risk assessment	User acceptance testing	Post-implementation review	Management approval of the system	c	The purpose of a post-implementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The post-implementation review also evaluates how effective the project management practices were in keeping the project on track.	CISAD3***	987	18.000	CISAD3***
A3-78 In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:	isolation.	consistency.	atomicity.	durability.	c	The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out.	CISAD3	988	166.000	CISAD3
A3-79 A company undertakes a business process reengineering project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?	Whether key controls are in place to protect assets and information resources	Whether the system can meet the performance goals	Whether the system addresses corporate customer requirements	Whether the new system will support separation of duties	a	The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process.	CISAD3	989	119.000	CISAD3
A3-80 A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced?	Verifying production of customer orders	Logging all customer orders in the ERP system	Using hash totals in the order transmitting process	Approving (production supervisor) orders prior to production	a	Verification of the products produced will ensure that the produced products match the orders in the order system.	CISAD3***	990	141.000	CISAD3***
A3-81 When two or more systems are integrated, the IS auditor must review input/output controls in the:	Systems receiving the output of other systems.	Systems sending output to other systems.	Systems sending and receiving data.	Interfaces between the two systems.	c	Both of the systems must be reviewed for input/output controls because the output for one system is the input for the other.	CISAD3***	991	190.000	CISAD3***
A3-82 An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:	check to ensure that the type of transaction is valid for the card type.	verify the format of the number entered, then locate is on the database.	ensure that the transaction entered is within the cardholder's credit limit.	confirm that the card is not shown as lost or stolen on the master file.	b	The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number entered by the user.	CISAD3	992	82.000	CISAD3
A3-83 A small company cannot segregate duties between its development processes and its change control function. What is the BEST way to ensure that the tested code that is moved into production is the same?	Release management software	Manual code comparison	Regression testing in preproduction	Management approval of changes	a	Automated release management software can prevent unauthorized changes by moving code into production without any manual intervention.	CISAD3***	993	33.000	CISAD3***
A3-84 Which of the following will BEST ensure the successful offshore development of business applications?	Stringent contract management practices	Detailed and correctly applied specifications	Awareness of cultural and political differences	Post-implementation review	b	When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.	CISAD3	994	71.000	CISAD3
A3-85 Documentation of a business case used in an IT development project should be retained until:	the end of the system's life cycle.	the project is approved.	user acceptance of the system.	the system is in production.	a	A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates versus actuals. Questions such as "Why do we do that?", "What was the original intent?" and "How did we perform against the plan?" can be answered, and lessons for developing future business cases can be learned.	CISAD3	995	33.000	CISAD3
A3-86 During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced, and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:	Buffer overflow.	Brute force attack.	Distributed denial-of-service attack.	War dialing attack.	a	Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques.	CISAD3	996	189.000	CISAD3
A3-87 Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?	Bottom-up testing	Sociability testing	Top-down testing	System testing	c	The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.	CISAD3	997	87.000	CISAD3
A3-88 When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:	not be concerned because there may be other compensating controls to mitigate the risk.	ensure that overrides are automatically logged and subject to review.	verify whether all such overrides are referred to senior management for approval.	recommend that overrides not be permitted.	b	If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log.	CISAD3	998	29.000	CISAD3
A3-89 Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?	A sufficient quantity of data for each test case	Data representing conditions that are expected in actual processing	Completing the test on schedule	A random sample of actual data	b	Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity.	CISAD3	999	104.000	CISAD3
A3-90 Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?	Project database	Policy documents	Project portfolio database	Program organization	c	A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports.	CISAD3	1,000	37.000	CISAD3
A3-91 Documentation of a business case used in an IT development project should be retained until:	the end of the system's life cycle.	the project is approved.	user acceptance of the system.	the system is in production.	a	A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates versus actuals. Questions such as "Why do we do that?", "What was the original intent?" and "How did we perform against the plan?" can be answered, and lessons for developing future business cases can be learned.	CISAD3	1,001	145.000	CISAD3
A3-92 During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced, and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:	Buffer overflow.	Brute force attack.	Distributed denial-of-service attack.	War dialing attack.	a	Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques.	CISAD3	1,002	98.000	CISAD3
A3-93 Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?	Bottom-up testing	Sociability testing	Top-down testing	System testing	c	The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.	CISAD3	1,003	109.000	CISAD3
A3-94 When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:	not be concerned because there may be other compensating controls to mitigate the risk.	ensure that overrides are automatically logged and subject to review.	verify whether all such overrides are referred to senior management for approval.	recommend that overrides not be permitted.	b	If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log.	CISAD3	1,004	108.000	CISAD3
A3-95 To minimize the cost of a software project, quality management techniques should be applied:	as close to their writing (i.e., point of origination) as possible.	primarily at project start to ensure that the project is established in accordance with organizational governance standards.	continuously throughout the project with an emphasis on finding and fixing defects primarily through testing to maximize the defect detection rate.	mainly at project close-down to capture lessons learned that can be applied to future projects.	c	Although it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle that a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work.	CISAD3	1,005	29.000	CISAD3
A3-96 When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:	whose sum of activity time is the shortest.	that have zero slack time.	that give the longest possible completion time.	whose sum of slack time is the shortest.	b	Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs versus time can be obtained.	CISAD3***	1,006	190.000	CISAD3***
A3-97 An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?	Report that the organization does not have effective project management	Recommend the project manager be changed	Review the IT governance structure	Review the business case and project management	d	Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to bringing the project over budget and over schedule.	CISAD3	1,007	189.000	CISAD3
A3-98 Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion?	Function point analysis	Earned value analysis	Cost budget	Program evaluation and review technique	b	Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists.	CISAD3***	1,008	168.000	CISAD3***
A3-99 Which of the following system and data conversion strategies provides the GREATEST redundancy?	Direct cutover	Pilot study	Phased approach	Parallel run	d	Parallel runs are the safest though the most expensive approach because both the old and new systems are run, thus incurring what might appear to be double costs.	CISAD3	1,009	154.000	CISAD3
A3-100 Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing?	Test data covering critical applications	Detailed test plans	Quality assurance test specifications	User acceptance test specifications	d	A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase.	CISAD3***	1,010	19.000	CISAD3***
A3-101 At the completion of a system development project, a post-project review should include which of the following?	Assessing risk that may lead to downtime after the production release	Identifying lessons learned that may be applicable to future projects	Verifying that the controls in the delivered system are working	Ensuring that test data are deleted	b	A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects.	CISAD3***	1,011	58.000	CISAD3***
A3-102 An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the:	complexity and risk associated with the project have been analyzed.	resources needed throughout the project have been determined.	technical deliverables have been identified.	a contract for external parties involved in the project has been completed.	a	Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome.	CISAD3	1,012	95.000	CISAD3
A3-103 From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:	a major deployment after proof of concept.	prototyping and a one-phase deployment.	a deployment plan based on sequenced phases.	to simulate the new infrastructure before deployment.	c	When developing a large and complex IT infrastructure, a good practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results.	CISAD3	1,013	76.000	CISAD3
A3-104 When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the:	project be discontinued.	business case be updated and possible corrective actions be identified.	project be returned to the project sponsor for re-approval.	project be completed and the business case be updated later.	b	The IS auditor should recommend that the business case be kept current throughout the project because it is a key input to decisions made throughout the life of any project.	CISAD3	1,014	116.000	CISAD3
A3-105 Which of the following is an advantage of the top-down approach to software testing?	Interface errors are identified early	Testing can be started before all programs are complete	It is more effective than other testing approaches	Errors in critical modules are detected sooner	a	The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner.	CISAD3	1,015	55.000	CISAD3
A3-106 During the system testing phase of an application development project the IS auditor should review the:	conceptual design specifications.	vendor contract.	error reports.	program change requests.	c	Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors.	CISAD3	1,016	167.000	CISAD3
A3-107 Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?	Increase the time allocated for system testing	Implement formal software inspections	Increase the development staff	Require the sign-off of all project deliverables	b	Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved.	CISAD3	1,017	145.000	CISAD3
A3-108 An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:	stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.	accept the project manager's position because the project manager is accountable for the outcome of the project.	offer to work with the risk manager when one is appointed.	inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.	a	The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy, enterprise risk management, and tactical plans to support this strategy.	CISAD3	1,018	34.000	CISAD3
A3-109 The MAIN purpose of a transaction audit trail is to	reduce the use of storage media.	determine accountability and responsibility for processed transactions.	help an IS auditor trace transactions.	provide useful information for capacity planning.	b	Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system.	CISAD3	1,019	118.000	CISAD3
A3-110 An organization is implementing an enterprise resource planning application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?	Project sponsor	System development project team	Project steering committee	User project team	c	A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results.	CISAD3	1,020	170.000	CISAD3
A3-111 A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?	IS auditor	Database administrator	Project manager	Data owner	d	During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely and accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data.	CISAD3	1,021	64.000	CISAD3
A3-112 An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:	correlation of arithmetic characteristics of the data migrated between the two systems.	correlation of semantic characteristics of the data migrated between the two systems.	correlation of functional characteristics of the processes between the two systems.	relative efficiency of the processes between the two systems.	a	Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new as it was in the old system.	CISAD3	1,022	141.000	CISAD3
A3-113 Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?	System owners	System users	System designers	System builders	a	System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems.	CISAD3***	1,023	163.000	CISAD3***
A3-114 A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one sixth of the budget has been spent. The IS auditor should FIRST determine:	the amount of progress achieved compared to the project schedule.	if the project budget can be reduced.	if the project could be brought in ahead of schedule.	if the budget savings can be applied to increase the project scope.	a	Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project.	CISAD3	1,024	55.000	CISAD3
A3-115 The MAJOR advantage of a component-based development approach is the	ability to manage an unrestricted variety of data types.	provision for modeling complex relationships.	capacity to meet the demands of a changing environment.	support of multiple development environments.	d	Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.	CISAD3	1,025	88.000	CISAD3
A3-116 The specific advantage of white box testing is that it	verifies a program can operate successfully with other parts of the system.	ensures a program's functional operating effectiveness without regard to the internal program structure.	determines procedural accuracy or conditions of a program's specific logic paths.	examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.	c	White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths.	CISAD3	1,026	7.000	CISAD3
A3-117 Following good practices, formal plans for implementation of new information systems are developed during the:	development phase.	design phase.	testing phase.	deployment phase.	b	The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.	CISAD3***	1,027	105.000	CISAD3***
An IS auditor is reviewing a project that is using an agile software development approach. Which of the Following should the IS auditor expect to find?	Use of a capability maturity model	Regular monitoring of task-level progress against schedule	Extensive use of software development tools to maximize team productivity.	Post-iteration reviews that identify lessons learned for future use in the project	d	A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. Once of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations.	CISAD3***	1,028	68.000	CISAD3***
An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems?	Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled.	Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.	Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected.	System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.	b	Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap.	CISAD3***	1,029	104.000	CISAD3***
Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?	Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports	Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables	Extrapolation of the overall end date based on completed work packages and current resources	Calculation of the expected end date based on current resources and remaining available project budget	c	Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., 80:20 rule).	CISAD3	1,030	146.000	CISAD3
An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make?	Consider the feasibility of a separate user acceptance environment	Schedule user testing to occur at a given time each day	Implement a source code version control tool	Only retest high-priority defects	a	A separate environment or environments is normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment.	CISAD3	1,031	64.000	CISAD3
An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make?	Achieve standards alignment through an increase of resources devoted to the project	Align the data definition standards after completion of the project	Delay the project until compliance with standards can be achieved	Enforce standard compliance by adopting punitive measures against violators	a	Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources.	CISAD3	1,032	33.000	CISAD3
What is the PRIMARY reason that an IS auditor would verify that the process of post-implementation review of an application was completed after a release?	To make sure that users are appropriately trained	To verify that the project was within budget	To check that the project meets expectations	To determine whether proper controls were implemented	c	The objective of a post-implementation review is to reveal whether the implementation of a system has achieved planned objectives (i.e., meets business objectives and risk acceptance criteria). While an IS auditor would be interested in ensuring that proper controls were implemented, the most important consideration would be that the project meets expectations.	CISAD3***	1,033	41.000	CISAD3***
An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate?	Senior IS and business management must approve use before production data can be used for testing	Production data can be used if they are copied to a secure test environment	Production data can never be used. All test data must be developed and based on documented test cases	Production data can be used provided that confidentiality agreements are in place	a	There is risk associated with the use of production data for testing. These include compromising customer or employee confidentiality (which may also involve breaching legislation) and corrupting production of the data. Additionally, there are certain cases in which effective testing requires specifically designed data. There are other cases in which using production would provide insights that are difficult or impossible to get from manufactured test data. One example is testing of interfaces to legacy systems. Management information systems are a further example where access to "real" data is likely to enhance testing. Some flexibility on the use of production data is likely to be the best option. In addition to obtaining senior management approval, conditions that mitigate the risk associated with using production data can be agreed on, such as masking names and other identifying fields to protect privacy.	CISAD3***	1,034	58.000	CISAD3***
An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the test phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy?	Test and release a pilot with reduced functionality	Fix and retest the highest-severity functional defects.	Eliminate planned testing by the development team, and proceed straight to acceptance testing	Implement a test tool to automate defect tracking	a	Testing and releasing a pilot with reduced functionality reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation.	CISAD3***	1,035	73.000	CISAD3***
An IS auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which of the following will BEST identify the issues to be resolved?	Self-assessment	Reverse engineering	Prototyping	Gap analysis	d	Gap analysis would be the best method to identify issues that need to be addressed in the reengineering process. Gap analysis indicates which parts of current processes conform to good practices (desired state) and which do not.	CISAD3	1,036	46.000	CISAD3
An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning system. Due to ERP performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?	Review the implementation of selected integrated controls	Request additional IS audit resources	Request vendor technical support to resolve performance issues	Review the results of stress tests during user acceptance testing	d	The appropriate recommendation is to review the results of stress tests during user acceptance testing that demonstrated the performance issues.	CISAD3***	1,037	165.000	CISAD3***
What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning payroll system that is replacing an existing legacy system?	Multiple testing	Parallel testing	Integration testing	Prototype testing	b	Parallel testing is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommissioning the legacy system. Parallel testing also results in better user adoption of the new system.	CISAD3	1,038	155.000	CISAD3
A rapid application development methodology has been selected to implement a new enterprise resource planning system. All of the project activities have been assigned to the contracted consulting company because internal employees are not available. What is the IS auditor's FIRST step to compensate for the lack of resources?	Review the project plan and approach	Ask the vendor to provide additional external staff	Recommend that the company hire more people	Stop the project until all human resources are available	a	Rapid methodologies require available resources with good expertise and a fast decision-making process because the plan duration is usually short. Reviewing the project plan and approach is the best recommendation to make the appropriate changes to compensate for the missing end users.	CISAD3	1,039	71.000	CISAD3
An IS auditor who is auditing the software acquisition process will ensure that the:	contract is reviewed and approved by the legal counsel before it is signed	requirements cannot be met with the systems already in place.	requirements are found to be critical for the business.	user participation is adequate in the process.	a	The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signs the contract.	CISAD3	1,040	173.000	CISAD3
Which of the following controls helps prevent duplication of vouchers during data entry?	A range check	Transposition and substitution	A sequence check	A cyclic redundancy check	c	A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers.	CISAD3	1,041	75.000	CISAD3
Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested?	A snapshot	Tracing and tagging	Logging	Mapping	d	Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.	CISAD3	1,042	91.000	CISAD3
The PRIMARY objective of conducting a post-implementation review for a business process automation project is to:	ensure that the project meets the intended business requirements.	evaluate the adequacy of controls.	confirm compliance with technological standards.	confirm compliance with regulatory requirements.	a	Ensuring that the project meets the intended business requirements is the primary objective of a post-implementation review.	CISAD3	1,043	174.000	CISAD3
While evaluating the "out of scope" section specified in a project plan, an IS auditor should ascertain whether the section:	effectively describes unofficial project objectives.	effectively describes project boundaries.	clearly states the project's "nice to have" objectives.	provides the necessary flexibility to the project team.	b	The purpose of the out of scope section is to make clear to readers what items are not considered project objectives so that all project stakeholders understand the project boundaries and what is in scope versus out of scope.	CISAD3	1,044	110.000	CISAD3
An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by:	the project manager.	systems development management.	business unit management.	the quality assurance team.	c	Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software.	CISAD3	1,045	58.000	CISAD3
Which of the following is MOST relevant to an IS auditor evaluating how the project manager has monitored the progress of the project?	Critical path diagrams	Program evaluation review technique diagrams	Function point analysis	Gantt charts	d	Gantt charts help to identify activities that have been completed early or late through comparison to a baseline. Progress of the entire project can be read from the Gantt chart to determine whether the project is behind, ahead of or on schedule.	CISAD3***	1,046	128.000	CISAD3***
While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project:	is behind schedule.	is ahead of schedule.	is on schedule	cannot be evaluated until the activity is completed.	a	Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed.	CISAD3	1,047	122.000	CISAD3
Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities?	The programming language	The development environment	A version control system	Program coding standards	d	Program coding standards are required for efficient program maintenance and modifications. To enhance the quality of programming activities and future maintenance capabilities, program coding standards should be applied. Program coding standards are essential to writing, reading and understanding code, simply and clearly, without having to refer back to design specifications.	CISAD3***	1,048	34.000	CISAD3***
During a system development life cycle audit of a human resources and payroll application, the IS auditor notes that the data used for user acceptance testing have been masked. The purpose of masking the data is to ensure the:	confidentiality of the data.	accuracy of the data.	completeness of the data.	reliability of the data.	a	Masking is used to ensure the confidentiality of data, especially in a user acceptance testing exercise in which the testers have access to data that they would not have access to in normal production environments.	CISAD3	1,049	145.000	CISAD3
A company's development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects?	Functional verification of the prototypes is assigned to end users	The project is implemented while minor issues are open from user acceptance testing	Project responsibilities are not formally defined at the beginning of a project	Program documentation is inadequate	c	Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.	CISAD3***	1,050	174.000	CISAD3***
An IS auditor has been asked to review the implementation of a customer relationship management system for a large organization. The IS auditor discovered the project incurred significant over-budget expenses and scope creep caused the project to miss key dates. Which of the following should the IS auditor recommend for future projects?	Project management training	A software baseline	A balanced scorecard	Automated requirements software	b	Use of a software baseline provides a cutoff point for the design of the system and allows the project to proceed as scheduled without being delayed by scope creep.	CISAD3	1,051	29.000	CISAD3
Which of the following is the BEST indicator that a newly developed system will be used after it is in production?	Regression testing	User acceptance testing	Sociability testing	Parallel testing	b	User acceptance testing is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements or to demonstrate the effectiveness or efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be adopted by the users.	CISAD3	1,052	58.000	CISAD3
The project steering committee is ultimately responsible for:	day-to-day management and leadership of the project.	allocating the funding for the project.	project deliverables, costs and timetables.	ensuring that system controls are in place.	c	The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and timetables.	CISAD3	1,053	79.000	CISAD3
Which of the following BEST helps ensure that deviations from the project plan are identified?	A project management framework	A project management approach	A project resource plan	Project performance criteria	d	To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.	CISAD3***	1,054	111.000	CISAD3***
An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern?	The implementation phase of the project has no back out plan	User acceptance testing was not properly documented	The go-live date is over a holiday weekend when key IT staff are on vacation	Software functionality tests were completed, but stress testing was not performed	a	One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a back out plan. In an immediate cutover scenario, not having a back out plan can create significant issues because it can take considerable time and cost to restore operations to the prior state if there is no viable plan to do so.	CISAD3	1,055	90.000	CISAD3
Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?	Alpha testing	Regression testing	Beta testing	White box testing	c	Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta testing is the last stage of testing and involves sending the beta version of the product to independent beta test sites or offering it free to interested users.	CISAD3	1,056	105.000	CISAD3
Which of the following is the BEST method of controlling scope creep in a system development project?	Defining penalties for changes in requirements	Establishing a software baseline	Adopting a matrix project management structure	Identifying the critical path of the project	b	Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures. Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements.	CISAD3	1,057	167.000	CISAD3
The PRIMARY purpose of a post-implementation review is to ascertain that:	The lessons learned have been documented.	Future enhancements can be identified.	The project has been delivered on time and budget.	Project objectives have been met.	d	A project manager performs a post-implementation review to obtain feedback regarding the project deliverables and business needs and to determine whether the project has successfully met them.	CISAD3	1,058	158.000	CISAD3
Results of a post-implementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?	Load testing	Stress testing	Recovery testing	Volume testing	a	Load testing evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate.	CISAD3	1,059	63.000	CISAD3
An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that:	it has not been determined how the project fits into the overall project portfolio.	the organizational impact of the project has not been assessed.	not all IT stakeholders have been given an opportunity to provide input.	the environmental impact of the data center has not been considered.	b	The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact-a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy.	CISAD3***	1,060	167.000	CISAD3***
A4-1 An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?	References from other clients for the service provider	The physical security of the service provider site	The proposed service level agreement with the service provider	Background checks of the service provider's employees	c	The SLA would define specific levels of performance and security required, making the provider contractually obligated to deliver as promised.	CISAD4	1,061	22.000	CISAD4
A4-2 An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention?	The SLA does not contain a transition clause from the old supplier to a new supplier or back to internal in the case of expiration or termination.	The SLA does not contain a late payment clause between the customer and the supplier.	The SLA does not contain a contractual commitment for service improvement.	The SLA does not contain a dispute resolution procedure between the contracting parties.	a	Lack of transition clauses poses the greatest risk because the old supplier might not facilitate a smooth transition, potentially causing service disruption and data loss.	CISAD4	1,062	204.000	CISAD4
A4-3 An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?	A clause providing a "right to audit" the service provider	A clause defining penalty payments for poor performance	Predefined service level report templates	A clause regarding supplier limitation of liability	a	Without a "right to audit" clause, the IS auditor cannot verify supplier performance and control deficiencies.	CISAD4	1,063	136.000	CISAD4
A4-4 When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:	was installed, but not documented in the IT department records.	was being used by users not properly trained in its use.	is not listed in the approved software standards document	license will expire in the next 15 days.	c	The installation of unapproved software is a serious violation and could pose security, legal, and financial risks.	CISAD4***	1,064	126.000	CISAD4***
A4-5 An IS auditor of a healthcare organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization?	Data ownership is retained by the customer organization.	The third-party provider reserves the right to access data to perform certain operations.	Bulk data withdrawal mechanisms are undefined.	The customer organization is responsible for backup, archive, and restore.	b	Third-party access to customer information can pose significant regulatory compliance risks, especially with sensitive data like health information.	CISAD4	1,065	147.000	CISAD4
A4-6 Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?	A hot site maintained by the business	A commercial cold site	A reciprocal arrangement between its offices	A third-party hot site	c	A reciprocal arrangement is the least expensive and can provide an acceptable level of confidence for recovery.	CISAD4	1,066	96.000	CISAD4
A4-7 During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?	Field definition	Master table definition	Composite keys	Foreign key structure	d	Referential integrity is ensured by foreign keys, which link tables and ensure consistency.	CISAD4***	1,067	117.000	CISAD4***
A4-8 An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?	The default configurations are changed.	All tables in the database are denormalized.	Stored procedures and triggers are encrypted.	The service port used by the database server is changed.	a	Changing default configurations, such as passwords and services, is critical to prevent database compromise.	CISAD4	1,068	148.000	CISAD4
A4-9 In auditing a database environment, an IS auditor will be MOST concerned if the database administrator is performing which of the following functions?	Performing database changes according to change management procedures	Installing patches or upgrades to the operating system	Sizing table space and consulting on table join limitations	Performing backup and recovery procedures	b	Operating system patches and upgrades should be performed by a systems administrator to maintain proper segregation of duties.	CISAD4	1,069	76.000	CISAD4
A4-10 Which of the following is the MOST reasonable option for recovering a non-critical system?	Warm site	Mobile site	Hot site	Cold site	d	A cold site is cost-effective for non-critical systems as it takes longer to become operational but is less expensive.	CISAD4	1,070	81.000	CISAD4
A4-11 An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?	Changes are authorized by IT managers at all times.	User acceptance testing is performed and properly documented.	Test plans and procedures exist and are closely followed.	Capacity planning is performed as part of each development project.	c	Implementing and following a sound test plan and procedures is crucial to ensuring system availability.	CISAD4***	1,071	161.000	CISAD4***
A4-12 Data flow diagrams are used by IS auditors to:	identify key controls.	highlight high-level data definitions.	graphically summarize data paths and storage.	portray step-by-step details of data generation.	c	Data flow diagrams graphically summarize the flow and storage of data, tracking it from origination to destination.	CISAD4***	1,072	56.000	CISAD4***
A4-13 Which of the following statements is useful while drafting a disaster recovery plan?	Downtime costs decrease as the recovery point objective increases.	Downtime costs increase with time.	Recovery costs are independent of time.	Recovery costs can only be controlled on a short-term basis.	b	Downtime costs, such as loss of sales and idle resources, increase with time, emphasizing the importance of minimizing downtime.	CISAD4***	1,073	199.000	CISAD4***
A4-14 Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:	include the statement from management in the audit report	verify the software is in use through testing.	include the item in the audit report.	discuss the issue with senior management because it could have a negative impact on the organization.	b	The auditor should independently verify through testing before reporting the use of unlicensed software to ensure accuracy and completeness.	CISAD4	1,074	161.000	CISAD4
A4-15 An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper-based cables is that UTP cable:	reduces crosstalk between pairs.	can be used in long-distance networks.	provides protection against wiretapping.	is simple to install.	a	UTP cable reduces the likelihood of crosstalk due to its twisted nature.	CISAD4	1,075	57.000	CISAD4
A4-16 Which of the following is the MOST critical element to effectively execute a disaster recovery plan?	Offsite storage of backup data	Up-to-date list of key disaster recovery contacts	Availability of a replacement data center	Clearly defined recovery time objective	a	Remote storage of backups is essential to restore systems during a disaster recovery scenario.	CISAD4***	1,076	95.000	CISAD4***
A4-17 While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on:	adequately monitoring service levels of IT resources and services.	providing data to enable timely planning for capacity and performance requirements.	providing accurate feedback on IT resource capacity.	properly forecasting performance, capacity, and throughput of IT resources.	c	Accurate capacity monitoring is the most critical element for continuous monitoring to ensure availability.	CISAD4***	1,077	43.000	CISAD4***
A4-18 Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis?	Business process owners	IT management	Senior business management	Industry experts	a	Business process owners provide the most relevant information for a BIA as they understand the business needs and criticality of applications.	CISAD4	1,078	117.000	CISAD4
A4-19 An IS auditor is reviewing an organization's disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk?	Testing of the DRP has not been performed.	The disaster recovery strategy does not specify the use of a hot site.	The business impact analysis was conducted, but the results were not used.	The disaster recovery project manager for the implementation has recently left the organization.	c	Not using the BIA results in DRP planning means the DRP may not be designed to recover the most critical assets in the correct order.	CISAD4	1,079	65.000	CISAD4
A4-20 A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organization take?	Continue the current process of testing and applying patches.	Delay patching until resources for testing are available	Reduce testing and ensure that an adequate backout plan is in place.	Rely on the vendor's testing of the patches	a	Testing patches before deployment is crucial to avoid disruptions; maintaining the current process ensures the security and stability of systems.	CISAD4	1,080	74.000	CISAD4
A4-21 Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?	A service adjustment resulting from an exception report took a day to implement.	The complexity of application logs used for service monitoring made the review difficult.	Service measures were not included in the SLA.	The document is updated on an annual basis.	c	Lack of service measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided.	CISAD4	1,081	33.000	CISAD4
A4-22 During an IS audit of the disaster recovery plan of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?	A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.	The corporate business continuity plan does not accurately document the systems that exist at remote offices.	Corporate security measures have not been incorporated into the test plan.	A test has not been made to ensure that tape backups from the remote offices are usable.	a	Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process.	CISAD4***	1,082	159.000	CISAD4***
A4-23 Which of the following reports should an IS auditor use to check compliance with a service level agreement's requirement for uptime?	Utilization reports.	Hardware error reports.	System logs.	Availability reports.	d	IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes.	CISAD4	1,083	30.000	CISAD4
A4-24 Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?	System log analysis	Compliance testing	Forensic analysis	Analytical review	b	Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.	CISAD4***	1,084	76.000	CISAD4***
A4-25 During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?	Recommend redesigning the change management process.	Gain more assurance on the findings through root cause analysis.	Recommend that program migration be stopped until the change process is documented.	Document the finding and present it to management.	b	A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.	CISAD4	1,085	16.000	CISAD4
A4-26 An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:	The setup is geographically dispersed.	The servers are clustered in one site.	A hot site is ready for activation.	Diverse routing is implemented for the network.	b	A clustered setup in one site makes the entire network vulnerable to natural disasters or other disruptive events.	CISAD4	1,086	123.000	CISAD4
A4-27 Management considered two projections for its disaster recovery plan: plan A with two months to fully recover and plan B with eight months to fully recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher	Downtime costs.	Resumption costs.	Recovery costs.	Walk-through costs.	a	Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher.	CISAD4	1,087	50.000	CISAD4
A4-28 Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?	A system downtime log	Vendors' reliability figures	Regularly scheduled maintenance log	A written preventive maintenance schedule	a	A system downtime log provides evidence regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control.	CISAD4***	1,088	83.000	CISAD4***
A4-29 An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?	Ask the SaaS vendor to provide a weekly report on application uptime.	Implement an online polling tool to monitor the application and record outages.	Log all application outages reported by users and aggregate the outage time weekly.	Contract an independent third party to provide weekly reports on application uptime.	b	Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor the software as a service application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved.	CISAD4	1,089	137.000	CISAD4
A4-30 Applying a retention date on a file will ensure that:	Data cannot be read until the date is set.	Data will not be deleted before that date.	Backup copies are not retained after that date.	Datasets having the same name are differentiated.	b	A retention date will ensure that a file cannot be overwritten or deleted before that date has passed.	CISAD4	1,090	66.000	CISAD4
A4-31 Which of the following is a network diagnostic tool that monitors and records network information?	Online monitor	Downtime report	Help desk report	Protocol analyzer	d	Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.	CISAD4***	1,091	33.000	CISAD4***
A4-32 An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess:	Problem management procedures.	Software development procedures.	Backout procedures.	Incident management procedures	c	Backout procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process which specifies what procedures should be followed when software is being upgraded but the upgrade does not work and requires a fallback to its former state.	CISAD4	1,092	40.000	CISAD4
A4-33 Which of the following is a MAJOR concern during a review of help desk activities?	Certain calls could not be resolved by the help desk team.	A dedicated line is not assigned to the help desk team.	Resolved incidents are closed without reference to end users.	The help desk instant messaging has been down for more than six months.	c	The help desk function is a service-oriented unit. The end users must be advised before an incident can be regarded as closed.	CISAD4	1,093	151.000	CISAD4
A4-34 The MAIN purpose for periodically testing offsite disaster recovery facilities is to:	Protect the integrity of the data in the database.	Eliminate the need to develop detailed contingency plans.	Ensure the continued compatibility of the contingency facilities.	Ensure that program and system documentation remains current.	c	The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities so that assurance can be gained that the contingency plans would work in an actual disaster.	CISAD4	1,094	97.000	CISAD4
A4-35 A large chain of shops with electronic funds transfer at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?	Offsite storage of daily backups	Alternative standby processor onsite	Installation of duplex communication links	Alternative standby processor at another network node	d	Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops.	CISAD4***	1,095	56.000	CISAD4***
A4-36 The database administrator suggests that database efficiency can be improved by denormalizing some tables. This would result in:	Loss of confidentiality	Increased redundancy	Unauthorized accesses	Application malfunctions	b	Denormalization is a design or optimization process for a relational database that increases redundancy.	CISAD4	1,096	21.000	CISAD4
A4-37 An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?	There are a growing number of emergency changes.	There were instances when some jobs were not completed on time.	There were instances when some jobs were overridden by computer operators.	Evidence shows that only scheduled jobs were run.	c	The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical.	CISAD4	1,097	118.000	CISAD4
A4-38 A new business requirement required changing database vendors. Which of the following areas should the IS auditor PRIMARILY examine in relation to this implementation?	Integrity of the data	Timing of the cutover	Authorization level of users	Normalization of the data	a	A critical issue when migrating data from one database to another is the integrity of the data and ensuring that the data are migrated completely and correctly.	CISAD4	1,098	192.000	CISAD4
A4-39 The objective of concurrency control in a database system is to:	Restrict updating of the database to authorized users.	Ensure integrity when two processes attempt to update the same data at the same time.	Prevent inadvertent or unauthorized disclosure of data in the database.	Ensure the accuracy, completeness and consistency of data.	b	Concurrency controls prevent data integrity problems, such as lost updates and inconsistent data, when two processes attempt to update the same data simultaneously.	CISAD4	1,099	195.000	CISAD4
A4-40 Which of the following controls would provide the GREATEST assurance of database integrity?	Audit log procedures	Table link/reference checks	Query/table access time checks	Rollback and rollforward database features	b	Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity.	CISAD4	1,100	195.000	CISAD4
A4-41 Which of the following is widely accepted as one of the critical components in networking management?	Configuration and change management	Topological mappings	Application of monitoring tools	Proxy server troubleshooting	a	Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Change management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services.	CISAD4	1,101	13.000	CISAD4
A4-42 In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on?	A size check	A hash total	A validity check	A field check	c	A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special.	CISAD4***	1,102	49.000	CISAD4***
A4-43 Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?	Developments may result in hardware and software incompatibility	Resources may not be available when needed	The recovery plan cannot be live tested	The security infrastructures in each company may be different	a	If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover their processing following a disaster.	CISAD4***	1,103	70.000	CISAD4***
A4-44 Which of the following is MOST directly affected by network performance monitoring tools?	Integrity	Availability	Completeness	Confidentiality	b	Network monitoring tools allow observation of network performance and problems. This allows the administrator to take corrective action when network problems are observed. Therefore, the characteristic that is most directly affected by network monitoring is availability.	CISAD4***	1,104	182.000	CISAD4***
A4-45 When auditing the onsite archiving process of emails, the IS auditor should pay the MOST attention to:	The existence of a data retention policy	The storage capacity of the archiving solution	The level of user awareness concerning email use	The support and stability of the archiving solution manufacturer	a	Without a data retention policy that is aligned to the company's business and compliance requirements, the email archive may not preserve and reproduce the correct information when required.	CISAD4	1,105	17.000	CISAD4
A4-46 Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?	Assess the impact of patches prior to installation	Ask the vendors for a new software version with all fixes included	Install the security patch immediately	Decline to deal with these vendors in the future	a	The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. There are numerous cases where a patch from one vendor has affected other systems; therefore, it is necessary to test the patches as much as possible before rolling them out to the entire organization.	CISAD4	1,106	128.000	CISAD4
A4-47 Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?	Release-to-release source and object comparison reports	Library control software restricting changes to source code	Restricted access to source code and object code	Date and time-stamp reviews of source and object code	d	Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.	CISAD4***	1,107	19.000	CISAD4***
A4-48 A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:	With their named account to make the changes	With the shared DBA account to make the changes	To the server administrative account to make the changes	To the user's account to make the changes	a	Logging in using the named user account before using the database administrator (DBA) account provides accountability by noting the person making the changes.	CISAD4	1,108	95.000	CISAD4
A4-49 During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software?	The client did not pay for the open source software components	The organization and client must comply with open source software license terms	Open source software has security vulnerabilities	Open source software is unreliable for commercial use	b	There are many types of open source software licenses and each has different terms and conditions. Some open source software licensing allows use of the open source software component freely but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products could violate licensing terms by selling the product for profit. The IS auditor should be most concerned with open source software licensing compliance to avoid unintended intellectual property risk or legal consequences.	CISAD4	1,109	198.000	CISAD4
A4-50 An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?	Allow changes to be made only with the database administrator (DBA) user account	Make changes to the database after granting access to a normal user account	Use the DBA user account to make changes, log the changes and review the change log the following day	Use the normal user account to make changes, log the changes and review the change log the following day	c	The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. Because an abbreviated number of steps are used, this represents an adequate set of compensating controls.	CISAD4***	1,110	80.000	CISAD4***
A4-51 Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with change control procedures in an organization?	Review software migration records and verify approvals	Identify changes that have occurred and verify approvals	Review change control documentation and verify approvals	Ensure that only appropriate staff can migrate changes into production	b	The most effective method is to determine what changes have been made (check logs and modified dates) and then verify that they have been approved.	CISAD4***	1,111	4.000	CISAD4***
A4-52 When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied?	Transfer	Mitigation	Avoidance	Acceptance	b	A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan, it is a risk mitigation strategy.	CISAD4***	1,112	64.000	CISAD4***
A4-53 A programmer maliciously modified a production program to change data and then restored it back to the original code. Which of the following would MOST effectively detect the malicious activity?	Comparing source code	Reviewing system log files	Comparing object code	Reviewing executable and source code integrity	b	Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library.	CISAD4***	1,113	189.000	CISAD4***
A4-54 An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?	The interruption window	The recovery time objective	The service delivery objective	The recovery point objective	d	The recovery point objective (RPO) is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.	CISAD4	1,114	94.000	CISAD4
A4-55 The PRIMARY benefit of an IT manager monitoring technical capacity is to:	Identify the need for new hardware and storage procurement	Determine the future capacity need based on usage	Ensure that the service level requirements are met	Ensure that systems operate at optimal capacity	c	Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT.	CISAD4***	1,115	59.000	CISAD4***
A4-56 An IS auditor reviewing an organization's disaster recovery plan should PRIMARILY verify that it is:	Tested every six months	Regularly reviewed and updated	Approved by the chief executive officer	Communicated to every department head in the organization	b	The plan should be reviewed at appropriate intervals, depending on the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective.	CISAD4***	1,116	119.000	CISAD4***
A4-57 There are several methods of providing telecommunication continuity. The method of routing traffic through split-cable or duplicate cable facilities is called:	Alternative routing	Diverse routing	Long-haul network diversity	Last-mile circuit protection	b	Diverse routing routes traffic through split-cable facilities or duplicate-cable facilities. It can be accomplished with different and duplicate cable sheaths.	CISAD4***	1,117	105.000	CISAD4***
A4-58 Recovery procedures for an information processing facility are BEST based on:	Recovery time objective	Recovery point objective	Maximum tolerable outage	Information security policy	a	The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. The RTO is the desired recovery time frame based on maximum tolerable outage (MTO) and available recovery alternatives.	CISAD4***	1,118	12.000	CISAD4***
A4-59 An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff respond to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario?	Notify the local fire department of the alarm condition	Prepare to activate the fire suppression system	Ensure all persons in the data center are evacuated	Remove all backups from the data center	c	In an emergency, safety of life is always the first priority; therefore, the complete and orderly evacuation of the facility staff would be the most important activity.	CISAD4	1,119	147.000	CISAD4
A4-60 An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue?	Plan an audit of the cloud vendor	Review the vendor contract to determine its DR capabilities	Review an independent auditor's report of the cloud vendor	Request a copy of the DRP from the cloud vendor	b	DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives and recovery point objectives. Without the contractual language, the vendor is not required to provide DR services.	CISAD4	1,120	125.000	CISAD4
A4-61 An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern?	System administrators use shared accounts which never expire at the hot site	Disk space utilization data are not kept current	Physical security controls at the hot site are less robust than at the main site	Servers at the hot site do not have the same specifications as at the main site	b	Not knowing how much disk space is in use and, therefore, how much is needed at the disaster recovery site could create major issues in the case of a disaster.	CISAD4***	1,121	10.000	CISAD4***
A4-62 When reviewing system parameters, an IS auditor's PRIMARY concern should be that:	They are set to meet both security and performance requirements	Changes are recorded in an audit trail and periodically reviewed	Changes are authorized and supported by appropriate documents	Access to parameters in the system is restricted	a	The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control.	CISAD4***	1,122	72.000	CISAD4***
A4-63 An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:	Cold site	Warm site	Dial-up site	Duplicate processing facility	a	A cold site is ready to receive equipment but does not offer any components at the site in advance of the need.	CISAD4	1,123	160.000	CISAD4
A4-64 An optimized disaster recovery plan for an organization should:	Reduce the length of the recovery time and the cost of recovery	Increase the length of the recovery time and the cost of recovery	Reduce the duration of the recovery time and increase the cost of recovery	Not affect the recovery time or the cost of recovery	a	One of the objectives of a disaster recovery plan (DRP) is to reduce the duration and cost of recovering from a disaster.	CISAD4	1,124	101.000	CISAD4
A4-65 A disaster recovery plan for an organization's financial system specifies that the recovery point objective is zero and the recovery time objective is 72 hours. Which of the following is the MOST cost-effective solution?	A hot site that can be operational in eight hours with asynchronous backup of the transaction logs	Distributed database systems in multiple locations updated asynchronously	Synchronous remote copy of the data in a warm site that can be operational in 48 hours	Synchronous updates of the data and standby active systems in a hot site	c	The synchronous copy of the data storage achieves the RPO, and a warm site operational in 48 hours meets the required RTO.	CISAD4	1,125	59.000	CISAD4
A4-66 A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines. Which of the following would be the BEST contingency plan for the communications processor?	Reciprocal agreement with another organization	Alternate processor in the same location	Alternate processor at another network node	Duplex communication links	c	The unavailability of the central communications processor would disrupt all access to the banking network. Having a duplicate processor in another location that could be used for alternate processing is the best solution.	CISAD4	1,126	45.000	CISAD4
A4-67 Which of the following provides the BEST evidence of an organization's disaster recovery capability readiness?	A disaster recovery plan (DRP)	Customer references for the alternate site provider	Processes for maintaining the DRP	Results of tests and exercises	d	Only tests and exercises demonstrate the adequacy of the plans and provide reasonable assurance of an organization's disaster recovery capability readiness.	CISAD4	1,127	146.000	CISAD4
A4-68 An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored?	Change permissions to prevent DBAs from purging logs	Forward database logs to a centralized log server to which the DBAs do not have access	Require that critical changes to the database are formally approved	Back up database logs to tape	b	To protect the availability and integrity of the database logs, it is most feasible to forward the database logs to a centralized log server to which the DBAs do not have access.	CISAD4	1,128	134.000	CISAD4
A4-69 While performing a review of a critical third-party application, an IS auditor would be MOST concerned with discovering:	Inadequate procedures for ensuring adequate system portability	Inadequate operational documentation for the system	An inadequate alternate service provider listing	An inadequate software escrow agreement	d	The inclusion of a clause in the agreement that requires software code to be placed in escrow helps to ensure that the customer can continue to use the software and/or obtain technical support if a vendor were to go out of business.	CISAD4	1,129	121.000	CISAD4
A4-70 Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility?	Verify compatibility with the hot site	Review the implementation report	Perform a walk-through of the disaster recovery plan	Update the IT assets inventory	d	An IT assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure.	CISAD4	1,130	142.000	CISAD4
A4-71 Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit?	A hot site is contracted for and available as needed.	A business continuity manual is available and current.	Insurance coverage is adequate and premiums are current.	Data backups are performed timely and stored offsite	d	A hot site is important, but it is of no use if there are no data backups for it. A business continuity manual is advisable but not most important in a disaster recovery audit. Insurance coverage should be adequate to cover costs but is not as important as having the data backup. Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.	CISAD4	1,131	52.000	CISAD4
A4-72 Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements?	Benchmark test results	Server logs	Downtime reports	Server utilization data	d	Benchmark tests are designed to compare system performance using standardized criteria; however, benchmark testing does not provide the best data to ensure the optimal configuration of servers in an organization. A server log contains data showing activities performed on the server but does not contain the utilization data required to ensure the optimal configuration of servers. A downtime report identifies the elapsed time when a computer is not operating correctly because of machine failure but is not useful in determining optimal server configurations. Monitoring server utilization identifies underutilized servers and monitors overall server utilization. Underutilized servers do not provide the business with optimal cost-effectiveness. By monitoring server usage, IT management can take appropriate measures to raise the utilization ratio and provide the most effective return on investment.	CISAD4***	1,132	56.000	CISAD4***
A4-73 Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan's effectiveness?	Paper test	Post-test	Preparedness test	Walk-through	c	A paper test is a walk-through of the plan, involving major players, who attempt to determine what might happen in a particular type of service disruption in the plan's execution. A paper test usually precedes the preparedness test. A post-test is actually a test phase and is comprised of a group of activities such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems. A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments. A walk-through is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.	CISAD4***	1,133	28.000	CISAD4***
A4-74 While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be	Shadow file processing	Electronic vaulting	Hard-disk mirroring	Hot-site provisioning	a	In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files such as airline booking systems. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium, this is a method used by banks. This is not usually in real time as much as a shadow file system is. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.	CISAD4***	1,134	109.000	CISAD4***
A4-75 Which of the following is the BEST method for determining the criticality of each application system in the production environment?	Interview the application programmers.	Perform a gap analysis.	Review the most recent application audits.	Perform a business impact analysis.	d	Interviews with the application programmers will provide limited information related to the criticality of the systems. A gap analysis is relevant to system development and project management but does not determine application criticality. The audits may not contain the required information about application criticality or may not have been done recently. A business impact analysis (BIA) will give the impact of the loss of each application. A BIA is conducted with representatives of the business that can accurately describe the criticality of a system and its importance to the business.	CISAD4***	1,135	99.000	CISAD4***
A4-76 Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a post-implementation review?	The code was missed during the initial implementation.	The change did not have change management approval.	The error was discovered during the post-implementation review.	The release team used the same change order number.	b	Change management approval of changes mitigates the risk of unauthorized changes being introduced to the production environment. Unauthorized changes might result in disruption of systems or fraud. It is, therefore, imperative to ensure that each change has appropriate change management approval. Although missing a component of a release is indicative of a process deficiency, it is of more concern that the missed change was promoted into the production environment without management approval. Most release/change control errors are discovered during post-implementation review. It is of greater concern that the change was promoted without management approval after it was discovered. Using the same change order number is not a relevant concern.	CISAD4***	1,136	101.000	CISAD4***
A4-77 A hot site should be implemented as a recovery strategy when the:	disaster downtime tolerance is low.	recovery point objective is high.	recovery time objective is high.	maximum tolerable downtime is long.	a	Disaster downtime tolerance is the time gap during which the business can accept non-availability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot site, should be used. The recovery point objective (RPO) is the earliest point in time at which it is possible to recover the data. A high RPO means that the process would result in greater losses of data. A high recovery time objective means that additional time would be available for the recovery strategy, thus making other recovery alternatives such as warm or cold sites viable alternatives. If the maximum tolerable downtime is long, then a warm or cold site is a more cost-effective solution.	CISAD4***	1,137	76.000	CISAD4***
A4-78 In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy?	Disaster tolerance is high.	The recovery time objective is high.	The recovery point objective is low.	The recovery point objective is high.	c	Data mirroring is a data recovery technique, and disaster tolerance addresses the allowable time for an outage of the business. The recovery time objective (RTO) is an indicator of the disaster tolerance. Data mirroring addresses data loss, not the RTO. The recovery point objective (RPO) indicates the latest point in time at which it is possible to recover the data. This determines how often the data must be backed up to minimize data loss. If the RPO is low, then the organization does not want to lose much data and must use a process such as data mirroring to prevent data loss. If the RPO is high, then a less expensive backup strategy can be used; data mirroring should not be implemented as the data recovery strategy.	CISAD4***	1,138	108.000	CISAD4***
A4-79 Which of the following stakeholders is the MOST important in terms of developing a business continuity plan?	Process owners	Application owners.	The board of directors	IT management	a	Process owners are essential in identifying the critical business functions, recovery times and resources needed. A business continuity plan (BCP) is concerned with the continuity of business processes, while applications may or may not support critical business processes. The board of directors might approve the plan, but they are typically not involved in the details of developing the BCP. IT management will identify the IT resources, servers and infrastructure needed to support the critical business functions as defined by the business process owners.	CISAD4***	1,139	137.000	CISAD4***
A4-80 Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process?	Test a sample population of change requests	Test a sample of authorized changes	Interview personnel in charge of the change control process	Perform an end-to-end walk-through of the process	d	Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change controls process because people may know the process but not follow it. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.	CISAD4***	1,140	52.000	CISAD4***
A4-81 During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: Certified information CISA Star Auto	A. only systems administrators perform the patch process.	B. the client's change management process is adequate.	C. patches are validated using parallel testing in production.	D. an approval process of the patch, including a risk assessment, is developed.	b	The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly.	CISAD4***	1,141	137.000	CISAD4***
A4-82 A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future?	A. Improve regression test cases.	B. Activate audit trails for a limited period after release.	C. Conduct an application user access review	D. Ensure that developers do not have access to code after testing	d	To ensure proper segregation of duties, developers should be restricted to the development environment only. If code needs to be modified after user acceptance testing, the process must be restarted in development.	CISAD4***	1,142	112.000	CISAD4***
A4-83 An organization completed a business impact analysis as part of business continuity planning. The NEXT step in the process is to develop:	A. a business continuity strategy.	B. a test and exercise plan.	C. a user training program.	D. the business continuity plan (BCP).	a	A business continuity strategy is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover, and security must be considered during this phase.	CISAD4***	1,143	79.000	CISAD4***
A4-84 An IS auditor performing an application maintenance audit would review the log of program changes for the:	A. Authorization of program changes.	B. Creation date of a current object module.	C. Number of program changes actually made.	D. Creation date of a current source program.	a	The auditor wants to ensure that only authorized changes have been made to the application. The auditor would therefore review the log of program changes to verify that all changes have been approved.	CISAD4***	1,144	159.000	CISAD4***
A4-85 Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party?	A. The current service level agreement.	B. A recent independent third-party audit report.	C. The current business continuity plan procedures.	D. A recent disaster recovery plan test report.	b	An independent third-party audit report such as a Statements on Standards for Attestation Engagements 16 would provide assurance of the existence and effectiveness of internal controls at the third party.	CISAD4***	1,145	121.000	CISAD4***
A4-86 When reviewing a disaster recovery plan, an IS auditor should be MOST concerned with the lack of:	A. process owner involvement.	B. well-documented testing procedures.	C. an alternate processing facility.	D. a well-documented data classification scheme.	a	Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the disaster recovery plan. If the IS auditor determined that process owners were not involved, this would be a significant concern.	CISAD4***	1,146	96.000	CISAD4***
A4-87 An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement?	A. Overall number of users supported.	B. First call resolution rate.	C. Number of incidents reported to the help desk.	D. Number of agents answering the phones.	b	The first call resolution rate is a good way to measure the effectiveness of the supporting organization.	CISAD4	1,147	79.000	CISAD4
A4-88 Which of the following activities performed by a database administrator should be performed by a different person?	A. Deleting database activity logs.	B. Implementing database optimization tools.	C. Monitoring database usage.	D. Defining backup and recovery procedures.	a	Because database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role.	CISAD4	1,148	32.000	CISAD4
A4-89 Which of the following is the BEST reason for integrating the testing of non-critical systems in disaster recovery plans (DRPs) with business continuity plans (BCPs)?	A. To ensure that DRPs are aligned to the business impact analysis.	B. Infrastructure recovery personnel can be assisted by business subject matter experts.	C. BCPs may assume the existence of capabilities that are not in DRPs.	D. To provide business executives with knowledge of disaster recovery capabilities.	c	BCPs may assume the existence of capabilities that are not part of the DRPs, such as allowing employees to work from home during the disaster; however, IT may not have made sufficient provisions for these capabilities. While the noncritical systems are important, it is possible that they are not part of the DRPs. Therefore, DRP and BCP testing should be integrated.	CISAD4***	1,149	93.000	CISAD4***
A4-90 An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?	A. Log all table update transactions.	B. Implement before-and-after image reporting.	C. Use tracing and tagging.	D. Implement integrity constraints in the database.	d	Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, preventing any undefined data from being entered.	CISAD4	1,150	169.000	CISAD4
A4-91 An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the:	A. IT department implement control mechanisms to prevent unauthorized software installation.	B. Security policy be updated to include the specific language regarding unauthorized software.	C. IT department prohibit the download of unauthorized software.	D. Users obtain approval from an IS manager before installing nonstandard software.	b	Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue and provide authority for the IT department to implement technical controls.	CISAD4***	1,151	200.000	CISAD4***
The purpose of code signing is to provide assurance that:	the software has not been subsequently modified	the application can safely interface with another signed application	the signer of the application is trusted	the private key of the signer has not been compromised	a	Code signing ensures that the executable code came from a reputable source and has not been modified after being signed. B: The signing of code will not ensure that it will integrate with other applications. C: Code signing will provide assurance of the source but will not ensure that the source is trusted. The code signing will, however, ensure that the code has not been modified. D: The compromise of the sender's private key would result in a loss of trust and is not the purpose of code signing.	CISAD4	1,152	131.000	CISAD4
An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated?	Consistency	Isolation	Durability	Atomicity	d	A: Consistency ensures that the database is in a proper state when the transaction begins and ends and that the transaction has not violated integrity rules. B: Isolation means that, while in an intermediate state, the transaction data are invisible to external operations. This prevents two transactions from attempting to access the same data at the same time. C: Durability guarantees that a successful transaction will persist and cannot be undone. D: Atomicity guarantees that either the entire transaction is processed or none of it is.	CISAD4***	1,153	22.000	CISAD4***
Responsibility and reporting lines cannot always be established when auditing automated systems because:	diversified control makes ownership irrelevant	staff traditionally changes jobs with greater frequency	ownership is difficult to establish where resources are shared	duties change frequently in the rapid development of technology	c	A: Ownership is required to ensure that someone has responsibility for the secure and proper operation of a system and the protection of data. B: The movement of staff is not a serious issue because the responsibility should be linked to a job description, not an individual. C: The actual data and/or application owner may be hard to establish because of the complex nature of both data and application systems and many systems support more than one business department. D: Duties may change frequently, but that does not absolve the organization of having a declared owner for systems and data.	CISAD4***	1,154	24.000	CISAD4***
Which of the following distinguishes a business impact analysis from a risk assessment?	An inventory of critical assets	An identification of vulnerabilities	A listing of threats	A determination of acceptable downtime	d	A: An inventory of critical assets is completed in both a risk assessment and a business impact analysis (BIA). B: An identification of vulnerabilities is relevant in both a risk assessment and a BIA. C: A listing of threats is relevant both in a risk assessment and a BIA. D: A determination of acceptable downtime is made only in a BIA.	CISAD4***	1,155	86.000	CISAD4***
When reviewing a hardware maintenance program, an IS auditor should assess whether:	the schedule of all unplanned maintenance is maintained	it is in line with historical trends	it has been approved by the IS steering committee	the program is validated against vendor specifications	d	A: Unplanned maintenance cannot be scheduled. B: Hardware maintenance programs do not necessarily need to be in line with historic trends. C: Maintenance schedules normally are not approved by the steering committee. D: Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications.	CISAD4***	1,156	63.000	CISAD4***
An IS auditor should recommend the use of library control software to provide reasonable assurance that:	program changes have been authorized	only thoroughly tested programs are released	modified programs are automatically moved to production	source and executable code integrity is maintained	a	A: Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. B: Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. C: Programs should not be moved automatically into production without proper authorization. D: Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.	CISAD4***	1,157	190.000	CISAD4***
Which of the following would help to ensure the portability of an application connected to a database?	Verification of database import and export procedures	Usage of a Structured Query Language	Analysis of stored procedures/triggers	Synchronization of the entity-relation model with the database physical schema	b	A: Verification of import and export procedures with other systems ensures better interfacing with other systems but does not contribute to the portability of an application connecting to a database. B: The use of Structured Query Language facilitates portability because it is an industry standard used by many systems. C: Analyzing stored procedures/triggers ensures proper access/performance but does not contribute to the portability of an application connecting to a database. D: Reviewing the design entity-relation model will be helpful but does not contribute to the portability of an application connecting to a database.	CISAD4	1,158	151.000	CISAD4
Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend?	Develop a baseline and monitor system usage	Define alternate processing procedures	Prepare the maintenance manual	Implement the changes users have suggested	a	A: An IS auditor should recommend the development of a performance baseline and monitor the system's performance against the baseline to develop empirical data upon which decisions for modifying the system can be made. B: Alternate processing procedures will not alter a system's performance, and no changes should be made until the reported issue has been examined more thoroughly. C: A maintenance manual will not alter a system's performance or address the user concerns. D: Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system.	CISAD4	1,159	61.000	CISAD4
The PRIMARY objective of service-level management is to:	define, agree on, record and manage the required levels of service	ensure that services are managed to deliver the highest achievable level of availability	keep the costs associated with any service at a minimum	monitor and report any legal noncompliance to business management	a	A: The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. B: SLM does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. C: SLM cannot ensure that costs for all services will be kept at a low or minimum level because costs associated with a service will directly reflect the customer's requirements. D: Monitoring and reporting legal noncompliance is not a primary objective of SLM.	CISAD4***	1,160	184.000	CISAD4***
Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan?	The plan is approved by the chief information officer	The plan contact lists have not been updated	Test results are not adequately documented	The training schedule for recovery personnel is not included	c	A: Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the chief information officer. Pragmatically, lack of documenting test results could have more significant consequences. B: The contact lists are an important part of the business continuity plan (BCP); however, they are not as important as documenting the test results. C: The effectiveness of a BCP can best be determined through tests. If results of tests are not documented, then there is no basis for feedback, updates, etc. D: If test results are documented, a need for training will be identified and the BCP will be updated.	CISAD4***	1,161	200.000	CISAD4***
Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?	Manually copy files to accomplish replication	Review changes in the software version control system	Ensure that developers do not have access to the backup server	Review the access control log of the backup server	b	A: Even if replication is conducted manually with due care, there still remains a risk to copying unauthorized software from one server to another. B: It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system program will prevent the transfer of development or earlier versions. C: If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. D: Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.	CISAD4***	1,162	18.000	CISAD4***
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:	apply the patch according to the patch's release notes	ensure that a good change management process is in place	thoroughly test the patch before sending it to production	approve the patch after doing a risk assessment	b	A: The IS auditor should not apply the patch. That is an administrator responsibility. B: An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. C: The testing of the patch is the responsibility of the development or production support team, not the auditor. D: The IS auditor is not authorized to approve a patch. That is a responsibility of a steering committee.	CISAD4	1,163	115.000	CISAD4
During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that:	the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed	there is no way of reconstructing the lost information, except by deleting the dangling tuples and reentering the transactions	the database will immediately stop execution and lose more information	the database will no longer accept input data	a	A: When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. Normally, this will cause the system to undertake a sequential search and slow down the processing. If the concerned files are big, this slowdown will be unacceptable. This is a violation of referential integrity. B: A system can recover the corrupted external key by re-indexing the table. C: The corruption of a foreign key will not stop program execution. D: The corruption of a foreign key will not affect database input.	CISAD4	1,164	196.000	CISAD4
In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?	Foreign key	Primary key	Secondary key	Public key	a	A: In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. B: It should not be possible to delete a row from a customer table when the customer number (primary key) of that row is stored with live orders on the orders table (the foreign key to the customer table). A primary key works in one table so it is not able to provide/ensure referential integrity by itself. C: Secondary keys that are not foreign keys are not subject to referential integrity checks. D: A public key is related to encryption and not linked in any way to referential integrity.	CISAD4***	1,165	154.000	CISAD4***
The PRIMARY objective of testing a business continuity plan is to:	familiarize employees with the business continuity plan	ensure that all residual risk is addressed	exercise all possible disaster scenarios	identify limitations of the business continuity plan	d	A: Familiarizing employees with the business continuity plan is a secondary benefit of a test. B: It is not cost-effective to address all residual risk in a business continuity plan. C: It is not practical to test all possible disaster scenarios. D: Testing the business continuity plan provides the best evidence of any limitations that may exist.	CISAD4	1,166	57.000	CISAD4
An IS auditor examining the security configuration of an operating system should review the:	transaction logs	authorization tables	parameter settings	routing tables	c	A: Transaction logs are used to track and analyze transactions related to an application or system interface, but that is not the primary source of audit evidence in an operating system audit. B: Authorization tables are used to verify implementation of logical access controls and will not be of much help when reviewing control features of an operating system. C: Configuration parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload and control environment. Improper implementation and/or monitoring of operating systems can result in undetected errors and corruption of the data being processed, as well as lead to unauthorized access and inaccurate logging of system usage. D: Routing tables do not contain information about the operating system and, therefore, provide no information to aid in the evaluation of controls.	CISAD4***	1,167	39.000	CISAD4***
A4-108 During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?	Staging and job setup	Supervisory review of logs	Regular backup of tapes	Offsite storage of tapes	c	Configuration parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload and control environment. Improper implementation and/or monitoring of operating systems can result in undetected errors and corruption of the data being processed, as well as lead to unauthorized access and inaccurate logging of system usage.	CISAD4***	1,168	196.000	CISAD4***
A4-109 While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:	recommend the use of disk mirroring	review the adequacy of offsite storage	review the capacity management process	recommend the use of a compression algorithm	c	Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. This will look at capacity from a strategic viewpoint and allow a plan to forecast and purchase additional equipment in a planned manner.	CISAD4***	1,169	119.000	CISAD4***
A4-110 Which of the following is the GREATEST risk of an organization using reciprocal agreements for disaster recovery between two business units?	Both entities are vulnerable to the same incident	The documents contain legal deficiencies	IT systems are not identical	One party has more frequent disruptions than the other	a	Inadequate agreements between two business units is a risk, but generally a lesser one than the risk that both organizations will suffer a disaster at the same time. The use of reciprocal disaster recovery is based on the probability that both organizations will not suffer a disaster at the same time.	CISAD4***	1,170	11.000	CISAD4***
A4-111 In determining the acceptable time period for the resumption of critical business processes:	only downtime costs need to be considered	recovery operations should be analyzed	both downtime costs and recovery costs need to be evaluated	indirect downtime costs should be ignored	c	Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis should be a recovery strategy that represents the optimal balance.	CISAD4	1,171	108.000	CISAD4
A4-112 To verify that the correct version of a data file was used for a production run, an IS auditor should review:	operator problem reports	operator work schedules	system logs	output distribution reports	c	System logs are automated reports which identify most of the activities performed on the computer. The IS auditor can then carry out tests to ensure that the correct file version was used for a production run.	CISAD4***	1,172	146.000	CISAD4***
A4-113 The BEST audit procedure to determine if unauthorized changes have been made to production code is to:	examine the change control system records and trace them forward to object code files	review access control permissions operating within the production program libraries	examine object code to find instances of changes and trace them back to change control records	review change approval designations established within the change control system	c	The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes.	CISAD4***	1,173	30.000	CISAD4***
A4-114 When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:	recommend that the database be normalized	review the conceptual data model	review the stored procedures	review the justification	a	If the database is not normalized, the IS auditor should review the justification because, in some situations, denormalization is recommended for performance reasons.	CISAD4***	1,174	16.000	CISAD4***
A4-115 Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit?	Data backups are performed on a timely basis	A recovery site is contracted for and available as needed	Human safety procedures are in place	Insurance coverage is adequate and premiums are current	c	The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.	CISAD4	1,175	96.000	CISAD4
A4-116 The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?	Rewrite the patches and apply them	Review the code and application of available patches	Develop in-house patches	Identify and test suitable patches before applying them	d	Suitable patches from the existing developers should be selected and tested before applying them.	CISAD4	1,176	98.000	CISAD4
A4-117 During the audit of a database server, which of the following would be considered the GREATEST exposure?	The password on the administrator account does not expire	Default global security settings for the database remain unchanged	Old data have not been purged	Database activity is not fully logged	b	Default security settings for the database could allow issues such as blank user passwords or passwords that were the same as the username.	CISAD4***	1,177	83.000	CISAD4***
A4-118 An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?	Commands typed on the command line are logged	Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs	Access to the operating system command line is granted through an access restriction tool with preapproved rights	Software development tools and compilers have been removed from the production environment	b	The matching of hash keys over time would allow detection of changes to files.	CISAD4***	1,178	55.000	CISAD4***
A4-119 A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application?	Preventing the compromise of the source code during the implementation process	Ensuring that vendor default accounts and passwords have been disabled	Removing the old copies of the program from escrow to avoid confusion	Verifying that the vendor is meeting support and maintenance agreements	b	Disabling vendor default accounts and passwords is a critical part of implementing a new application.	CISAD4***	1,179	48.000	CISAD4***
A4-120 The MAIN criterion for determining the severity level of a service disruption incident is:	Cost of recovery	Negative public opinion	Geographic location	Downtime	d	The longer the period of time a client cannot be serviced, the greater the severity (impact) of the incident.	CISAD4	1,180	73.000	CISAD4
A4-121 Doing which of the following during peak production hours could result in unexpected downtime?	Performing data migration or tape backup	Performing preventive maintenance on electrical systems	Promoting applications from development to the staging environment	Reconfiguring a standby router in the data center	b	Preventive maintenance activities should be scheduled for non-peak times of the day, and preferably during a maintenance window time period.	CISAD4***	1,181	78.000	CISAD4***
A4-122 During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?	Postpone the audit until the agreement is documented.	Report the existence of the undocumented agreement to senior management.	Draft a service level agreement for the two departments.	Confirm the content of the agreement with both departments.	c	An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties agree with the terms of the agreement. Drafting a service level agreement is not the IS auditor's responsibility.	CISAD4***	1,182	85.000	CISAD4***
A4-123 A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of:	concurrent access	deadlocks	unauthorized access to data.	a loss of data integrity.	d	Denormalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity.	CISAD4	1,183	79.000	CISAD4
A4-124 Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?	Change management	Backup and recovery	Incident management	Configuration management	d	The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return.	CISAD4***	1,184	173.000	CISAD4***
A4-125 An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered:	Change management	Backup and recovery	Configuration management	Incident management	c	The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return.	CISAD4***	1,185	158.000	CISAD4***
A4-126 The BEST method for assessing the effectiveness of a business continuity plan is to review the:	plans and compare them to appropriate standards.	results from previous tests.	emergency procedures and employee training	offsite storage and environmental controls.	b	Previous test results will provide evidence of the effectiveness of the business continuity plan.	CISAD4	1,186	144.000	CISAD4
A4-127 With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:	clarity and simplicity of the business continuity plans.	adequacy of the business continuity plans.	effectiveness of the business continuity plans.	ability of IS and end-user personnel to respond effectively in emergencies.	a	The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards and the results of tests of the plan. To evaluate effectiveness, the IS auditor should review the results from previous tests or incidents. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization has implemented plans to allow	CISAD4***	1,187	115.000	CISAD4***
A4-128 During the design of a business continuity plan, the business impact analysis identifies critical processes and supporting applications. This will PRIMARILY influence the:	responsibility for maintaining the business continuity plan.	criteria for selecting a recovery site provider.	recovery strategy.	responsibilities of key personnel.	a	The responsibility for maintaining the business continuity plan is decided after the selection or design of the appropriate recovery strategy and development of the plan. The criteria for selecting a recovery site provider are decided after the selection or design of the appropriate recovery strategy. The most appropriate strategy is selected based on the relative risk level, time lines and criticality identified in the business impact analysis. The responsibilities of key personnel are decided after the selection or design of the appropriate recovery strategy during the plan development phase.	CISAD4***	1,188	132.000	CISAD4***
A4-129 During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:	assessment of the situation may be delayed.	execution of the disaster recovery plan could be impacted.	notification of the teams might not occur.	potential crisis recognition might be delayed.	a	Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis.	CISAD4***	1,189	87.000	CISAD4***
A4-130 An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?	Review and evaluate the business continuity plan for adequacy	Perform a full simulation of the business continuity plan	Train and educate employees regarding the business continuity plan	Notify critical contacts in the business continuity plan	a	The business continuity plan should be reviewed every time a risk assessment is completed for the organization.	CISAD4	1,190	93.000	CISAD4
A4-131 Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?	Authentication controls	Data normalization controls	Read/write access log controls	Commitment and rollback controls	d	Commitment and rollback controls are directly relevant to integrity, ensuring that database operations are completed entirely or not at all, maintaining transactional integrity.	CISAD4***	1,191	191.000	CISAD4***
A4-132 An IS auditor finds that the data warehouse query performance decreases significantly at certain times of the day. Which of the following controls would be MOST relevant for the IS auditor to review?	Permanent table-space allocation	Commitment and rollback controls	User spool and database limit controls	Read/write access log controls	c	User spool and database limit controls restrict the space available for queries, preventing excessive resource consumption and optimizing query performance during peak times.	CISAD4	1,192	93.000	CISAD4
A4-133 In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?	Approve and document the change the next business day.	Limit developer access to production to a specific time frame.	Obtain secondary approval before releasing to production.	Disable the compiler option in the production machine.	a	Allowing emergency changes with subsequent documentation balances speed with accountability, mitigating risks effectively.	CISAD4***	1,193	129.000	CISAD4***
A4-134 Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:	all threats can be completely removed.	a cost-effective, built-in resilience can be implemented.	the recovery time objective can be optimized.	the cost of recovery can be minimized.	b	Prioritizing built-in resilience in the initial stages ensures proactive risk management and effective disaster recovery preparedness.	CISAD4***	1,194	56.000	CISAD4***
A4-135 An IS auditor determined that the IT manager recently changed the vendor responsible for maintenance, altering incident resolution times. Which of the following should concern the IS auditor the MOST?	Disaster recovery plans may be invalid and need to be revised.	Transactional business data may be lost in system failure.	The new maintenance vendor is unfamiliar with organization policies.	Application owners were not informed of the change.	d	Lack of communication with application owners poses the greatest risk to business continuity and operational stability.	CISAD4	1,195	29.000	CISAD4
A4-136 In the event of a data center disaster, which strategy would be the MOST appropriate to ensure complete recovery of a critical database?	Daily data backup to tape and storage at a remote site	Real-time replication to a remote site	Hard disk mirroring to a local server	Real-time data backup to the local storage area network	b	Real-time replication maintains data integrity across locations, ensuring immediate access to critical data in disaster scenarios.	CISAD4	1,196	33.000	CISAD4
A4-137 If the recovery time objective increases:	the disaster tolerance increases.	the cost of recovery increases.	a cold site cannot be used.	the data backup frequency increases.	a	A longer recovery time objective enhances disaster tolerance, allowing more time for recovery before critical operations are impacted.	CISAD4	1,197	56.000	CISAD4
A4-138 Due to changes in IT, the disaster recovery plan of a large organization has been altered. What is the PRIMARY risk if the new plan is not tested?	Catastrophic service interruption	High consumption of resources	Total cost of recovery may not be minimized	Users and recovery teams may face severe difficulties when activating the plan	a	Lack of testing increases the risk of service disruptions, potentially leading to severe operational impacts.	CISAD4***	1,198	160.000	CISAD4***
A4-139 When developing a disaster recovery plan, what should determine the acceptable downtime?	Annual loss expectancy	Service delivery objective	Quantity of orphan data	Maximum tolerable outage	d	The maximum tolerable outage sets the acceptable downtime, ensuring operational continuity within defined limits.	CISAD4	1,199	48.000	CISAD4
A4-140 During the review of an enterprise's preventive maintenance process, what is MOST important for the IS auditor to verify regarding maintenance activities?	has performed background checks on all service personnel.	escorts service personnel at all times when performing their work.	performs maintenance during noneritical proccssing times.	independently verifies that maintenance is being performed.	c	The biggest risk to normal operations in a data center would be if an incident or mishap were to happen during critical peak processing times; therefore, it would be prudent to ensure that no type of system maintenance be performed at these critical times.	CISAD4	1,200	106.000	CISAD4
A4-141 Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective?	Virtual tape libraries	Disk-based snapshots	Continuous data backup	Disk-to-tape backup	c	Continuous data backup provides real-time data protection, meeting the requirement for granular restore points without significant data loss.	CISAD4	1,201	164.000	CISAD4
A4-142 A lower recovery time objective results in:	higher disaster tolerance	higher cost	wider interruption windows	more permissive data loss	b	Lower RTO implies quicker recovery, which often requires more expensive, resource-intensive strategies to minimize downtime effectively.	CISAD4***	1,202	153.000	CISAD4***
A4-143 During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities, impacting business SLA compliance. What is the GREATEST concern?	The support model was not approved by senior management	The incident resolution time specified in the SLA is not realistic	There are inadequate resources to support the applications	The support model was not properly developed and implemented	d	Proper development and implementation of the support model ensures incidents are managed effectively, preventing significant business impacts.	CISAD4	1,203	28.000	CISAD4
A4-144 What is the BEST backup strategy for a large database supporting online sales?	Weekly full backup with daily incremental backup	Daily full backup	Clustered servers	Mirrored hard disks	d	Mirrored hard disks provide redundancy crucial for data integrity in real-time transaction environments like online sales.	CISAD4	1,204	194.000	CISAD4
A4-145 An IS auditor notes that an organization's BCP does not adequately address information confidentiality during the recovery process. What should be recommended?	The level of information security required during business recovery procedures	Information security roles and responsibilities in crisis management	Information security resource requirements	Change management procedures for information security affecting BCP	a	Specifying information security levels during recovery ensures confidentiality aligns with operational needs under crisis conditions.	CISAD4	1,205	61.000	CISAD4
A4-146 During a disaster recovery test, the IS auditor finds the performance of the disaster recovery site's server to be slow. What should the IS auditor FIRST review?	Event error log generated at the disaster recovery site	Disaster recovery plan	Configurations and alignment of primary and disaster recovery sites	Disaster recovery test plan	c	Reviewing configurations and alignment identifies potential causes of slow server performance, ensuring effective disaster recovery site operations.	CISAD4***	1,206	70.000	CISAD4***
A4-147 What is the GREATEST risk when storage growth in a critical file server is not managed properly?	Backup time would steadily increase	Backup operational costs would significantly increase	Storage operational costs would significantly increase	Server recovery work may not meet the recovery time objective	d	Improperly managed storage growth can delay server recovery, potentially failing to meet critical recovery time objectives essential for business continuity.	CISAD4	1,207	121.000	CISAD4
A4-148 An organization has a business process with a recovery time objective of zero and a recovery point objective close to one minute. This implies that the process can tolerate:	a data loss of up to one minute, but processing must be continuous	a one-minute processing interruption but no data loss	a processing interruption of one minute or more	both data loss and a processing interruption longer than one minute	a	Zero RTO indicates continuous operation tolerance, while a one-minute RPO allows minimal data loss during disruptions.	CISAD4	1,208	161.000	CISAD4
A4-149 What is the GREATEST concern during an IT disaster recovery test?	Limited test time window for essential systems	Defective backup systems causing test failures	Lengthy procedures to shut down and secure the original site	Dependence on the same employees for test execution	b	Defective backup systems undermine test validity, jeopardizing reliable disaster recovery readiness.	CISAD4***	1,209	73.000	CISAD4***
A4-150 What should be frequently updated to ensure the effectiveness of a disaster recovery plan?	Contact information of key personnel	Server inventory documentation	Individual roles and responsibilities	Procedures for declaring a disaster	a	Updated contact information ensures key personnel availability, crucial for implementing and managing effective disaster recovery operations.	CISAD4***	1,210	163.000	CISAD4***
A4-151 A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the system and the IT operations team can sustain operations in the emergency environment.	System and the IT operations team can sustain operations in the emergency environment	Resources and the environment could sustain the transaction load	Connectivity to the applications at the remote site meets response time requirements	Workflow of actual business operations can use the emergency system in case of a disaster	a	The applications have been operated intensively, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested.	CISAD4	1,211	115.000	CISAD4
A4-152 Which of the following is the MOST important consideration when defining recovery point objectives?	Minimum operating requirements	Acceptable data loss	Mean time between failures	Acceptable time for recovery	b	Recovery point objectives are the level of data loss/reworking an organization is willing to accept. Mean time between failures helps define likelihood of system failure.	CISAD4***	1,212	138.000	CISAD4***
A4-153 To address an organization's disaster recovery requirements, backup intervals should not exceed the:	Service level objective	Recovery time objective	Recovery point objective	Maximum acceptable outage	c	Recovery point objective defines the point in time to which data must be restored after a disaster to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame.	CISAD4***	1,213	54.000	CISAD4***
A4-154 The FIRST step in the execution of a problem management mechanism should be:	Issue analysis	Exception ranking	Exception reporting	Root cause analysis	d	Root cause analysis is performed once the exceptions have been identified and is not normally the first part of problem management.	CISAD4	1,214	128.000	CISAD4
A4-155 Which of the following would BEST support 24/7 availability?	Daily backup	Offsite storage	Mirroring	Periodic testing	c	Mirroring of critical elements is a tool that facilitates immediate (failover) recoverability.	CISAD4	1,215	17.000	CISAD4
A4-156 The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:	Achieve performance improvement	Provide user authentication	Ensure availability of data	Ensure the confidentiality of data	c	RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk, ensuring the availability of data.	CISAD4	1,216	90.000	CISAD4
A4-157 Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files?	Physically separated from the data center and not subject to the same risk	Given the same level of protection as that of the computer data center	Outsourced to a reliable third party	Equipped with surveillance capabilities	a	It is important that there is an offsite storage location for IS files and that it is in a location not subject to the same risk as the primary data center.	CISAD4	1,217	118.000	CISAD4
A4-158 If a database is restored using before-image dumps, where should the process begin following an interruption?	Before the last transaction	After the last transaction	As the first transaction after the latest checkpoint	As the last transaction before the latest checkpoint	a	If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken.	CISAD4***	1,218	86.000	CISAD4***
A4-159 In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?	Maintaining system software parameters	Ensuring periodic dumps of transaction logs	Ensuring grandfather-father-son file backups	Maintaining important data at an offsite location	b	Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historic data for online systems.	CISAD4***	1,219	53.000	CISAD4***
A4-160 Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan?	Preparedness tests	Paper tests	Full operational tests	Actual service disruption	a	Preparedness tests involve simulation of the entire environment (in phases) at relatively low cost and help the team to better understand and prepare for the actual test scenario.	CISAD4	1,220	142.000	CISAD4
A4-161 Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:	database integrity checks.	validation checks.	input controls.	database commits and rollbacks.	d	Database commits ensure that the data are saved after the transaction processing is completed. Rollback ensures that the processing that has been partially completed as part of the transaction is reversed back and not saved if the entire transaction does not complete successfully.	CISAD4	1,221	34.000	CISAD4
A4-162 Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?	Validated daily backups	Change management procedures	Data dictionary maintenance	A read-only restriction	d	Because most data in a data warehouse are historic and do not need to be changed, applying read-only restrictions prevents data manipulation.	CISAD4***	1,222	31.000	CISAD4***
A4-163 Which of the following ensures the availability of transactions in the event of a disaster?	Send hourly tapes containing transactions offsite.	Send daily tapes containing transactions offsite.	Capture transactions to multiple storage devices.	Transmit transactions offsite in real time.	d	The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility.	CISAD4	1,223	27.000	CISAD4
A4-164 IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:	upgrading to a level 5 RAID.	increasing the frequency of onsite backups.	reinstating the offsite backups.	establishing a cold site in a secure location.	c	A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups.	CISAD4***	1,224	180.000	CISAD4***
A4-165 In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations?	Physical security measures	Total number of subscribers	Number of subscribers permitted to use a site at one time	References by other users	c	The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers.	CISAD4	1,225	182.000	CISAD4
A4-166 Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement for the availability of outsourced telecommunication services?	Downtime reports on the telecommunication services generated by the ISP	A utilization report of automatic failover services generated by the enterprise	A bandwidth utilization report provided by the ISP	Downtime reports on the telecommunication services generated by the enterprise	d	The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP.	CISAD4***	1,226	97.000	CISAD4***
A4-167 Integrating the business continuity plan into IT project management aids in:	the testing of the business continuity requirements.	the development of a more comprehensive set of requirements.	the development of a transaction flowchart.	ensuring the application meets the user's needs.	b	Integrating the BCP into the development process ensures complete coverage of the requirements through each phase of the project.	CISAD4***	1,227	112.000	CISAD4***
A4-168 An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?	Ensure that audit trails are accurate and specific.	Ensure that personnel have adequate training.	Ensure that personnel background checks are performed for critical personnel.	Ensure that supervisory approval and review are performed for critical changes.	d	Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.	CISAD4	1,228	30.000	CISAD4
A4-169 An IS auditor observed that multiple applications are hosted on the same server. The recovery time objective (RTO) for the server will be:	based on the application with the longest RTO.	based on the application with the shortest RTO.	based on the mean of each application's RTO.	independent of the RTO and based on the criticality of the application.	b	When several applications are hosted on a server, the server's RTO must be determined by taking the RTO of the most critical application, which is the shortest RTO.	CISAD4***	1,229	196.000	CISAD4***
A4-170 During an application audit, the IS auditor finds several problems related to corrupt data in the database. Which of the following is a corrective control that the IS auditor should recommend?	Define the standards, and closely monitor them for compliance.	Ensure that only authorized personnel can update the database.	Establish controls to handle concurrent access problems.	Proceed with restore procedures.	d	D. Proceeding with restore procedures is a corrective control. Restore procedures can be used to recover databases to their last-known archived version. A, B, and C are preventive or detective controls.	CISAD4	1,230	148.000	CISAD4
A4-171 Which of the following scenarios provides the BEST disaster recovery plan to implement for critical applications?	Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center	Daily data backups that are stored onsite in a fireproof safe	Real-time data replication between the main data center and the hot site located 500 meters from the main site	Daily data backups that are stored offsite with a warm site located 70 kilometers from the main data center	a	A. Of the given choices, this is the most suitable answer. The disaster recovery plan includes a hot site that is located sufficiently away from the main data center and will allow recovery in the event of a major disaster. Not having real-time backups may be a problem depending on recovery point objective (RPO).	CISAD4***	1,231	124.000	CISAD4***
A4-172 Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster?	Members of the recovery team were available.	Recovery time objectives were met.	Inventory of backup tapes was properly maintained.	Backup tapes were completely restored at an alternate site.	b	B. The effectiveness of backup and restore procedures is best ensured by recovery time objectives (RTOs) being met because these are the requirements that are critically defined during the business impact analysis stage, with the inputs and involvement of all business process owners.	CISAD4	1,232	173.000	CISAD4
A4-173 Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)?	Warm site	Hot site	Cold site	Mobile recovery site	c	C. Sensitive systems having a high RTO can be performed manually at a tolerable cost for an extended period of time. The cold site would be the most cost-effective solution for such a system.	CISAD4***	1,233	190.000	CISAD4***
A4-174 Which of the following should an incident response team address FIRST after a major incident in an information processing facility?	Restoration at the facility	Documentation of the facility	Containment at the facility	Monitoring of the facility	c	C. The first priority (after addressing life safety) is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation.	CISAD4	1,234	57.000	CISAD4
A4-175 An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST:	draft an audit finding and discuss it with the auditor in charge.	determine the sensitivity of the information on the hard drives.	discuss with the IT manager good practices in data disposal.	develop an appropriate data disposal policy for the enterprise.	b	B. Even though a policy is not available, the IS auditor should determine the nature of the information on the hard drives to quantify, as much as possible, the risk.	CISAD4	1,235	97.000	CISAD4
A4-176 An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important?	Review the request for proposal.	Review monthly performance reports generated by the ISP.	Review the service level agreement.	Research other clients of the ISP.	c	C. A service level agreement provides the basis for an adequate assessment of the degree to which the provider is meeting the level of agreed-on service.	CISAD4	1,236	114.000	CISAD4
A4-177 During an audit of a small enterprise, the IS auditor noted that the IS director has superuser privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?	Implement a properly documented process for application role change requests.	Hire additional staff to provide a segregation of duties for application role changes.	Implement an automated process for changing application roles.	Document the current procedure in detail and make it available on the enterprise intranet.	a	A. The IS auditor should recommend implementation of processes that could prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application.	CISAD4	1,237	140.000	CISAD4
A4-178 While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:	the salvage team is trained to use the notification system.	the notification system provides for the recovery of the backup.	redundancies are built into the notification system.	the notification systems are stored in a vault.	c	C. If the notification system has been severely impacted by the damage, redundancy would be the best control.	CISAD4	1,238	35.000	CISAD4
A4-179 To ensure structured disaster recovery, it is MOST important that the business continuity plan and disaster recovery plan are:	stored at an alternate location.	communicated to all users.	tested regularly.	updated regularly.	c	C. If the BCP is tested regularly, the BCP and disaster recovery plan team is adequately aware of the process and that helps in structured disaster recovery.	CISAD4***	1,239	188.000	CISAD4***
A4-180 The PRIMARY purpose of a business impact analysis is to:	define recovery strategies.	identify the alternate site.	improve recovery testing.	calculate the annual loss expectancy.	a	A. One of the primary outcomes of a business impact analysis (BIA) is the recovery time objective and the recovery point objective, which help in defining the recovery strategies.	CISAD4	1,240	72.000	CISAD4
A4-181 Which of the following BEST helps define disaster recovery strategies?	Annual loss expectancy and exposure factor	Maximum tolerable downtime and data loss	Existing server and network redundancies	Data backup and offsite storage requirements	b	B. One of the key outcomes of the business impact analysis is the recovery time objective (RTO) and recovery point objective (RPO) maximum tolerable downtime and data loss that further help in identifying the recovery strategies.	CISAD4	1,241	55.000	CISAD4
A4-182 After a disaster declaration, the media creation date at a warm recovery site is based on the:	recovery point objective.	recovery time objective.	service delivery objective.	maximum tolerable outage.	a	A. The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored or the RPO.	CISAD4***	1,242	149.000	CISAD4***
A4-183 The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:	duration of the outage.	type of outage.	probability of the outage.	cause of the outage.	a	A. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.	CISAD4***	1,243	157.000	CISAD4***
A4-184 During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern?	Restoration testing for backup media is not performed; however, all data restore requests have been successful.	The policy for data backup and retention has not been reviewed by the business owner for the past three years.	The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.	Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.	c	C. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider.	CISAD4***	1,244	129.000	CISAD4***
Determining the service delivery objective should be based PRIMARILY on:	the minimum acceptable operational capability.	the cost-effectiveness of the restoration process.	meeting the recovery time objective.	the allowable interruption window.	a	The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.	CISAD4***	1,245	135.000	CISAD4***
An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when:	test systems run different configurations than do production systems.	change management records are paper based.	the configuration management database is not maintained.	the test environment is installed on the production server.	c	The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational company could result in incorrect approvals being obtained or leave out critical dependencies during the test phase.	CISAD4***	1,246	179.000	CISAD4***
An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the:	alignment of the BCP with industry good practices.	results of business continuity tests performed by IS and end-user personnel.	offsite facility, its contents, security and environmental controls.	annual financial cost of the BCP activities versus the expected benefit of the implementation of the plan.	b	The effectiveness of the BCP can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives.	CISAD4	1,247	115.000	CISAD4
It is MOST appropriate to implement an incremental backup scheme when:	there is limited recovery time for critical data.	online disk-based media are preferred.	there is limited media capacity.	a random selection of backup sets is required.	c	In an incremental backup, after the full backup, only the files that have changed are backed up, thus minimizing media storage.	CISAD4	1,248	178.000	CISAD4
Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative?	Perform disaster recovery exercises annually.	Ensure that partnering organizations are separated geographically.	Regularly perform a business impact analysis.	Select a partnering organization with similar systems.	b	If the two partnering organizations are in close geographic proximity, this could lead to both organizations being subjected to the same environmental disaster, such as an earthquake.	CISAD4***	1,249	27.000	CISAD4***
During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a:	user raises a change request and tests it in the test environment.	programmer codes a change in the development environment and tests it in the test environment.	manager approves a change request and then reviews it in production.	manager initiates a change request and subsequently approves it.	d	Initiating and subsequently approving a change request violates the principle of segregation of duties. A person should not be able to approve their own requests.	CISAD4***	1,250	106.000	CISAD4***
In a disaster recovery situation, which of the following is the MOST important metric to ensure that data are synchronized between critical systems?	Recovery point objective	Recovery time objective	Recovery service resilience	Recovery service scalability	a	Establishing a common recovery point objective is most critical for ensuring that interdependencies between systems are properly synchronized. It ensures that systems do not contain data from different points in time that may result in accounting transactions that cannot be reconciled and a loss of referential integrity.	CISAD4***	1,251	105.000	CISAD4***
Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?	Ensure that media are encrypted.	Maintain a duplicate copy.	Maintain chain of custody.	Ensure that personnel are bonded.	b	Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive information should be treated with the same control considerations as the actual data.	CISAD4	1,252	26.000	CISAD4
An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes?	Select a sample of change tickets and review them for authorization.	Perform a walk-through by tracing a program change from start to finish.	Trace a sample of modified programs to supporting change tickets.	Use query software to analyze all change tickets for missing fields.	c	Tracing a sample of modified programs to supporting change tickets is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation.	CISAD4	1,253	89.000	CISAD4
Emergency changes that bypass the normal change control process are MOST acceptable if:	management reviews and approves the changes after they have occurred.	the changes are reviewed by a peer at the time of the change.	the changes are documented in the change control system by the operations department.	management has preapproved all emergency changes.	a	Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable time period after they occur.	CISAD4	1,254	114.000	CISAD4
To optimize an organization's business continuity plan, an IS auditor should recommend a business impact analysis to determine:	the business processes that generate the most financial value for the organization and, therefore, must be recovered first.	the priorities and order for recovery to ensure alignment with the organization's business strategy.	the business processes that must be recovered following a disaster to ensure the organization's survival.	the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame.	c	To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first.	CISAD4***	1,255	131.000	CISAD4***
Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day?	Implementing a fault-tolerant disk-to-disk backup solution	Making a full backup to tape weekly and an incremental backup nightly	Creating a duplicate storage area network (SAN) and replicating the data to a second SAN	Creating identical server and storage infrastructure at a hot site	a	Disk-to-disk backup allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set.	CISAD4***	1,256	105.000	CISAD4***
Which of the following would BEST ensure uninterrupted operations in an organization with IT operation centers in several countries?	Distribution of key procedural documentation	Reciprocal agreement between business partners.	Strong senior management leadership	Employee training on the business continuity plan	d	Employee training on the plan is especially important for businesses with offices that are geographically separated because there is a greater chance of communication disruption.	CISAD4***	1,257	76.000	CISAD4***
Which of the following BEST ensures that users have uninterrupted access to a critical, heavily used web-based application?	Disk mirroring	Redundant Array of Inexpensive Disks	Dynamic domain name system	Load balancing	d	Load balancing best ensures uninterrupted system availability by distributing traffic across multiple servers. Load balancing helps ensure consistent response time for web applications. Also, if a web server fails, load balancing ensures that traffic will be directed to a different, functional server.	CISAD4	1,258	30.000	CISAD4
Which of the following is the BEST method to ensure that critical IT system failures do not recur?	Invest in redundant systems.	Conduct a follow-up audit.	Monitor system performance.	Perform root cause analysis.	d	Root cause analysis determines the key reason an incident has occurred and allows for appropriate corrections that will help prevent the incident from recurring.	CISAD4	1,259	146.000	CISAD4
Which of the following is MOST important when an operating system patch is to be applied to a production environment?	Successful regression testing by the developer	Approval from the information asset owner	Approval from the security officer	Patch installation at alternate sites	b	It is most important that information owners approve any changes to production systems to ensure that no serious business disruption takes place as the result of the patch release.	CISAD4	1,260	5.000	CISAD4
A4-201 The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should:	review the patch management policy and determine the risk associated with this condition.	recommend that IT systems personnel test and then install the patches immediately	recommend that patches be applied every month or immediately upon release.	take no action, because the IT processes related to patch management appear to be adequate.	a	Reviewing the patch management policy and determining whether the IT department is compliant with the policies will detect whether the policies are appropriate and what risk is associated with current practices.	CISAD4	1,261	122.000	CISAD4
A4-202 Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?	Incident response plan	Business impact analysis	Threat and risk analysis	Recovery time objective	b	Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure that IT assets are prioritized to align with the business.	CISAD4***	1,262	168.000	CISAD4***
A4-203 Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process?	The application owner requested new functionality.	Changes are developed using an agile methodology.	There is a high probability of a significant impact on operations.	The operating system vendor has released a security patch.	c	Emergency releases to an application are fixes that require implementation as quickly as possible to prevent significant user downtime. Emergency release procedures are followed in such situations.	CISAD4	1,263	189.000	CISAD4
A4-204 A company with a limited budget has a recovery time objective of 72 hours and a recovery point objective of 24 hours. Which of the following would BEST meet the requirements of the business?	A hot site	A cold site	A mirrored site	A warm site	d	A warm site is the most appropriate solution because it provides basic infrastructure and most of the required IT equipment to affordably meet the business requirements. The remainder of the equipment needed can be provided through vendor agreements within a few days.	CISAD4	1,264	28.000	CISAD4
A4-205 Which of the following is MOST important to determine the recovery point objective for a critical process in an enterprise?	Number of hours of acceptable downtime	Total cost of recovering critical systems.	Extent of data loss that is acceptable	Acceptable reduction in the level of service	c	The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.	CISAD4	1,265	113.000	CISAD4
A4-206 An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel?	Developers use a firefighter ID to promote code to production.	Emergency changes are authorized prior to promotion.	Production access is granted to the individual support ID when needed.	A dedicated user promotes emergency changes to production.	a	Production access should be controlled and monitored to ensure segregation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to ensure accountability within the production system is to have the information security team create a production support group and add the user ID to that group to promote the change.	CISAD4***	1,266	29.000	CISAD4***
A4-207 Segmenting a highly sensitive database results in:	reduced exposure.	reduced threat.	less criticality.	less sensitivity.	a	Segmenting data reduces the quantity of data exposed to a particular vulnerability.	CISAD4***	1,267	16.000	CISAD4***
A4-208 Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?	Draft and publish a clear practice for enterprise-level incident response.	Establish a cross-departmental working group to share perspectives.	Develop a scenario and perform a structured walk-through.	Develop a project plan for end-to-end testing of disaster recovery.	c	A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans.	CISAD4	1,268	160.000	CISAD4
A4-209 An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation?	Malware on servers	Firewall misconfiguration	Increased spam received by the email server	Unauthorized network activities	d	Unauthorized network activities such as employee use of file or music sharing sites or online gambling or personal email containing large files or photos could contribute to network performance issues. Because the IS auditor found the degraded performance during business hours, this is the most likely cause.	CISAD4***	1,269	72.000	CISAD4***
A4-210 Which of the following is the BEST method for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor?	Ensure that automatic updates are enabled on critical production servers.	Verify manually that the patches are applied on a sample of production servers.	Review the change management log for critical production servers.	Run an automated tool to verify the security patches on production servers.	d	An automated tool can immediately provide a report on which patches have been applied and which are missing.	CISAD4	1,270	34.000	CISAD4
A4-211 An IS auditor is conducting a review of the disaster recovery procedures for a data center. Which of the following indicators BEST shows that the procedures meet the requirements?	Documented procedures were approved by management.	Procedures were reviewed and compared with industry good practices.	A tabletop exercise using the procedures was conducted.	Recovery teams and their responsibilities are documented.	c	Conducting a tabletop exercise (paper-based test) of the procedures with all responsible members, best ensures that the procedures meet the requirements. This type of test can identify missing or incorrect procedures because representatives responsible for performing the tasks are present.	CISAD4***	1,271	59.000	CISAD4***
A4-212 Which of the following choices BEST ensures accountability when updating data directly in a production database?	Review of audit logs.	Principle of least privilege	Approved validation plan	Segregation of duties	a	Detailed audit logs that contain the user ID of the individual who performed the change as well as the data before and after the change are the best evidence of database changes. A review of these logs would evidence the individual who changed the data (ensuring accountability) as well as the correctness of the change.	CISAD4***	1,272	174.000	CISAD4***
A4-213 An IS auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend?	Apply the patch only after it has been thoroughly tested.	Implement a host-based intrusion detection system.	Modify the firewall rules to further protect the application server.	Assess the overall risk, then recommend whether to deploy the patch.	d	While it is important to ensure that systems are properly patched, a risk assessment needs to be performed to determine the likelihood and probability of the vulnerability being exploited. Therefore, the patch would be applied only if the risk of circumventing the existing security controls is great enough to warrant it.	CISAD4	1,273	119.000	CISAD4
A4-214 An IS auditor is reviewing the most recent disaster recovery plan of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan?	Executive management	IT management	Board of directors	Steering committee	b	Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT services, IT management's approval would be most Important to verify that the system resources will be available in the event that a disaster event is triggered.	CISAD4***	1,274	32.000	CISAD4***
A4-215: Which of the following inputs would PRIMARILY help in designing the data backup strategy in case of potential natural disasters?	Recovery point objective	Volume of data to be backed up	Available data backup technologies	Recovery time objective	a	The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the acceptable amount of data loss in the case of interruption. Based on the RPO, one can design the data backup strategy for potential disasters using various technologies.	CISAD4***	1,275	62.000	CISAD4***
A4-216: While conducting an audit on the customer relationship management application, the IS auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend?	No action should be taken because the system meets current business requirements	IT should increase the network bandwidth to improve performance	Users should be provided with detailed manuals to use the system properly	Establish performance measurement criteria for the authentication servers	d	Performance criteria for the authentication servers would help to quantify acceptable thresholds for system performance, which can be measured and remediated.	CISAD4***	1,276	39.000	CISAD4***
A4-217: Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production?	Provide and monitor separate developer login IDs for programming and for production support	Capture activities of the developer in the production environment by enabling detailed audit trails	Back up all affected records before allowing the developer to make production changes	Ensure that all changes are approved by the change manager prior to implementation	a	Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer.	CISAD4***	1,277	33.000	CISAD4***
A4-218: Which of the following choices would MOST likely ensure that a disaster recovery effort is successful?	The tabletop test was performed	Data restoration was completed	Recovery procedures are approved	Appropriate staff resources are committed	b	The most reliable method to determine whether a backup is valid would be to restore it to a system. A data restore test should be performed at least annually to verify that the process is working properly.	CISAD4***	1,278	142.000	CISAD4***
A4-219: An IS auditor is auditing an IT disaster recovery plan. The IS auditor should PRIMARILY ensure that the plan covers:	a resilient IT infrastructure	alternate site information	documented disaster recovery test results	analysis and prioritization of business functions	d	The DRP must primarily focus on recovering critical business functions in the event of disaster within predefined RTOs; thus, it is necessary to align the recovery of IT services based on the criticality of business functions.	CISAD4	1,279	115.000	CISAD4
A4-220: An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution?	Redesign the controls related to data authorization	Implement additional segregation of duties controls	Review policy to see if a formal exception process is required	Implement additional logging controls	c	If the users are granted access to change data in support of the business requirements, the policy should be followed. If there is no policy for the granting of extraordinary access, then one should be designed to ensure no unauthorized changes are made.	CISAD4	1,280	12.000	CISAD4
A4-221: A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed next, to verify the adequacy of the new BCP?	Full-scale test with relocation of all departments, including IT, to the contingency site	Walk-through test of a series of predefined scenarios with all critical personnel involved	IT disaster recovery test with business departments involved in testing the critical applications	Functional test of a scenario with limited IT involvement	d	After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Because the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test.	CISAD4***	1,281	199.000	CISAD4***
A4-222: Which of the following business continuity plan tests involves participation of relevant members of the crisis management/response team to practice proper coordination?	Tabletop	Functional	Full-scale	Deskcheck	a	The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details.	CISAD4***	1,282	99.000	CISAD4***
A4-223: Which of the following is the BEST method to ensure that the business continuity plan remains up to date?	The group walks through the different scenarios of the plan from beginning to end	The group ensures that specific systems can actually perform adequately at the alternate offsite facility	The group is aware of full-interruption test procedures	Interdepartmental communication is promoted to better respond in the case of a disaster	a	A structured walk-through test gathers representatives from each department who will review the plan and identify weaknesses.	CISAD4***	1,283	133.000	CISAD4***
A4-224: An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?	Full operational test	Preparedness test	Paper test	Regression test	b	A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery.	CISAD4	1,284	193.000	CISAD4
A4-225: An organization's disaster recovery plan should address early recovery of	all information systems processes	all financial processing applications	only those applications designated by the IS manager	processing in priority order, as defined by business management	d	Business management should know which systems are critical and what they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan.	CISAD4	1,285	77.000	CISAD4
A4-226: Disaster recovery planning addresses the	technological aspect of business continuity planning (BCP)	operational part of BCP	functional aspect of BCP	overall coordination of BCP	a	Disaster recovery planning (DRP) is the technological aspect of business continuity planning (BCP) that focuses on IT systems and operations.	CISAD4***	1,286	14.000	CISAD4***
A4-227: Which of the following must exist to ensure the viability of a duplicate information processing facility?	The site is near the primary site to ensure quick and efficient recovery	The site contains the most advanced hardware available	The workload of the primary site is monitored to ensure adequate backup is available	The hardware is tested when it is installed to ensure it is working properly	c	Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient.	CISAD4	1,287	101.000	CISAD4
A4-228: The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely:	increase	decrease	remain the same	be unpredictable	a	Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation.	CISAD4***	1,288	174.000	CISAD4***
A4-229: Which of the following tasks should be performed FIRST when preparing a disaster recovery plan?	Develop a recovery strategy	Perform a business impact analysis	Map software systems, hardware and network components	Appoint recovery teams with defined personnel, roles and hierarchy	b	The first step in any disaster recovery plan is to perform a BIA.	CISAD4***	1,289	92.000	CISAD4***
A4-230: After completing the business impact analysis, what is the NEXT step in the business continuity planning process?	Test and maintain the plan	Develop a specific plan	Develop recovery strategies	Implement the plan	c	Once the business impact analysis (BIA) is completed, the next phase in the BCP development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster that will meet the time lines and priorities defined through the BIA.	CISAD4***	1,290	130.000	CISAD4***
A4-231: Which of the following is an appropriate test method to apply to a business continuity plan?	Pilot	Paper	Unit	System	b	A paper test (sometimes called a deskcheck) is appropriate for testing a BCP. It is a walk-through of the entire BCP, or part of the BCP, involving major players in the BCP's execution who reason out what may happen in a particular disaster.	CISAD4	1,291	66.000	CISAD4
A4-232 As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?	Risk such as single point-of-failure and infrastructure risk	Threats to critical business processes	Critical business processes for ascertaining the priority for recovery	Resources required for resumption of business	c	The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented. Other options like risks, threats, and resources are identified after critical processes are determined.	CISAD4***	1,292	37.000	CISAD4***
A4-233 Which of the following would contribute MOST to an effective business continuity plan?	The document is circulated to all interested parties.	Planning involves all user departments.	The plan is approved by senior management.	An audit is performed by an external IS auditor.	b	The involvement of user departments in the BCP is crucial for the identification of the business processing priorities and the development of an effective plan. Other options are less significant in ensuring BCP effectiveness.	CISAD4	1,293	148.000	CISAD4
A4-234 The PRIMARY objective of business continuity and disaster recovery plans should be to:	safeguard critical IS assets	provide for continuity of operations.	minimize the loss to an organization.	protect human life.	d	Because human life is invaluable, the main priority of any business continuity and disaster recovery plan should be to protect people. Other objectives are secondary to life safety.	CISAD4***	1,294	145.000	CISAD4***
A4-235 Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that:	each plan is consistent with one another.	all plans are integrated into a single plan.	each plan is dependent on one another.	the sequence for implementation of all plans is defined.	a	Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective.	CISAD4***	1,295	137.000	CISAD4***
A4-236 When developing a business continuity plan, which of the following tools should be used to gain an understanding of the organization's business processes?	Business continuity self audit	Resource recovery analysis	Risk assessment	Gap analysis	c	Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. Other options are not primarily for gaining business understanding.	CISAD4	1,296	109.000	CISAD4
A4-237 Which of the following should be of MOST concern to an IS auditor reviewing the business continuity plan (BCP)?	The disaster levels are based on scopes of damaged functions but not on duration.	The difference between low-level disaster and software incidents is not clear.	The overall BCP is documented, but detailed recovery steps are not specified.	The responsibility for declaring a disaster is not identified.	d	If nobody declares the disaster, the BCP would not be invoked, making all other concerns less important.	CISAD4***	1,297	49.000	CISAD4***
A4-238 During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST?	Evacuation plan	Recovery priorities	Backup storages	Call tree	a	Protecting human resources during a disaster-related event should be addressed first. Having separate business continuity plans could result in conflicting evacuation plans, thus jeopardizing the safety of staff and clients.	CISAD4***	1,298	104.000	CISAD4***
A4-239 For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be:	stored in a secure, offsite facility.	approved by senior management.	communicated to appropriate personnel.	made available through the enterprise's intranet.	c	The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP.	CISAD4***	1,299	193.000	CISAD4***
A4-240 Which of the following is the PRIMARY objective of the business continuity plan process?	To provide assurance to stakeholders that business operations will continue in the event of disaster	To establish an alternate site for IT services to meet predefined recovery time objectives	To manage risk while recovering from an event that adversely affected operations	To meet the regulatory compliance requirements in the event of natural disaster	c	The BCP process primarily focuses on managing and mitigating risk during recovery of operations due to an event that affected operations.	CISAD4***	1,300	163.000	CISAD4***
A4-241 Which of the following would BEST help to detect errors in data processing?	Programmed edit checks	Well-designed data entry screens	Segregation of duties	Hash totals	d	The use of hash totals is an effective method to reliably detect errors in data processing. A hash total would indicate an error in data integrity.	CISAD4***	1,301	165.000	CISAD4***
A4-242 Which of the following is the MOST critical to the quality of data in a data warehouse?	Accuracy of the source data	Credibility of the data source	Accuracy of the extraction process	Accuracy of the data transformation.	a	Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Other factors are important but cannot compensate for inaccurate source data.	CISAD4	1,302	31.000	CISAD4
A4-243 A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?	The system will not process the change until the clerk's manager confirms the change by entering an approval code	The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk's manager	The system requires the clerk to enter an approval code	The system displays a warning message to the clerk	a	Requiring an approval code by a manager would prevent or detect the use of an unauthorized interest rate. Other options are less effective in ensuring authorization.	CISAD4	1,303	181.000	CISAD4
A4-244 The GREATEST advantage of using web services for the exchange of information between two systems is:	Secure communication	Improved performance	Efficient interfacing	Enhanced documentation	c	Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used.	CISAD4	1,304	53.000	CISAD4
A4-245 Which of the following is a prevalent risk in the development of end-user computing applications?	Applications may not be subject to testing and IT general controls.	Development and maintenance costs may be increased.	Application development time may be increased.	Decision-making may be impaired due to diminished responsiveness to requests for information.	a	End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation.	CISAD4	1,305	139.000	CISAD4
A4-246 An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?	Log all table update transactions	Implement integrity constraints in the database	Implement before and after image reporting	Use tracing and tagging	b	Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered.	CISAD4	1,306	25.000	CISAD4
A4-247 A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk?	Confidentiality of the information stored in the database	The hardware being used to run the database application	Backups of the information in the overseas database	Remote access to the backup database	b	The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users.	CISAD4***	1,307	170.000	CISAD4***
A4-248 Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another?	Compare the hash total before and after the migration	Verify that the number of records is the same for both databases	Perform sample testing of the migrated account balances	Compare the control totals of all of the transactions	c	Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before and after the migration.	CISAD4***	1,308	162.000	CISAD4***
A4-249 During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?	One-for-one checking	Data file security	Transaction logs	File updating and maintenance authorization	c	Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file.	CISAD4	1,309	88.000	CISAD4
A4-250 An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?	To detect data transposition errors	To ensure that transactions do not exceed predetermined amounts	To ensure that data entered are within reasonable limits	To ensure that data entered are within a predetermined range of values	a	A check digit is a numeric value added to data to ensure that original data are correct and have not been altered.	CISAD4	1,310	177.000	CISAD4
A4-251 A hard disk containing confidential data was damaged beyond repair. If the goal is to positively prevent access to the data by anyone else, what should be done to the hard disk before it is discarded?	Overwriting	Low-level formatting	Degaussing	Destruction	d	Physically destroying the hard disk is the most effective way to ensure that data cannot be recovered.	CISAD4	1,311	6.000	CISAD4
A4-256 The responsibility for authorizing access to a business application system belongs to the:	data owner	security administrator	IT security manager	requestor's immediate supervisor	a	When a business application is developed, a good practice is to assign an information or data owner to the application. The information owner should be responsible for authorizing access to the application itself or to back-end databases for queries.	CISAD4	1,312	11.000	CISAD4
A4-253 An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should:	accept the DBA access as a common practice	assess the controls relevant to the DBA function	recommend the immediate revocation of the DBA access to production data	review user access authorizations approved by the DBA	b	When reviewing privileged accounts, the auditor should look for compensating controls that may address a potential exposure.	CISAD4***	1,313	170.000	CISAD4***
A4-254 Which of the following is the MOST effective method for disposing of magnetic media that contains confidential information?	Degaussing	Defragmenting	Erasing	Destroying	d	Destroying magnetic media is the only way to assure that confidential information cannot be recovered.	CISAD4***	1,314	31.000	CISAD4***
A4-255 Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in a data warehouse?	Implement column- and row-level permissions	Enhance user authentication via strong passwords	Organize the data warehouse into subject matter-specific databases	Log user access to the data warehouse	a	Column-and row-level permissions control what information users can access. This "fine-grained" security model is likely to offer the best balance between information protection while still supporting a wide range of analytical and reporting uses.	CISAD4	1,315	193.000	CISAD4
A4-252 Authorizing access to application data is the responsibility of the:	data custodian	application administrator	data owner	security administrator	c	Data owners have authority to grant or withhold access to the data and applications for which they are responsible.	CISAD4	1,316	44.000	CISAD4
A4-257 What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?	Implement a log management process	Implement a two-factor authentication	Use table views to access sensitive data	Separate database and application servers	a	Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour.	CISAD4***	1,317	179.000	CISAD4***
A4-258 While auditing an ecommerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following would be the PRIMARY concern for the IS auditor?	Availability of customer data	Integrity of customer data	Confidentiality of customer data	System storage performance	c	Due to its exposure to the Internet, storing customer data for six months raises concerns regarding confidentiality of customer data.	CISAD4***	1,318	76.000	CISAD4***
A5-1. Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used, in some cases, to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is:	parameter tampering.	cross-site scripting.	cookie poisoning.	stealth commanding.	a	Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in the hidden fields. This practice is not safe because an attacker can intercept, modify and submit requests, which can discover information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering.	CISAD5***	1,319	164.000	CISAD5***
A5-2. Which control is the BEST way to ensure that the data in a file have not been changed during transmission?	Reasonableness check	Parity bits	Hash values	Check digits	c	Hash values are calculated on the file and are very sensitive to any changes in the data values in the file. Thus, they are the best way to ensure that data has not changed.	CISAD5	1,320	116.000	CISAD5
A5-3. The PRIMARY purpose of audit trails is to:	improve response time for users.	establish accountability for processed transactions.	improve the operational efficiency of the system.	provide information to auditors who wish to track transactions.	b	Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system.	CISAD5	1,321	69.000	CISAD5
A5-4. Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?	Intrusion detection systems	Data mining techniques	Stateful inspection firewalls	Packet filtering routers	b	Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.	CISAD5***	1,322	7.000	CISAD5***
A5-5. Which of the following BEST ensures the integrity of a server's operating system?	Protecting the server in a secure location	Setting a boot password	Hardening the server configuration	Implementing activity logging	c	Hardening a system means to configure it in the most secure manner to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.	CISAD5***	1,323	41.000	CISAD5***
A5-6. Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?	Firewalls	Routers	Layer 2 switches	Virtual local area networks	a	Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.	CISAD5	1,324	21.000	CISAD5
A5-7. An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem using global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network when the CIO travels outside of the office. The IS auditor should:	do nothing because the inherent security features of GSM technology are appropriate.	recommend that the CIO stop using the laptop computer until encryption is enabled.	ensure that media access control address filtering is enabled on the network so unauthorized wireless users cannot connect.	suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.	a	The inherent security features of global system for mobile communications (GSM) technology combined with the use of a virtual private network (VPN) are appropriate. The confidentiality of the communication on the GSM radio link is ensured by the use of encryption and the use of a VPN signifies that an encrypted session is established between the laptop and the corporate network.	CISAD5***	1,325	82.000	CISAD5***
A5-8. Which of the following is the BEST way to minimize unauthorized access to unattended end-user PC systems?	Enforce use of a password-protected screen saver	Implement proximity-based authentication system	Terminate user session at predefined intervals	Adjust power management settings so the monitor screen is blank	a	A password-protected screen saver with a proper time interval is the best measure to prevent unauthorized access to unattended end-user systems. It is important to ensure that users lock the workstation when they step away from the machine, which is something that could be reinforced via awareness training.	CISAD5***	1,326	197.000	CISAD5***
A5-9. The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server?	Host intrusion detection software installed on the server	Password expiration and lockout policy	Password complexity rules	Two-factor authentication	d	Two-factor authentication requires a user to use a password in combination with another identification factor that is not easily stolen or guessed by an attacker. Types of two-factor authentication include electronic access tokens that show one-time passwords on their display panels or biometric authentication systems.	CISAD5	1,327	14.000	CISAD5
A5-10. An organization's IT director has approved the installation of a wireless local area network access point in a conference room for a team of consultants to access the internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that:	encryption is enabled on the access point.	the conference room network is on a separate virtual local area network (VLAN).	antivirus signatures and patch levels are current on the consultants' laptops.	default user IDs are disabled and strong passwords are set on the corporate servers.	b	The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.	CISAD5	1,328	74.000	CISAD5
A5-11. The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured?	Database administrators are restricted from access to HR data.	Database logs are encrypted.	Database stored procedures are encrypted.	Database initialization parameters are appropriate.	d	When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle Database Management System), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.	CISAD5	1,329	35.000	CISAD5
A5-12. An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to	maintain impartiality while evaluating the transaction.	ensure that the independence of an IS auditor is maintained.	assure that the integrity of the evidence is maintained.	assess all relevant evidence for the transaction.	c	The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.	CISAD5	1,330	160.000	CISAD5
A5-13. A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achieve this requirement?	Mandatory	Role-based	Discretionary	Single sign-on	b	Role-based access control limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis.	CISAD5	1,331	48.000	CISAD5
A5-14. Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization?	Actions performed on log files should be tracked in a separate log.	Write access to audit logs should be disabled.	Only select personnel should have rights to view or delete audit logs.	Backups of audit logs should be performed periodically.	c	Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted.	CISAD5***	1,332	98.000	CISAD5***
A5-15. A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern?	Most employees use laptops.	A packet filtering firewall is used.	The IP address space is smaller than the number of PCs.	Access to a network port is not restricted.	d	Given physical access to a port, anyone can connect to the internal network. This would allow	CISAD5***	1,333	15.000	CISAD5***
A5-16 Which of the following is an effective preventive control to ensure that a database administrator (DBA) complies with the custodianship of the enterprise's data?	Exception reports	Segregation of duties	Review of access logs and activities	Management supervision	b	Adequate segregation of duties (SoD) is a preventative control that can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task.	CISAD5	1,334	12.000	CISAD5
A5-17 An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that:	the photo frame storage media could be used to steal corporate data	the drivers for the photo frame may be incompatible and crash the user's PC	the employee may bring inappropriate photographs into the office	the photo frame could be infected with malware	d	Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.	CISAD5	1,335	46.000	CISAD5
A5-18 An organization discovers that the computer of the chief financial officer has been infected with malware that includes a keystroke logger and a rootkit. The FIRST action to take would be to	Contact the appropriate law enforcement authorities to begin an investigation	Immediately ensure that no additional data are compromised	Disconnect the PC from the network	Update the antivirus signature on the PC to ensure that the malware or virus is detected and removed	c	The most important task is to prevent further data compromise and preserve evidence by disconnecting the computer from the network. Preserve the machine in a forensically sound condition and do not make any changes to it except to disconnect it from the network. Otherwise evidence would be destroyed by powering off the PC or updating the software on the PC.	CISAD5	1,336	41.000	CISAD5
A5-19 The IS auditor is reviewing findings from a prior IS audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be?	Digital signatures are not adequate to protect confidentiality	Digital signatures are adequate to protect confidentiality	The IS auditor should gather more information about the specific implementation	The IS auditor should recommend implementation of digital watermarking for secure email	a	Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior-year's finding	CISAD5	1,337	166.000	CISAD5
A5-20 Which of the following line media would provide the BEST security for a telecommunication network?	Broadband network digital transmission	Baseband network	Dialup	Dedicated lines	d	Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.	CISAD5	1,338	40.000	CISAD5
A5-21 To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review:	A. the IT infrastructure.	B. organizational policies, standards and procedures.	C. legal and regulatory requirements.	D. adherence to organizational policies, standards and procedures.	c	To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.	CISAD5***	1,339	113.000	CISAD5***
A5-22 A human resources company offers wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation?	A. The password for the wireless network is changed on a weekly basis	B. A stateful inspection firewall is used between the public wireless and company networks.	C. The public wireless network is physically segregated from the company network.	D. An intrusion detection system is deployed within the wireless network.	c	Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion.	CISAD5	1,340	89.000	CISAD5
A5-23 When reviewing the implementation of a local area network, an IS auditor should FIRST review the:	A. node list.	B. acceptance test report.	C. network diagram.	D. users list.	c	To properly review a local area network implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure.	CISAD5	1,341	120.000	CISAD5
A5-24 An IS auditor discovers that the configuration settings for password controls are more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take?	A. Determine whether this is a policy violation and document it.	B. Document the observation as an exception.	C. Recommend that all password configuration settings be identical.	D. Recommend that logs of IT developer access are reviewed periodically.	a	If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed.	CISAD5	1,342	56.000	CISAD5
A5-25 An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers?	A. Ensure that ports 80 and 443 are blocked at the firewall.	B. Inspect file and access permissions on all servers to ensure that all files have read-only access.	C. Perform a web application security review.	D. Make sure that only the IP addresses of existing customers are allowed through the firewall.	c	Performing a web application security review is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers.	CISAD5	1,343	201.000	CISAD5
A5-26 Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target?	A. Blind testing	B. Targeted testing	C. Double-blind testing	D. External testing	c	Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning. This is the best scenario for testing response capability because the target will react as if the attack were real.	CISAD5***	1,344	197.000	CISAD5***
A5-27 An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following would meet this objective?	A. VoIP infrastructure needs to be segregated using virtual local area networks.	B. Buffers need to be introduced at the VoIP endpoints.	C. Ensure that end-to-end encryption is enabled in the VoIP system.	D. Ensure that emergency backup power is available for all parts of the VoIP infrastructure.	a	Segregating the VoIP traffic using VLANs would best protect the VoIP infrastructure from network-based attacks and potential eavesdropping.	CISAD5***	1,345	161.000	CISAD5***
A5-28 During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result?	A. A denial-of-service attack	B. Spoofing	C. Port scanning	D. A man-in-the-middle attack	b	Spoofing involves impersonating another device or user in order to bypass security measures.	CISAD5	1,346	167.000	CISAD5
A5-29 An IS auditor is reviewing an organization's information security policy, which requires encryption of all data placed on USB drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure?	A. Data Encryption Standard	B. Message Digest 5	C. Advanced Encryption Standard	D. Secure Shell	c	Advanced Encryption Standard (AES) provides the strongest encryption and would provide the greatest assurance that data are protected on USB drives.	CISAD5***	1,347	49.000	CISAD5***
A5-30 During an IS audit of a global organization, the IS auditor discovers that the organization uses Voice-over Internet Protocol (VoIP) over the internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure?	A. Network equipment failure	B. Distributed denial-of-service attack	C. Premium-rate fraud (toll fraud)	D. Social engineering attack	b	A distributed denial-of-service (DDoS) attack could potentially disrupt the organization's ability to communicate via VoIP among its offices.	CISAD5***	1,348	174.000	CISAD5***
A5-31 Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization?	A. Routing outbound Internet traffic through a content-filtering proxy server	B. Routing inbound Internet traffic through a reverse proxy server	C. Implementing a firewall with appropriate access rules	D. Deploying client software utilities that block inappropriate content	a	A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites.	CISAD5***	1,349	154.000	CISAD5***
A5-32 An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?	A. System unavailability	B. Exposure to malware	C. Unauthorized access	D. System integrity	c	Untested CGI scripts can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers.	CISAD5***	1,350	195.000	CISAD5***
A5-33 An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern?	A. Wireless mobile devices are not password-protected.	B. Default passwords are not changed when installing network devices.	C. An outbound web proxy does not exist.	D. All communication links do not use encryption.	b	The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment.	CISAD5	1,351	23.000	CISAD5
A5-34 An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data?	A. Data retention, backup and recovery	B. Return or destruction of information	C. Network and intrusion detection	D. A patch management process	b	When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract.	CISAD5***	1,352	56.000	CISAD5***
A5-35 Which of the following is the MOST effective control when granting temporary access to vendors?	A. Vendor access corresponds to the service level agreement.	B. User accounts are created with expiration dates and are based on services provided.	C. Administrator access is provided for a limited period.	D. User IDs are deleted when the work is completed.	b	The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date associated with each unique ID.	CISAD5***	1,353	195.000	CISAD5***
A5-36 During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:	A. An unauthorized user may use the ID to gain access.	B. User access management is time consuming.	C. Passwords are easily guessed.	D. User accountability may not be established.	d	The use of a user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is impossible to hold anyone accountable.	CISAD5	1,354	63.000	CISAD5
A5-37 An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor?	A. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network.	B. Biometric scanners are not installed in restricted areas.	C. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel.	D. Biometric system risk analysis was last conducted three years ago.	c	Data transmitted between the biometric scanners and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data.	CISAD5***	1,355	140.000	CISAD5***
A5-38 When auditing a role-based access control system, the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make?	A. Ensure that these employees are adequately supervised.	B. Ensure that backups of the transaction logs are retained.	C. Implement controls to detect the changes.	D. Write transaction logs in real time to Write Once and Read Many drives.	d	The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time.	CISAD5	1,356	68.000	CISAD5
A5-39 During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:	A. Verification of user authorization at the field level.	B. Review of data communication access activity logs.	C. A periodic review of user activity logs.	D. Periodic review of changing data files.	a	General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted.	CISAD5***	1,357	21.000	CISAD5***
A5-40 An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?	A. The local area network (LAN) switches are not connected to uninterruptible power supply units.	B. Network cabling is disorganized and not properly labeled.	C. The telephones are using the same cable used for LAN connections.	D. The wiring closet also contains power lines and breaker panels.	a	Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (Power over Ethernet) from the wiring closet where the network switch is installed. If the local area network switches do not have backup power, the phones will lose power during a utility interruption and potentially not be able to make emergency calls.	CISAD5	1,358	99.000	CISAD5
A5-41 When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor?	Unencrypted passwords are used.	Passwords are shared.	Redundant logon IDs exist.	Third-party users possess administrator access	a	When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered.	CISAD5***	1,359	9.000	CISAD5***
A5-42 During an IS risk assessment of a health care organization regarding protected health care information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?	Stuff have to type "[PHI]" in the subject field of email messages to be encrypted.	The organization does not encrypt all of its outgoing email messages	An individual's computer screen saver function is disabled	Server configuration requires the user to change the password annually	b	There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care information (PHI) to protect sensitive information.	CISAD5***	1,360	17.000	CISAD5***
A5-43 Which of the following is the responsibility of information asset owners?	Assignment of criticality levels to data	Implementation of information security within applications	Implementation of access rules to data and programs	Provision of physical and logical security for data	b	It is the responsibility of owners to define the criticality (and sensitivity) levels of information assets.	CISAD5***	1,361	6.000	CISAD5***
A5-44 An IS auditor reviewing a network log discovers that an employee ran elevated commands on their PC by invoking the task scheduler to launch restricted applications. This is an example what type of attack?	A privilege escalation	A race condition	A buffer overflow	An impersonation	a	A privilege escalation is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level.	CISAD5***	1,362	148.000	CISAD5***
A5-45 An IS auditor is reviewing an organization to ensure that evidence related to a data breach case is preserved, Which of the following choices would be of MOST concern to the IS auditor?	There is no chain of custody policy	End users are not aware of incident reporting procedures	Log servers are not on a separate network	Backups are not performed consistently	d	Organizations should have a policy in place that directs employees to follow certain procedures when collecting evidence that may be used in a court of law. Chain of custody involves documentation of how digital evidence is acquired, processed, handled, stored, and protected, and who handled the evidence and why. If there is no policy in place, it is unlikely that employees will ensure that the chain of custody is maintained during any data breach investigation.	CISAD5***	1,363	48.000	CISAD5***
A5-46 An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to:	not report this issue because discretionary access controls are in place.	report this to the data owners to determine whether it is an exception.	recommend that mandatory access control he implemented.	report this as a finding to upper management	d	DAC allows data owners to modify access, which is a normal procedure and is a characteristic of DAC.	CISAD5***	1,364	10.000	CISAD5***
A5-47 Electromagnetic emissions from a terminal represent a risk because they:	can be detected and displayed.	could have adverse health effects on personnel.	can disrupt processor functions.	could damage or erase nearby storage media	d	Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data.	CISAD5***	1,365	161.000	CISAD5***
A5-48 Security administration procedures require read-only access to:	security log files.	user profiles.	access control tables.	logging options.	a	Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities.	CISAD5***	1,366	148.000	CISAD5***
A5-49 With the help of a security officer, granting access to data is the responsibility of:	data owners.	system analysts.	programmers.	librarians.	a	Data owners are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners.	CISAD5	1,367	76.000	CISAD5
A5-50 The FIRST step in data classification is to:	establish ownership.	perform a criticality analysis.	create a data dictionary.	define access rules.	a	Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification.	CISAD5***	1,368	185.000	CISAD5***
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:	enrollment.	identification.	verification.	storage.	a	The users of a biometric device must first be enrolled in the device.	CISAD5	1,369	182.000	CISAD5
A hacker could obtain passwords without the use of computer tools or programs through the technique of	social engineering.	sniffers.	back doors.	Trojan horses.	a	Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc.	CISAD5	1,370	186.000	CISAD5
The reliability of an application system's audit trail may be questionable if:	user IDs are recorded in the audit trail	the security administrator has read-only rights to the audit file.	date and time stamps are recorded when an action occurs.	users can amend audit trail records when correcting system errors.	d	An audit trail is not effective if the details in it can be amended.	CISAD5	1,371	57.000	CISAD5
While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's NEXT step?	Observe the response mechanism.	Clear the virus from the network.	Inform appropriate personnel immediately.	Ensure deletion of the virus.	c	The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence.	CISAD5	1,372	55.000	CISAD5
The implementation of access controls FIRST requires:	a classification of IS resources.	the labeling of IS resources.	the creation of an access control list.	an inventory of IS resources.	d	The first step in implementing access controls is an inventory of IS resources.	CISAD5***	1,373	133.000	CISAD5***
Which of the following is an example of the defense in-depth security principle?	Using two firewalls to consecutively check the incoming network traffic	Using a firewall as well as logical access controls on the hosts to control incoming network traffic	Lack of physical signs on the outside of a computer center building	Using two firewalls in parallel to check different types of incoming traffic	b	Defense in-depth means using different security mechanisms that back each other up.	CISAD5***	1,374	41.000	CISAD5***
Which of the following would be the BEST access control procedure?	The data owner formally authorizes access and an administrator implements the user authorization tables.	Authorized staff implements the user authorization tables and the data owner approves them.	The data owner and an IS manager jointly create and update the user authorization tables.	The data owner creates and updates the user authorization tables.	a	The data owner holds the privilege and responsibility for formally establishing the access rights.	CISAD5***	1,375	113.000	CISAD5***
Which of the following would MOST effectively reduce social engineering incidents?	Security awareness training	Increased physical security measures	Email monitoring policy	Intrusion detection systems	a	By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents.	CISAD5	1,376	17.000	CISAD5
An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods?	Piggybacking	Shoulder surfing	Dumpster diving	Impersonation	b	Masking the display of passwords prevents unauthorized viewing by shoulder surfing.	CISAD5***	1,377	144.000	CISAD5***
To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:	the company policy be changed.	passwords are periodically changed.	an automated password management tool be used.	security awareness training is delivered.	c	The use of an automated password management tool enforces robust password policies.	CISAD5	1,378	54.000	CISAD5
A5-61 An IS auditor reviewing digital rights management applications should expect to find an extensive use for which of the following technologies?	A. Digitalized signatures	B. Hashing	C. Parsing	D. Steganography	d	Steganography is a technique for concealing the existence of messages or information within another message.	CISAD5	1,379	191.000	CISAD5
A5-62 The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods?	A. Piggybacking	B. Shoulder surfing	C. Dumpster diving	D. Impersonation	a	Piggybacking refers to unauthorized persons following authorized persons into restricted areas.	CISAD5***	1,380	188.000	CISAD5***
A5-63 Which of the following presents an inherent risk with no distinct identifiable preventive controls?	A. Piggybacking	B. Viruses	C. Data diddling	D. Unauthorized application shutdown	c	Data diddling involves changing data before they are entered into the computer, often occurring before security measures can protect the data.	CISAD5***	1,381	155.000	CISAD5***
A5-64 The MOST important difference between hashing and encryption is that hashing:	A. is irreversible	B. creates an output the same length as the original message	C. is concerned with integrity and security	D. is the same at the sending and receiving end	a	Hashing is irreversible, unlike encryption which is reversible, ensuring data integrity but not confidentiality.	CISAD5	1,382	17.000	CISAD5
Which of the following results in a denial-of-service attack?	Brute force attack	Ping of death	Leapfrog attack	Negative acknowledgment attack	b	The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service.	CISAD5***	1,383	204.000	CISAD5***
Which of the following is an advantage of elliptic curve encryption over RSA encryption?	Computation speed	Ability to support digital signatures	Simpler key distribution	Message integrity controls	a	The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed.	CISAD5	1,384	50.000	CISAD5
Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?	Secure Sockets Layer	Intrusion detection system	Public key infrastructure	Virtual private network	a	Secure Sockets Layer (SSL) provides confidentiality through encryption and integrity through hash message authentication code.	CISAD5***	1,385	99.000	CISAD5***
Which of the following preventive controls BEST helps secure a web application?	Password masking	Developer training	Use of encryption	Vulnerability testing	b	Teaching developers to write secure code is the best preventive control for securing a web application.	CISAD5***	1,386	119.000	CISAD5***
Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?	Server-based antivirus software	Enterprise-based antivirus software	Workstation-based antivirus software	Perimeter-based antivirus software	b	Enterprise-based antivirus software provides a layered defense model across various points in the network.	CISAD5***	1,387	43.000	CISAD5***
Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network implementation?	Computers on the enterprise's internal network	Computers at the backup site	Computers in employees' homes	Computers at the enterprise's remote offices	c	Home computers are least subject to corporate security policies and pose a higher risk in VPN implementations.	CISAD5	1,388	12.000	CISAD5
The PRIMARY reason for using digital signatures is to ensure data:	Confidentiality	Integrity	Availability	Correctness	b	Digital signatures provide integrity, ensuring that a signed document cannot be altered.	CISAD5	1,389	73.000	CISAD5
Which of the following is an example of a passive cybersecurity attack?	Traffic analysis	Masquerading	Denial-of-service	Email spoofing	a	Traffic analysis monitors or captures network traffic without modifying it.	CISAD5	1,390	26.000	CISAD5
An IS auditor is reviewing sccurity incident management procedures for the company. Which of the following choioes is the MOST important consideration?	Chain of custody of electronic evidence	System breach notification procedures	Fscalation procedures to external agencies	Proccdures to recover lost data	a	The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected property, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation.	CISAD5***	1,391	7.000	CISAD5***
An accuracy measure for a biometric system is:	System response time	Registration time	Input file size	False-acceptance rate	d	False-acceptance rate (FAR) is a measure of how often invalid individuals are accepted in a biometric system.	CISAD5	1,392	150.000	CISAD5
An IS auditor evaluating logical access controls should FIRST:	Documentation and evaluation	Test the access paths	Evaluate the security environment	Obtain an understanding of the security risk to information processing	d	When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.	CISAD5	1,393	194.000	CISAD5
Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal?	Overwriting the tapes	Initializing the tape labels	Degaussing the tapes	Erasing the tapes	c	The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes.	CISAD5	1,394	90.000	CISAD5
The review of router access control lists should be conducted during:	an environmental review	a network security review	a business continuity review	a data integrity review	b	Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc.	CISAD5	1,395	97.000	CISAD5
Which of the following components is responsible for the collection of data in an intrusion detection system?	Analyzer	Administration console	User interface	Sensor	d	Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis.	CISAD5***	1,396	199.000	CISAD5***
Which of the following is the MOST significant function of a corporate public key infrastructure and certificate authority employing X.509 digital certificates?	It provides the public/private key set for the encryption and signature services used by email and file space	It binds a digital certificate and its public key to an individual subscriber's identity	It provides the authoritative source for employee identity and personal details	It provides the authoritative authentication source for object access	b	PKI is primarily used to gain assurance that protected data or services originated from a legitimate source. The process to ensure the validity of the subscriber identity by linking to the digital certificate/public key is strict and rigorous.	CISAD5***	1,397	146.000	CISAD5***
A digital signature contains a message digest to:	show if the message has been altered after transmission	define the encryption algorithm	confirm the identity of the originator	enable message transmission in a digital format	a	The message digest is calculated and included in a digital signature to prove that the message has not been altered. The message digest sent with the message should have the same value as the recalculation of the digest of the received message.	CISAD5	1,398	17.000	CISAD5
Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to ecommerce?	Registration authority	Certificate authority	Certification revocation list	Certification practice statement	b	The CA maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication.	CISAD5	1,399	132.000	CISAD5
A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?	Work is completed in tunnel mode with IP security	A digital signature with RSA has been implemented	Digital certificates with RSA are being used	Work is being completed in TCP services	a	Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security.	CISAD5	1,400	123.000	CISAD5
Digital signatures require the:	signer to have a public key and the receiver to have a private key	signer to have a private key and the receiver to have a public key	signer and receiver to have a public key	signer and receiver to have a private key	b	Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is based on the sender encrypting a digest of the message with their private key and the receiver validating the message with the public key.	CISAD5***	1,401	36.000	CISAD5***
The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:	data integrity	authentication	nonrepudiation	replay protection	c	Integrity, authentication, nonrepudiation and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message.	CISAD5	1,402	168.000	CISAD5
During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?	Dumping the memory content to a file	Generating disk images of the compromised system	Rebooting the system	Removing the system from the network	c	Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory.	CISAD5***	1,403	10.000	CISAD5***
An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk?	Expired digital certificates	Self-signed digital certificates	Using the same digital certificate for multiple web sites	Using 56-bit digital certificates	b	Self-signed digital certificates are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack.	CISAD5***	1,404	39.000	CISAD5***
Which of the following controls would BEST detect intrusion?	User IDs and user privileges are granted through authorized procedures	Automatic logoff is used when a workstation is inactive for a particular period of time	Automatic logoff of the system occurs after a specified number of unsuccessful attempts	Unsuccessful logon attempts are monitored by the security administrator	d	Intrusion is detected by the active monitoring and review of unsuccessful logon attempts.	CISAD5	1,405	134.000	CISAD5
Which of the following is the BEST control over a guest wireless ID that is given to vendor staff?	Assignment of a renewable user ID which expires daily	A write-once log to monitor the vendor's activities on the system	Use of a user ID format similar to that used by employees	Ensuring that wireless network encryption is configured properly	a	A renewable user ID which expires daily would be a good control because it would ensure that wireless access will automatically terminate daily and cannot be used without authorization.	CISAD5***	1,406	36.000	CISAD5***
An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:	maintenance of access logs of usage of various system resources	authorization and authentication of the user prior to granting access to system resources	adequate protection of stored data on servers by encryption or other means	accountability system and the ability to identify any terminal accessing system resources	b	The authorization and authentication of users before granting them access to system resources is the most significant aspect in a telecommunication access control review because it is a preventive control. Weak controls at this level can affect all other aspects of security.	CISAD5***	1,407	36.000	CISAD5***
An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?	Request that the system be shut down to preserve evidence	Report the incident to management	Ask for immediate suspension of the suspect accounts	Investigate the source and nature of the incident	b	The IS auditor should follow the incident response process of the organization. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action.	CISAD5***	1,408	118.000	CISAD5***
When using public key encryption to secure data being transmitted across a network:	both the key used to encrypt and decrypt the data are public	the key used to encrypt is private, but the key used to decrypt the data is public	the key used to encrypt is public, but the key used to decrypt the data is private	both the key used to encrypt and decrypt the data are private	c	Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.	CISAD5***	1,409	111.000	CISAD5***
The technique used to ensure security in virtual private networks is called:	data encapsulation	data wrapping	data transformation	data hashing	a	Encapsulation, or tunneling, is a technique used to encrypt the traffic payload so that it can be securely transmitted over an insecure network.	CISAD5	1,410	115.000	CISAD5
During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:	encryption	callback modems	message authentication	dedicated leased lines	a	Encryption of data is the most secure method of protecting confidential data from exposure.	CISAD5	1,411	128.000	CISAD5
An Internet-based attack using password sniffing can:	enable one party to act as if they are another party	cause modification to the contents of certain transactions	be used to gain access to systems containing proprietary information	result in major problems with billing systems and transaction processing agreements	c	Password sniffing attacks can be used to gain access to systems on which proprietary information is stored.	CISAD5***	1,412	63.000	CISAD5***
Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?	Proxy server	Firewall installation	Demilitarized zone	Virtual private network	d	The best way to secure remote access is through the use of encrypted VPNs. This would allow remote users a secure connection to the main systems.	CISAD5***	1,413	3.000	CISAD5***
During an audit of an enterprise that is dedicated to ecommerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?	A biometric, digitalized and encrypted parameter with the customer's public key	A hash of the data that is transmitted and encrypted with the customer's private key	The customer's scanned signature encrypted with the customer's public key	A hash of the data that is transmitted and encrypted with the customer's public key	b	The calculation of a hash, or digest, of the data that are transmitted, and its encryption require the private key of the client (sender) and is called a signature of the message, or digital signature.	CISAD5	1,414	166.000	CISAD5
When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?	Wiring and schematic diagram	Users lists and responsibilities	Application lists and their details	Backup and recovery procedures	a	The wiring and schematic diagram of the network is necessary to carry out a network audit. The IS auditor needs to know what equipment, configuration and addressing is used on the network to perform an audit of the network setup.	CISAD5	1,415	22.000	CISAD5
Which of the following should an IS auditor be MOST concerned about in a financial application?	Programmers have access to source code in user acceptance testing environment	Secondary controls are documented for identified role conflicts	The information security officer does not authorize all application changes	Programmers have access to the production database	d	Programmers who have access to the production database are considered to be a segregation of duties conflict.	CISAD5	1,416	142.000	CISAD5
Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to:	ensure prompt communication of adverse events to relevant management	contain costs related to maintaining disaster recovery plan capabilities	ensure that customers are promptly notified of issues such as security breaches	minimize the duration and impact of system outages and security incidents	d	An incident response plan helps minimize the impact of an incident because it provides a controlled response to incidents.	CISAD5	1,417	28.000	CISAD5
Email message authenticity and confidentiality is BEST achieved by signing the message using the:	sender's private key and encrypting the message using the receiver's public key	sender's public key and encrypting the message using the receiver's private key	receiver's private key and encrypting the message using the sender's public key	receiver's public key and encrypting the message using the sender's private key	a	By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. Encrypting with the receiver's public key provides confidentiality.	CISAD5***	1,418	173.000	CISAD5***
An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?	An application-level gateway	A remote access server	A proxy server	Port scanning	a	An application-level gateway is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted.	CISAD5	1,419	84.000	CISAD5
Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?	Virtual private network	Dedicated line	Leased line	Integrated services digital network	a	The most secure method is a virtual private network, using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet.	CISAD5	1,420	160.000	CISAD5
The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when:	connecting points are available in the facility to connect laptops to the network	users take precautions to keep their passwords confidential	terminals with password protection are located in insecure locations	terminals are located within the facility in small clusters under the supervision of an administrator	a	Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password.	CISAD5***	1,421	66.000	CISAD5***
Which of the following functions is performed by a virtual private network?	Hiding information from sniffers on the net	Enforcing security policies	Detecting misuse or mistakes	Regulating access	a	A virtual private network (VPN) hides information from sniffers on the Internet using tunneling. It works based on encapsulation and encryption of sensitive traffic.	CISAD5	1,422	8.000	CISAD5
Applying a digital signature to data traveling in a network provides:	confidentiality and integrity	security and nonrepudiation	integrity and nonrepudiation	confidentiality and nonrepudiation	c	A digital signature is created by signing a hash of a message with the private key of the sender. This provides for the integrity (through the hash) and the proof of origin (nonrepudiation) of the message.	CISAD5	1,423	204.000	CISAD5
Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?	Customers are widely dispersed geographically, but the certificate authorities (CAs) are not	Customers can make their transactions from any computer or mobile device	The CA has several data processing subcenters to administer certificates	The organization is the owner of the CA	d	If the CA belongs to the same organization, this would pose a risk. The management of CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates this could lead to a compromise of the certificates and loss of trust.	CISAD5	1,424	94.000	CISAD5
Which of the following is the MOST reliable method to ensure identity of sender for messages transferred across Internet?	Digital signatures	Asymmetric cryptography	Digital certificates	Message authentication code	c	Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository.	CISAD5***	1,425	1.000	CISAD5***
Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?	Review the security training program	Ask the security administrator	Interview a sample of employees	Review the security reminders to employees	c	Interviewing a sample of employees is the best way to determine the effectiveness of a security awareness and training program because overall awareness must be determined, and effective security is dependent on people.	CISAD5***	1,426	40.000	CISAD5***
A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST?	Send a report to the IS audit department	Change the name of the DBA account	Suspend the DBA account	Change the database password	d	The password should be changed immediately because there is no way to know whether it has been compromised.	CISAD5	1,427	117.000	CISAD5
If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack?	Router configuration and rules	Design of the internal network	Updates to the router system software	Audit testing and review techniques	a	Improper router configuration and rules could lead to an exposure to denial-of-service (DoS) attacks.	CISAD5	1,428	48.000	CISAD5
The Secure Sockets Layer protocol ensures the confidentiality of a message by using:	symmetric encryption	message authentication codes	hash function	digital signature certificates	a	Secure Sockets Layer (SSL) uses a symmetric key for message encryption.	CISAD5***	1,429	179.000	CISAD5***
The PRIMARY goal of a web site certificate is:	authentication of the web site that will be surfed	authentication of the user who surfs through that site	preventing surfing of the web site by hackers	the same purpose as that of a digital certificate	a	Authenticating the site to be surfed is the primary goal of a web certificate.	CISAD5	1,430	55.000	CISAD5
An IS auditor performing detailed network assessments and access control reviews should FIRST:	determine the points of entry into the network	evaluate users' access authorization	assess users' identification and authorization	evaluate the domain-controlling server configuration	a	In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry, accordingly, for appropriate controls.	CISAD5	1,431	89.000	CISAD5
The MOST serious challenge in the operation of an intrusion detection system is:	filtering false positives alerts	learning vendor-specific protocols	updating detection signatures	blocking eligible connections	a	Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents-false positives, the equivalent of a false alarm.	CISAD5***	1,432	149.000	CISAD5***
An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor?	Developers have the ability to create or de-provision servers	Developers could gain elevated access to production servers	Developers can affect the performance of production servers with their applications	Developers could install unapproved applications to any servers	a	Virtualization offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk.	CISAD5***	1,433	58.000	CISAD5***
Which of the following findings would be of GREATEST concern to an IS auditor during a review of logical access to an application?	Some developers have update access to production data	The file storing the application ID password is in cleartext in the production code	The change control team has knowledge of the application ID password	The application does not enforce the use of strong passwords	b	Compromise of the application ID password can result in untraceable, unauthorized changes to production data; storing the password in cleartext poses the greatest risk. While the production code may be protected from update access, it is viewable by development teams.	CISAD5***	1,434	89.000	CISAD5***
The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?	Using an intrusion detection system to report incidents	Mandating the use of passwords to access all software	Installing an efficient user log system to track the actions of each user	Training provided on a regular basis to all current and new employees	d	Regular training is an important part of a security awareness program.	CISAD5	1,435	26.000	CISAD5
A company determined that its web site was compromised, and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident?	A host-based intrusion prevention system	A network-based intrusion detection system	A firewall	Operating system patching	a	A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator.	CISAD5	1,436	32.000	CISAD5
The role of the certificate authority (CA) as a third party is to:	provide secured communication and networking services based on certificates	host a repository of certificates with the corresponding public and secret keys issued by that CA	act as a trusted intermediary between two communication partners	confirm the identity of the entity owning a certificate issued by that CA	d	The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued.	CISAD5	1,437	150.000	CISAD5
Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator?	Targeted testing	Internal testing	Double-blind testing	External testing	c	In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator.	CISAD5	1,438	142.000	CISAD5
Email traffic from the Internet is routed via firewall 1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:	alert the appropriate staff	create an entry in the log	close firewall 2	close firewall-1	b	Creating entry in the log is the first step taken by a network IDS. The IDS may also be configured to send an alert to the administrator, send a note to the firewall and may even be configured to record the suspicious packet.	CISAD5	1,439	95.000	CISAD5
An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic?	Corruption of the Address Resolution Protocol cache in Ethernet switches	Use of a default administrator password on the analog phone switch	Deploying virtual local area networks without enabling encryption	End users having access to software tools such as packet sniffer applications	a	On an Ethernet switch there is a data table known as the Address Resolution Protocol (ARP) cache, which stores mappings between media access control and IP addresses. If the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on VoIP traffic.	CISAD5***	1,440	80.000	CISAD5***
To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system between the:	Firewall and the organization's network	Internet and the firewall	Internet and the web server	Web server and the firewall	a	Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system (IDS) is placed between the firewall and the organization's network.	CISAD5***	1,441	109.000	CISAD5***
An IS auditor is reviewing the physical security controls of a data center and notices several areas for concern. Which of the following areas is the MOST important?	The emergency power off button cover is missing	Scheduled maintenance of the fire suppression system was not performed	There are no security cameras inside the data center	The emergency exit door is blocked	d	Life safety is always the highest priority; therefore, the blocking of the emergency exit is the most serious problem.	CISAD5	1,442	187.000	CISAD5
Which of the following choices BEST helps information owners to properly classify data?	Understanding of technical controls that protect data	Training on organizational policies and standards	Use of an automated data leak prevention tool	Understanding which people need to access the data	b	While implementing data classification, it is most essential that organizational policies and standards, including the data classification schema, are understood by the owner or custodian of the data so they can be properly classified.	CISAD5***	1,443	34.000	CISAD5***
A5-131 While auditing an internally developed web-application, an IS auditor determines that all business users share a common access profile. Which of the following is the MOST relevant recommendation to prevent the risk on unauthorized data modification?	Enable detailed logging of user actions.	Customize user access profiles per job responsibility.	Enforce strong password policy for all accounts.	Implement regular access rights review.	b	The strongest control is a preventive control that is automated through the system. Developing additional access profiles would ensure that the system restricts users to privileges defined by their job responsibilities and that an audit trail exists for those user actions.	CISAD5	1,444	49.000	CISAD5
A5-132 Which of the following is the MOST important security consideration to an organization that wants to move a business application to external cloud-service (PaaS) provided by a vendor?	Classification and categories of data process by the application.	Cost of hosting the application internally versus externally.	A reputation of a vendor on the market and feedbacks from clients.	Drop of application performance due to use of shared services.	a	Types of data and its sensitivity is a primary consideration, as there might be legal obligations related to data hosting and its level of protection (e.g. personal information, banking information, health information, etc.)	CISAD5***	1,445	83.000	CISAD5***
A5-133 Which of the following is BEST suited for secure communications within a small group?	Key distribution center	Certificate authority	Web of trust	Kerberos Authentication System	c	Web of trust is a key distribution method suitable for communication in a small group. It is used by tools such as pretty good privacy and distributes the public keys of users within a group.	CISAD5	1,446	91.000	CISAD5
A5-134 Which of the following is the MOST important action in recovering from a cyberattack?	Activating an incident response team	Hiring cyberforensic investigators	Executing a business continuity plan	Preserving evidence	a	Hopefully the incident response team and procedures were set up prior to the cyberattack. The first step is to activate the team, contain the incident and keep the business operational.	CISAD5	1,447	39.000	CISAD5
A5-135 What method might an IS auditor use to test wireless security at branch office locations?	War dialing	Social engineering	War driving	Password cracking	c	War driving is a technique for locating and gaining access to wireless networks by driving or walking around a building with a wireless-equipped computer.	CISAD5***	1,448	155.000	CISAD5***
A5-136 Which of the following intrusion detection systems will MOST likely generate false alarms resulting from normal network activity?	Statistical-based	Signature-based	Neural network	Host-based	a	A statistical-based intrusion detection system (IDS) relies on a definition of known and expected behavior of systems. Because normal network activity may, at times, include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious.	CISAD5***	1,449	13.000	CISAD5***
A5-137 When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:	hardware is protected against power surges.	integrity is maintained if the main power is interrupted.	immediate power will be available if the main power is lost.	hardware is protected against long-term power fluctuations.	a	A voltage regulator protects against short-term power fluctuations.	CISAD5	1,450	102.000	CISAD5
A5-138 In an organization where an IT security baseline has been defined an IS auditor should FIRST ensure:	implementation.	compliance.	documentation.	sufficiency.	d	An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements.	CISAD5***	1,451	181.000	CISAD5***
A5-139 Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?	Power line conditioners	Surge protective devices.	Alternative power supplies	Interruptible power supplies	a	Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment.	CISAD5***	1,452	165.000	CISAD5***
A5-140 An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers-one filled with carbon dioxide (CO₂), the other filled with halon gas. Which of the following should be given the HIGHEST priority in the IS auditor's report?	The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer	Both fire suppression systems present a risk of suffocation when used in a closed room.	The CO₂ extinguisher should be removed, because CO₂ is ineffective for suppressing fires involving solid combustibles (paper).	The documentation binders should be removed from the equipment room to reduce potential risk.	b	Protecting people's lives should always be of highest priority in fire suppression activities. Carbon dioxide (CO₂) and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards.	CISAD5***	1,453	165.000	CISAD5***
A5-141 What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?	Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.	The contingency plan for the organization cannot effectively test controlled access practices.	Access cards, keys and pads can be easily duplicated allowing easy compromise of the control.	Removing access for those who are no longer authorized is complex.	a	Piggybacking or tailgating can compromise the physical access controls.	CISAD5	1,454	113.000	CISAD5
A5-142 An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?	False-acceptance rate	Equal-error rate	False-rejection rate	False-identification rate	a	False-acceptance rate (FAR) is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptances is more important than the impact on the false reject rate.	CISAD5***	1,455	119.000	CISAD5***
A5-143 Which of the following groups would create MOST concern to an IS auditor if they have full access to the production database?	Application developers	System administrators	Business users	Information security team	a	Application developers having access to the production environment bear the highest risk. Due to their focus on delivery of changes, they tend to bypass quality assurance controls installing deficient changes into production environment.	CISAD5	1,456	171.000	CISAD5
A5-144 The BEST overall quantitative measure of the performance of biometric control devices is:	false-rejection rate.	false-acceptance rate.	equal-error rate.	estimated-error rate.	c	A low equal-error rate (EER) is a combination of a low FRR and a low FAR. EER, expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometrics control device.	CISAD5***	1,457	135.000	CISAD5***
A5-145 Which of the following is the MOST effective control over visitor access to a data center?	Visitors are escorted.	Visitor badges are required.	Visitors sign in.	Visitors are spot-checked by operators.	a	Escorting visitors will provide the best assurance that visitors have permission to access defined areas within the data processing facility.	CISAD5	1,458	197.000	CISAD5
A5-146 In a public key infrastructure, a registration authority:	verifies information supplied by the subject requesting a certificate.	issues the certificate after the required attributes are verified and the keys are generated.	digitally signs a message to achieve nonrepudiation of the signed message.	registers signed messages to protect them from future repudiation	a	A registration authority is responsible for verifying information supplied by the subject requesting a certificate and verifies the requestor's right to request a certificate on behalf of themselves or their organization.	CISAD5***	1,459	120.000	CISAD5***
A5-147 Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is:	restricted to predefined media access control addresses.	encrypted using static keys.	encrypted using dynamic keys.	initiated from devices that have encrypted storage.	c	When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted.	CISAD5***	1,460	81.000	CISAD5***
A5-148 Which of the following provides the MOST relevant information for proactively strengthening security settings?	Bastion host	Intrusion detection system	Honeypot	Intrusion prevention system	c	The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods.	CISAD5***	1,461	72.000	CISAD5***
A5-149 Over the long term, which of the following has the greatest potential to improve the security incident response process?	A walk-through review of incident response procedures	Simulation exercises performed by incident response team	Ongoing security training for users	Documenting responses to an incident	b	Simulation exercises to find the gaps and shortcomings in the actual incident response processes will help improve the process over time.	CISAD5	1,462	107.000	CISAD5
A5-150 When reviewing an intrusion detection system, an IS auditor should be MOST concerned about which of the following?	High number of false-positive alarms	Low coverage of network traffic	Network performance downgrade	Default detection settings	b	The cybersecurity attacks might not be timely identified if only small portion of network traffic is analyzed.	CISAD5***	1,463	203.000	CISAD5***
A5-151 Distributed denial-of-service attacks on Internet sites are typically evoked by hackers using which of the following?	Logic bombs	Phishing site	Spyware	Botnets	d	A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allows the attacker to access the device and its connection.	CISAD5	1,464	126.000	CISAD5
A5-152 Validated digital signatures in an email software application will:	help detect spam.	provide confidentiality.	add to the workload of gateway servers.	significantly reduce available bandwidth.	a	Validated electronic signatures are based on qualified certificates that are created by a certificate authority, with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority after a proof of identity has been passed. Using strong signatures in email traffic, nonrepudiation can be assured, and a sender can be tracked. The recipient can configure his/her email server or client to automatically delete emails from specific senders.	CISAD5	1,465	133.000	CISAD5
A5-153 In transport mode, the use of the Encapsulating Security Payload protocol is advantageous over the authentication header protocol because it provides:	connectionless integrity.	data origin authentication.	antireplay service.	confidentiality.	d	Only the ESP protocol provides confidentiality via encryption.	CISAD5	1,466	1.000	CISAD5
A5-154 IS management recently replaced its existing wired local area network with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?	Port scanning	Back door	Man-in-the-middle	War driving	d	A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside.	CISAD5***	1,467	169.000	CISAD5***
A5-155 Which of the following is the GREATEST concern associated with the use of peer-to-peer computing?	Virus infection	Data leakage	Network performance issues	Unauthorized software usage	b	Peer-to-peer computing can share the contents of a user hard drive over the Internet. The risk that sensitive data could be shared with others is the greatest concern.	CISAD5***	1,468	82.000	CISAD5***
A5-156 The IS management of a multinational company is considering upgrading its existing virtual private network to support Voice-over Internet Protocol communication via tunneling. Which of the following considerations should be PRIMARILY addressed?	Reliability and quality of service	Means of authentication	Privacy of voice transmissions	Confidentiality of data transmissions	a	Reliability and quality of service (QoS) are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service controls.	CISAD5***	1,469	6.000	CISAD5***
A5-157 Which of the following antispam filtering methods has the LOWEST possibility of false-positive alerts?	Rule-based	Check-sum based	Heuristic filtering	Statistic-based	b	The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters.	CISAD5	1,470	200.000	CISAD5
A5-158 Which of the following public key infrastructure (PKI) elements describes procedure for disabling a compromised private key?	Certificate revocation list	Certification practice statement	Certificate policy	PKI disclosure statement	b	The certification practice statement is the how-to document used in policy-based public key infrastructure (PKI).	CISAD5***	1,471	32.000	CISAD5***
A5-159 The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?	Replay	Brute force	Cryptographic	Mimic	a	Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by attacker to gain unauthorized access.	CISAD5***	1,472	198.000	CISAD5***
A5-160 An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor?	Determine whether compensating controls are in place.	Document the issue in the audit report.	Recommend an update to the procedures.	Discuss the issue with senior management.	a	An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place.	CISAD5***	1,473	107.000	CISAD5***
A5-161 Two-factor authentication can be circumvented through which of the following attacks?	Denial-of-service	Man-in-the-middle	Key logging	Brute force	b	A man-in-the-middle attack is similar to piggybacking in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted.	CISAD5***	1,474	32.000	CISAD5***
A5-162 An organization can ensure that the recipients of emails from its employees can authenticate the identity of the sender by:	digitally signing all email messages.	encrypting all email messages.	compressing all email messages.	password protecting all email messages.	a	By digitally signing all email messages, the receiver will be able to validate the authenticity of the sender.	CISAD5	1,475	158.000	CISAD5
A5-163 Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ?	Single sign-on authentication	Password complexity requirements	Two-factor authentication	Internet Protocol address restrictions	c	Two-factor authentication is the best method to provide a secure connection because it uses two factors, typically "what you have" (for example, a device to generate one-time-passwords), "what you are" (for example, biometric characteristics) or "what you know" (for example, a personal identification number or password).	CISAD5***	1,476	47.000	CISAD5***
A5-164 Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ?	Secret key encryption	Dynamic Internet Protocol address and port	Hash functions	Virtual private network tunnel	d	As ABC and XYZ are communicating over the Internet, which is an untrusted network, establishing an encrypted virtual private network tunnel would best ensure that the transmission of information was secure.	CISAD5	1,477	148.000	CISAD5
A5-165 The PRIMARY purpose of installing data leak prevention software is to:	restrict user access to confidential files stored on servers.	detect attempts to destroy sensitive data in an internal network.	block external systems from accessing internal resources.	control confidential documents leaving the internal network.	d	A server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network.	CISAD5	1,478	49.000	CISAD5
A5-166 Which of the following is a control that can be implemented to reduce risk of internal fraud if application programmers are allowed to move programs into the production environment in a small organization?	Post-implementation functional testing	Registration and review of changes	Validation of user requirements	User acceptance testing	b	An independent review of the changes to the program in production could identify potential unauthorized changes, versions or functionality that the programmer had put into production.	CISAD5	1,479	191.000	CISAD5
A5-167 A characteristic of User Datagram Protocol in network communications is:	packets may arrive out of order.	increased communication latency.	incompatibility with packet broadcast.	error correction may slow down processing.	a	User Datagram Protocol (UDP) uses a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated or get dropped.	CISAD5***	1,480	83.000	CISAD5***
A5-168 Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS?	Two-factor authentication	A digital certificate	Audit trails	Single sign-on authentication	c	Audit trails capture which user, at what time, and date, along with other details, has performed the transaction and this helps in establishing accountability among application users.	CISAD5***	1,481	194.000	CISAD5***
A5-169 An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:	reduces the risk of unauthorized access to the network.	is not suitable for small networks.	automatically provides an IP address to anyone.	increases the risk associated with Wireless Encryption Protocol (WEP).	a	Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used, and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access.	CISAD5	1,482	64.000	CISAD5
A5-170 Which of the following is MOST indicative of the effectiveness of an information security awareness program?	Employees report more information regarding security incidents.	All employees have signed the information security policy.	Most employees have attended an awareness session.	Information security responsibilities have been included in job descriptions.	a	Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are acting as a consequence of the awareness program.	CISAD5	1,483	191.000	CISAD5
A5-171 An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks?	Establish two physically separate networks.	Implement virtual local area network segmentation.	Install a dedicated router between the two networks.	Install a firewall between the networks.	d	In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network.	CISAD5	1,484	187.000	CISAD5
From a control perspective, the PRIMARY objective of classifying information assets is to:	establish guidelines for the level of access controls that should be assigned.	ensure access controls are assigned to all information assets.	assist management and auditors in risk assessment.	identify which assets need to be insured against losses.	a	Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset. Not all information needs to be protected through access controls. Overprotecting data would be expensive.	CISAD5***	1,485	111.000	CISAD5***
An IS auditor reviewing access controls for a client-server environment should FIRST:	evaluate the encryption technique.	identify the network access points.	review the identity management system.	review the application level access controls.	b	A client-server environment typically contains several access points and uses distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified.	CISAD5***	1,486	135.000	CISAD5***
To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet:	specifies the route that a packet should take through the network (the source routing field is enabled).	puts multiple destination hosts (the destination field has a broadcast address).	indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on).	allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled).	a	Internet Protocol (IP) spoofing takes advantage of the source-routing option in the IP. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing.	CISAD5***	1,487	140.000	CISAD5***
An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following offers the STRONGEST security?	Use of a point-to-point leased line	Use of a firewall rule to allow only the Internet Protocol address of the remote site.	Use of two-factor authentication	Use of a nonstandard port for Telnet	a	A leased line will effectively extend the local area network of the headquarters to the remote site, and the mainframe Telnet connection would travel over the private line, which would be less of a security risk when using an insecure protocol such as Telnet.	CISAD5***	1,488	25.000	CISAD5***
There is a concern that the risk of unauthorized access may increase after implementing a single sign-on process. To prevent unauthorized access, the MOST important action is to:	monitor failed authentication attempts.	review log files regularly.	deactivate unused accounts promptly.	mandate a strong password policy.	d	Strong passwords are important in any environment but take on special importance in an SSO environment, where a user enters a password only one time and thereafter has general access throughout the environment. Of the options given, only a strong password policy offers broad preventative effects.	CISAD5	1,489	161.000	CISAD5
An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:	IDS sensors are placed outside of the firewall.	a behavior-based IDS is causing many false alarms.	a signature-based IDS is weak against new types of attacks.	the IDS is used to detect encrypted traffic.	b	An excessive number of false alarms from a behavior-based intrusion detection system (IDS) indicates that additional tuning is needed. False positives cannot be eliminated entirely, but ignoring this warning sign may negate the value of the system by causing those responsible for monitoring its warnings to become convinced that anything reported is false.	CISAD5***	1,490	179.000	CISAD5***
Which of the following BEST describes the role of a directory server in a public key infrastructure?	Encrypts the information transmitted over the network	Makes other users' certificates available to applications	Facilitates the implementation of a password policy	Stores certificate revocation lists	b	A directory server makes other users' certificates available to applications.	CISAD5***	1,491	170.000	CISAD5***
An IS auditor is reviewing an organization's network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of:	a wet pipe-based fire suppression system.	a rented rack space in the NOC.	a carbon dioxide-based fire suppression system.	an uninterrupted power supply with 10 minutes of backup power.	c	CO2 systems should not be used in areas where people are present, because their function will cause suffocation in the event of a fire. Controls should consider personnel safety first.	CISAD5***	1,492	199.000	CISAD5***
Inadequate programming and coding practices increase the risk of:	social engineering.	buffer overflow exploitation.	synchronize flood.	brute force attacks.	b	Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and overwrite part of the program with arbitrary code, which will then be executed with the privileges of the program. The countermeasure is proper programming and good coding practices.	CISAD5	1,493	187.000	CISAD5
During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that, without ownership, there is no one with clear responsibility for:	updating group metadata.	reviewing existing user access.	approval of user access.	removing terminated users.	c	Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group.	CISAD5***	1,494	198.000	CISAD5***
An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?	Spoofing	Phishing	Buffer overflow	Denial of service	b	URL shortening services have been adopted by hackers to fool users and spread malware (i.e., phishing)	CISAD5	1,495	148.000	CISAD5
When installing an intrusion detection system, which of the following is MOST important?	Properly locating it in the network architecture	Preventing denial-of-service attacks	Identifying messages that need to be quarantined	Minimizing the rejection errors	a	Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected.	CISAD5***	1,496	148.000	CISAD5***
Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program?	Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.	Job descriptions contain clear statements of accountability for information security.	In accordance with the degree of risk and business impact, there is adequate funding for security efforts.	No actual incidents have occurred that have caused a loss or a public embarrassment.	b	The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security.	CISAD5***	1,497	108.000	CISAD5***
Which of the following features of a public key infrastructure is MOST closely associated with proving that an online transaction was authorized by a specific customer?	Nonrepudiation	Encryption	Authentication	Integrity	a	Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.	CISAD5***	1,498	123.000	CISAD5***
After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?	Fine-grained access control	Role-based access control	Access control lists	Network/service access control	b	Authorization in this case can best be addressed by role-based access control (RBAC) technology. RBAC controls according to job roles or functions. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation.	CISAD5***	1,499	175.000	CISAD5***
During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:	an unauthorized user may use the ID to gain access.	user access management is time consuming.	user accountability is not established.	passwords are easily guessed.	c	The use of a single user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is more difficult to hold anyone accountable.	CISAD5	1,500	109.000	CISAD5
To protect a Voice-over Internet Protocol infrastructure against a denial-of-service attack, it is MOST important to secure the:	access control servers.	session border controllers.	backbone gateways.	intrusion detection system.	b	Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and DoS attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service.	CISAD5***	1,501	14.000	CISAD5***
In an online banking application, which of the following would BEST protect against identity theft?	Encryption of personal password	Restricting the user to a specific terminal	Two-factor authentication	Periodic review of access logs	c	Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know such as a password; something you have such as a token; and something you are which is biometric. Requiring two of these factors makes identity theft more difficult.	CISAD5	1,502	45.000	CISAD5
An IS auditor has found that employees are emailing sensitive company information to public web-based email domains. Which of the following is the BEST remediation option for the IS auditor to recommend?	Encrypted mail accounts	Training and awareness	Activity monitoring	Data loss prevention	d	Data loss prevention is an automated preventive tool that can block sensitive information from leaving the network, while at the same time logging the offenders. This is a better choice than relying on training and awareness because it works equally well when there is intent to steal data.	CISAD5***	1,503	28.000	CISAD5***
Which of the following potentially blocks hacking attempts?	Intrusion detection system	Honeypot system	Intrusion prevention system	Network security scanner	c	An intrusion prevention system is deployed as an inline device on a network or host that can detect and block hacking attempts.	CISAD5	1,504	79.000	CISAD5
A web server is attacked and compromised. Organizational policy states that incident response should balance containment of an attack with retaining freedom for later legal action against an attacker. Under the circumstances, which of the following should be performed FIRST?	Dump the volatile storage data to a disk	Run the server in a fail-safe mode	Disconnect the web server from the network	Shut down the web server	c	The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker.	CISAD5	1,505	11.000	CISAD5
What is the BEST approach to mitigate the risk of a phishing attack?	Intrusion detection	Security assessment	Strong authentication	User education	d	The best way to mitigate the risk of phishing is to educate users to take caution with suspicious Internet communications and not to trust them until verified. Users may require regular training to recognize suspicious web pages and email as the means and methods of threat actors evolve.	CISAD5	1,506	4.000	CISAD5
A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?	Set up an exit interview with human resources	Initiate the handover process to ensure continuity of the project	Terminate the developer's logical access to IT resources	Ensure that management signs off on the termination paperwork	c	To protect IT assets, terminating logical access to IT resources is the first and most important action to take after management has confirmed the employee's clear intention to leave the enterprise.	CISAD5	1,507	18.000	CISAD5
Which of the following is a passive attack to a network?	Message modification	Masquerading	Denial-of-service	Traffic analysis	d	Traffic analysis allows a watching threat actor to determine the nature of the flow of traffic between defined hosts, which may allow the threat actor to guess the type of communication taking place without taking an active role.	CISAD5	1,508	89.000	CISAD5
The MOST likely explanation for a successful social engineering attack is:	computer error	judgment error	expertise	technology	b	Social engineering is fundamentally about obtaining from someone a level of trust that is not warranted.	CISAD5***	1,509	108.000	CISAD5***
A company is planning to install a network-based intrusion detection system to protect the web site that it hosts. Where should the device be installed?	On the local network	Outside the firewall	In the demilitarized zone	On the server that hosts the web site	c	Network-based IDSs detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the demilitarized zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to act.	CISAD5***	1,510	124.000	CISAD5***
An IS auditor is evaluating a virtual machine (VM)-based architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?	Server configuration has been hardened appropriately	Allocated physical resources are available	System administrators are trained to use the VM architecture	The VM server is included in the disaster recovery plan	a	The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture.	CISAD5***	1,511	45.000	CISAD5***
In what capacity would an IS auditor MOST likely see a hash function applied?	Authentication	Identification	Authorization	Encryption	a	The purpose of a hash function is to produce a "fingerprint" of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources.	CISAD5***	1,512	1.000	CISAD5***
The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service attack is to deny all:	outgoing traffic with source addresses external to the network	incoming traffic with discernible spoofed IP source addresses	incoming traffic that includes options set in the Internet Protocol	incoming traffic whose destination address belongs to critical hosts	a	Outgoing traffic with an Internet Protocol (IP) source address different than the internal IP range in the network is invalid. In most of the cases, it signals a denial-of-service attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the infected machine from participating in the attack.	CISAD5***	1,513	85.000	CISAD5***
The purpose of a mantrap controlling access to a computer facility is PRIMARILY to:	prevent piggybacking	prevent toxic gases from entering the data center	starve a fire of oxygen	prevent rapid movement in or out of the facility	a	The intended purpose of a mantrap controlling access to a computer facility is primarily to prevent piggybacking.	CISAD5	1,514	90.000	CISAD5
Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a software as a service (SaaS) model with an external provider?	Workstation upgrades must be performed	Long-term software acquisition costs are higher	Contract with the provider does not include onsite technical support	Incident handling procedures with the provider are not well defined	d	A SaaS provider does not normally have onsite support for the organization. Therefore, incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes.	CISAD5	1,515	134.000	CISAD5
A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is:	use of the user's electronic signature by another person if the password is compromised	forgery by using another user's private key to sign a message with an electronic signature	impersonation of a user by substitution of the user's public key with another person's public key	forgery by substitution of another person's private key on the computer	a	The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk.	CISAD5***	1,516	3.000	CISAD5***
Which of the following would be BEST prevented by a raised floor in the computer machine room?	Damage of wires around computers and servers	A power failure from static electricity	Shocks from earthquakes	Water flood damage	a	The primary reason for having a raised floor is to enable ventilation systems, power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risk posed when cables are placed in a spaghetti-like fashion on an open floor.	CISAD5***	1,517	157.000	CISAD5***
A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data?	Introduce a secondary authentication method such as card swipe	Apply role-based permissions within the application system	Have users input the ID and password for each database transaction	Set an expiration period for the database password embedded in the program	b	This is a normal process to allow the application to communicate with the database. Therefore, the best control is to control access to the application and procedures to ensure that access to data is granted based on a user's role.	CISAD5	1,518	138.000	CISAD5
An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?	The tools used to conduct the test	Certifications held by the IS auditor	Permission from the data owner of the server	An intrusion detection system is enabled	c	The data owner should be informed of the risk associated with a penetration test, the timing of the test, what types of tests are to be conducted and other relevant details.	CISAD5	1,519	140.000	CISAD5
The GREATEST benefit of having well-defined data classification policies and procedures is:	a more accurate inventory of information assets	a decreased cost of controls	a reduced risk of inappropriate system access	an improved regulatory compliance	b	An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, costlier than is required based on the data classification.	CISAD5***	1,520	139.000	CISAD5***
Which of the following criteria are MOST needed to ensure that log information is admissible in court? Ensure that data have been:	independently time stamped	recorded by multiple logging systems	encrypted by the most secure algorithm	verified to ensure log integrity	d	It is important to assure that log information existed at a certain point of time and it has not been altered. Therefore, evidential credibility of log information is enhanced when there is proof that no one has tampered with this information, something typically accomplished by maintaining a documented chain of custody.	CISAD5	1,521	128.000	CISAD5
Which of the following is the MOST reliable form of single factor personal identification?	Smart card	Password	Photo identification	Iris scan	d	Because no two irises are alike, identification and verification can be done with confidence.	CISAD5	1,522	190.000	CISAD5
Which of the following controls would be MOST effective in reducing the risk of loss due to fraudulent online payment requests?	Transaction monitoring	Protecting web sessions using Secure Sockets Layer	Enforcing password complexity for authentication	Inputting validation checks on web forms	a	An electronic payment system could be the target of fraudulent activities. An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process.	CISAD5***	1,523	19.000	CISAD5***
Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network. Regarding the PIN, what is the MOST important rule to be included in a security policy?	Users should not leave tokens where they could be stolen	Users must never keep the token in the same bag as their laptop computer	Users should select a PIN that is completely random, with no repeating digits	Users should never write down their PIN	d	If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method.	CISAD5***	1,524	106.000	CISAD5***
A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?	Reviewing logs frequently	Testing and validating the rules	Training a local administrator at the new location	Sharing firewall administrative duties	b	A mistake in the rule set can render a firewall ineffective or insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment.	CISAD5	1,525	33.000	CISAD5
A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?	Badge readers are installed in locations where tampering would be noticed	The computer that controls the badge system is backed up frequently	A process for promptly deactivating lost or stolen badges is followed	All badge entry attempts are logged, whether or not they succeed	c	The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, having and following a process of deactivating lost or stolen badges is important.	CISAD5***	1,526	80.000	CISAD5***
What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?	Malicious code could be spread across the network	The VPN logon could be spoofed	Traffic could be sniffed and decrypted	The VPN gateway could be compromised	a	Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic.	CISAD5***	1,527	5.000	CISAD5***
The use of digital signatures:	requires the use of a one-time password generator	provides encryption to a message	validates the source of a message	ensures message confidentiality	c	The use of a digital signature verifies the identity of the sender.	CISAD5	1,528	117.000	CISAD5
The FIRST step in successful attack to a system is:	gathering information	gaining access	denying services	evading detection	a	Successful attacks start by gathering Information about the target system. This is done in advance so that the attacker gets to know the target systems and the potential vulnerabilities that can be exploited in the attack.	CISAD5***	1,529	34.000	CISAD5***
Which of the following methods BEST mitigates the risk of disclosing confidential information through the use of social networking sites?	Providing security awareness training	Requiring a signed acceptable use policy	Monitoring the use of social media	Blocking access to social media	a	Providing security awareness training is the best method to mitigate the risk of disclosing confidential information on social networking sites. It is important to remember that users may access these services through other means such as mobile phones and home computers; therefore, awareness training is most critical.	CISAD5	1,530	53.000	CISAD5
An IS auditor finds that conference rooms have active network ports. Which of the following would prevent this discovery from causing concern?	The corporate network is using an intrusion prevention system	This part of the network is isolated from the corporate network	A single sign-on has been implemented in the corporate network	Antivirus software is in place to protect the corporate network	b	If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated.	CISAD5	1,531	71.000	CISAD5
When conducting a penetration test of an IT system, an organization should be MOST concerned with:	the confidentiality of the report	finding all weaknesses on the system	restoring systems to the original state	logging changes made to production systems	c	After the test is completed, the systems must be restored to their original state. In performing the test, changes may have been made to firewall rules, user IDs created, or false files uploaded. These must all be cleaned up before the test is completed.	CISAD5***	1,532	23.000	CISAD5***
An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST:	determine whether system developers have proper training on adequate security measures	determine whether system administrators have disabled security controls for any reason	verify that security requirements have been properly specified in the project plan	validate whether security controls are based on requirements which are no longer valid	c	If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. Depending on whether the requirements were included in the plan would affect the recommendations the auditor would make.	CISAD5***	1,533	44.000	CISAD5***
When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?	Personal firewall	Antivirus programs	Intrusion detection system	Virtual local area network configuration	c	An IDS would be the next line of defense after the firewall. It would detect anomalies in the network/server activity and try to detect the perpetrator.	CISAD5***	1,534	109.000	CISAD5***
Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?	User registration and password policies	User security awareness	Use of intrusion detection/intrusion prevention systems	Domain name system server security hardening	d	The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.	CISAD5***	1,535	110.000	CISAD5***
Which of the following would MOST effectively enhance the security of a challenge-response based authentication system?	Selecting a more robust algorithm to generate challenge strings	Implementing measures to prevent session hijacking attacks	Increasing the frequency of associated password changes	Increasing the length of authentication strings	b	Challenge response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology.	CISAD5***	1,536	47.000	CISAD5***
When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?	Using a cryptographic hashing algorithm	Enciphering the message digest	Calculating a checksum of the transaction	Using a sequence number and time stamp	d	When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection and could be used to verify that a payment instruction was not duplicated.	CISAD5***	1,537	106.000	CISAD5***
In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit?	Device authentication and data origin authentication	Wireless intrusion detection and intrusion prevention systems	The use of cryptographic hashes	Packet headers and trailers	c	Calculating cryptographic hashes for wireless communications allows the receiving device to verify that the received communications have not been altered in transit. This prevents masquerading and message modification attacks.	CISAD5	1,538	94.000	CISAD5
An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access?	Implement Wired Equivalent Privacy	Permit access to only authorized media access control addresses	Disable open broadcast of service set identifiers	Implement Wi-Fi Protected Access 2	d	Wi-Fi Protected Access (WPA) 2 implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol and the pre-shared secret key authentication model.	CISAD5	1,539	93.000	CISAD5
An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability?	An implicit deny rule as the last rule in the rule base	Installation on an operating system configured with default settings	Rules permitting or denying access to systems or networks	Configuration as a virtual private network endpoint	b	Default settings of most equipment-including operating systems are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software.	CISAD5	1,540	19.000	CISAD5
The GREATEST risk from an improperly implemented intrusion prevention system is:	too many alerts for system administrators to verify	decreased network performance due to additional traffic	blocking of critical systems or services due to false triggers	reliance on specialized expertise within the IT organization	c	An IPS prevents a connection or service based on how it is programmed to react to specific incidents. If the IPS is triggered based on incorrectly defined or nonstandard behavior, it may block the service or connection of a critical internal system.	CISAD5	1,541	142.000	CISAD5
When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk?	There is no registration authority for reporting key compromises	The certificate revocation list is not current	Digital certificates contain a public key that is used to encrypt messages and verify digital signatures	Subscribers report key compromises to the certificate authority	b	If the certificate revocation list is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities.	CISAD5***	1,542	54.000	CISAD5***
When using a digital signature, the message digest is computed by the:	sender only	receiver only	sender and receiver both	certificate authority	c	A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm.	CISAD5	1,543	111.000	CISAD5
Which of the following would effectively verify the originator of a transaction?	Using a secret password between the originator and the receiver	Encrypting the transaction with the receiver's public key	Using a portable document format to encapsulate transaction content	Digitally signing the transaction with the source's private key	d	A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify the identity of the source of a transaction and the integrity of its content to a recipient.	CISAD5	1,544	115.000	CISAD5
An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor?	A login screen is not displayed for guest users	The guest network is not segregated from the production network	Guest users who are logged in are not isolated from each other	A single factor authentication technique is used to grant access	b	If the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information. The implication of this is that guests have access to the organization's network.	CISAD5	1,545	139.000	CISAD5
Which of the following provides the GREATEST assurance for database password encryption?	Secure hash algorithm-256	Advanced encryption standard	Secure Shell	Triple data encryption standard	b	The use of advanced encryption standard (AES) is a secure encryption algorithm that is appropriate for encrypting passwords.	CISAD5***	1,546	92.000	CISAD5***
The reason a certification and accreditation process is performed on critical systems is to ensure that:	Security compliance has been technically evaluated	Data have been encrypted and are ready to be stored	The systems have been tested to run on different platforms	The systems have followed the phases of a waterfall model	a	Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration.	CISAD5	1,547	196.000	CISAD5
A perpetrator looking to gain access to and gather information about encrypted data being transmitted over a network would MOST likely use:	eavesdropping	spoofing	traffic analysis	masquerading	c	In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted, and eavesdropping would not yield any meaningful results.	CISAD5	1,548	174.000	CISAD5
A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft?	Web browser cookies are not automatically deleted	The computer is improperly configured	System updates have not been applied on the computer	Session time out is not activated	d	If an authenticated session is inactive and unattended, it can be hijacked and used for illegal purposes. It might then be difficult to establish the intruder because a legitimate session was used.	CISAD5***	1,549	2.000	CISAD5***
The MOST effective biometric control system is the one with:	the highest equal-error rate	the lowest equal-error rate	a false-rejection rate equal to the false acceptance rate	a false rejection rate equal to the failure-to-enroll rate	b	The biometric that has the lowest EER is the most effective. The EER of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR).	CISAD5	1,550	123.000	CISAD5
Which of the following is a form of two-factor user authentication?	A smart card and personal identification number	A unique User ID and complex, non-dictionary password	An iris scan and a fingerprint scan	A magnetic-strip card and a proximity badge	a	A smart card is something that a user has, while a personal identification number paired with the card is something the user knows. This is an example of two-factor authentication.	CISAD5	1,551	78.000	CISAD5
An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:	Non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.	access cards are not labeled with the organization's name and address to facilitate easy return of a lost card.	card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.	the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure,	a	Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card, driver's license).	CISAD5***	1,552	85.000	CISAD5***
When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?	Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization.	All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.	Hard disks are rendered unrcadable by hole-punching through the platters at specific positions before leaving the organization.	The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, wherc the hard disks are registered and then shredded.	b	Deleting and formatting only marks the sectors that contained files as being free. Publicly available tools are sufficient for someone to reconstruct data from hard drives prepared this way.	CISAD5	1,553	46.000	CISAD5
A new business application requires deviation from the standard configuration of the operating system (OS). What activity should the IS auditor recommend to the security manager as a FIRST response?	Initial rejection of the request because it is against the security policy	Approval of the exception to policy to meet business needs	Assessment of the risk and identification of compensating controls	Revision of the OS baseline configuration	c	Before approving any exception, the security manager should first check for compensating controls and assess the possible risk due to deviation.	CISAD5	1,554	186.000	CISAD5
An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?	Stateful inspection firewall	Web content filter	Web cache server	Proxy server	b	A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available uniform resource locator blacklists and classifications for millions of web sites.	CISAD5	1,555	172.000	CISAD5
Which of the following specifically addresses how to detect cyberattacks against an organization's IT systems and how to recover from an attack?	An incident response plan	An IT contingency plan	A business continuity plan	A continuity of operations plan	a	The incident response plan (IRP) determines the information security responses to incidents such as cyberattacks on systems and/or networks. This plan establishes procedures to enable security personnel to identify, mitigate and recover from malicious computer incidents such as unauthorized access to a system or data, denial-of-service or unauthorized changes to system hardware or software.	CISAD5	1,556	47.000	CISAD5
The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure:	the confidentiality of the message	nonrepudiation by the sender	the authenticity of the message	the integrity of data transmitted by the sender	d	If the hash sum is different from what is expected, it implies that the message has been altered. This is an integrity test.	CISAD5	1,557	59.000	CISAD5
The computer security incident response team of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:	use this information to launch attacks	forward the security alert	implement individual solutions	fail to understand the threat	a	An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly.	CISAD5	1,558	73.000	CISAD5
Which of the following would be an indicator of the effectiveness of a computer security incident response team?	Financial impact per security incident	Number of security vulnerabilities that were patched	Percentage of business applications that are being protected	Number of successful penetration tests	a	The most important indicator is the financial impact per security incident. It may not be possible to prevent incidents entirely, but the team should be able to limit the cost of incidents through a combination of effective prevention, detection and response.	CISAD5***	1,559	142.000	CISAD5***
A5-247 A benefit of quality of service is that the:	entire network's availability and performance will be significantly improved.	telecom carrier will provide the company with accurate service-level compliance reports.	participating applications will have bandwidth guaranteed.	communications link will be supported by security controls to perform secure online transactions.	c	The main function of QoS is to optimize network performance by assigning priority to business applications and end users through the allocation of dedicated parts of the bandwidth to specific traffic. QoS will not guarantee that the communication itself will be improved or provide security controls. The QoS tools that many carriers use do not provide reports of service levels.	CISAD5***	1,560	110.000	CISAD5***
A5-248 Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?	The use of diskless workstations	Periodic checking of hard drives	The use of current antivirus software	Policies that result in instant dismissal if violated	b	The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded onto the network. Diskless workstations and policies are preventive controls. Antivirus software will not necessarily identify illegal software unless it contains a virus.	CISAD5***	1,561	21.000	CISAD5***
A5-249 An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation?	Symmetric key encryption	Digital signatures	Message digest algorithms	Digital certificates	d	Digital certificates provide confidentiality through public-private key encryption, integrity, and nonrepudiation through trusted third-party verification. Other options lack one or more of these features.	CISAD5***	1,562	78.000	CISAD5***
A5-250 An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:	passwords can be reused by employees within a defined time frame.	user accounts are not locked out after five failed attempts.	system administrators use shared login credentials.	password expiration is not automated.	c	The use of shared login credentials by administrators makes accountability impossible and poses the most severe risk, especially for privileged accounts.	CISAD5	1,563	100.000	CISAD5
A5-251 The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be?	There is no significant potential risk.	Soft zoning presents a potential risk.	Disabling of unused ports presents a potential risk.	The SAN administrator presents a potential risk.	d	The SAN administrator presents a potential risk due to lack of segregation of duties and being a single point of failure. This poses risks to system administration and security control validation.	CISAD5	1,564	154.000	CISAD5
A5-252 Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?	Sensitive data might be read by operators.	Data might be amended without authorization.	Unauthorized report copies might be printed.	Output might be lost in the event of system failure.	c	Spooling for offline printing may enable additional copies to be printed unless adequate safeguards exist as compensating controls. This is considered the most serious risk among the options given.	CISAD5***	1,565	142.000	CISAD5***
A5-253 Web and email filtering tools are valuable to an organization PRIMARILY because they:	protect the organization from viruses and nonbusiness materials.	maximize employee performance.	safeguard the organization's image.	assist the organization in preventing legal issues.	a	The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email. Other options are secondary benefits.	CISAD5	1,566	152.000	CISAD5
A5-254 Which of the following types of firewalls provide the GREATEST degree and granularity of control?	Screening router	Packet filter	Application gateway	Circuit gateway	c	The application gateway works at a more detailed level (OSI Layers 5 and 7) compared to other options, providing the greatest degree and granularity of control.	CISAD5***	1,567	108.000	CISAD5***
A5-255 After installing a network, an organization implemented a vulnerability assessment tool to identify possible weaknesses. Which type of reporting poses the MOST serious risk associated with such tools?	Differential	False-positive	False-negative	Less-detail	c	False-negative reporting means control weaknesses in the network are not identified, leaving the network vulnerable to attack. This poses the most serious risk among the options given.	CISAD5	1,568	6.000	CISAD5
A5-256 Which of the following is the MOST reliably effective method for dealing with the spread of a network worm that exploits vulnerability in a protocol?	Install the latest vendor security patches immediately.	Block the protocol traffic in the perimeter firewall.	Block the protocol traffic between internal network segments.	Stop the services that the protocol uses.	d	Stopping the services is the most effective way to prevent a worm from spreading, as it directly addresses the means of propagation at the lowest practical level.	CISAD5***	1,569	145.000	CISAD5***
A5-257 An IS auditor is reviewing an organization's controls related to email encryption. The company's policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. In a public-key infrastructure implementation properly configured to provide confidentiality, email is:	encrypted with the sender's private key and decrypted with the sender's public key.	encrypted with the recipient's private key and decrypted with the sender's private key.	encrypted with the sender's private key and decrypted with the recipient's private key.	encrypted with the recipient's public key and decrypted with the recipient's private key.	d	Encrypting a message with the recipient's public key and decrypting it with the recipient's private key ensures message confidentiality, as only the intended recipient has the correct private key to decrypt the message.	CISAD5***	1,570	127.000	CISAD5***
A5-258 Which of the following types of firewalls would BEST protect a network from an Internet attack?	Screened subnet firewall	Application filtering gateway	Packet filtering router	Circuit-level gateway	a	A screened subnet firewall would provide the best protection by isolating Internet-based traffic from the rest of the corporate network.	CISAD5***	1,571	83.000	CISAD5***
A5-259 Neural networks are effective in detecting fraud because they can:	discover new trends because they are inherently linear.	solve problems where large and general sets of training data are not obtainable.	address problems that require consideration of a large number of input variables.	make assumptions about the shape of any curve relating variables to the output.	c	Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods.	CISAD5	1,572	113.000	CISAD5
A5-260 Which of the following BEST encrypts data on mobile devices?	Elliptical curve cryptography	Data encryption standard	Advanced encryption standard	The Blowfish algorithm	a	Elliptical curve cryptography (ECC) requires limited bandwidth resources and is suitable for encrypting mobile devices.	CISAD5***	1,573	87.000	CISAD5***
A5-261 Confidentiality of transmitted data can best be delivered by encrypting the	Message digest with the sender's private key.	Session key with the sender's public key.	Messages with the receiver's private key.	Session key with the receiver's public key.	d	This will ensure that the session key can only be obtained using the receiver's private key, retained by the receiver, thus ensuring confidentiality.	CISAD5***	1,574	151.000	CISAD5***
A5-262 The risk of dumpster diving is BEST mitigated by:	Implementing security awareness training.	Placing shred bins in copy rooms.	Developing a media disposal policy.	Placing shredders in individual offices.	a	Users should be educated to know the risk of carelessly discarding sensitive documents and other items, which is the most effective way to mitigate dumpster diving.	CISAD5***	1,575	100.000	CISAD5***
A5-263 An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?	A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall.	Firewall policies are updated on the basis of changing requirements.	Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.	The firewall is placed on top of the commercial operating system with all default installation options.	d	The greatest concern is the potential presence of vulnerabilities in the underlying operating system that could undermine the security posture of the firewall platform itself, especially with all default installation options.	CISAD5	1,576	25.000	CISAD5
A5-264 An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation?	Physically secure wireless access points to prevent tampering.	Use service set identifiers that clearly identify the organization.	Encrypt traffic using the Wired Equivalent Privacy mechanism.	Implement the Simple Network Management Protocol to allow active monitoring.	a	Physically securing access points addresses the risk of malicious parties tampering with device settings, which is crucial for maintaining the security of the WLAN.	CISAD5***	1,577	184.000	CISAD5***
A5-265 Which of the following situations would increase the likelihood of fraud?	Application programmers are implementing changes to production programs.	Administrators are implementing vendor patches to vendor-supplied software without following change control procedures.	Operations support staff members are implementing changes to batch schedules.	Database administrators are implementing changes to data structures.	a	Lack of control over changes to production programs could result in application programs being modified to manipulate the data, increasing the likelihood of fraud.	CISAD5	1,578	195.000	CISAD5
A5-266 A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that:	The users may not remember to manually encrypt the data before transmission.	The site credentials were sent to the financial services company via email.	Personnel at the consulting firm may obtain access to sensitive data.	The use of a shared user ID to the FTP site does not allow for user accountability.	a	If the data is not encrypted, an unauthorized external party may download sensitive company data. This is the greatest risk compared to the other options.	CISAD5***	1,579	63.000	CISAD5***
A5-267 Java applets and Active X controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when:	A firewall exists.	A secure web connection is used.	The source of the executable file is certain.	The host web site is part of the organization.	c	Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets.	CISAD5***	1,580	117.000	CISAD5***
A5-268 Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?	Parity check	Echo check	Block sum check	Cyclic redundancy check	d	The cyclic redundancy check (CRC) can check for a block of transmitted data and can detect all single-bit and double-bit errors, making it most effective for detecting bursts of errors.	CISAD5***	1,581	45.000	CISAD5***
A5-269 Which of the following types of transmission media provide the BEST security against unauthorized access?	Copper wire	Shielded twisted pair	Fiber-optic cables	Coaxial cables	c	Fiber-optic cables have proven to be more secure and more difficult to tap than the other media.	CISAD5***	1,582	141.000	CISAD5***
A5-270 Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?	Review the parameter settings.	Interview the firewall administrator.	Review the actual procedures.	Review the device's log file for recent attacks.	a	A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation.	CISAD5***	1,583	102.000	CISAD5***
A5-271 An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol technology. Which of the following is the GREATEST concern?	Voice communication uses the same equipment that is used for data communication.	Ethernet switches are not protected by uninterrupted power supply units.	Voice communication is not encrypted on the local network.	The team that supports the data network also is responsible for the telephone system.	b	In the case of even a brief power outage, not having backup power on all network devices makes it impossible to send or receive phone calls, which is a significant concern for a call center.	CISAD5	1,584	68.000	CISAD5
A5-272 Which of the following would BEST ensure continuity of a wide area network across the organization?	Built-in alternative routing	Complete full system backup daily	A repair contract with a service provider	A duplicate machine alongside each server	a	Alternative routing would ensure that the network would continue if a communication device fails or if a link is severed because message rerouting could be automatic.	CISAD5***	1,585	35.000	CISAD5***
A5-273 An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources department. Which of the following should be the GREATEST concern to an IS auditor?	The service level agreement (SLA) ensures strict limits for uptime and performance.	The cloud provider will not agree to an unlimited right-to-audit as part of the SLA.	The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider.	The cloud provider's physical data centers are in multiple cities and countries.	d	Having data in multiple countries is the greatest concern because HR applicant data could contain personally identifiable information. There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy.	CISAD5***	1,586	160.000	CISAD5***
A5-274 An organization is reviewing its contract with a cloud computing provider. For which of the following reasons would the organization want to remove a lock-in clause from the cloud service contract?	Availability	Portability	Agility	Scalability	b	When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause to secure portability of their system assets (i.e., the right to transfer from one vendor to another).	CISAD5***	1,587	184.000	CISAD5***
A5-275 Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?	Inheritance	Dynamic warehousing	Encapsulation	Polymorphism	c	Encapsulation is a property of objects that prevents accessing either properties or methods that have not been previously defined as public, enhancing security over data.	CISAD5	1,588	178.000	CISAD5
A5-276 A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that:	analysis is required to determine if a pattern emerges that results in a service loss for a short period of time.	WAN capacity is adequate for the maximum traffic demands because saturation has not been reached.	the line should immediately be replaced by one with a larger capacity to provide approximately 85 percent saturation.	users should be instructed to reduce their traffic demands or distribute them across all service hours to flatten bandwidth consumption.	a	The peak at 96 percent could be a one-off incident, so analysis to establish whether this is a regular pattern and what causes this behavior should be carried out before recommending any action.	CISAD5***	1,589	78.000	CISAD5***
A5-277 Which of the following BEST limits the impact of server failures in a distributed environment?	Redundant pathways	Clustering	Dial backup lines	Standby power	b	Clustering allows two or more servers to work as a unit so that when one of them fails, the other takes over, best limiting the impact of server failures.	CISAD5	1,590	48.000	CISAD5
A5-278 The MAIN reason for requiring that all computer clocks across an organization are synchronized is to:	Prevent omission or duplication of transactions.	Ensure smooth data transition from client machines to servers.	Ensure that email messages have accurate time stamps.	Support the incident investigation process.	d	During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult.	CISAD5***	1,591	56.000	CISAD5***
A5-279 When reviewing the configuration of network devices, an IS auditor should FIRST identify:	The good practices for the type of network devices deployed	Whether components of the network are missing	The importance of the network devices in the topology	Whether subcomponents of the network are being used appropriately	c	The first step is to understand the importance and role of the network device within the organization's network topology before proceeding with other assessments.	CISAD5***	1,592	161.000	CISAD5***
A5-280 Which of the following will BEST maintain the integrity of a firewall log?	Granting access to log information only to administrators	Capturing log events in the operating system layer	Writing dual logs onto separate storage media	Sending log information to a dedicated third-party log server	d	Establishing a dedicated third-party log server and logging events in it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, the risk of unauthorized log modification is mitigated, therefore improving the integrity of log information.	CISAD5***	1,593	115.000	CISAD5***
A5-281 An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:	The organization is not permitted to assess the controls in the participating vendor's site.	The service level agreement does not address the responsibility of the vendor in the case of a security breach.	Laws and regulations are different in the countries of the organization and the vendor.	The organization is using an older version of a browser and is vulnerable to certain types of security risk.	b	When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.	CISAD5***	1,594	124.000	CISAD5***
A5-282 Which one of the following can be used to provide automated assurance that proper data files are being used during processing?	File header record	Version usage	Parity checking	File security controls	a	A file header record provides assurance that proper data files are being used, and it allows for automatic checking.	CISAD5	1,595	138.000	CISAD5
A5-283 A cyclic redundancy check is commonly used to determine the:	Accuracy of data input.	Integrity of a downloaded program.	Adequacy of encryption.	Validity of data transfer.	d	The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check.	CISAD5	1,596	196.000	CISAD5
A5-284 An IS auditor is performing a review of a network. Users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to FIRST:	Use a protocol analyzer to perform network analysis and review error logs of local area network equipment.	Take steps to increase the bandwidth of the connection to the Internet.	Create a baseline using a protocol analyzer and implement quality of service to ensure that critical business applications work as intended.	Implement virtual local area networks to segment the network and ensure performance	a	In this case, the first step is to identify the problem through review and analysis of network traffic. Using a protocol analyzer and reviewing the log files of the related switches or routers will determine whether there is a configuration issue or hardware malfunction.	CISAD5***	1,597	51.000	CISAD5***
A5-285 In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?	Automated logging of changes to development libraries	Additional staff to provide separation of duties	Procedures that verify that only approved program changes are implemented	Access controls to prevent the operator from making program modifications	c	An IS auditor should recommend a formal change control process that manages and can detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This is a compensating control process.	CISAD5***	1,598	80.000	CISAD5***
Which of the following outlines the overall authority to perform an IS audit?	A. The audit scope with goals and objectives	B. A request from management to perform an audit	C. The approved audit charter	D. The approved audit schedule	c	A. The audit scope is specific to a single audit and does not grant authority to perform an audit. B. A request from management to perform an audit is not sufficient because it relates to a specific audit. C. The approved audit charter outlines the auditor’s responsibility, authority and accountability. D. The approved audit schedule does not grant authority to perform an audit.	CISAC1***	1,599	130.000	CISAC1***
In performing a risk-based audit, which risk assessment is completed FIRST by an IS auditor?	A. Detection risk assessment	B. Control risk assessment	C. Inherent risk assessment	D. Fraud risk assessment	c	A. Detection risk assessment is performed only after the inherent and control risk assessments have been performed to determine ability to detect errors within a targeted process. B. Control risk assessment is performed after the inherent risk assessment has been completed and is to determine the level of risk that remains after controls for the targeted process are in place. C. Inherent risk exists independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit, an IS auditor needs to understand the business process; by understanding the business process, an IS auditor better understands the inherent risk. D. Fraud risk assessments are a subset of a control risk assessment in which an audit and assurance professional determines if the control risk addresses the ability of internal and/or external parties to commit fraudulent transactions within the system.	CISAC1***	1,600	201.000	CISAC1***
Which of the following would an IS auditor MOST likely focus on when developing a risk-based audit program?	A. Business processes	B. Administrative controls	C. Environmental controls	D. Business strategies	a	A. A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risk impacts the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes. B. Administrative controls, while an important subset of controls, are not the primary focus needed to understand the business processes within scope of the audit. C. Like administrative controls, environmental controls are an important control subset; however, they do not address high-level overarching business processes under review. D. Business strategies are the drivers for business processes; however, in this case, an IS auditor is focusing on the business processes that were put in place to enable the organization to meet the strategy.	CISAC1	1,601	55.000	CISAC1
Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?	A. Control risk	B. Detection risk	C. Inherent risk	D. Sampling risk	c	A. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. B. Detection risk is the risk that a material misstatement with a management assertion will not be detected by an audit and assurance professional’s substantive tests. It consists of two components: sampling risk and nonsampling risk. C. Inherent risk is the risk level or exposure without considering the actions that management has taken or might take. D. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. Nonsampling risk is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error.	CISAC1***	1,602	154.000	CISAC1***
An IS auditor performing a review of an application’s controls finds a weakness in system software that could materially impact the application. In this situation, an IS auditor should:	A. Disregard these control weaknesses because a system software review is beyond the scope of this review.	B. Conduct a detailed system software review and report the control weaknesses.	C. Include in the report a statement that the audit was limited to a review of the application’s controls.	D. Review the system software controls as relevant and recommend a detailed system software review.	d	A. An IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. B. The conduct of a detailed systems software review may hamper the audit’s schedule, and an IS auditor may not be technically competent to do such a review at this time. C. If there are control weaknesses that have been discovered by an IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. D. The appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.	CISAC1	1,603	138.000	CISAC1
Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?	A. To plan for deployment of available audit resources	B. To consider changes to the risk environment	C. To provide inputs for documentation of the audit charter	D. To identify the applicable IS audit standards	b	A. Planning for deployment of available audit resources is determined by the audit assignments planned, which are influenced by the planning process. B. Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise. C. The audit charter reflects the mandate of top management to the audit function and resides at a more abstract level. D. Applicability of IS audit standards, guidelines and procedures is universal to any audit engagement and is not influenced by short- and long-term issues.	CISAC1	1,604	149.000	CISAC1
Which of the following is MOST effective for implementing a control self-assessment within small business units?	A. Informal peer reviews	B. Facilitated workshops	C. Process flow narratives	D. Data flow diagrams	b	A. Informal peer reviews would not be as effective because they would not necessarily identify and assess all control issues. B. Facilitated workshops work well within small business units. C. Process flow narratives would not be as effective because they would not necessarily identify and assess all control issues. D. Data flow diagrams would not be as effective because they would not necessarily identify and assess all control issues.	CISAC1***	1,605	189.000	CISAC1***
Which of the following would an IS auditor perform FIRST when planning an IS audit?	A. Define audit deliverables.	B. Finalize the audit scope and audit objectives.	C. Gain an understanding of the business’s objectives and purpose.	D. Develop the audit approach or audit strategy.	c	A. Defining audit deliverables is dependent upon having a thorough understanding of the business’s objectives and purpose. B. Finalizing the audit scope and objectives is dependent upon having a thorough understanding of the business’s objectives and purpose. C. The first step in audit planning is to gain an understanding of the business’s mission, objectives and purpose—which, in turn, identifies the relevant policies, standards, guidelines, procedures and organization structure. D. Developing the audit approach or strategy is dependent upon having a thorough understanding of the business’s objectives and purpose.	CISAC1	1,606	26.000	CISAC1
The approach an IS auditor should use to plan IS audit coverage should be based on:	A. risk.	B. materiality.	C. fraud monitoring.	D. sufficiency of audit evidence.	a	A. Audit planning requires a risk-based approach. B. Materiality pertains to potential weaknesses or absences of controls while planning a specific engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness. C. Fraud monitoring pertains to the identification of fraud-related transactions and patterns and may play a part in audit planning, but only as it pertains to organizational risk. D. Sufficiency of audit evidence pertains to the evaluation of the sufficiency of evidence obtained to support conclusions and achieve specific engagement objectives.	CISAC1***	1,607	158.000	CISAC1***
An organization performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is an example of a:	A. preventive control.	B. management control.	C. corrective control.	D. detective control.	c	A. Preventive controls are those that avert problems before they arise. Backup tapes cannot be used to prevent damage to files and, therefore, cannot be classified as a preventive control. B. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and, therefore, do not fit the definition of a management control. C. A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage of files, thereby reducing the impact of a disruption. D. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting error.	CISAC1	1,608	26.000	CISAC1
In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?	A. A central document repository	B. A knowledge management system	C. A dashboard	D. Benchmarking	c	A dashboard provides a set of information to illustrate compliance of the processes, applications and configurable elements and keeps the enterprise on course.	CISAC2	1,609	3.000	CISAC2
Which of the following would be included in an IS strategic plan?	A. Specifications for planned hardware purchases	B. Analysis of future business objectives	C. Target dates for development projects	D. Annual budgetary targets for the IT department	b	IS strategic plans must address the needs of the business and meet future business objectives. Hardware purchases may be outlined, but not specified, and neither budget targets nor development projects are relevant choices.	CISAC2	1,610	61.000	CISAC2
Which of the following BEST describes an IT department’s strategic planning process?	A. The IT department will have either short- or long-range plans depending on the organization’s broader plans and objectives.	B. The IT department’s strategic plan must be time- and project-oriented but not so detailed as to address and help determine priorities to meet business needs.	C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.	D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.	c	Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.	CISAC1***	1,611	22.000	CISAC1***
The MOST important responsibility of a data security officer in an organization is:	A. recommending and monitoring data security policies.	B. promoting security awareness within the organization.	C. establishing procedures for IT security policies.	D. administering physical and logical access controls.	a	A data security officer’s prime responsibility is recommending and monitoring data security policies.	CISAC2	1,612	161.000	CISAC2
What is considered the MOST critical element for the successful implementation of an information security program?	A. An effective enterprise risk management framework	B. Senior management commitment	C. An adequate budgeting process	D. Meticulous program planning	b	Commitment from senior management provides the basis to achieve success in implementing an information security program.	CISAC1***	1,613	76.000	CISAC1***
An IS auditor should ensure that IT governance performance measures:	A. evaluate the activities of IT oversight committees.	B. provide strategic IT drivers.	C. adhere to regulatory reporting standards and definitions.	D. evaluate the IT department.	a	Evaluating the activities of boards and committees providing oversight is an important aspect of governance and should be measured.	CISAC1***	1,614	111.000	CISAC1***
Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?	A. Security administration and change management	B. Computer operations and system development	C. System development and change management	D. System development and system maintenance	d	It is common for system development and maintenance to be undertaken by the same person. In both, the programmer requires access to the source code in the development environment but should not be allowed access in the production environment.	CISAC1***	1,615	164.000	CISAC1***
Which of the following is the MOST critical control over database administration (DBA)?	A. Approval of DBA activities	B. Segregation of duties in regard to access rights granting/revoking	C. Review of access logs and activities	D. Review of the use of database tools	b	Segregation of duties (SoD) will prevent combination of conflicting functions. This is a preventive control, and it is the most critical control over DBA.	CISAC2	1,616	112.000	CISAC2
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?	A. Origination	B. Authorization	C. Recording	D. Correction	b	Authorization should be separated from all aspects of record keeping (origination, recording and correction). Such a separation enhances the ability to detect the recording of unauthorized transactions.	CISAC2	1,617	134.000	CISAC2
In a small organization where segregation of duties (SoD) is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?	A. Automated logging of changes to development libraries	B. Additional staff to provide SoD	C. Procedures that verify that only approved program changes are implemented	D. Access controls to prevent the operator from making program modifications	c	The IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so the changes can be reviewed by a third party on a regular basis. This would be a compensating control process.	CISAC2	1,618	164.000	CISAC2
3-1 To assist in testing an essential banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor’s PRIMARY concern is that the data should be:	A. sanitized.	B. complete.	C. representative.	D. current.	a	Test data should be sanitized to prevent sensitive data from leaking to unauthorized persons. Although it is important that the data set be complete, encompass a representation of the transactional data, and represent current data being processed, the primary concern is that test data should be sanitized to prevent sensitive data from leaking to unauthorized persons.	CISAC3	1,619	102.000	CISAC3
3-2 Which of the following is the PRIMARY purpose for conducting parallel testing?	A. To determine whether the system is cost-effective	B. To enable comprehensive unit and system testing	C. To highlight errors in the program interfaces with files	D. To ensure the new system meets user requirements	d	The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Although parallel testing may show that the old system is more cost-effective, unit and system testing are completed before parallel testing, and program interfaces with files are tested for errors during system testing, these are not the primary reasons.	CISAC3	1,620	140.000	CISAC3
3-3 When conducting a review of business process reengineering, an IS auditor found that an important preventive control had been removed. In this case, the IS auditor should:	A. inform management of the finding and determine whether management is willing to accept the potential material risk of not having that preventive control.	B. determine if a detective control has replaced the preventive control during the process, and if it has not, report the removal of the preventive control.	C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process.	D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.	a	Those in management should be informed immediately to determine whether they are willing to accept the potential material risk of not having that preventive control in place. Although the existence of a detective control instead of a preventive control usually increases the risk, and monitoring the new process might be necessary, the immediate step is to inform management.	CISAC1***	1,621	89.000	CISAC1***
3-4 Which of the following data validation edits is effective in detecting transposition and transcription errors?	A. Range check	B. Check digit	C. Validity check	D. Duplicate check	b	A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered (e.g., an incorrect, but valid, value substituted for the original). This control is effective in detecting transposition and transcription errors. Range check, validity check, and duplicate check do not effectively detect these errors.	CISAC1***	1,622	41.000	CISAC1***
3-5 Which of the following weaknesses would be considered the MOST serious in enterprise resource planning software used by a financial organization?	A. Access controls have not been reviewed.	B. Limited documentation is available.	C. Two-year-old backup tapes have not been replaced.	D. Database backups are performed once a day.	a	A lack of review of access controls in a financial organization could have serious consequences given the types of data and assets that could be accessed. Limited documentation, outdated backup tapes, and daily database backups are less critical compared to access control issues.	CISAC1***	1,623	59.000	CISAC1***
3-6 When auditing the requirements phase of a software acquisition, an IS auditor should:	A. assess the reasonability of the project timetable.	B. assess the vendor’s proposed quality processes.	C. ensure that the best software package is acquired.	D. review the completeness of the specifications.	d	The purpose of the requirements phase is to specify the functionality of the proposed system; therefore, an IS auditor would concentrate on the completeness of the specifications. Assessing the project timetable, vendor’s quality processes, or ensuring the best software package is acquired comes after completing the requirements phase.	CISAC3	1,624	119.000	CISAC3
3-7 An organization decides to purchase a software package instead of developing it. In such a case, the design and development phases of a traditional system development life cycle would be replaced with:	A. selection and configuration phases	B. feasibility and requirements phases	C. implementation and testing phases	D. nothing, as replacement is not required.	a	With a purchased package, the design and development phases of the traditional life cycle have become replaceable with selection and configuration phases. Feasibility and requirements, implementation, and post-implementation phases remain unaltered.	CISAC1***	1,625	119.000	CISAC1***
3-8 User specifications for a software development project using the traditional (waterfall) system development life cycle methodology have not been met. An IS auditor looking for a cause should look in which of the following areas?	A. Quality assurance	B. Requirements	C. Development	D. User training	b	To fail at user specifications implies that requirements engineering has been done to describe the users’ demands. Otherwise, there would not be a baseline of specifications to check against. Issues in quality assurance, development, or user training might be relevant but the primary cause lies in the requirements phase.	CISAC1***	1,626	83.000	CISAC1***
3-9 When introducing thin client architecture, which of the following types of risk regarding servers is significantly increased?	A. Integrity	B. Concurrency	C. Confidentiality	D. Availability	d	The main change when using thin client architecture is making the servers critical to the operation; therefore, the probability that one of them fails is increased and, as a result, the availability risk is increased. Integrity, concurrency, and confidentiality risks do not significantly change.	CISAC1***	1,627	75.000	CISAC1***
3-10 Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)?	A. Segment counts built into the transaction set trailer	B. A log of the number of messages received, periodically verified with the transaction originator	C. An electronic audit trail for accountability and tracking	D. Matching acknowledgment transactions received to the log of EDI messages sent	a	Control totals built into the trailer record of each segment is the only option that will ensure all individual transactions sent are received completely. Logs, electronic audit trails, and matching acknowledgment transactions provide supporting evidence but are not as effective in ensuring completeness.	CISAC1***	1,628	157.000	CISAC1***
Which one of the following provides the BEST method for determining the level of performance provided by similar information processing facility environments?	A. User satisfaction	B. Goal accomplishment	C. Benchmarking	D. Capacity and growth planning	c	Benchmarking provides a means of determining the level of performance offered by similar information processing facility environments.	CISAC4	1,629	129.000	CISAC4
For mission critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor, in principle, recommends the use of which of the following recovery options?	A. Mobile site	B. Warm site	C. Cold site	D. Hot site	d	Hot sites are fully configured and ready to operate within several hours or, in some cases, even minutes.	CISAC4	1,630	148.000	CISAC4
Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?	A. Trace from system-generated information to the change management documentation	B. Examine change management documentation for evidence of accuracy	C. Trace from the change management documentation to a system-generated audit trail	D. Examine change management documentation for evidence of completeness	a	When testing change management, the IS auditor should always start with system-generated information, containing the date and time a module was last updated, and trace from there to the documentation authorizing the change.	CISAC4	1,631	106.000	CISAC4
Which of the following would allow an enterprise to extend its intranet across the Internet to its business partners?	A. Virtual private network	B. Client-server	C. Dial-up access	D. Network service provider	a	Virtual private network (VPN) technology allows external partners to securely participate in the extranet using public networks as a transport or shared private network. Because of low cost, using public networks (Internet) as a transport is the principal method. VPNs rely on tunneling/encapsulation techniques, which allow the Internet Protocol (IP) to carry a variety of different protocols (e.g., SNA and IPX).	CISAC4	1,632	184.000	CISAC4
The classification based on criticality of a software application as part of an IS business continuity plan is determined by the:	A. nature of the business and the value of the application to the business.	B. replacement cost of the application.	C. vendor support available for the application.	D. associated threats and vulnerabilities of the application.	a	The criticality classification is determined by the role of the application system in supporting the strategy of the organization.	CISAC4	1,633	147.000	CISAC4
When conducting an audit of client-server database security, the IS auditor should be MOST concerned about the availability of:	A. system utilities.	B. application program generators.	C. systems security documentation.	D. access to stored procedures.	a	System utilities may enable unauthorized changes to be made to data on the client-server database. In an audit of database security, the controls over such utilities would be the primary concern of the IS auditor.	CISAC1***	1,634	131.000	CISAC1***
When reviewing a network used for Internet communications, an IS auditor will FIRST examine the:	A. validity of password change occurrences.	B. architecture of the client-server application.	C. network architecture and design.	D. firewall protection and proxy servers.	c	The first step in auditing a network is to understand the network architecture and design. Understanding the network architecture and design provides an overall picture of the network and its connectivity.	CISAC4	1,635	39.000	CISAC4
An IS auditor should be involved in:	A. observing tests of the disaster recovery plan.	B. developing the disaster recovery plan.	C. maintaining the disaster recovery plan.	D. reviewing the disaster recovery requirements of supplier contracts.	a	The IS auditor should always be present when disaster recovery plans are tested to ensure that the tested recovery procedures meet the required targets for restoration, that recovery procedures are effective and efficient, and to report on the results, as appropriate.	CISAC4	1,636	38.000	CISAC4
Data mirroring should be implemented as a recovery strategy when:	A. recovery point objective (RPO) is low.	B. recovery point objective (RPO) is high.	C. recovery time objective (RTO) is high.	D. disaster tolerance is high.	a	Recovery point objective (RPO) is the earliest point in time at which it is acceptable to recover the data. In other words, RPO indicates the age of the recovered data (i.e., how long ago the data were backed up or otherwise replicated). If RPO is very low, such as minutes, it means that the organization cannot afford to lose even a few minutes of data. In such cases, data mirroring (synchronous data replication) should be used as a recovery strategy.	CISAC4	1,637	46.000	CISAC4
Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department?	A. Developing the business continuity plan	B. Selecting and approving the recovery strategies used in the business continuity plan	C. Declaring a disaster	D. Restoring the IT systems and data after a disaster	d	The IT department of an organization is primarily responsible for restoring the IT systems and data after a disaster within the designated timeframes.	CISAC4	1,638	168.000	CISAC4
An IS auditor reviewing the configuration of a signature-based intrusion detection system would be MOST concerned if which of the following is discovered?	Auto-update is turned off.	Scanning for application vulnerabilities is disabled.	Analysis of encrypted data packets is disabled.	The IDS is placed between the demilitarized zone and the firewall.	a	The most important aspect in a signature-based intrusion detection system (IDS) is its ability to protect against known (signature) intrusion patterns. Such signatures are provided by the vendor and are critical to protecting an enterprise from outside attacks.	CISAC1***	1,639	27.000	CISAC1***
Which of the following BEST provides access control to payroll data being processed on a local server?	Logging access to personal information	Using separate passwords for sensitive transactions	Using software that restricts access rules to authorized staff	Restricting system access to business hours	c	The server and system security should be defined to allow only authorized staff members access to information about the staff whose records they handle on a day-to-day basis.	CISAC5	1,640	187.000	CISAC5
An IS auditor has just completed a review of an organization that has a mainframe computer and two database servers where all production data reside. Which of the following weaknesses would be considered the MOST serious?	The security officer also serves as the database administrator.	Password controls are not administered over the two database servers.	There is no business continuity plan for the mainframe system’s noncritical applications.	Most local area networks do not back up file-server-fixed disks regularly.	b	The absence of password controls on the two database servers, where production data reside, is the most critical weakness.	CISAC5	1,641	41.000	CISAC5
An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:	maximum unauthorized access would be possible if a password is disclosed.	user access rights would be restricted by the additional security parameters.	the security administrator’s workload would increase.	user access rights would be increased.	a	If a password is disclosed when single sign-on is enabled, there is a risk that unauthorized access to all systems will be possible.	CISAC5	1,642	100.000	CISAC5
When reviewing an implementation of a Voice-over Internet Protocol system over a corporate wide area network, an IS auditor should expect to find:	an integrated services digital network data link.	traffic engineering.	wired equivalent privacy encryption of data.	analog phone terminals.	b	To ensure that quality of service requirements are achieved, the VoIP service over the wide area network should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed to provide quality of service and class of service support using statistical techniques, such as traffic engineering.	CISAC1***	1,643	182.000	CISAC1***
An insurance company is using public cloud computing for one of its critical applications to reduce costs. Which of the following would be of MOST concern to the IS auditor?	The inability to recover the service in a major technical failure scenario	The data in the shared environment being accessed by other companies	The service provider not including investigative support for incidents	The long-term viability of the service if the provider goes out of business	b	Considering that an insurance company must preserve the privacy/confidentiality of customer information, unauthorized access to information and data leakage are the major concerns.	CISAC5	1,644	157.000	CISAC5
Which of the following BEST determines whether complete encryption and authentication protocols for protecting information while being transmitted exist?	A digital signature with RSA has been implemented.	Work is being done in tunnel mode with the nested services of authentication header (AH) and encapsulating security payload (ESP).	Digital certificates with RSA are being used.	Work is being done in transport mode with the nested services of AH and ESP.	b	Tunnel mode provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested.	CISAC5	1,645	43.000	CISAC5
Which of the following concerns about the security of an electronic message would be addressed by digital signatures?	Unauthorized reading	Theft	Unauthorized copying	Alteration	d	A digital signature includes an encrypted hash total of the size of the message as it was transmitted by its originator. This hash would no longer be accurate if the message was altered subsequently, indicating that the alteration had occurred.	CISAC5	1,646	82.000	CISAC5
Which of the following characterizes a distributed denial-of-service attack?	Central initiation of intermediary computers to direct simultaneous spurious message traffic at a specified target site	Local initiation of intermediary computers to direct simultaneous spurious message traffic at a specified target site	Central initiation of a primary computer to direct simultaneous spurious message traffic at multiple target sites	Local initiation of intermediary computers to direct staggered spurious message traffic at a specified target site	a	This best describes a distribute denial-of-service (DDoS) attack. Such attacks are centrally initiated and involve the use of multiple compromised computers. The attacks work by flooding the target site with spurious data, thereby overwhelming the network and other related resources. To achieve this objective, the attacks need to be directed at a specific target and occur simultaneously.	CISAC1***	1,647	195.000	CISAC1***
Which of the following is the MOST effective preventive antivirus control?	Scanning email attachments on the mail server	Restoring systems from clean copies	Disabling universal serial bus ports	An online antivirus scan with up-to-date virus definitions	d	Antivirus software can be used to prevent virus attacks. By running regular scans, it can also be used to detect virus infections that have already occurred. Regular updates of the software are required to ensure it is able to update, detect and treat viruses as they emerge.	CISAC5	1,648	116.000	CISAC5









question	a	b	c	d	answer	justification	ref	sn	toughmark	chapter

Archives

Categories

Meta