Test 1

Uploaded by

Jeeju

Question 1: Skipped

During an IS audit, which is the BEST method for an IS auditor to evaluate the
implementation of segregation of duties within an IT department?

Evaluate the organizational structure.

Discuss it with the IT managers.

(Correct)

Research past IT audit reports.

Review the IT job descriptions.

Explanation

Discuss with the IT managers is correct. Discussing the implementation of segregation of
duties with the IT managers is the best way to determine how responsibilities are assigned
within the department. Review the IT job descriptions is incorrect. Job descriptions may not
be the best source of information because they can be outdated or what is documented in
the job descriptions may be different from what is actually performed. Research past IT
audit reports is incorrect. Past IS audit reports are not the best source of information
because they may not accurately describe how IT responsibilities are assigned. Evaluate the
organizational structure is incorrect. Evaluating the organizational structure may give a
limited view on the allocation of IT responsibilities. The responsibilities also may have
changed over time.
Question 2: Skipped
After reviewing its business processes, a large organization is deploying a new web
application based on a Voice-over Internet Protocol technology. Which of the
following is the MOST appropriate approach for implementing access control that will
facilitate security management of the VoIP web application?

Access control lists

Network/service access control

Role-based access control

(Correct)

Fine-grained access control

Explanation

Role-based access control (RBAC) is correct. Authorization in this case can best be
addressed by RBAC technology. RBAC controls access according to job roles or functions.
RBAC is easy to manage and can enforce strong and efficient access controls in large-scale
web environments including VoIP implementation. Fine-grained access control is incorrect.
This control on Voice-over Internet Protocol (VoIP) web applications does not scale to
enterprise-wide systems because it is primarily based on individual user identities and their
specific technical privileges. Access control lists is incorrect. This approach on VoIP web
applications does not scale to enterprise-wide systems because they are primarily based on
individual user identities and their specific technical privileges. Network/service access
control is incorrect. This addresses VoIP availability but does not address application-level
access or authorization.
Question 3: Skipped
An advantage in using a bottom-up vs. a top-down approach to software testing is
that:

interface errors are detected earlier.

major functions and processing are tested earlier.

confidence in the system is achieved earlier.

errors in critical modules are detected earlier.

(Correct)

Explanation

Errors in critical modules are detected earlier is correct. The bottom-up approach to
software testing begins with the testing of atomic units, such as programs and modules, and
works upward until a complete system testing has taken place. The advantages of using a
bottom-up approach to software testing are the fact that errors in critical modules are
found earlier. Interface errors are detected earlier is incorrect. Interface errors will not be
found until later in the testing process—as a result of integration or system testing.
Confidence in the system is achieved earlier is incorrect. Confidence in the system cannot be
obtained until the testing is completed. Major functions and processing are tested earlier is
incorrect. Bottom-up testing tests individual components and major functions and
processing will not be adequately tested until systems and integration testing is completed.
Question 4: Skipped
In the context of effective information security governance, the primary objective of
value delivery is to:

optimize security investments in support of business objectives.

(Correct)

implement a continuous improvement culture.

implement a standard set of security practices.

institute a standards-based solution.

Explanation

Optimize security investments in support of business objectives is correct. In the context of
effective information security governance, value delivery is implemented to ensure
optimization of security investments in support of business objectives. Implement a
standard set of security practices is incorrect. The tools and techniques for implementing
value delivery include implementation of a standard set of security practices; however,
implementation of standards is a means to achieve the objective of supporting value
delivery, not the objective itself. Institute a standards-based solution is incorrect. Value
delivery may be supported through the use of standards-based solutions, but the use of
standards-based solutions is not the goal of value delivery. Implement a continuous
improvement culture is incorrect. Continuous improvement culture in relation to a security
program is a process, not an objective.
Question 5: Skipped
Doing which of the following during peak production hours could result in
unexpected downtime?

Performing data migration or tape backup

Performing preventive maintenance on electrical systems

(Correct)

Reconfiguring a standby router in the data center

Promoting applications from development to the staging environment

Explanation

Performing preventive maintenance on electrical systems is correct. Preventive maintenance
activities should be scheduled for non-peak times of the day, and preferably during a
maintenance window time period. A mishap or incident caused by a maintenance worker
could result in unplanned downtime. Performing data migration or tape backup is incorrect.
Performing data migration may impact performance but would not cause downtime.
Promoting applications from development to the staging environment is incorrect.
Promoting applications into a staging environment (not production) should not affect
systems operations in any significant manner. Reconfiguring a standby router in the data
center is incorrect. Reconfiguring a standby router should not cause unexpected downtime
because the router is not operational and any problems should not affect network traffic.
Question 6: Skipped
When reviewing a hardware maintenance program, an IS auditor should assess
whether:

it is in line with historical trends.

the program is validated against vendor specifications.

(Correct)

it has been approved by the IS steering committee.

the schedule of all unplanned maintenance is maintained.

Explanation

The program is validated against vendor specifications is correct. Although maintenance
requirements vary based on complexity and performance workloads, a hardware
maintenance schedule should be validated against the vendor-provided specifications. The
schedule of all unplanned maintenance is maintained is incorrect. Unplanned maintenance
cannot be scheduled. It is in line with historical trends is incorrect. Hardware maintenance
programs do not necessarily need to be in line with historic trends. It has been approved by
the IS steering committee is incorrect. Maintenance schedules normally are not approved by
the steering committee.
Question 7: Skipped
Which of the following should be the MOST important consideration when deciding
on areas of priority for IT governance implementations?

Assurance reports

Process maturity

Performance indicators

Business risk

(Correct)

Explanation

Business risk is correct. Priority should be given to those areas that represent a known risk
to the enterprise operations. Process maturity is incorrect. The level of process maturity will
evolve as the implementation of the IT governance program occurs and may feed into the
decision-making process. Those areas that represent real risk to the business should be
given priority. Performance indicators is incorrect. The level of process performance will
demonstrate the effectiveness of the program but will not be the means to establish
priorities for governance. Those areas that represent real risk to the business should be
given priority. Assurance reports is incorrect. Audit reports will provide assurance of the
effectiveness of the implementation of governance but will not determine the priorities for
program. Those areas that represent real risk to the business should be given priority.
Question 8: Skipped
Which of the following is the GREATEST concern associated with the use of peer-to-
peer computing?

Data leakage

(Correct)

Network performance issues

Virus infection

Unauthorized software usage

Explanation
Data leakage is correct. Peer-to-peer computing can share the contents of a user hard drive
over the Internet. The risk that sensitive data could be shared with others is the greatest
concern. Virus infection is incorrect. While peer-to-peer computing does increase the risk of
virus infection, the risk of data leakage is more severe, especially if it contains proprietary
data or intellectual property. Network performance issues is incorrect. Peer-to-peer
computing may use more network bandwidth and, therefore, may create performance
issues. However, data leakage is a more severe risk. Unauthorized software usage is
incorrect. Peer-to-peer computing may be used to download or share unauthorized
software, which users could install on their PCs unless other controls prevent it. However,
data leakage is a more severe risk.
Question 9: Skipped
When reviewing the IT strategic planning process, an IS auditor should ensure that the
plan:

addresses the required operational controls.

articulates the IT mission and vision.

(Correct)

incorporates state of the art technology.

specifies project management practices.

Explanation

Articulates the IT mission and vision is correct. The IT strategic plan must include a clear
articulation of the IT mission and vision. Incorporates state of the art technology is incorrect.
The plan does not need to address state of the art technology; the decision to implement
new technology is dependent on the approach to risk and management strategy. Addresses
the required operational controls is incorrect. The plan does not need to address
operational controls because those are too granular for strategic planning. Specifies project
management practices is incorrect. The plan should be implemented with proper project
management, but the plan does not need to address project management practices.
Question 10: Skipped
An IS auditor of a large organization is reviewing the roles and responsibilities of the
IT function and finds some individuals serving multiple roles. Which one of the
following combinations of roles should be of GREATEST concern for the IS auditor?

System administrators are application programmers.

(Correct)

Network administrators are responsible for quality assurance.

Systems analysts are database administrators.

End users are security administrators for critical applications.

Explanation

System administrators are application programmers is correct. When individuals serve
multiple roles, this represents a separation-of-duties problem with associated risk. System
administrators should not be application programmers, due to the associated rights of both
functions. A person with both system and programming rights can do almost anything on a
system, including creating a back door. The other combinations of roles are valid from a
separation of duties perspective. Network administrators are responsible for quality
assurance is incorrect. Ideally, network administrators should not be responsible for quality
assurance because they could approve their own work. However, that is not as serious as
the combination of system administrator and application programmer, which would allow
nearly unlimited abuse of privilege. End users are security administrators for critical
applications is incorrect. In some distributed environments, especially with small staffing
levels, users may
also manage security. Systems analysts are database administrators is incorrect. While a
database administrator is a very privileged position it would not be in conflict with the role
of a systems analyst.
Question 11: Skipped
Validated digital signatures in an email software application will:

help detect spam.

(Correct)

add to the workload of gateway servers.

significantly reduce available bandwidth.

provide confidentiality.

Explanation

Help detect spam is correct. Validated electronic signatures are based on qualified
certificates that are created by a certificate authority, with the technical standards required
to ensure the key can neither be forced nor reproduced in a reasonable time. Such
certificates are only delivered through a registration authority after a proof of identity has
been passed. Using strong signatures in email traffic, nonrepudiation can be assured, and a
sender can be tracked. The recipient can configure his/her email server or client to
automatically delete emails from specific senders. Provide confidentiality is incorrect. For
confidentiality issues, one must use encryption, not a signature. Add to the workload of
gateway servers is incorrect. Without any filters directly applied on mail gateway servers to
block traffic without strong signatures, the workload will not increase. Using filters directly
on a gateway server will result in an overhead less than antivirus software imposes.
Significantly reduce available bandwidth is incorrect. Digital signatures are only a few bytes
in size and will not slash bandwidth. Even if gateway servers were to check certificate
revocation lists, there is little overhead.
Question 12: Skipped
Which of the following would effectively verify the originator of a transaction?

Encrypting the transaction with the receiver's public key

Digitally signing the transaction with the source's private key

(Correct)

Using a secret password between the originator and the receiver

Using a portable document format to encapsulate transaction content

Explanation

Digitally signing the transaction with the source’s private key is correct. A digital signature is
an electronic identification of a person, created by using a public key algorithm, to verify the
identity of the source of a transaction and the integrity of its content to a recipient. Using a
secret password between the originator and the receiver is incorrect. Because they are a
“shared secret” between the user and the system itself, passwords are considered a weaker
means of authentication. Encrypting the transaction with the recipient’s public key is
incorrect. This will provide confidentiality for the information but will not verify the source.
Using a portable document format to encapsulate transaction content is incorrect. This will
protect the integrity of the content but not necessarily authorship.
Question 13: Skipped
When developing a disaster recovery plan, the criteria for determining the acceptable
downtime should be the:

annual loss expectancy.

quantity of orphan data.

service delivery objective.

maximum tolerable outage.

(Correct)

Explanation
Maximum tolerable outage is correct. Recovery time objective is determined based on the
acceptable downtime in case of a disruption of operations. It indicates the maximum
tolerable outage that an organization considers to be acceptable before a system or process
must resume following a disaster. Annual loss expectancy (ALE) is incorrect. The acceptable
downtime would not be determined by the ALE; ALE is related to risk management
calculations, not disaster recovery. Service delivery objective is incorrect. This is relevant to
business continuity, but it is not determined by acceptable downtime. Quantity of orphan
data is incorrect. This is relevant to business continuity, but it is not determined by
acceptable downtime.
Question 14: Skipped
While conducting a business continuity audit, which of the following would be MOST
important for an IS auditor to verify?

Human safety procedures are in place.

(Correct)

Data backups are performed on a timely basis.

A recovery site is contracted for and available as needed.

Insurance coverage is adequate and premiums are current.

Explanation

Human safety procedures are in place is correct. The most important element in any
business continuity process is the protection of human life. This takes precedence over all
other aspects of the plan. Data backups are performed on a timely basis is incorrect.
Performing data backups is necessary for a business continuity plan, but the IS auditor will
always be most concerned with human safety. A recovery site is contracted for and available
as needed is incorrect. A recovery site is important for business continuity, but life safety is
always the first priority. Insurance coverage is adequate and premiums are current is
incorrect. Insurance coverage is not as important as life safety.
Question 15: Skipped
An IS auditor reviewing wireless network security determines that the Dynamic Host
Configuration Protocol is disabled at all wireless access points. This practice:

automatically provides an IP address to anyone.

increases the risk associated with Wireless Encryption Protocol.

reduces the risk of unauthorized access to the network.

(Correct)

is not suitable for small networks.

Explanation

Reduces the risk of unauthorized access to the network is correct. Dynamic Host
Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to
the network. With DHCP disabled, static IP addresses must be used, and this requires either
administrator support or a higher level of technical skill to attach to the network and gain
Internet access. Is not suitable for small networks is incorrect. DHCP is suitable for networks
of all sizes from home networks to large complex organizations. Automatically provides an
IP address to anyone is incorrect. DHCP does not provide IP addresses when disabled.
Increases the risk associated with Wireless Encryption Protocol (WEP) is incorrect. Disabling
of the DHCP makes it more difficult to exploit the well-known weaknesses in WEP.
Question 16: Skipped
An IS auditor is evaluating a newly developed IT policy for an organization. Which of
the following factors does the IS auditor consider MOST important to facilitate
compliance with the policy upon its implementation?

Existing IT mechanisms enabling compliance

(Correct)

Current and future technology initiatives

Regulatory compliance objectives defined in the policy

Alignment of the policy to the business strategy

Explanation

Existing IT mechanisms enabling compliance is correct. The organization should be able to
comply with a policy when it is implemented. The most important consideration when
evaluating the new policy should be the existing mechanisms in place that enable the
organization and its employees to comply with the policy. Alignment of the policy to the
business strategy is incorrect. Policies should be aligned with the business strategy, but this
does not affect an organization’s ability to comply with the policy upon implementation.
Current and future technology initiatives is incorrect. They should be driven by the needs of
the business and would not affect an organization’s ability to comply with the policy.
Regulatory compliance objectives defined in the policy is incorrect. Regulatory compliance
objectives may be defined in the IT policy, but that would not facilitate compliance with the
policy. Defining objectives would only result in the organization knowing the desired state
and would not aid in achieving compliance.
Question 17: Skipped
While performing a review of a critical third-party application, an IS auditor would be
MOST concerned with discovering:

inadequate operational documentation for the system.

an inadequate alternate service provider listing.

an inadequate software escrow agreement.

(Correct)

inadequate procedures for ensuring adequate system portability.

Explanation
An inadequate software escrow agreement is correct. The inclusion of a clause in the
agreement that requires software code to be placed in escrow helps to ensure that the
customer can continue to use the software and/or obtain technical support if a vendor were
to go out of business. Inadequate procedures for ensuring adequate system portability is
incorrect. Procedures to ensure that systems are developed so that they can be ported to
other system platforms will help ensure that the system can still continue functioning
without affecting the business process if changes to the infrastructure occur. This is less
important than availability of the software. Inadequate operational documentation for the
system is incorrect. This is a risk but would be less significant than the risk of unavailability
of the software. An inadequate alternate service provider listing is incorrect. While alternate
service providers could be used if a vendor goes out of business, having access to the
source code via a software escrow agreement is more important.
Question 18: Skipped
The PRIMARY benefit of an enterprise architecture initiative is to:

enable the organization to invest in the most appropriate technology.

(Correct)

ensure security controls are implemented on critical platforms.

allow development teams to be more responsive to business requirements.

provide business units with greater autonomy to select IT solutions that fit their needs.

Explanation

Enable the organization to invest in the most appropriate technology is correct. The primary
focus of the enterprise architecture (EA) is to ensure that technology investments are
consistent with the platform, data and development standards of the IT organization;
therefore, the goal of the EA is to help the organization to implement the technology that is
most effective. Ensure security controls are implemented on critical platforms is incorrect.
Ensuring that security controls are implemented on critical platforms is important, but this is
not the function of the EA. The EA may be concerned with the design of security controls;
however, the EA would not help to ensure that they were implemented. The primary focus
of the EA is to ensure that technology investments are consistent with the platform, data
and development standards of the IT organization. Allow development teams to be more
responsive to business requirements is incorrect. While the EA process may enable
development teams to be more efficient, because they are creating solutions based on
standard platforms using standard programming languages and methods, the more critical
benefit of the EA is to provide guidance for IT investments of all types, which encompasses
much more than software development. Provide business units with greater autonomy to
select IT solutions that fit their needs is incorrect. A primary focus of the EA is to define
standard platforms, databases and interfaces. Business units that invest in technology would
need to select IT solutions that meet their business needs and are compatible with the EA of
the enterprise. There may be instances when a proposed solution works better for a
business unit but is not at all consistent with the EA of the enterprise, so there would be a
need to compromise to ensure that the application can be supported by IT. Overall, the EA
would restrict the ability of business units in terms of the potential IT systems that they may
wish to implement. The support requirements would not be affected in this case.
Question 19: Skipped
As an IS auditor, you find a small number of user access requests that were not
authorized by managers through the normal predefined workflow steps and
escalation rules. You should:

perform an additional analysis.

(Correct)

report the problem to the audit committee.

recommend that the owner of the identity management system fix the workflow issues.

conduct a security risk assessment.

Explanation
Perform an additional analysis is correct. The IS auditor needs to perform substantive testing
and additional analysis to determine why the approval and workflow processes are not
working as intended. Before making any recommendation, the IS auditor should gain a
good understanding of the scope of the problem and the factors that caused this incident.
The IS auditor should identify whether the issue was caused by managers not following
procedures, a problem with the workflow of the automated system or a combination of the
two. Report the problem to the audit committee is incorrect. The IS auditor does not yet
have enough information to report the problem. Conduct a security risk assessment is
incorrect. Changing the scope of the IS audit or conducting a security risk assessment
requires more detailed information about the processes and violations being reviewed.
Recommend that the owner of the identity management system fix the workflow issues is
incorrect. The IS auditor must first determine the root cause and impact of the findings and
does not have enough information to recommend fixing the workflow issues.
Question 20: Skipped
Which of the following is the PRIMARY objective of an IT performance measurement
process?

Establish performance baselines

Minimize errors

Optimize performance

(Correct)

Gather performance data

Explanation

Optimize performance is correct. An IT performance measurement process can be used to
optimize performance, measure and manage products/services, assure accountability and
make budget decisions. Minimize errors is incorrect. This is an aspect of performance but
not the primary objective of performance management. Gather performance data is
incorrect. This is necessary to measure IT performance but is not the objective of the
process. Establish performance baselines is incorrect. The performance measurement
process compares actual performance with baselines but is not the objective of the process.
Question 21: Skipped
Which of the following provides the GREATEST assurance for database password
encryption?

Triple data encryption standard

Advanced encryption standard

(Correct)

Secure hash algorithm-256

Secure Shell

Explanation

Advanced encryption standard (AES) is correct. This is a secure encryption algorithm that is
appropriate for encrypting passwords. Secure hash algorithm-256 is incorrect. Hashing
functions are often used to protect passwords, but hashing is not encryption. Secure Shell is
incorrect. This may encrypt passwords that are being transmitted but does not encrypt data
at rest. Triple data encryption standard is incorrect. This is a valid encryption method;
however, AES is a stronger and more recent encryption algorithm.
Question 22: Skipped
The cryptographic hash sum of a message is recalculated by the receiver. This is to
ensure:

nonrepudiation by the sender.

the confidentiality of the message.

the integrity of data transmitted by the sender.

(Correct)

the authenticity of the message.

Explanation
The integrity of data transmitted by the sender is correct. If the hash sum is different from
what is expected, it implies that the message has been altered. This is an integrity test. The
confidentiality of the message is incorrect. A hash function ensures integrity of a message;
encrypting with a secret key provides confidentiality. Nonrepudiation by the sender is
incorrect. Signing the message with the private key of the sender ensures nonrepudiation
and authenticity. The authenticity of the message is incorrect. This is provided by the digital
signature.
Question 23: Skipped
The BEST overall quantitative measure of the performance of biometric control
devices is:

false-acceptance rate.

estimated-error rate.

false-rejection rate.

equal-error rate.

(Correct)

Explanation
A low equal-error rate (EER) is correct. This is a combination of a low false-rejection rate
(FRR) and a low false-acceptance rate (FAR). EER, expressed as a percentage, is a measure of
the number of times that the FRR and FAR are equal. A low EER is the measure of the more
effective biometrics control device. False-rejection rate (FRR) is incorrect. This only measures
the number of times an authorized person is denied entry. False-acceptance rate (FAR) is
incorrect. This only measures the number of times an unauthorized person may be accepted
as authorized. Estimated-error rate is incorrect. This is not a valid biometric term.
Question 24: Skipped
An IS auditor is assessing a biometric system used to protect physical access to a data
center containing regulated data. Which of the following observations is the
GREATEST concern to the auditor?

Biometric scanners are not installed in restricted areas.

Data transmitted between the biometric scanners and the access control system do not use
a securely encrypted tunnel.

(Correct)

Biometric system risk analysis was last conducted three years ago.

Administrative access to the biometric scanners or the access control system is permitted
over a virtual private network.

Explanation

Data transmitted between the biometric scanners and the access control system do not use
a securely encrypted tunnel is correct. Data transmitted between the biometric scanners and
the access control system should use a securely encrypted tunnel to protect the
confidentiality of the biometric data. Administrative access to the biometric scanners or the
access control system is permitted over a virtual private network is incorrect. Generally,
virtual private network software provides a secure tunnel so that remote administration
functions can be performed. This is not a concern. Biometric scanners are not installed in
restricted areas is incorrect. Biometric scanners are best located in restricted areas to
prevent tampering, but video surveillance is an acceptable mitigating control. The greatest
concern is lack of a securely encrypted tunnel between the scanners and the access control
system. Biometric system risk analysis was last conducted three years ago is incorrect. The
biometric risk analysis should be reperformed periodically, but an analysis performed three
years ago is not necessarily a cause for concern.
Question 25: Skipped
In order to establish a security awareness program, which of the following would
MOST likely be a part of the program?

Mandating the use of passwords to access all software

Using an intrusion detection system to report incidents

Training provided on a regular basis to all current and new employees

(Correct)

Installing an efficient user log system to track the actions of each user

Explanation

Training provided on a regular basis to all current and new employees is correct. Regular
training is an important part of a security awareness program. Using an intrusion detection
system to report incidents is incorrect. This is an implementation of a security program and
is not effective in establishing a security awareness program. Mandating the use of
passwords to access all software is incorrect. This is a policy decision, not an awareness
issue. Installing an efficient user log system to track the actions of each user is incorrect. This
is not a part of an awareness program.
Question 26: Skipped
During an implementation review of a recent application deployment, it was
determined that several incidents were assigned incorrect priorities and, because of
this, failed to meet the business service level agreement (SLA). What is the GREATEST
concern?

The support model was not approved by senior management.

The support model was not properly developed and implemented.

(Correct)

There are inadequate resources to support the applications.

The incident resolution time specified in the SLA is not realistic.

Explanation

The support model was not properly developed and implemented is correct. The greatest
concern for the IS auditor is that the support model was not developed and implemented
correctly to prevent or react to potential outages. Incidents could cost the business a
significant amount of money and a support model should be implemented with the project.
This should be a step within the system development life cycle and procedures and, if it is
missed on one project, it may be a symptom of an overall breakdown in process. The
support model was not approved by senior management is incorrect. While senior
management involvement is important, the more critical issue is whether the support model
was not properly developed and implemented. The incident resolution time specified in the
service level agreement (SLA) is not realistic is incorrect. While the incident resolution time
specified in the service level agreement may not always be attainable, the more critical issue
is whether the support model was not properly developed and implemented. There are
inadequate resources to support the applications is incorrect. While adequate support
resources are important, the more critical issue is whether the support model was not
properly developed and implemented.
Question 27: Skipped
Which of the following forms of evidence would an IS auditor consider the MOST
reliable?

The results of a test performed by an external IS auditor

(Correct)

An internally generated computer accounting report

A confirmation letter received from an outside source

An oral statement from the auditee

Explanation

The results of a test that is performed by an external IS auditor is correct. An independent
test that is performed by an IS auditor should always be considered a more reliable source
of evidence than a confirmation letter from a third party, because the letter is the result of
an analysis of the process and may not be based on authoritative audit techniques. An audit
should consist of a combination of inspection, observation and inquiry by an IS auditor as
determined by risk. This provides a standard methodology and reasonable assurance that
the controls and test results are accurate. An oral statement from the auditee is incorrect.
This is audit evidence but not as reliable as the results of a test that is performed by an
external IS auditor. An internally generated computer accounting report is incorrect. This is
audit evidence, but is not as reliable as the results of a test performed by an external IS
auditor. A confirmation letter that is received from an outside source is incorrect. An
independent test performed by an IS auditor should always be considered a more reliable
source of evidence than a confirmation letter from a third party, because a letter is
subjective and may not have been generated as a part of an authoritative audit or conform
to audit standards.
Question 28: Skipped
Which of the following reports is the MOST appropriate source of information for an
IS auditor to validate that an Internet service provider (ISP) has been complying with
an enterprise service level agreement for the availability of outsourced
telecommunication services?

Downtime reports on the telecommunication services generated by the enterprise

(Correct)

A utilization report of automatic failover services generated by the enterprise

A bandwidth utilization report provided by the ISP

Downtime reports on the telecommunication services generated by the ISP

Explanation

Downtime reports on the telecommunication services generated by the enterprise is correct.
The enterprise should use internally generated downtime reports to monitor the service
provided by the Internet service provider (ISP) and, as available, to compare with the reports
provided by the ISP. Downtime reports on the telecommunication services generated by the
ISP is incorrect. The ISP-generated downtime reports are produced by the same entity that
is being monitored. As a result, it will be necessary to review these reports for possible bias
and/or errors against other data. A utilization report of automatic failover services
generated by the enterprise is incorrect. The information provided by these reports is
indirect evidence of the extent that the backup telecommunication services were used.
These reports may not indicate compliance with the service level agreement, just that the
failover systems had been used. A bandwidth utilization report provided by the ISP is
incorrect. Utilization reports are used to measure the usage of bandwidth, not uptime.
Question 29: Skipped
After initial investigation, an IS auditor has reasons to believe that fraud may be
present. The IS auditor should:

report the matter to the audit committee.

consult with external legal counsel to determine the course of action to be taken.

report the possibility of fraud to management.

expand activities to determine whether an investigation is warranted.

(Correct)

Explanation

Expand activities to determine whether an investigation is warranted is correct. An IS
auditor’s responsibilities for detecting fraud include evaluating fraud indicators and
deciding whether any additional action is necessary or whether an investigation should be
recommended. Report the matter to the audit committee is incorrect. The IS auditor should
notify the appropriate authorities within the organization only if it has determined that the
indicators of fraud are sufficient to recommend an investigation. Report the possibility of
fraud to management is incorrect. The IS auditor should report the possibility of fraud to
top management only after there is sufficient evidence to launch an investigation. This may
be affected by whether management may be involved in the fraud. Consult with external
legal counsel to determine the course of action to be taken is incorrect. Normally, the IS
auditor does not have authority to consult with external legal counsel.
Question 30: Skipped
Which technique would BEST test for the existence of dual control when auditing the
wire transfer systems of a bank?

Interviewing personnel

Analysis of transaction logs

Observation

(Correct)

Re-performance

Explanation

Observation is correct. Dual control requires that two people carry out an operation. The
observation technique helps to ascertain whether two individuals do get involved in
execution of the operation and an element of oversight exists. It is obvious if one individual
is masquerading and filling in the role of the second person. Analysis of transaction logs is
incorrect. This would help to show that dual control is in place but does not necessarily
guarantee that this process is being followed consistently. Therefore, observation is the
better test technique. Re-performance is incorrect. Although re-performance could provide
assurance that dual control was in effect, re-performing wire transfers at a bank would not
be an option for an IS auditor. Interviewing personnel is incorrect. This is useful to
determine the level of awareness and understanding of the personnel carrying out the
operations. However, it does not provide direct evidence confirming the existence of dual
control, because the information provided may not accurately reflect the process being
performed.
Question 31: Skipped
An organization is considering connecting a critical PC-based system to the Internet.
Which of the following would provide the BEST protection against hacking?

A proxy server

A remote access server

Port scanning

An application-level gateway

(Correct)

Explanation

An application-level gateway is correct. This is the best way to protect against hacking
because it can be configured with detailed rules that describe the type of user or connection
that is or is not permitted. It analyzes, in detail, each packet—not only in layers one
through four of the Open System Interconnection model, but also layers five through seven,
which means that it reviews the commands of each higher-level protocol (Hypertext
Transfer Protocol, File Transfer Protocol, Simple Network Management Protocol, etc.). A
remote access server is incorrect. In this situation, there is a device (server) that asks for a
username and password before entering the network. This is good when accessing private
networks, but it can be mapped or scanned from the Internet, creating security exposure. A
proxy server is incorrect. This can provide excellent protection, but depending on the type
of proxy, it may not be able to examine traffic as effectively as an application gateway.
For proxy servers to work, an individual is needed who really knows how to do this, and
applications can use different ports for the different sections of the program. Port scanning
is incorrect. This is used to detect vulnerabilities or open ports on a network, but not when
trying to control what comes from the Internet, or when all the ports available need to be
controlled. For example, the port for Ping (echo request) could be blocked and the IP
addresses would be available for the application and browsing but would not respond to
Ping.
Question 32: Skipped
An IS auditor who has discovered unauthorized transactions during a review of
electronic data interchange (EDI) transactions is likely to recommend improving the:

authentication techniques for sending and receiving messages.

(Correct)

physical controls for terminals.

program change control procedures.

EDI trading partner agreements.

Explanation

Authentication techniques for sending and receiving messages is correct. They play a key
role in minimizing exposure to unauthorized transactions. The electronic data interchange
trading partner agreements is incorrect. These minimize exposure to legal issues but do not
resolve the problem of unauthorized transactions. Physical control for terminals is incorrect.
This is important and may provide protection from unauthorized people accessing the
system but does not provide protection from unauthorized transactions by authorized users.
Program change control procedures is incorrect. Change control procedures do not resolve
the issue of unauthorized transactions.
Question 33: Skipped
A decision support system is used to help high-level management:

make decisions based on data analysis and interactive models.

(Correct)

support only structured decision-making tasks.

combine the use of decision models with predetermined criteria.

solve highly structured problems.

Explanation

Make decisions based on data analysis and interactive models is correct. A decision support
system (DSS) emphasizes flexibility in the decision-making approach of management
through data analysis and the use of interactive models, not fixed criteria. Solve highly
structured problems is incorrect. A DSS is aimed at solving less structured problems.
Combine the use of decision models with predetermined criteria is incorrect. A DSS
combines the use of models and analytic techniques with traditional data access and
retrieval functions but is not limited by predetermined criteria. Support only structured
decision-making tasks is incorrect. A DSS supports semistructured decision-making tasks.
Question 34: Skipped
The editing/validation of data entered at a remote site is performed MOST effectively
at the:

central processing site during the running of the application system.

remote processing site after transmission of the data to the central processing site.

central processing site after running the application system.

remote processing site prior to transmission of the data to the central processing site.

(Correct)

Explanation

Remote processing site prior to transmission of the data to the central processing site is
correct. It is important that the data entered from a remote site is edited and validated prior
to transmission to the central processing site.

Central processing site after running the application system is incorrect. Validating data
prior to transmission is the most efficient method and saves the effort of transmitting or
processing invalid data. However, due to the risk of errors being introduced during
transmission it is also good practice to re-validate the data at the central processing site.

Central processing site during the running of the application system is incorrect. Validating
data prior to transmission is the most efficient method and saves the effort of transmitting
or processing invalid data. However, due to the risk of errors being introduced during
transmission it is also good practice to re-validate the data at the central processing site.

Remote processing site after transmission of the data to the central processing site is
incorrect. Validating the data after it has been transmitted is not a valid control.

Question 35: Skipped
When a new system is to be implemented within a short time frame, it is MOST
important to:

perform user acceptance testing.

(Correct)

add last-minute enhancements to functionalities.

ensure that the code has been documented and reviewed.

finish writing user manuals.

Explanation

Perform user acceptance testing is correct. It would be most important to complete the user
acceptance testing to ensure that the system to be implemented is working correctly. Finish
writing user manuals is incorrect. The completion of the user manuals is less important than
the need to test the system adequately. Add last-minute enhancements to functionalities is
incorrect. If time is tight, the last thing one would want to do is add another enhancement
because it would be necessary to freeze the code and complete the testing, then make any
other changes as future enhancements. Ensure that the code has been documented and
reviewed is incorrect. It would be appropriate to have the code documented and reviewed,
but unless the acceptance testing is completed, there is no guarantee that the system will
work correctly and meet user requirements.
Question 36: Skipped
Which of the following specifically addresses how to detect cyberattacks against an
organization's IT systems and how to recover from an attack?

An IT contingency plan

A business continuity plan

A continuity of operations plan

An incident response plan

(Correct)

Explanation

An incident response plan (IRP) is correct. This determines the information security
responses to incidents such as cyberattacks on systems and/or networks. This plan
establishes procedures to enable security personnel to identify, mitigate and recover from
malicious computer incidents such as unauthorized access to a system or data, denial-of-
service or unauthorized changes to system hardware or software. An IT contingency plan is
incorrect. This addresses IT system disruptions and establishes procedures for recovering
from a major application or general support system failure. The contingency plan deals with
ways to recover from an unexpected failure, but it does not address the identification or
prevention of cyberattacks. A business continuity plan (BCP) is incorrect. This addresses
business processes and provides procedures for sustaining essential business operations
while recovering from a significant disruption. While a cyberattack could be severe enough
to require use of the BCP, the IRP would be used to determine which actions should be
taken—both to stop the attack as well as to resume normal operations after the attack. A
continuity of operations plan is incorrect. This addresses the subset of an organization’s
missions that are deemed most critical and contains procedures to sustain these functions
at an alternate site for a short time period.
Question 37: Skipped
Corrective action has been taken by an auditee immediately after the identification of
a reportable finding. The auditor should:

include the finding in the closing meeting for discussion purposes only.

not include the finding in the final report because management resolved the item.

not include the finding in the final report, because corrective action can be verified by the IS
auditor during the audit.

include the finding in the final report, because the IS auditor is responsible for an accurate
report of all findings.

(Correct)

Explanation

Include the finding in the final report, because the IS auditor is responsible for an accurate
report of all findings is correct and is a generally accepted audit practice. If an action is
taken after the audit started and before it ended, the audit report should identify the finding
and describe the corrective action taken. An audit report should reflect the situation as it
existed at the start of the audit. All corrective actions taken by the auditee should be
reported in writing. Not include the finding in the final report because management
resolved the item is incorrect. The audit report should contain all relevant findings and the
response from management even if the finding has been resolved. This would mean that
subsequent audits may test for the continued resolution of the control. Not include the
finding in the final report, because corrective action can be verified by the IS auditor during
the audit is incorrect. The audit report should contain the finding so that it is documented
and the removal of the control subsequent to the audit would be noticed. Include the
finding in the closing meeting for discussion purposes only is incorrect. The audit report
should contain the finding and resolution, and this can be mentioned in the final meeting.
The audit report should list all relevant findings and the response from management.
Question 38: Skipped
Which of the following would BEST ensure uninterrupted operations in an
organization with IT operation centers in several countries?

Reciprocal agreement between business partners

Distribution of key procedural documentation

Employee training on the business continuity plan

(Correct)

Strong senior management leadership

Explanation

Employee training on the business continuity plan (BCP) is correct. During a disaster, the
chain of command might be interrupted. Therefore, it is important that employees know
their roles in the BCP, including where to report and how to perform their job functions.
Employee training on the plan is especially important for businesses with offices that are
geographically separated because there is a greater chance of communication disruption.
Distribution of key procedural documentation is incorrect. Procedural documentation
should always be up to date and distributed to major locations. However, documents alone
are insufficient if employees do not know their role in the plan. Reciprocal agreement
between business partners is incorrect. A reciprocal agreement is an emergency processing
agreement between two or more enterprises with similar equipment or applications.
Typically, participants of a reciprocal agreement promise to provide processing time to each
other when an emergency arises. While it is integral to business continuity to have a
location for business operations, it does not necessarily need to be a reciprocal agreement.
For example, in some cases, business operations may be carried out from each employee’s
home. Strong senior management leadership is incorrect. Senior management may not be
readily available to provide leadership during a disaster. Therefore, it is most important that
employees fully understand their roles in the BCP.
Question 39: Skipped
An organization's IS audit charter should specify the:

role of the IS audit function.

(Correct)

objectives and scope of IS audit engagements.

detailed training plan for the IS audit staff.

plans for IS audit engagements.

Explanation

Role of the IS audit function is correct. An IS audit charter establishes the role of the
information systems audit function. The charter should describe the overall authority, scope
and responsibilities of the audit function. It should be approved by the highest level of
management and, if available, by the audit committee. Plans for IS audit engagements is
incorrect. Planning is the responsibility of audit management. The objectives and scope of
each IS audit is incorrect. These should be agreed on in an engagement letter. The charter
would specify the objectives and scope of the audit function but not of individual
engagements. Detailed training plan for the IS audit staff is incorrect. A training plan that is
based on the audit plan should be developed by audit management.
Question 40: Skipped
Which of the following is the MOST reliably effective method for dealing with the
spread of a network worm that exploits vulnerability in a protocol?

Block the protocol traffic between internal network segments.

Install the latest vendor security patches immediately.

Stop the services that the protocol uses.

(Correct)

Block the protocol traffic in the perimeter firewall.

Explanation

Stop the services that the protocol uses is correct. This is the most effective way to prevent a
worm from spreading, because it directly addresses the means of propagation at the lowest
practical level. Install the latest vendor security patches immediately is incorrect. This will
improve the situation only if a patch has been released that addresses the particular
vulnerability in the protocol. Also, patches should not be installed prior to testing, because
patching systems can create new vulnerabilities or impact performance. Block the protocol
on the perimeter firewall is incorrect. This does not stop the worm from spreading if it is
introduced via portable media. Block the protocol traffic between internal network
segments is incorrect. This helps to slow the spread, but also prohibits any software that
uses it from working between segments.
Question 41: Skipped
Which of the following is the MOST important function to be performed by IT
management when a service has been outsourced?

Renegotiating the provider's fees

Monitoring the outsourcing provider's performance

(Correct)

Ensuring that invoices are paid to the provider

Participating in systems design with the provider

Explanation

Monitoring the outsourcing provider’s performance is correct. In an outsourcing
environment, the enterprise is dependent on the performance of the service provider.
Therefore, it is critical that the outsourcing provider’s performance is monitored to
ensure that services are delivered to the enterprise as required. Ensuring that invoices are
paid to the provider is incorrect. Payment of invoices is a finance function, which would be
completed per contractual requirements. Participating in systems design with the provider is
incorrect. Participating in systems design is a by-product of monitoring the outsourcing
provider’s performance. Renegotiating the provider’s fees is incorrect. This is usually
a one-time activity and is not as important as monitoring the vendor’s performance.
Question 42: Skipped
Which of the following business continuity plan tests involves participation of
relevant members of the crisis management/response team to practice proper
coordination?

Functional

Full-scale

Deskcheck

Tabletop

(Correct)

Explanation

Tabletop is correct. The primary purpose of tabletop testing is to practice proper
coordination because it involves all or some of the crisis team members and is focused
more on coordination and communication issues than on technical process details.
Functional is incorrect. Functional testing involves mobilization of personnel and resources
at various geographic sites. This is a more in-depth functional test and not primarily focused
on coordination and communication. Full-scale is incorrect. Full-scale testing involves
enterprisewide participation and full involvement of external organizations. Deskcheck is
incorrect. Deskcheck testing requires the least effort of the options given. Its aim is to
ensure the plan is up to date and promote familiarity of the BCP to critical personnel from
all areas.
Question 43: Skipped
The reason for establishing a stop or freezing point on the design of a new system is
to:

indicate the point at which the design is to be completed.

provide the project management team with more control over the project design.

require that changes after that point be evaluated for cost-effectiveness.

(Correct)

prevent further changes to a project in process.

Explanation

Require that changes after that point be evaluated for cost-effectiveness is correct. Projects
often tend to expand, especially during the requirements definition phase. This expansion
often grows to a point where the originally anticipated cost-benefits are diminished because
the cost of the project has increased. When this occurs, it is recommended that the project
be stopped or frozen to allow a review of all of the cost-benefits and the payback period.
Prevent further changes to a project in process is incorrect. The stop point is intended to
provide greater control over changes but not to prevent them. Indicate the point at which
the design is to be completed is incorrect. The stop point is used for project control but not
to create an artificial fixed point that requires the design of the project to cease. Provide the
project management team with more control over the project design is incorrect. A stop
point is used to control requirements, not systems design.
Question 44: Skipped
Which of the following backup techniques is the MOST appropriate when an
organization requires extremely granular data restore points, as defined in the
recovery point objective?

Continuous data backup

(Correct)

Virtual tape libraries

Disk-to-tape backup

Disk-based snapshots

Explanation

Continuous data backup is correct. Recovery point objective (RPO) is based on the
acceptable data loss in the case of a disruption. In this scenario the organization needs a
short RPO and continuous data backup is the best option. Virtual tape libraries is incorrect.
These would require time to complete the backup, while continuous data backup happens
online (in real time). Disk-based snapshots is incorrect. These would require time to
complete the backup and would lose some data between the times of the backup and the
failure, while continuous data backup happens online (in real time). Disk-to-tape backup is
incorrect. This would require time to complete the backup, while continuous data backup
happens online (in real time).
Question 45: Skipped
A database administrator (DBA) who needs to make emergency changes to a database
after normal working hours should log in:

with their named account to make the changes.

(Correct)

with the shared DBA account to make the changes.

to the user's account to make the changes.

to the server administrative account to make the changes.

Explanation

With their named account to make the changes is correct. Logging in using the named user
account before using the database administrator (DBA) account provides accountability by
noting the person making the changes. The DBA account is typically a shared user account.
The shared account makes it difficult to establish the identity of the support user who is
performing the database update. The server administrative accounts are shared and may be
used by multiple support users. In addition, the server privilege accounts may not have the
ability to perform database changes. The use of a normal user account would not have
sufficient privileges to make changes on the database.
Question 46: Skipped
An organization is implementing an enterprise resource planning application. Of the
following, who is PRIMARILY responsible for overseeing the project to ensure that it is
progressing in accordance with the project plan and that it will deliver the expected
results?

Project steering committee

(Correct)

System development project team

User project team

Project sponsor

Explanation

A project steering committee is correct. A project steering committee that provides an
overall direction for the enterprise resource planning (ERP) implementation project is
responsible for reviewing the project’s progress to ensure that it will deliver the
expected results. A project sponsor is incorrect. A project sponsor is typically the senior
manager in charge of the primary business unit that the application will support. The
sponsor provides funding for the project and works closely with the project manager to
define the critical success factors or metrics for the project. The project sponsor is not
responsible for reviewing the progress of the project. System development project team is
incorrect. A system development project team (SDPT) completes the assigned tasks, works
according to the instructions of the project manager and communicates with the user
project team. The SDPT is not responsible for overseeing the progress of the project. A user
project team (UPT) is incorrect. A user project team (UPT) completes the assigned tasks,
communicates effectively with the system development team and works according to the
advice of the project manager. A UPT is not responsible for reviewing the progress of the
project.
Question 47: Skipped
An organization is planning to replace its wired networks with wireless networks.
Which of the following would BEST secure the wireless network from unauthorized
access?

Implement Wired Equivalent Privacy.

Disable open broadcast of service set identifiers.

Implement Wi-Fi Protected Access 2.

(Correct)

Permit access to only authorized media access control addresses.

Explanation

Implement Wi-Fi Protected Access (WPA) 2 is correct. This implements most of the
requirements of the IEEE 802.11i standard. The Advanced Encryption Standard used in
WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication
Protocol and the pre-shared secret key authentication model. Implement Wired Equivalent
Privacy is incorrect. Wired Equivalent Privacy can be cracked within minutes. WEP uses a
static key that has to be communicated to all authorized users, thus management is difficult.
Also, there is a greater vulnerability if the static key is not changed at regular intervals.
Permit access to only authorized media access control addresses is incorrect. The practice of
allowing access based on media access control is not a solution because MAC addresses can
be spoofed by attackers to gain access to the network. Disable open broadcast of service set
identifiers is incorrect. This is not an effective access control because many tools can detect
a wireless access point that is not broadcasting.
Question 48: Skipped
Which of the following would contribute MOST to an effective business continuity
plan?

Planning involves all user departments.

(Correct)

The document is circulated to all interested parties.

The plan is approved by senior management.

An audit is performed by an external IS auditor.

Explanation

Planning involves all user departments is correct. The involvement of user departments in
the business continuity plan (BCP) is crucial for the identification of the business processing
priorities and the development of an effective plan. The document is circulated to all
interested parties is incorrect. The BCP circulation will ensure that the BCP document is
received by all users. Although essential, this does not contribute significantly to the success
of the BCP. The plan is approved by senior management is incorrect. A BCP approved by
senior management would not necessarily ensure the effectiveness of the BCP. An audit is
performed by an external IS auditor is incorrect. An audit would not necessarily improve the
quality of the BCP.
Question 49: Skipped
In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether:

there is a clear definition of the IT mission and vision.

there is an integration of IT and business personnel within projects.

(Correct)

a strategic information technology planning scorecard is in place.

the plan correlates business objectives to IT goals and objectives.

Explanation

There is an integration of IT and business personnel within projects is correct. The
integration of IT and business personnel in projects is an operational issue and should be
considered while reviewing the short-range plan. A strategic plan provides a framework for
the IT short-range plan. There is a clear definition of the IT mission and vision is incorrect. A
clear definition of the IT mission and vision would be covered by a strategic plan. A strategic
information technology planning scorecard is in place is incorrect. A strategic information
technology planning scorecard would be covered by a strategic plan. The plan correlates
business objectives to IT goals and objectives is incorrect. Business objectives correlating to
IT goals and objectives would be covered by a strategic plan.
Question 50: Skipped
An IS audit department is considering implementing continuous auditing techniques
for a multinational retail enterprise that processes a large volume of transactions per
day. A PRIMARY benefit of continuous auditing is that:

errors can be corrected in a timely fashion.

system integrity is ensured.

effective preventive controls are enforced.

fraud can be detected more quickly.

(Correct)

Explanation

Fraud can be detected more quickly is correct. Continuous auditing techniques assist the
auditing function in reducing the use of auditing resources through continuous collection of
evidence. This approach assists the IS auditors in identifying fraud in a timely fashion and
allows the auditors to focus on relevant data. Effective preventive controls are enforced is
incorrect. Continuous monitoring is detective in nature and, therefore, does not necessarily
assist the IS auditor in monitoring for preventive controls. The approach will detect and
monitor for errors that have already occurred. In addition, continuous monitoring will
benefit the internal audit function in reducing the use of auditing resources and in the
timely reporting of errors or inconsistencies. System integrity is ensured is incorrect. System
integrity is typically associated with preventive controls such as input controls and quality
assurance reviews. These controls do not typically benefit an internal auditing function
implementing continuous monitoring. Continuous monitoring benefits the internal audit
function because it reduces the use of auditing resources. Errors can be corrected in a timely
fashion is incorrect. Continuous audit will detect errors but not correct them. Correcting
errors is the function of the organization’s management and not the internal audit
function. Continuous auditing benefits the internal audit function because it reduces the use
of auditing resources to create a more efficient auditing function.
Question 51: Skipped
When using a digital signature, the message digest is computed by the:

receiver only.

sender and receiver both.

(Correct)

sender only.

certificate authority.

Explanation

Sender and receiver both is correct. A digital signature is an electronic identification of a
person or entity. It is created by using asymmetric encryption. To verify integrity of data, the
sender uses a cryptographic hashing algorithm against the entire message to create a
message digest to be sent along with the message. Upon receipt of the message, the
receiver will recompute the hash using the same algorithm. Sender only is incorrect. The
message digest must be computed by the sender and the receiver to ensure message
integrity. Receiver only is incorrect. The receiver will compute a digest of the received
message to verify integrity of the received message. Certificate authority (CA) is incorrect.
The CA issues certificates that link the public key with its owner. The CA does not compute
digests of the messages to be communicated between the sender and receiver.
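The sender/receiver split described in the explanation above, as an added Go example that is not part of the original question bank. It assumes RSA with PKCS#1 v1.5 over a SHA-256 digest (the explanation only says "asymmetric encryption"; the concrete algorithm is an assumption), and the message text is constructed for the demonstration: the sender hashes the whole message and signs the digest, the receiver recomputes the digest over what it received and verifies the signature, and a tampered copy is rejected.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SenderDigestAndSign is the sender side: hash the entire message with
// SHA-256, then sign that digest with the sender's private key. Only the
// message and the signature travel; the digest is returned here purely so
// the round trip can be inspected.
func SenderDigestAndSign(priv *rsa.PrivateKey, message []byte) ([]byte, []byte, error) {
	digest := sha256.Sum256(message)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return digest[:], sig, nil
}

// ReceiverVerify is the receiver side: recompute the digest over the received
// message with the same algorithm and check the signature against it using the
// sender's public key. Any change to the message changes the digest, so the
// check fails. Returns the recomputed digest and the verification result.
func ReceiverVerify(pub *rsa.PublicKey, message, sig []byte) ([]byte, bool) {
	digest := sha256.Sum256(message)
	ok := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
	return digest[:], ok
}

// RoundTrip runs the exchange on a constructed message and reports whether the
// sender's and receiver's digests match, whether the unmodified message
// verifies, and whether a tampered copy is (wrongly) accepted.
func RoundTrip() (digestsMatch, originalOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: RSA-2048 key pair
	if err != nil {
		return false, false, false, err
	}
	message := []byte("Transfer 100.00 to account 12345") // constructed sample message

	senderDigest, sig, err := SenderDigestAndSign(priv, message)
	if err != nil {
		return false, false, false, err
	}
	receiverDigest, originalOK := ReceiverVerify(&priv.PublicKey, message, sig)
	digestsMatch = bytes.Equal(senderDigest, receiverDigest)

	// Same length, one digit changed: the receiver's recomputed digest differs,
	// so the original signature no longer verifies.
	tampered := []byte("Transfer 900.00 to account 12345")
	_, tamperedOK = ReceiverVerify(&priv.PublicKey, tampered, sig)
	return digestsMatch, originalOK, tamperedOK, nil
}

func main() {
	match, okOrig, okTamp, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("digests match: %v, original verifies: %v, tampered verifies: %v\n",
		match, okOrig, okTamp)
}
```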
Question 52: Skipped
During an assessment of software development practices, an IS auditor finds that
open source software components were used in an application designed for a client.
What is the GREATEST concern the auditor would have about the use of open source
software?

Open source software is unreliable for commercial use.

The organization and client must comply with open source software license terms.

(Correct)

Open source software has security vulnerabilities.

The client did not pay for the open source software components.
Explanation
The organization and client must comply with open source software license terms is correct.
There are many types of open source software licenses and each has different terms and
conditions. Some open source software licensing allows use of the open source software
component freely but requires that the completed software product must also allow the
same rights. This is known as viral licensing, and if the development organization is not
careful, its products could violate licensing terms by selling the product for profit. The IS
auditor should be most concerned with open source software licensing compliance to avoid
unintended intellectual property risk or legal consequences. The client did not pay for the
open source software components is incorrect. A major benefit of using open source
software is that it is free. The client is not required to pay for the open source software
components; however, both the developing organization and the client should be
concerned about the licensing terms and conditions of the open source software
components that are being used. Open source software has security vulnerabilities is
incorrect. Open source software, just like any software code, should be tested for security
flaws and should be part of the normal system development life cycle (SDLC) process. This is
not more of a concern than licensing compliance. Open source software is unreliable for
commercial use is incorrect. Open source software does not inherently lack quality. Like any
software code, it should be tested for reliability and should be part of the normal SDLC
process. This is not more of a concern than licensing compliance.
Question 53: Skipped
Effective IT governance ensures that the IT plan is consistent with the organization's -

security plan.

audit plan.

investment plan.

business plan.

(Correct)

Explanation
Business plan is correct. To govern IT effectively, IT and business should be moving in the
same direction, requiring that the IT plans are aligned with an organization’s business
plans. Audit plan is incorrect and is not part of the IT plan. Security plan is incorrect and not
a responsibility of IT and does not need to be consistent with the IT plan. Investment plan is
incorrect and is not part of the IT plan.
Question 54: Skipped
An accuracy measure for a biometric system is:

false-acceptance rate.

(Correct)

system response time.

registration time.

input file size.

Explanation

False-acceptance rate is correct. Three main accuracy measures are used for a biometric
solution: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR).
FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often
invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the
false-acceptance rate. System response time is incorrect. An important consideration in the
implementation of biometrics is the time required to process a user. If the system is too
slow then it will impact productivity and lead to frustration. However, this is not an accuracy
measure. Registration time is incorrect. The registration time is a measure of the effort taken
to enroll a user in the system. This is not an accuracy measure. Input file size is incorrect. The
file size to retain biometric information varies depending on the type of biometric solution
selected. This is not an accuracy measure.
Question 55: Skipped
A company has contracted with an external consulting firm to implement a
commercial financial system to replace its existing system developed in-house. In
reviewing the proposed development approach, which of the following would be of
GREATEST concern?

Acceptance testing is to be managed by users.

Prototyping is being used to confirm that the system meets business requirements.

A quality plan is not part of the contracted deliverables.

(Correct)

Not all business functions will be available on initial implementation.

Explanation

A quality plan is not part of the contracted deliverables is correct. A quality plan is an
essential element of all projects. It is critical that the contracted supplier be required to
produce such a plan. The quality plan for the proposed development contract should be
comprehensive and encompass all phases of the development and include which business
functions will be included and when. Acceptance testing is to be managed by users is
incorrect. Acceptance is normally managed by the user area because users must be satisfied
that the new system will meet their requirements. Not all business functions will be available
on initial implementation is incorrect. If the system is large, a phased-in approach to
implementing the application is a reasonable approach. Prototyping is being used to
confirm that the system meets business requirements is incorrect. Prototyping is a valid
method of ensuring that the system will meet business requirements.
Question 56: Skipped
There is a concern that the risk of unauthorized access may increase after
implementing a single sign-on process. To prevent unauthorized access, the MOST
important action is to:

monitor failed authentication attempts.

deactivate unused accounts promptly.

mandate a strong password policy.

(Correct)

review log files regularly.

Explanation

Mandate a strong password policy is correct. Strong passwords are important in any
environment but take on special importance in an SSO environment, where a user enters a
password only one time and thereafter has general access throughout the environment. Of
the options given, only a strong password policy offers broad preventative effects. Monitor
failed authentication attempts is incorrect. Ensuring that all failed authentication attempts
are monitored is a good practice but is not a preventive control. Review the log files
regularly is incorrect. This can increase the probability of detecting unauthorized access but
will not prevent unauthorized access. Deactivate unused accounts promptly is incorrect.
Ensuring that all unused accounts are deactivated is important; however, unauthorized
access may occur via a regularly used account.
Question 57: Skipped
Which of the following would be the MOST cost-effective recommendation for
reducing the number of defects encountered during software development projects?

Implement formal software inspections.

(Correct)

Increase the development staff.

Increase the time allocated for system testing.

Require the sign-off of all project deliverables.

Explanation

Implement formal software inspections is correct. Inspections of code and design are a
proven software quality technique. An advantage of this approach is that defects are
identified before they propagate through the development life cycle. This reduces the cost
of correction because less rework is involved. Increase the time allocated for system testing
is incorrect. Allowing more time for testing may discover more defects; however, little is
revealed as to why the quality problems are occurring, and the cost of the extra testing and
the cost of rectifying the defects found will be greater than if they had been discovered
earlier in the development process. Increase the development staff is incorrect. The ability of
the development staff can have a bearing on the quality of what is produced; however,
replacing staff can be expensive and disruptive, and the presence of a competent staff
cannot guarantee quality in the absence of effective quality management processes. Require
the sign-off of all project deliverables is incorrect. Sign-off of deliverables may help detect
defects if signatories are diligent about reviewing deliverable content; however, this is
difficult to enforce and may occur too late in the process to be cost-effective. Deliverable
reviews normally do not go down to the same level of detail as software inspections.
Question 58: Skipped
The purpose of a mantrap controlling access to a computer facility is PRIMARILY to:

starve a fire of oxygen.

prevent piggybacking.

(Correct)

prevent rapid movement in or out of the facility.

prevent toxic gases from entering the data center.

Explanation
Prevent piggybacking is correct. The intended purpose of a mantrap controlling access to a
computer facility is primarily to prevent piggybacking. Prevent toxic gases from entering the
data center is incorrect. This could be accomplished with a single self-closing door. Starve a
fire of oxygen is incorrect. This could be accomplished with a single self-closing fire door.
Prevent rapid movement in or out of the facility is incorrect. A rapid exit may be necessary in
some circumstances (e.g., a fire).
Question 59: Skipped
Which of the following activities should the business continuity manager perform
FIRST after the replacement of hardware at the primary information processing
facility?

Verify compatibility with the hot site

Update the IT asset inventory

(Correct)

Review the implementation report

Perform a walk-through of the disaster recovery plan

Explanation

Update the IT assets inventory is correct. An IT assets inventory is the basic input for the
business continuity/disaster recovery plan, and the plan must be updated to reflect changes
in the IT infrastructure. Verify compatibility with the hot site is incorrect. Before validating
that the new hardware is compatible with the recovery site, the business continuity manager
should update the listing of all equipment and IT assets included in the business continuity
plan. Review the implementation report is incorrect. The implementation report will be of
limited value to the business continuity manager because the equipment has been installed.
Perform a walk-through of the disaster recovery plan is incorrect. The walk-through of the
plan should only be done after the asset inventory has been updated.
Question 60: Skipped
IS management recently replaced its existing wired local area network with a wireless
infrastructure to accommodate the increased use of mobile devices within the
organization. This will increase the risk of which of the following attacks?

Port scanning

Man-in-the-middle

War driving

(Correct)

Back door

Explanation

War driving is correct. This attack uses a wireless Ethernet card, set in promiscuous mode,
and a powerful antenna to penetrate wireless systems from outside. Port scanning is
incorrect. This will often target the external firewall of the organization. Use of wireless will
not affect this. Back door is incorrect. This is an opening implanted into or left in software
that enables an unauthorized entry into a system. Man-in-the-middle is incorrect. These
attacks intercept a message and can read, replace or modify it.
Question 61: Skipped
Due to unexpected resource constraints of the IS audit team, the audit plan, as
originally approved, cannot be completed. Assuming the situation is communicated in
the audit report, which course of action is MOST acceptable?

Test the operational effectiveness of controls.

Test the adequacy of the control design.

Rely on management testing of controls.

Focus on auditing high-risk areas.

(Correct)

Explanation

Focus on auditing high-risk areas is correct. Reducing the scope and focusing on auditing
high-risk areas is the best course of action. Test the adequacy of the control design is
incorrect. Testing the adequacy of control design is not the best course of action because
this does not ensure that controls operate effectively as designed. Test the operational
effectiveness of controls is incorrect. Testing control operating effectiveness does not
ensure that the audit plan is focused on areas of greatest risk. Rely on management testing
of controls is incorrect. The reliance on management testing of controls does not provide an
objective verification of the control environment.
Question 62: Skipped
An organization has implemented an online customer help desk application using a
software as a service (SaaS) operating model. An IS auditor is asked to recommend
the best control to monitor the service level agreement (SLA) with the SaaS vendor as
it relates to availability. What is the BEST recommendation that the IS auditor can
provide?

Contract an independent third party to provide weekly reports on application uptime.

Ask the SaaS vendor to provide a weekly report on application uptime.

Implement an online polling tool to monitor the application and record outages.

(Correct)

Log all application outages reported by users and aggregate the outage time weekly.

Explanation
Implement an online polling tool to monitor and record application outages is correct. This
is the best option for an organization to monitor the software as a service application
availability. Comparing internal reports with the vendor’s service level agreement (SLA)
reports would ensure that the vendor’s monitoring of the SLA is accurate and that all
conflicts are appropriately resolved. Ask the software as a service (SaaS) vendor to provide a
weekly report on application uptime is incorrect. Weekly application availability reports are
useful, but these reports represent only the vendor’s perspective. While monitoring these
reports, the organization can raise concerns of inaccuracy; however, without internal
monitoring, such concerns cannot be substantiated. Log all application outages reported by
users and aggregate the outage time weekly is incorrect. Logging the outage times reported
by users is helpful but does not give a true picture of all outages of the online application.
Some outages may go unreported, especially if the outages are intermittent. Contract an
independent third party to provide weekly reports on application uptime is incorrect.
Contracting a third party to implement availability monitoring is not a cost-effective option.
Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third
party.
Question 63: Skipped
An IS auditor is to assess the suitability of a service level agreement (SLA) between the
organization and the supplier of outsourced services. To which of the following
observations should the IS auditor pay the MOST attention? The SLA does not contain
a-

dispute resolution procedure between the contracting parties.

contractual commitment for service improvement.

late payment clause between the customer and the supplier.

transition clauses from the old supplier to a new supplier or back to internal in the case of
expiration or termination.

(Correct)

Explanation
Transition clauses from the old supplier to a new supplier or back to internal in the case of
expiration or termination is correct. The delivery of IT services for a specific customer always
implies a close linkage between the client and the supplier of the service. If there are no
contract terms to specify how the transition to a new supplier may be performed, there is
the risk that the old supplier may simply “pull the plug” if the contract expires or is
terminated or may not make data available to the outsourcing organization or new supplier.
This would be the greatest risk to the organization. Late payment clause between the
customer and the supplier is incorrect. Contractual issues regarding payment, service
improvement and dispute resolution are important but not as critical as ensuring that
service disruption, data loss, data retention and other significant events are addressed in
the event that the organization switches to a new firm providing outsourced services. Contractual
commitment for service improvement is incorrect. The service level agreement (SLA) should
address performance requirements and metrics to report on the status of services provided;
it’s nice to have commitment for performance improvement, although it’s not mandated.
Dispute resolution procedure between the contracting parties is incorrect. The SLA should
address a dispute resolution procedure and specify the jurisdiction in case of a legal dispute,
but this is not the most critical part of an SLA.
Question 64: Skipped
What is the MAJOR benefit of conducting a control self-assessment over a traditional
audit?

It reduces audit workload.

It reduces audit resource requirements.

It detects risk sooner.

(Correct)

It replaces the internal audit function.

Explanation

It detects risk sooner is correct. Control self-assessments (CSAs) require employees to assess
the control stature of their own function. CSAs help to increase the understanding of
business risk and internal controls. Because they are conducted more frequently than audits,
CSAs help to identify risk in a timelier manner. It replaces the internal audit function is
incorrect. CSAs do not replace the internal audit function; an audit must still be performed
to ensure that controls are present. It reduces the audit workload is incorrect. CSAs may not
reduce the audit function’s workload and are not a major difference between the two
approaches. It reduces audit resource requirements is incorrect. CSAs do not affect the need
for audit resources. Although the results of the CSA may serve as a reference point for the
audit process, they do not affect the scope or depth of audit work that needs to be
performed.
Question 65: Skipped
While reviewing the process for continuous monitoring of the capacity and
performance of IT resources, an IS auditor should PRIMARILY ensure that the process
is focused on:

providing accurate feedback on IT resource capacity.

(Correct)

providing data to enable timely planning for capacity and performance requirements.

adequately monitoring service levels of IT resources and services.

properly forecasting performance, capacity and throughput of IT resources.

Explanation

Providing accurate feedback on IT resource capacity is correct. Accurate capacity monitoring
of IT resources would be the most critical element of a continuous monitoring process.
Adequately monitoring service levels of IT resources and services is incorrect. Continuous
monitoring helps to ensure that service level agreements (SLAs) are met, but this would not
be the primary focus of monitoring. It is possible that even if a system were offline, it would
meet the requirements of an SLA. Therefore, accurate availability monitoring is more
important. Providing data to enable timely planning for capacity and performance
requirements is incorrect. While data gained from capacity and performance monitoring
would be an input to the planning process, the primary focus would be to monitor
availability. Properly forecasting performance, capacity and throughput of IT resources is
incorrect. While continuous monitoring would help management to predict likely IT
resource capabilities, the more critical issue would be that availability monitoring is accurate.
Question 66: Skipped
The risk of dumpster diving is BEST mitigated by:

developing a media disposal policy.

placing shred bins in copy rooms.

implementing security awareness training.

(Correct)

placing shredders in individual offices.

Explanation

Implementing security awareness training is correct. Dumpster diving is used to steal
documents or computer media that were not properly discarded. Users should be educated
to know the risk of carelessly discarding sensitive documents and other items. Placing shred
bins in copy rooms is incorrect. The shred bins may not be properly used if users are not
aware of proper security techniques. Developing a media disposal policy is incorrect. A
media disposal policy is a good idea; however, if users are not aware of the policy it may not
be effective. Placing shredders in individual offices is incorrect. The shredders may not be
properly used if users are not aware of proper security techniques.
Question 67: Skipped
Which of the following is a function of an IT steering committee?

Approving and monitoring the status of IT plans and budgets

(Correct)

Monitoring vendor-controlled change control and testing

Ensuring a separation of duties within the information's processing environment

Liaising between the IT department and end users

Explanation

Approving and monitoring the status of IT plans and budgets is correct. The IT steering
committee typically serves as a general review board for major IT projects and should not
become involved in routine operations; therefore, one of its functions is to approve and
monitor major projects, such as the status of IT plans and budgets. Monitoring vendor-
controlled change control and testing is incorrect. Vendor change control is a sourcing issue
and should be monitored by IT management. Ensuring a separation of duties within the
information’s processing environment is incorrect. This is an IT management
responsibility. Liaising between the IT department and end users is incorrect. This is a
function of the individual parties and not a committee responsibility.
Question 68: Skipped
When developing a risk management program, what is the FIRST activity to be
performed?

Classification of data

Threat assessment

Inventory of assets

(Correct)

Criticality analysis

Explanation
Inventory of assets is correct. Identification of the assets to be protected is the first step in
the development of a risk management program. Threat assessment is incorrect. The assets
need to be identified first. A listing of the threats that can affect the assets is a later step in
the process. Classification of data is incorrect. Data classification is required for defining
access controls and in criticality analysis, but the assets (including data) need to be identified
before doing classification. Criticality analysis is incorrect. This is a later step in the process
after the assets have been identified.
Question 69: Skipped
After reviewing the disaster recovery planning process of an organization, an IS
auditor requests a meeting with organization management to discuss the findings.
Which of the following BEST describes the main goal of this meeting?

Assisting management in the implementation of corrective actions.

Confirming factual accuracy of the findings.

(Correct)

Prioritizing the resolution of the items.

Obtaining management approval of the corrective action plan.

Explanation

Confirm factual accuracy of the findings is correct. The goal of the meeting is to confirm the
factual accuracy of the audit findings and present an opportunity for management to agree
on or respond to recommendations for corrective action. Obtain management approval of
the corrective action plan is incorrect. Management approval of the corrective action plan is
not required. Management can elect to implement another corrective action plan to address
the risk. Assist management in the implementation of corrective actions is incorrect.
Implementation of corrective actions should be done after the factual accuracy of findings is
established, but the work of implementing corrective action is not typically assigned to the
IS auditor, because this impairs the auditor’s independence. Prioritize the resolution of
the items is incorrect. Rating the audit findings provides guidance to management for
allocating resources to the high-risk items first.
Question 70: Skipped
Effective IT governance requires organizational structures and processes to ensure
that-

IT governance is separate and distinct from the overall governance.

the business strategy is derived from an IT strategy.

the IT strategy extends the organization's strategies and objectives.

(Correct)

risk is maintained at a level acceptable for IT management.

Explanation

The IT strategy extends the organization’s strategies and objectives is correct. Effective IT
governance requires that board and executive management extend governance to IT and
provide the leadership, organizational structures and processes that ensure that the
organization’s IT sustains and extends the organization’s strategies and objectives,
and that the strategy is aligned with business strategy. Risk is maintained at a level
acceptable for IT management is incorrect. Risk acceptance levels are set by senior
management, not by IT management. The business strategy is derived from an IT strategy is
incorrect. The business strategy drives the IT strategy, not the other way around. IT
governance is separate and distinct from the overall governance is incorrect. IT governance
is not an isolated discipline; it must become an integral part of the overall enterprise
governance.
Question 71: Skipped
Which of the following is MOST important for an IS auditor to understand when
auditing an e-commerce environment?

The nature and criticality of the business process supported by the application

(Correct)

The policies, procedures and practices forming the control environment

Continuous monitoring of control measures for system availability and reliability

The technology architecture of the e-commerce environment

Explanation

The nature and criticality of the business processes supported by the application is correct.
The e-commerce application enables the execution of business transactions. Therefore, it is
important to understand the nature and criticality of the business process supported by the
e-commerce application to identify specific controls to review. The technology architecture
of the e-commerce environment is incorrect. Understanding the technology architecture of
the e-commerce environment is important; however, it is vital that the nature and criticality
of the business process supported by the e-commerce application are well understood. The
policies, procedures and practices forming the control environment is incorrect. Although
the policies, procedure and practices that form the internal control environment need to be
in alignment with the e-commerce environment, this is not the most important element that
the IS auditor needs to understand. Continuous monitoring of control measures for system
availability and reliability is incorrect. The availability of the e-commerce environment is
important, but this is only one of the aspects to be considered with respect to business
processes that are supported by the e-commerce application.
Question 72: Skipped
A web server is attacked and compromised. Organizational policy states that incident
response should balance containment of an attack with retaining freedom for later
legal action against an attacker. Under the circumstances, which of the following
should be performed FIRST?

Shut down the web server.

Run the server in a fail-safe mode.

Disconnect the web server from the network.

(Correct)

Dump the volatile storage data to a disk.

Explanation

Disconnect the web server from the network is correct. The first action is to disconnect the
web server from the network to secure the device for investigation, contain the damage and
prevent more actions by the attacker. Dump the volatile storage data to a disk is incorrect.
This may be used at the investigation stage but does not contain an attack in progress. Run
the server in a fail-safe mode is incorrect. In order to do this, the server needs to be shut
down. Shut down the web server is incorrect. This could potentially erase information that
might be needed for a forensic investigation or to develop a strategy to prevent future
similar attacks.
Question 73: Skipped
While auditing an internally developed web application, an IS auditor determines that
all business users share a common access profile. Which of the following is the MOST
relevant recommendation to prevent the risk of unauthorized data modification?

Customize user access profiles per job responsibility.

(Correct)

Implement regular access rights review.

Enforce strong password policy for all accounts.

Enable detailed logging of user actions.

Explanation

Customize user access profiles per job responsibility is correct. The strongest control is a preventive control that is automated through the system. Developing additional access profiles would ensure that the system restricts users to privileges defined by their job responsibilities and that an audit trail exists for those user actions.

Enable detailed logging of user actions is incorrect. Logging is a detective control and often a secondary recommendation in the event that technical issues or costs prohibit implementation of preventive controls.

Enforce strong password policy for all accounts is incorrect. While enforcing a password policy is a type of preventive control, it is not as effective as removing excessive access rights from users who do not need them to perform their job duties.

Implement regular access rights review is incorrect. An access rights review will not help in this scenario, because all users share the same profile and therefore the same set of access rights.
Question 74: Skipped
The BEST method for assessing the effectiveness of a business continuity plan is to
review the -

emergency procedures and employee training.

offsite storage and environmental controls.

plans and compare them to appropriate standards.

results from previous tests.

(Correct)

Explanation

Results from previous tests is correct. Previous test results will provide evidence of the effectiveness of the business continuity plan.

Plans and compare them to appropriate standards is incorrect. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness.

Emergency procedures and employee training is incorrect. Reviewing emergency procedures would provide insight into some aspects of the plan but would fall short of providing assurance of the plan’s overall effectiveness.

Offsite storage and environmental controls is incorrect. Reviewing offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan’s overall effectiveness.
Question 75: Skipped
During an audit, which of the following situations are MOST concerning for an
organization that significantly outsources IS processing to a private network?

The contract does not contain a right-to-audit clause for the third party.

(Correct)

The IS outsourcing guidelines are not approved by the board of directors.

There is a lack of well-defined IS performance evaluation procedures.

The contract was not reviewed by an information security subject matter expert prior to
signing.

Explanation

The contract does not contain a right-to-audit clause for the third party is correct. Lack of a right-to-audit clause in the contract impacts the IS auditor’s ability to perform the IS audit. Hence, the IS auditor is most concerned with such a situation. In the case of outsourcing to a private network, the organization should ensure that the third party has a minimum set of IT security controls in place and that they are operating effectively.

The contract was not reviewed by an information security subject matter expert prior to signing is incorrect. Having an information security subject matter expert review a contract is a good practice, but it is not a requirement in all industries.

The IS outsourcing guidelines are not approved by the board of directors is incorrect. Approval of the IS outsourcing guidelines by the board is a good practice of governance, and lack of approval is an audit issue. However, it does not impact the IS auditor’s ability to perform the IS audit.

There is a lack of well-defined IS performance evaluation procedures is incorrect. Lack of well-defined procedures does not enable objective evaluation of IS performance and is an audit issue. However, it does not result in major risk or repercussions and also does not impact the IS auditor’s ability to perform an IS audit.
Question 76: Skipped
Which of the following data validation edits is effective in detecting transposition and
transcription errors?

Check digit

(Correct)

Duplicate check

Validity check

Range check

Explanation

A check digit is correct. This is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered (e.g., an incorrect, but valid, value substituted for the original). This control is effective in detecting transposition and transcription errors.

A range check is incorrect. This is checking data that matches a predetermined range of allowable values.

A validity check is incorrect. This is programmed checking of the data validity in accordance with predetermined criteria.

Duplicate check is incorrect. In a duplicate check, new or fresh transactions are matched to those previously entered to ensure that they are not already in the system.
Question 77: Skipped
During the review of an enterprise's preventive maintenance process for systems at a
data center, the IS auditor has determined that adequate maintenance is being
performed on all critical computing, power and cooling systems. Additionally, it is
MOST important for the IS auditor to ensure that the organization:

has performed background checks on all service personnel.

escorts service personnel at all times when performing their work.

performs maintenance during noncritical processing times.

(Correct)

independently verifies that maintenance is being performed.

Explanation

Performs maintenance during noncritical processing times is correct. The biggest risk to normal operations in a data center would be if an incident or mishap were to happen during critical peak processing times; therefore, it would be prudent to ensure that no type of system maintenance be performed at these critical times.

Has performed background checks on all service personnel is incorrect. While the trustworthiness of the service personnel is important, it is normal practice for these individuals to be escorted and supervised by the data center personnel. It is also expected that the service provider would perform this background check, not the customer.

Escorts service personnel at all times when performing their work is incorrect. This is common and a good practice, but the greater risk in this case would be if work were performed during critical processing times.

Independently verifies that maintenance is being performed is incorrect. It is possible that the service provider is performing inadequate maintenance; therefore, this issue may need to be investigated; however, the bigger risk is maintenance being performed at critical processing times.
Question 78: Skipped
If inadequate, which of the following would be the MOST likely contributor to a
denial-of-service attack?

Router configuration and rules

(Correct)

Design of the internal network

Updates to the router system software

Audit testing and review techniques

Explanation

Router configuration and rules is correct. Improper router configuration and rules could lead to an exposure to denial-of-service (DoS) attacks.

Design of the internal network is incorrect. An inefficient design of the internal network may also lead to a DoS, but this is not as high a risk as router misconfiguration errors.

Updates to the router system software is incorrect. This has led to a DoS in the past, but this is a subset of router configuration and rules.

Audit testing and review techniques is incorrect. This can cause a DoS if tests disable systems or applications, but this is not the most likely risk.
Question 79: Skipped
An IS auditor conducting a review of software usage and licensing discovers that
numerous PCs contain unauthorized software.
Which of the following actions should the IS auditor take?

Report the use of the unauthorized software and the need to prevent recurrence.

(Correct)

Warn the end users about the risk of using illegal software.

Delete all copies of the unauthorized software.

Recommend an automated process to monitor for compliance with software licensing.

Explanation

"Report the use of the unauthorized software and the need to prevent recurrence" is correct. The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines.

"Delete all copies of the unauthorized software" is incorrect. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing the unauthorized software.

"Recommend an automated process to monitor for compliance with software licensing" is incorrect. This would detect compliance with software licensing. However, an automated solution might not be the best option in all cases.

"Warn the end users about the risk of using illegal software" is incorrect. Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.
Question 80: Skipped
An organization has a business process with a recovery time objective equal to zero
and a recovery point objective close to one minute. This implies that the process can
tolerate:

a one-minute processing interruption but cannot tolerate any data loss.

a processing interruption of one minute or more.

a data loss of up to one minute, but the processing must be continuous.

(Correct)

both a data loss and a processing interruption longer than one minute.

Explanation

A data loss of up to one minute, but the processing must be continuous is correct. Recovery time objective (RTO) measures an organization’s tolerance for downtime and recovery point objective (RPO) measures how much data loss can be accepted.

A one-minute processing interruption but cannot tolerate any data loss is incorrect. A processing interruption of one minute would exceed the zero RTO set by the organization.

A processing interruption of one minute or more is incorrect. This would exceed the continuous availability requirements of an RTO of zero.

Both a data loss and a processing interruption longer than one minute is incorrect. An RPO of one minute would only allow data loss of one minute.
Question 81: Skipped
During a disaster recovery test, an IS auditor observes that the performance of the
disaster recovery site's server is slow. To find the root cause of this, the IS auditor
should FIRST review the:

event error log generated at the disaster recovery site.

configurations and alignment of the primary and disaster recovery sites.

(Correct)

disaster recovery test plan.

disaster recovery plan.

Explanation

Configurations and alignment of the primary and disaster recovery sites is correct. Because the configuration of the system is the most probable cause, the IS auditor should review that first.

Event error log generated at the disaster recovery site is incorrect. If the issue cannot be clarified, the IS auditor should then review the event error log.

Disaster recovery test plan is incorrect. This would not identify any issues related to system performance unless the test was poorly designed and inefficient, but that would come after checking the configuration.

Disaster recovery plan is incorrect. Reviewing the disaster recovery plan would be unlikely to provide any information about system performance issues.
Question 82: Skipped
A firewall is being deployed at a new location. Which of the following is the MOST
important factor in ensuring a successful deployment?

Sharing firewall administrative duties

Testing and validating the rules

(Correct)

Reviewing logs frequently

Training a local administrator at the new location

Explanation

Testing and validating the rules is correct. A mistake in the rule set can render a firewall ineffective or insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment.

Reviewing logs frequently is incorrect. A regular review of log files would not start until the deployment has been completed.

Training a local administrator at the new location is incorrect. This may not be necessary if the firewalls are managed from a central location.

Sharing firewall administrative duties is incorrect. Having multiple administrators is a good idea, but not the most important for successful deployment.
Question 83: Skipped
A new application has been purchased from a vendor and is about to be implemented.
Which of the following choices is a key consideration when implementing the
application?

Preventing the compromise of the source code during the implementation process

Ensuring that vendor default accounts and passwords have been disabled

(Correct)

Removing the old copies of the program from escrow to avoid confusion

Verifying that the vendor is meeting support and maintenance agreements

Explanation

Ensuring that vendor default accounts and passwords have been disabled is correct. Disabling vendor default accounts and passwords is a critical part of implementing a new application.

Preventing the compromise of the source code during the implementation process is incorrect. The source code may not even be available to the purchasing organization, and it is the executable or object code that must be protected during implementation.

Removing the old copies of the program from escrow to avoid confusion is incorrect. Because this is a new application, there should not be any problem with older versions in escrow.

Verifying that the vendor is meeting support and maintenance agreements is incorrect. It is not possible to ensure that the vendor is meeting support and maintenance requirements until the system is operating.
Question 84: Skipped
Emergency changes that bypass the normal change control process are MOST
acceptable if:

management has preapproved all emergency changes.

management reviews and approves the changes after they have occurred.

(Correct)

the changes are reviewed by a peer at the time of the change.

the changes are documented in the change control system by the operations department.

Explanation

Management reviews and approves the changes after they have occurred is correct. Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable time period after they occur.

The changes are reviewed by a peer at the time of the change is incorrect. Although peer review provides some accountability, management should review and approve all changes, even if that review and approval must occur after the fact.

The changes are documented in the change control system by the operations department is incorrect. Documenting the event does not replace the need for a review and approval process to occur.

Management has preapproved all emergency changes is incorrect. It is not a good control practice for management to ignore its responsibility by preapproving all emergency changes in advance without reviewing them. Unauthorized changes could then be made without management’s knowledge.
Question 85: Skipped
When identifying an earlier project completion time, which is to be obtained by
paying a premium for early completion, the activities that should be selected are
those -

that have zero slack time.

(Correct)

whose sum of activity time is the shortest.

that give the longest possible completion time.

whose sum of slack time is the shortest.

Explanation

That have zero slack time is correct. A critical path’s activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduction in their time by payment of a premium for early completion). Activities on the critical path have zero slack time and, conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs versus time can be obtained.

Whose sum of activity time is the shortest is incorrect. Attention should focus on the tasks within the critical path that have no slack time.

That give the longest possible completion time is incorrect. The critical path is the longest time length of the activities but is not based on the longest time of any individual activity.

Whose sum of slack time is the shortest is incorrect. A task on the critical path has no slack time.
Question 86: Skipped
Which of the following is the BEST method for an IS auditor to verify that critical
production servers are running the latest security updates released by the vendor?

Ensure that automatic updates are enabled on critical production servers.

Review the change management log for critical production servers.

Verify manually that the patches are applied on a sample of production servers.

Run an automated tool to verify the security patches on production servers.

(Correct)

Explanation

Run an automated tool to verify the security patches on production servers is correct. An automated tool can immediately provide a report on which patches have been applied and which are missing.

Ensure that automatic updates are enabled on critical production servers is incorrect. This may be a valid way to manage the patching process; however, this would not provide assurance that all servers are being patched appropriately.

Verify manually that the patches are applied on a sample of production servers is incorrect. This will be less effective than automated testing and introduces a significant audit risk. Manual testing is also difficult and time consuming.

Review the change management log for critical production servers is incorrect. The change management log may not be updated on time and may not accurately reflect the patch update status on servers. A better testing strategy is to test the server for patches, rather than examining the change management log.
Question 87: Skipped
The most common reason for the failure of information systems to meet the needs of
users is that -

the growth of system requirements was forecast inaccurately.

user participation in defining the system's requirements was inadequate.

(Correct)

user needs are constantly changing.

the hardware system limits the number of concurrent users.

Explanation

User participation in defining the system’s requirements was inadequate is correct. Lack of adequate user involvement, especially in the system’s requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.

User needs are constantly changing is incorrect. Although changing user needs has an effect on the success or failure of many projects, the core problem is usually a lack of getting the initial requirements correct at the beginning of the project.

The growth of system requirements was forecast inaccurately is incorrect. Projects may fail as the needs of the users increase; however, this can be mitigated through better change control procedures.

The hardware system limits the number of concurrent users is incorrect. Rarely do hardware limitations affect the usability of the project as long as the requirements were correctly documented at the beginning of the project.
Question 88: Skipped
In a risk-based IS audit, where both inherent and control risk have been assessed as
high, an IS auditor would MOST likely compensate for this scenario by performing
additional -

substantive testing.

(Correct)

stop-or-go sampling.

compliance testing.

discovery sampling.

Explanation

Substantive testing is correct. Because both the inherent and control risk are high in this case, additional testing is required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

Stop-or-go sampling is incorrect. This is used when an IS auditor believes few errors will be found in the population, and, thus, is not the best type of testing to perform in this case.

Compliance testing is incorrect. This is evidence gathering for the purpose of testing an enterprise’s compliance with control procedures. Although performing compliance testing is important, performing additional substantive testing is more appropriate in this case.

Discovery sampling is incorrect. This is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing is the better option.
Question 89: Skipped
Before implementing controls in a newly developed system, management should
PRIMARILY ensure that the controls -

are based on a minimized cost analysis.

are detective or corrective.

satisfy a requirement in addressing a risk.

(Correct)

do not reduce productivity.

Explanation

Satisfy a requirement in addressing a risk is correct. The purpose of a control is to mitigate a risk; therefore, the primary consideration when selecting a control is that it effectively mitigates an identified risk. When designing controls, it is necessary to consider all of the aspects in the answer choices. In an ideal situation, controls that address all of these aspects would be the best controls. Realistically, it may not be possible to design them all and the cost may be prohibitive; therefore, it is necessary to consider the controls related primarily to the treatment of existing risk in the organization.

Do not reduce productivity is incorrect. Controls will often affect productivity and performance; however, this must be balanced against the benefit obtained from the implementation of the control.

Are based on a minimized cost analysis is incorrect. The most important reason for a control is to mitigate a risk, and the selection of a control is usually based on a cost-benefit analysis, not on selecting just the least expensive control.

Are detective or corrective is incorrect. A good control environment will include preventive, detective and corrective controls.
Question 90: Skipped
Suppose you have found that the enterprise architecture (EA) recently adopted by an
organization has an adequate current-state representation. However, the organization
has started a separate project to develop a future-state representation. As an IS
auditor, you should -

re-scope the audit to include the separate project as part of the current audit.

recommend that this separate project be completed as soon as possible.

recommend the adoption of the Zachman framework.

report this issue as a finding in the audit report.

(Correct)

Explanation

Report this issue as a finding in the audit report is correct. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.

Recommend that this separate project be completed as soon as possible is incorrect. The IS auditor does not ordinarily provide input on the timing of projects, but rather provides an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue.

Recommend the adoption of the Zachman framework is incorrect. The organization is free to choose any EA framework, and the IS auditor should not recommend a specific framework.

Re-scope the audit to include the separate project as part of the current audit is incorrect. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.
Question 91: Skipped
A hard disk containing confidential data was damaged beyond repair. If the goal is to
positively prevent access to the data by anyone else, what should be done to the hard
disk before it is discarded?

Degaussing

Low-level formatting

Destruction

(Correct)

Overwriting

Explanation

Destruction is correct. Physically destroying the hard disk is the most effective way to ensure that data cannot be recovered.

Overwriting is incorrect. Rewriting data is impractical because the hard disk is damaged and offers less assurance than physical destruction even when done successfully.

Low-level formatting is incorrect. This is impractical because the hard disk is damaged and offers less assurance than physical destruction even when done successfully.

Degaussing is incorrect. This is highly effective but offers less assurance than physical destruction.
Question 92: Skipped
The head of human resources has requested an IS audit to identify payroll
overpayments for the previous year. Which would be the BEST audit technique to use
in this situation?

Generate sample test data

Integrated test facility

Generalized audit software

(Correct)

Embedded audit module

Explanation

Generalized audit software is correct. Its features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, can design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

Generate sample test data is incorrect. Test data tests for the existence of controls that might prevent overpayments, but it does not detect specific, previous miscalculations.

An integrated test facility is incorrect. This helps to identify a problem as it occurs but does not detect errors for a previous period.

An embedded audit module is incorrect. This can enable the IS auditor to evaluate a process and gather audit evidence, but it does not detect errors for a previous period.
Question 93: Skipped
An IS auditor has been assigned to review an organization's information security
policy. Which of the following issues represents the HIGHEST potential risk?

The policy is approved by the security administrator.

(Correct)

The policy has not been updated in more than one year.

The company does not have an information security policy committee.

The policy includes no revision history.

Explanation

The policy is approved by the security administrator is correct. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.

The policy has not been updated in more than one year is incorrect. Although the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a good practice, the policy may be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable.

The policy includes no revision history is incorrect. The lack of a revision history with respect to the IS policy document is an issue but not as significant as not having it approved by management. A new policy, for example, may not have been subject to any revisions yet.

The company does not have an information security policy committee is incorrect. Although a policy committee drawn from across the company is a good practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.
Question 94: Skipped
During which of the following phases in system development would user acceptance
test plans normally be prepared?

Requirements definition

(Correct)

Feasibility study

Postimplementation review

Implementation planning

Explanation

Requirements definition is correct. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient.

Feasibility study is incorrect. The feasibility study is too early for such detailed user involvement.

Implementation planning is incorrect. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan.

Postimplementation review is incorrect. User acceptance testing should be completed prior to implementation.
Question 95: Skipped
Consider an organization that has outsourced its help desk activities. As an IS auditor,
your GREATEST concern when reviewing the contract and associated service level
agreement between the organization and vendor should be the provisions for -

reporting the year-to-year incremental cost reductions.

independent audit reports or full audit access.

(Correct)

documentation of staff background checks.

reporting staff turnover, development or training.

Explanation

Independent audit reports or full audit access is correct. When the functions of an IT department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access.

Documentation of staff background checks is incorrect. Although it is necessary to document the fact that background checks are performed, this is only one of the provisions that should be in place for audits.

Reporting the year-to-year incremental cost reductions is incorrect. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access.

Reporting staff turnover, development or training is incorrect. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.
Question 96: Skipped
Which of the following is the MOST critical step when planning an IS audit?

Review findings from prior audits.

Perform a risk assessment.

(Correct)

Executive management’s approval of the audit plan.

Review IS security policies and procedures.

Explanation

Perform a risk assessment is correct. Of all the steps listed, performing a risk assessment is
the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard
1202 (Risk Assessment in Planning), statement 1202.2: “IS audit and assurance
professionals shall identify and assess risk relevant to the area under review, when planning
individual engagements.†In addition to the standards requirement, if a risk assessment is
not performed, then high-risk areas of the auditee systems or operations may not be
identified for evaluation. Review findings from prior audits is incorrect. The findings of a
previous audit are of interest to the auditor, but they are not the most critical step. The most
critical step involves finding the current issues or high-risk areas, not reviewing the
resolution of older issues. A review of historical audit findings could indicate that
management is not resolving the items or the recommendation was ineffective. Executive
management’s approval of the audit plan is incorrect. Executive management is not
required to approve the audit plan. It is typically approved by the audit committee or board
of directors. Management could recommend areas to audit. Review information security
policies and procedures is incorrect. Reviewing information security policies and procedures
is normally conducted during fieldwork, not during planning.
Question 97: Skipped
What is the MOST prevalent security risk when an organization implements remote
virtual private network (VPN) access to its network?

The VPN gateway could be compromised.

Traffic could be sniffed and decrypted.

Malicious code could be spread across the network.

(Correct)

The VPN logon could be spoofed.

Explanation

Malicious code could be spread across the network is correct. Virtual private network (VPN)
is a mature technology; VPN devices are hard to break. However, when remote access is
enabled, malicious code in a remote client could spread to the organization’s network. One
problem is when the VPN terminates inside the network and the encrypted VPN traffic goes
through the firewall. This means that the firewall cannot adequately examine the traffic. The
VPN logon could be spoofed is incorrect. A secure VPN solution would use two-factor
authentication to prevent spoofing. Traffic could be sniffed and decrypted is incorrect.
Sniffing encrypted traffic does not generally provide an attack vector for its unauthorized
decryption. The VPN gateway could be compromised is incorrect. A misconfigured or poorly
implemented VPN gateway could be subject to attack, but if it is located in a secure subnet,
then the risk is reduced.
Question 98: Skipped
To address the risk of operations staff's failure to perform the daily backup,
management requires that the systems administrator sign off on the daily backup.
This is an example of risk -

avoidance.

acceptance.

transfer.

mitigation.

(Correct)

Explanation

Mitigation is correct. Risk mitigation is the strategy that provides for the definition and
implementation of controls to address the risk described. Requiring the systems
administrator to sign off on completion of the backups is an administrative control
that can be validated for compliance. Avoidance is incorrect. Risk avoidance is a strategy
that provides for not implementing certain activities or processes that would incur risk.
Transfer is incorrect. Risk transfer is the strategy that provides for sharing risk with partners
or purchasing insurance coverage. Acceptance is incorrect. Risk acceptance is a strategy that
provides for formal acknowledgment of the existence of a risk but not taking any action to
reduce the risk, and the monitoring of that risk.
Question 99: Skipped
Which of the following is the MOST likely reason an organization implements an
emergency change to an application using the emergency change control process?

The operating system vendor has released a security patch.

Changes are developed using an agile methodology.


The application owner requested new functionality.

There is a high probability of a significant impact on operations.

(Correct)

Explanation
There is a high probability of a significant impact on operations is correct. Emergency
releases to an application are fixes that require implementation as quickly as possible to
prevent significant user downtime. Emergency release procedures are followed in such
situations. The application owner requested new functionality is incorrect. Requests for new
functionality by the application owner generally follow normal change control procedures,
unless they have an impact on the business function. Changes are developed using an agile
methodology is incorrect. The agile system development methodology breaks down
projects into short time-boxed iterations. Each iteration focuses on developing end-to-end
functionality from user interface to data storage for the intended architecture. However, the
release does not need to follow emergency release procedures unless there is a significant
impact on operations. The operating system vendor has released a security patch is
incorrect. Operating system security patches are applied after testing, and therefore there is
no need for an emergency release.
Question 100: Skipped
Which of the following findings would be of GREATEST concern to an IS auditor
during a review of logical access to an application?

The change control team has knowledge of the application ID password.

The file storing the application ID password is in cleartext in the production code.

(Correct)

The application does not enforce the use of strong passwords.


Some developers have update access to production data.

Explanation
The file storing the application ID password is in cleartext in the production code is correct.
Compromise of the application ID password can result in untraceable, unauthorized changes
to production data; storing the password in cleartext poses the greatest risk. While the
production code may be protected from update access, it is viewable by development
teams. Some developers have update access to production data is incorrect. Developers
might need limited update access to production data to perform their jobs and this access,
when approved and reviewed by management, is acceptable even though it does pose a
risk. The change control team has knowledge of the application ID password is incorrect.
Knowledge of the application ID password by the change control team does not pose a
great concern if adequate separation of duties exists between change control and
development activities. There may be occasions when the application ID needs to be used
by change control in the production environment. The application does not enforce the use
of strong passwords is incorrect. While the lack of a strong password policy and
configuration can result in compromised accounts, the risk is lower than if the application ID
password is compromised because the application ID password does not allow for
traceability.
Question 101: Skipped
The PRIMARY purpose for meeting with auditees prior to formally closing a review is
to-

receive feedback on the adequacy of the audit procedures.

gain agreement on the findings.

(Correct)

confirm that the auditors did not overlook any important issues.

test the structure of the final presentation.

Explanation
Gain agreement on the findings is correct. The primary purpose for meeting with auditees
prior to formally closing a review is to gain agreement on the findings and responses from
management. Confirm that the auditors did not overlook any important issues is incorrect.
The closing meeting identifies any misunderstandings or errors in the audit but does not
identify any important issues overlooked in the audit. Receive feedback on the adequacy of
the audit procedures is incorrect. The closing meeting may obtain comments from
management on the conduct of the audit but is not intended to be a formal review of the
adequacy of the audit procedures. Test the structure of the final presentation is incorrect.
The structure of an audit report and the presentation follows accepted standards and
practices. The closing meeting may indicate errors in the audit or presentation but is not
intended to test the structure of the presentation.
Question 102: Skipped
Which of the following should an IS auditor review to understand project progress in
terms of time, budget and deliverables for early detection of possible overruns and
for projecting estimates at completion?

Cost budget

Function point analysis

Program evaluation and review technique

Earned value analysis

(Correct)

Explanation

Earned value analysis (EVA) is correct. This is an industry standard method for measuring a
project’s progress at any given point in time, forecasting its completion date and final
cost, and analyzing variances in the schedule and budget as the project proceeds. It
compares the planned amount of work with what has actually been completed to determine
if the cost, schedule and work accomplished are progressing in accordance with the plan.
EVA works most effectively if a well-formed work breakdown structure exists. Function point
analysis is incorrect. This is an indirect measure of software size and complexity and,
therefore, does not address the elements of time and budget. Cost budget is incorrect. A
cost budget does not address time. Program evaluation and review technique is incorrect. This aids
time and deliverables management but lacks projections for estimates at completion and
overall financial management.
Question 103: Skipped
Which of the following insurance types provides for a loss arising from fraudulent acts
by employees?

Errors and omissions

Fidelity coverage

(Correct)

Extra expense

Business interruption

Explanation

Fidelity coverage is correct. This type of insurance covers the loss arising from dishonest or
fraudulent acts by employees. Business interruption is incorrect. Business interruption
insurance covers the loss of profit due to the disruption in the operations of an
organization. Errors and omissions is incorrect. This type of insurance provides legal liability
protection in the event that the professional practitioner commits an act that results in
financial loss to a client. Extra expense is incorrect. This type of insurance is designed to
cover the extra costs of continuing operations following a disaster/disruption within an
organization.
Question 104: Skipped
The MAIN purpose of the annual IS audit plan is to -

Allocate resources for audits.

(Correct)

Reduce the impact of audit risk.

Minimize the audit costs.

Develop a training plan for auditors.

Explanation

Allocate resources for audits is correct. Because IS audit assignments need to be
accomplished with limited time and human resources, audits are scheduled and prioritized
as determined by IS audit management. Reduce the impact of audit risk is incorrect. Audit
risk is inherent to all audits, and the schedule has no bearing on the impact to audit risk.
Develop a training plan for auditors is incorrect. Developing a training plan for auditors is
important, but it is not the main purpose of an IS audit plan. Minimize the audit costs is
incorrect. Minimizing the audit costs could be one of the objectives of the annual IS audit plan.
However, this would be a result of ensuring audit resources are used effectively.
Question 105: Skipped
In a relational database with referential integrity, the use of which of the following
keys would prevent deletion of a row from a customer table as long as the customer
number of that row is stored with live orders on the orders table?

Secondary key

Primary key

Foreign key

(Correct)

Public key
Explanation
Foreign key is correct. In a relational database with referential integrity, the use of foreign
keys would prevent events such as primary key changes and record deletions, resulting in
orphaned relations within the database. Primary key is incorrect. It should not be possible to
delete a row from a customer table when the customer number (primary key) of that row is
stored with live orders on the orders table (the foreign key to the customer table). A primary
key works in one table so it is not able to provide/ensure referential integrity by itself.
Secondary key is incorrect. Secondary keys that are not foreign keys are not subject to
referential integrity checks. Public key is incorrect. A public key is related to encryption and
not linked in any way to referential integrity.
Question 106: Skipped
An audit charter should -

clearly state audit objectives for, and the delegation of, authority to the maintenance and
review of internal controls.

document the audit procedures designed to achieve the planned audit objectives.

outline the overall authority, scope and responsibilities of the audit function.

(Correct)

be dynamic and change to coincide with the changing nature of technology and the audit
profession.

Explanation

Outline the overall authority, scope and responsibilities of the audit function is correct. An
audit charter should state management’s objectives for and delegation of authority to IS
auditors. Be dynamic and change to coincide with the changing nature of technology and
the audit profession is incorrect. The audit charter should not be subject to changes in
technology and should not significantly change over time. The charter should be approved
at the highest level of management. Clearly state audit objectives for, and the delegation of,
authority to the maintenance and review of internal controls is incorrect. An audit charter
states the authority and reporting requirements for the audit but not the details of
maintenance of internal controls. Document the audit procedures designed to achieve the
planned audit objectives is incorrect. An audit charter is not at a detailed level and,
therefore, does not include specific audit objectives or procedures.
Question 107: Skipped
During an IS audit of a global organization, the IS auditor discovers that the
organization uses Voice-over Internet Protocol over the Internet as the sole means of
voice connectivity among all offices. Which of the following presents the MOST
significant risk for the organization's VoIP infrastructure?

Network equipment failure

Premium-rate fraud (toll fraud)

Distributed denial-of-service attack

(Correct)

Social engineering attack

Explanation

Distributed denial-of-service (DDoS) attack is correct. This would potentially disrupt the
organization’s ability to communicate among its offices and have the highest impact. In a
traditional voice network, a DDoS attack would only affect the data network, not voice
communications. Network equipment failure is incorrect. The use of Voice-over Internet
Protocol does not introduce any unique risk with respect to equipment failure, and
redundancy can be used to address network failure. Premium-rate fraud (toll fraud) is
incorrect. Toll fraud occurs when someone compromises the phone system and makes
unauthorized long-distance calls. While toll fraud may cost the business money, the more
severe risk would be the disruption of service. Social engineering attack is incorrect. This
involves gathering sensitive information to launch an attack and can be exercised over any
kind of telephony.
Question 108: Skipped
During an application audit, the IS auditor finds several problems related to corrupt
data in the database. Which of the following is a corrective control that the IS auditor
should recommend?

Ensure that only authorized personnel can update the database.

Establish controls to handle concurrent access problems.

Proceed with restore procedures.

(Correct)

Define the standards, and closely monitor them for compliance.

Explanation

Proceed with restore procedures is correct as this is a corrective control. Restore procedures
can be used to recover databases to their last-known archived version. Define the standards,
and closely monitor them for compliance is incorrect. Establishing standards is a preventive
control, and monitoring for compliance is a detective control. Ensure that only authorized
personnel can update the database is incorrect as this is a preventive control. Establish
controls to handle concurrent access problems is incorrect as this is a preventive control.
Question 109: Skipped
As an IS auditor, you review one day of logs for a remotely managed server and find
one case where logging failed, and the backup restarts cannot be confirmed. What
should you do?

Seek an explanation from IS management.

Issue an audit finding.


Review the classifications of data held on the server.

Expand the sample of logs reviewed.

(Correct)

Explanation

Expand the sample of logs reviewed is correct. IS Audit and Assurance Standards require
that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found
a potential problem and now needs to determine whether this is an isolated incident or a
systematic control failure. Issue an audit finding is incorrect. At this stage it is too
preliminary to issue an audit finding. Seeking an explanation from management is advisable,
but it is better to gather additional evidence to properly evaluate the seriousness of the
situation. Seek an explanation from IS management is incorrect. Without gathering more
information on the incident and the frequency of the incident, it is difficult to obtain a
meaningful explanation from management. Review the classifications of data held on the
server is incorrect. A backup failure, which has not been established at this point, will be
serious if it involves critical data. However, the issue is not the importance of the data on the
server, where a problem has been detected, but whether a systematic control failure that
impacts other servers exists.
Question 110: Skipped
When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that-

audit risk is considered.

controls needed to mitigate risk are in place.

a gap analysis is appropriate.

vulnerabilities and threats are identified.

(Correct)
Explanation
Vulnerabilities and threats are identified is correct. While developing a risk-based audit
strategy, it is critical that the risk and vulnerabilities are understood. They determine the
areas to be audited and the extent of coverage. Controls needed to mitigate risk are in place
is incorrect. Understanding whether appropriate controls that are required to mitigate risk
are in place is a resultant effect of an audit. Audit risk is considered is incorrect. Audit risk is
an inherent aspect of auditing, directly related to the audit process and not relevant to the
risk analysis of the environment to be audited. A gap analysis is appropriate is incorrect. A
gap analysis is normally done to compare the actual state to an expected or desirable state.
Question 111: Skipped
Which of the following procedures would MOST effectively detect the loading of
illegal software packages onto a network?

Policies that result in instant dismissal if violated

The use of current antivirus software

Periodic checking of hard drives

(Correct)

The use of diskless workstations

Explanation

Periodic checking of hard drives is correct. This would be the most effective method of
identifying illegal software packages loaded onto the network. The use of diskless
workstations is incorrect. These act as a preventive control and are not totally effective in
preventing users from accessing illegal software over the network. The use of current
antivirus software is incorrect. Antivirus software will not necessarily identify illegal software,
unless the software contains a virus. Policies that result in instant dismissal if violated is
incorrect. Policies are a preventive control to lay out the rules about loading the software,
but will not detect the actual occurrence.
Question 112: Skipped
Which of the following MOST likely indicates that a customer data warehouse should
remain in-house rather than be outsourced to an offshore operation?

Software development may require more detailed specifications.

Time-zone differences can impede communications between IT teams.

Privacy laws can prevent cross-border flow of information.

(Correct)

Telecommunications cost can be much higher in the first year.

Explanation

Privacy laws can prevent cross-border flow of information is correct. Privacy laws prohibiting
the cross-border flow of personally identifiable information make it impossible to locate a
data warehouse containing customer information in another country. Time-zone differences
can impede communications between IT teams is incorrect. These are usually manageable
issues for outsourcing solutions. Telecommunications cost can be much higher in the first
year is incorrect. Higher telecommunications costs are a part of the cost-benefit analysis and
not usually a reason to retain data in-house. Software development may require more
detailed specifications is incorrect. Software development typically requires more detailed
specifications when dealing with offshore operations, but that is not a factor that should
prohibit the outsourcing solution.
Question 113: Skipped
A data center has a badge-entry system. Which of the following is MOST important to
protect the computing assets in the center?

All badge entry attempts are logged, whether or not they succeed.

The computer that controls the badge system is backed up frequently.


A process for promptly deactivating lost or stolen badges is followed.

(Correct)

Badge readers are installed in locations where tampering would be noticed.

Explanation
A process for promptly deactivating lost or stolen badges is followed is correct. The biggest
risk is from unauthorized individuals who can enter the data center, whether they are
employees or not. Thus, having and following a process of deactivating lost or stolen
badges is important. Badge readers are installed in locations where tampering would be
noticed is incorrect. Tampering with a badge reader cannot open the door, so this is
irrelevant. The computer that controls the badge system is backed up frequently is incorrect.
The configuration of the system does not change frequently; therefore, frequent backup is
not necessary. All badge entry attempts are logged, whether or not they succeed is
incorrect. Logging the entry attempts is important, but not as important as ensuring that a
lost or stolen badge is disabled as quickly as possible.
Question 114: Skipped
An IS auditor discovers that uniform resource locators (URLs) for online control self-
assessment questionnaires are sent using URL shortening services. The use of URL
shortening services would MOST likely increase the risk of which of the following
attacks?

Phishing

(Correct)

Denial-of-service

Spoofing


Buffer overflow

Explanation
Phishing is correct. URL shortening services have been adopted by hackers to fool users and
spread malware (i.e., phishing). Spoofing is incorrect. This applies to source addressing,
while uniform resource locator (URL) shortening applies to destination addressing. Buffer
overflow is incorrect. This is not generally associated with URL shortening. Denial-of-service
is incorrect. These attacks are not affected by URL shortening services.
Question 115: Skipped
In a review of the human resources policies and procedures within an organization, an
IS auditor is MOST concerned with the absence of a -

requirement for new employees to sign a nondisclosure agreement.

requirement for periodic job rotations.

process for formalized exit interviews.

termination checklist.

(Correct)

Explanation

Termination checklist is correct. A termination checklist is critical to ensure the logical and
physical security of an enterprise. In addition to preventing the loss of enterprise property
that was issued to the employee, there is the risk of unauthorized access, intellectual
property theft and even sabotage by a disgruntled former employee. Requirement for
periodic job rotations is incorrect. Job rotation is a valuable control to ensure continuity of
operations, but not the most serious human resources policy risk. Process for formalized exit
interviews is incorrect. Holding an exit interview is desirable when possible to gain feedback
but is not a serious risk. Requirement for new employees to sign a nondisclosure agreement
(NDA) is incorrect. Signing an NDA is a recommended human resources practice, but a lack of
an NDA is not the most serious risk listed.
Question 116: Skipped
Which of the following is an appropriate test method to apply to a business continuity
plan?

Paper

(Correct)

Unit

Pilot

System

Explanation

Paper is correct. A paper test (sometimes called a deskcheck) is appropriate for testing a
business continuity plan (BCP). It is a walk-through of the entire BCP, or part of the BCP,
involving major players in the BCP’s execution who reason out what may happen in a
particular disaster. Pilot is incorrect. A pilot test is used for implementing a new process or
technology and is not appropriate for a BCP. Unit is incorrect. A unit test is used to test new
software components and is not appropriate for a BCP. System is incorrect. A system test is
an integrated test used to test a new IT system but is not appropriate for a BCP.
Question 117: Skipped
The output of the risk management process is an input for making -

security policy decisions.

(Correct)

software design decisions.


audit charters.

business plans.

Explanation

Security policy decisions is correct. The risk management process is about making specific,
security-related decisions, such as the level of acceptable risk. Business plans is incorrect.
Making a business plan is not the ultimate goal of the risk management process. Audit
charters is incorrect. Risk management can help create the audit plan, but not the audit
charter. Software design decisions is incorrect. Risk management will drive the design of
security controls in software but influencing security policy is more important.
Question 118: Skipped
Which of the following would normally be the MOST reliable evidence for an IS
auditor?

Assurance from line management that an application is working as designed

A confirmation letter received from a third party verifying an account balance

(Correct)

Trend data obtained from Internet sources

Ratio analysis developed by the IS auditor from reports supplied by line management

Explanation

A confirmation letter received from a third party verifying an account balance is correct.
Evidence obtained from independent third parties is almost always considered to be more
reliable than assurance provided by local management. Assurance from line management
that an application is working as designed is incorrect. Because management is not
objective and may not understand the risk and control environment, and they are only
providing evidence that the application is working correctly (not the controls), their
assurance is not an acceptable level of trust for audit evidence. Trend data obtained from
Internet sources is incorrect. Data collected from the Internet is not always trustworthy or
independently validated. Ratio analysis developed by the IS auditor from reports supplied
by line management is incorrect. Ratio analysis can identify trends and deviations from a
baseline but is not reliable evidence.
Question 119: Skipped
An IS auditor is reviewing a project risk assessment and notices that the overall
residual risk level is high due to confidentiality requirements. Which of the following
types of risk is normally high due to the number of unauthorized users the project
may affect?

Residual risk

Compliance risk

Inherent risk

(Correct)

Control risk

Explanation

Inherent risk is correct. This is normally high due to the number of users and business areas
that may be affected. Inherent risk is the risk level or exposure without considering the
actions that management has taken or might take. Control risk is incorrect. This can be high,
but it is not due to internal controls not being identified, evaluated or tested, and is not due
to the number of users or business areas affected. Compliance risk is incorrect. Compliance
risk is the penalty applied to current and future earnings for nonconformance to laws and
regulations and may not be impacted by the number of users and business areas affected.
Residual risk is incorrect. This is the remaining risk after management has implemented a
risk response and is not based on the number of users or business areas affected.
Question 120: Skipped
Which of the following is the PRIMARY purpose for conducting parallel testing?

To enable comprehensive unit and system testing

To determine whether the system is cost-effective

To ensure the new system meets user requirements

(Correct)

To highlight errors in the program interfaces with files

Explanation

To ensure the new system meets user requirements is correct. The purpose of parallel
testing is to ensure that the implementation of a new system will meet user requirements by
comparing the results of the old system with the new system to ensure correct processing.
To determine whether the system is cost-effective is incorrect. Parallel testing may show
that the old system is, in fact, more cost-effective than the new system, but this is not the
primary reason for parallel testing. To enable comprehensive unit and system testing is
incorrect. Unit and system testing are completed before parallel testing. To highlight errors
in the program interfaces with files is incorrect. Program interfaces with files are tested for
errors during system testing.
Question 121: Skipped
During a logical access controls review, an IS auditor observes that user accounts are
shared. The GREATEST risk resulting from this situation is that:

an unauthorized user may use the ID to gain access.

passwords are easily guessed.

user access management is time consuming.


user accountability is not established.

(Correct)

Explanation

User accountability is not established is correct. The use of a single user ID by more than
one individual precludes knowing who, in fact, used that ID to access a system; therefore, it
is more difficult to hold anyone accountable. An unauthorized user may use the ID to gain
access is incorrect. This risk is no greater than an unauthorized user accessing the system
with a unique user ID. User access management is time consuming is incorrect. Access
management would not be any different with shared IDs. Passwords are easily guessed is
incorrect. Shared user IDs do not necessarily have easily guessed passwords.
Question 122: Skipped
Determining the service delivery objective should be based PRIMARILY on:

the minimum acceptable operational capability.

(Correct)

the cost-effectiveness of the restoration process.

the allowable interruption window.

meeting the recovery time objectives.

Explanation
The minimum acceptable operational capability is correct. The service delivery objective
(SDO) is the level of service to be reached during the alternate process mode until the
normal situation is restored. This is directly related to the business needs. The cost-
effectiveness of the restoration process is incorrect. This is not the main consideration of
determining the SDO. Meeting the recovery time objectives is incorrect. This may be one of
the considerations in determining the SDO, but it is a secondary factor. The allowable
interruption window is incorrect. This may be one of the factors secondary to determining
the SDO.
Question 123: Skipped
When evaluating the collective effect of preventive, detective, and corrective controls
within a process, an IS auditor should be aware of which of the following?

Only preventive and detective controls are relevant

The point at which controls are exercised as data flow through the system

(Correct)

Corrective controls are regarded as compensating

Classification allows an IS auditor to determine which controls are missing

Explanation

"The point at which controls are exercised as data flow through the system" is correct.
An IS auditor should focus on when controls are exercised as data flow through a
computer system.

"Only preventive and detective controls are relevant" is incorrect. Corrective controls may
also be relevant because they allow an error or problem to be corrected.

"Corrective controls are regarded as compensating" is incorrect. Corrective controls remove
or reduce the effects of errors or irregularities and are not exclusively regarded as
compensating controls.

"Classification allows an IS auditor to determine which controls are missing" is incorrect. The
existence and function of controls are important but not the classification.

Question 124: Skipped
Depending on the complexity of an organization's business continuity plan (BCP), it
may be developed as a set of plans to address various aspects of business continuity
and disaster recovery. In such an environment, it is essential that:

the sequence for implementation of all plans is defined.

all plans are integrated into a single plan.

each plan is consistent with one another.

(Correct)

each plan is dependent on one another.

Explanation

Each plan is consistent with one another is correct. Depending on the complexity of an
organization, there could be more than one plan to address various aspects of business
continuity and disaster recovery, but the plans must be consistent to be effective. All plans
are integrated into a single plan is incorrect. The plans do not necessarily have to be
integrated into one single plan. Each plan is dependent on one another is incorrect.
Although each plan may be independent, each plan has to be consistent with other plans to
have a viable business continuity planning strategy. The sequence for implementation of all
plans is defined is incorrect. It may not be possible to define a sequence in which plans have
to be implemented because it may be dependent on the nature of disaster, criticality,
recovery time, etc.
Question 125: Skipped
Errors in audit procedures PRIMARILY impact which of the following risk types?

Control risk

Business risk

Detection risk

(Correct)

Inherent risk

Explanation

Detection risk is correct. This is the probability that the audit procedures may fail to detect
existence of a material error or fraud. Inherent risk is incorrect. This refers to the risk
involved in the nature of business or transaction and is not affected by human error. Control
risk is incorrect. This is the risk that a material error exists that would not be prevented or
detected on a timely basis by the system of internal controls. Business risk is incorrect. This
is not a component of audit risk.
Question 126: Skipped
Which of the following potentially blocks hacking attempts?

Honeypot system

Network security scanner

Intrusion prevention system

(Correct)

Intrusion detection system

Explanation

'Intrusion prevention system (IPS)' is correct. An IPS is deployed as an inline device
on a network or host that can detect and block hacking attempts. It is designed not only
to detect an attack but also to prevent the intended victim hosts from being affected
by it.

'Intrusion detection system (IDS)' is incorrect. An IDS is a detective control and does not
block any hacking attempts; its role is to report only. An IDS inspects network and host
security activity to identify suspicious patterns that may indicate a network or system
attack.

'Honeypot system' is incorrect. A honeypot captures intruder activity or traps intruders
when they attempt to explore a simulated target. It is a specially configured server, also
known as a decoy server, designed to attract and monitor intruders in a manner such that
their actions do not affect production systems.

'Network security scanner' is incorrect. A scanner identifies vulnerabilities but does not
remediate them.

Question 127: Skipped
The MOST important reason for an IS auditor to obtain sufficient and appropriate
audit evidence is to:

comply with regulatory requirements.

provide a basis for drawing reasonable conclusions.

(Correct)

ensure complete audit coverage.

perform the audit according to the defined scope.

Explanation

Provide a basis for drawing reasonable conclusions is correct. The scope of an IS audit is
defined by its objectives. This involves identifying control weaknesses relevant to the scope
of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only
identifying control weaknesses but also documenting and validating them. Comply with
regulatory requirements is incorrect. This is relevant to an audit but is not the most
important reason why sufficient and relevant evidence is required. Ensure complete audit
coverage is incorrect. Ensuring coverage is relevant to conducting an IS audit but is not the
most important reason why sufficient and relevant evidence is required. The reason for
obtaining evidence is to ensure that the audit conclusions are factual and accurate. Perform
the audit according to the defined scope is incorrect. The execution of an audit to meet its
defined scope is relevant to an audit but is not the reason why sufficient and relevant
evidence is required.
Question 128: Skipped
Which of the following security measures BEST ensures the integrity of information
stored in a data warehouse?

A read-only restriction

(Correct)

Validated daily backups

Change management procedures

Data dictionary maintenance

Explanation

A read-only restriction is correct. Because most data in a data warehouse are historic and do
not need to be changed, applying read-only restrictions prevents data manipulation.
Validated daily backups is incorrect. Backups address availability, not integrity. Validated
backups ensure that the backup will work when needed. Change management procedures is
incorrect. Adequate change management procedures protect the data warehouse and the
systems with which the data warehouse interfaces from unauthorized changes but are not
usually concerned with the data. Data dictionary maintenance is incorrect. These procedures
provide for the definition and structure of data that are input to the data warehouse. This
will not affect the integrity of data already stored.
Question 129: Skipped
During an IS audit of the disaster recovery plan of a global enterprise, the auditor
observes that some remote offices have very limited local IT resources. Which of the
following observations would be the MOST critical for the IS auditor?

Corporate security measures have not been incorporated into the test plan.

A test has not been made to ensure that tape backups from the remote offices are usable.

The corporate business continuity plan does not accurately document the systems that exist
at remote offices.

A test has not been made to ensure that local resources could maintain security and service
standards when recovering from a disaster or incident.

(Correct)

Explanation

A test has not been made to ensure that local resources could maintain security and service
standards when recovering from a disaster or incident is correct. Regardless of the capability
of local IT resources, the most critical risk would be the lack of testing, which would identify
quality issues in the recovery process. The corporate business continuity plan does not
accurately document the systems that exist at remote offices is incorrect. The corporate
business continuity plan may not include disaster recovery plan (DRP) details for remote
offices. It is important to ensure that the local plans have been tested. Corporate security
measures have not been incorporated into the test plan is incorrect. Security is an important
issue because many controls may be missing during a disaster. However, not having a
tested plan is more important. A test has not been made to ensure that tape backups from
the remote offices are usable is incorrect. The backups cannot be trusted until they have
been tested. However, this should be done as part of the overall tests of the DRP.
Question 130: Skipped
While reviewing a quality management system, the IS auditor should PRIMARILY
focus on collecting evidence to show that:

standard operating procedures of IT are updated annually.

quality management systems comply with good practices.

key performance indicators are defined.

continuous improvement targets are being monitored.

(Correct)

Explanation
Continuous improvement targets are being monitored is correct. Continuous and
measurable improvement of quality is the primary requirement to achieve the business
objective for the quality management system (QMS). Quality management systems comply
with good practices is incorrect. Generally, good practices are adopted according to
business requirements. Therefore, conforming to good practices may or may not be a
requirement of the business. Standard operating procedures of IT are updated annually is
incorrect. Updating operating procedures is part of implementing the QMS; however, it
must be part of change management and not an annual activity. Key performance indicators
are defined is incorrect. Key performance indicators may be defined in a QMS, but they are
of little value if they are not being monitored.
Question 131: Skipped
During a data center audit, an IS auditor observes that some parameters in the tape
management system are set to bypass or ignore tape header records. Which of the
following is the MOST effective compensating control for this weakness?

Offsite storage of tapes

Supervisory review of logs

Staging and job setup

(Correct)

Regular backup of tapes

Explanation
Staging and job setup is correct. If the IS auditor finds that there are effective staging and
job setup processes, this can be accepted as a compensating control. Not reading header
records may otherwise result in loading the wrong tape and deleting or accessing data on
the loaded tape. Supervisory review of logs is incorrect. This is a detective control that
would not prevent loading of the wrong tapes. Regular backup of tapes is incorrect. This is
not related to bypassing tape header records. Offsite storage of tapes is incorrect. This
would not prevent loading the wrong tape because of bypassing header records.
Question 132: Skipped
An IS auditor notes that patches for the operating system used by an organization are
deployed by the IT department as advised by the vendor. The MOST significant
concern an IS auditor should have with this practice is that IT has NOT considered:

delaying deployment until testing the impact of the patch.

(Correct)

the necessity of advising end users of new patches.

the training needs for users after applying the patch.

any beneficial impact of the patch on the operational systems.

Explanation

Delaying deployment until testing the impact of the patch is correct. Deploying patches
without testing exposes an organization to the risk of system disruption or failure. The
training needs for users after applying the patch is incorrect. Normally, there is no need for
training users when a new operating system patch has been installed. Any beneficial impact
of the patch on the operational systems is incorrect. Any beneficial impact is less important
than the risk of unavailability, which could be avoided with proper testing. The necessity of
advising end users of new patches is incorrect. Normally, there is no need for advising users
when a new operating system patch has been installed except to ensure that the patch is
applied at a time that will have minimal impact on operations.
Question 133: Skipped
Which of the following should an IS auditor review to gain an understanding of the
effectiveness of controls over the management of multiple projects?

Project database

Policy documents

Project portfolio database

(Correct)

Program organization

Explanation

A project portfolio database is correct. This is the basis for project portfolio management. It
includes project data such as owner, schedules, objectives, project type, status and cost.
Project portfolio management requires specific project portfolio reports. A project database
is incorrect. This may contain the information about control effectiveness for one specific
project and updates to various parameters pertaining to the current status of that single
project. Policy documents is incorrect. These on project management set direction for the
design, development, implementation and monitoring of the project. Program organization
is incorrect. This is the team required (steering committee, quality assurance, systems
personnel, analyst, programmer, hardware support, etc.) to meet the delivery objectives of
the projects.
Question 134: Skipped
To minimize the cost of a software project, quality management techniques should be
applied:

mainly at project close-down to capture lessons learned that can be applied to future
projects.

as close to their writing (i.e., point of origination) as possible.

primarily at project start to ensure that the project is established in accordance with
organizational governance standards.

continuously throughout the project with an emphasis on finding and fixing defects
primarily through testing to maximize the defect detection rate.

(Correct)

Explanation

Continuously throughout the project with an emphasis on finding and fixing defects
primarily through testing to maximize the defect detection rate is correct. Although it is
important to properly establish a software development project, quality management
should be effectively practiced throughout the project. The major source of unexpected
costs on most software projects is rework. The general rule is that the earlier in the
development life cycle that a defect occurs, and the longer it takes to find and fix that
defect, the more effort will be needed to correct it. A well-written quality management plan
is a good start, but it must also be actively applied. Simply relying on testing to identify
defects is a relatively costly and less effective way of achieving software quality. For
example, an error in requirements discovered in the testing phase can result in scrapping
significant amounts of work. As close to their writing (i.e., point of origination) as possible is
incorrect. Quality assurance (QA) should start as early as possible but continue through the
entire development process. Primarily at project start to ensure that the project is
established in accordance with organizational governance standards is incorrect. Only
performing QA during the start of the project will not detect problems that appear later in
the development cycle. Mainly at project close-down to capture lessons learned that can be
applied to future projects is incorrect. Capturing lessons learned will be too late for the
current project. Additionally, applying quality management techniques throughout a project
is likely to yield its own insights into the causes of quality problems and assist in staff
development.
Question 135: Skipped
In planning an IS audit, the MOST critical step is the identification of the:

areas of significant risk.

(Correct)

time allotted for the audit.

skill sets of the audit staff.

test steps in the audit.

Explanation

Areas of significant risk is correct. When designing a risk-based audit plan, it is important to
identify the areas of highest risk to determine the areas to be audited. The skill sets of the
audit staff is incorrect. This should have been considered before deciding and selecting the
audit. Where the skills are inadequate, the organization should consider using external
resources. Test steps in the audit is incorrect. These are not as critical during the audit
planning process as identifying the areas of risk that should be audited. The time allotted
for an audit is incorrect. This is determined during the planning process based on the areas
to be audited and is primarily based on the requirement for conducting an appropriate
audit.
Question 136: Skipped
Which of the following tests performed by an IS auditor would be the MOST effective
in determining compliance with change control procedures in an organization?

Identify changes that have occurred and verify approvals.

(Correct)

Ensure that only appropriate staff can migrate changes into production.

Review change control documentation and verify approvals.

Review software migration records and verify approvals.

Explanation
Identify changes that have occurred and verify approvals is correct. The most effective
method is to determine what changes have been made (check logs and modified dates) and
then verify that they have been approved. Review software migration records and verify
approvals is incorrect. Software migration records may not have all changes listed—changes
could have been made that were not included in the migration records. Review change
control documentation and verify approvals is incorrect. Change control records may not
have all changes listed. Ensure that only appropriate staff can migrate changes into
production is incorrect. Ensuring that only appropriate staff can migrate changes into
production is a key control process but, in itself, does not verify compliance.
Question 137: Skipped
An IS auditor reviewing database controls discovered that changes to the database
during normal working hours were handled through a standard set of procedures.
However, changes made after normal hours required only an abbreviated number of
steps. In this situation, which of the following would be considered an adequate set of
compensating controls?

Make changes to the database after granting access to a normal user account.

Use the normal user account to make changes, log the changes and review the change log
the following day.

Allow changes to be made only with the database administrator (DBA) user account.

Use the DBA user account to make changes, log the changes and review the change log the
following day.

(Correct)

Explanation

Use the database administrator (DBA) user account to make changes, log the changes and
review the change log the following day is correct. A DBA user account is normally set up to
log all changes made and is most appropriate for changes made outside of normal hours.
The use of a log, which records the changes, allows the changes to be reviewed. Because an
abbreviated number of steps is used, this represents an adequate set of compensating
controls. Allow changes to be made only with the DBA user account is incorrect. The use of
the DBA user account without logging would permit uncontrolled changes to be made to
databases after access to the account was obtained. Make changes
to the database after granting access to a normal user account is incorrect. A normal user
account should not have access to a database. This would permit uncontrolled changes to
any of the databases. Use the normal user account to make changes, log the changes and
review the change log the following day is incorrect. Users should not be able to make
changes. Logging would only provide information on changes made but would not limit
changes to only those who were authorized.
Question 138: Skipped
The BEST filter rule for protecting a network from being used as an amplifier in a
denial-of-service attack is to deny all:

incoming traffic with discernible spoofed IP source addresses.

incoming traffic whose destination address belongs to critical hosts.

incoming traffic that includes options set in the Internet Protocol.

outgoing traffic with source addresses external to the network.

(Correct)

Explanation

Outgoing traffic with source addresses external to the network is correct. Outgoing traffic
with an Internet Protocol (IP) source address different than the internal IP range in the
network is invalid. In most of the cases, it signals a denial-of-service attack originated by an
internal user or by a previously compromised internal machine; in both cases, applying this
filter will stop the infected machine from participating in the attack. Incoming traffic with
discernible spoofed IP source addresses is incorrect. Denying incoming traffic will not
prevent an internal machine from participating in an attack on an outside target. Incoming
traffic that includes options set in the Internet Protocol is incorrect. Incoming traffic will
have the IP options set according to the type of traffic. This is a normal condition. Incoming
traffic whose destination address belongs to critical hosts is incorrect. Denying incoming
traffic to internal hosts will prevent legitimate traffic.
Question 139: Skipped
Responsibility for the governance of IT should rest with the:

audit committee.

chief information officer.

board of directors.

(Correct)

IT strategy committee.

Explanation

Board of directors is correct. Governance is the set of responsibilities and practices exercised
by the board and executive management with the goal of providing strategic direction,
ensuring that objectives are achieved, ascertaining that risk is managed appropriately and
verifying that the enterprise’s resources are used responsibly. IT strategy committee is
incorrect. This group plays a significant role in the successful implementation of IT
governance within an organization, but the ultimate responsibility resides with the board of
directors. Chief information officer is incorrect. This individual plays a significant role in the
successful implementation of IT governance within an organization, but the ultimate
responsibility resides with the board of directors. Audit committee is incorrect. This group
plays a significant role in monitoring and overseeing the successful implementation of IT
governance within an organization, but the ultimate responsibility resides with the board of
directors.
Question 140: Skipped
Recovery procedures for an information processing facility are BEST based on:

maximum tolerable outage.

information security policy.

recovery point objective.

recovery time objective.

(Correct)

Explanation

The recovery time objective (RTO) is correct. This is the amount of time allowed for the
recovery of a business function or resource after a disaster occurs; the RTO is the desired
recovery time frame based on maximum tolerable outage (MTO) and available recovery
alternatives. The recovery point objective (RPO) is incorrect. This has the greatest influence
on the recovery strategies for given data. It is determined based on the acceptable data loss
in case of a disruption of operations. The RPO effectively quantifies the permissible amount
of data loss in case of interruption. Maximum tolerable outage is incorrect. MTO is the
amount of time allowed for the recovery of a business function or resource after a disaster
occurs; it represents the time by which the service must be restored before the organization
is faced with the threat of collapse. An information security policy is incorrect. This does not
address recovery procedures.
Question 141: Skipped
An IS auditor is reviewing a manufacturing company and finds that mainframe users
at a remote site connect to the mainframe at headquarters over the Internet via
Telnet. Which of the following offers the STRONGEST security?

Use of a nonstandard port for Telnet

Use of a firewall rule to allow only the Internet Protocol address of the remote site

Use of two-factor authentication

Use of a point-to-point leased line

(Correct)

Explanation

Use of a point-to-point leased line is correct. A leased line will effectively extend the local
area network of the headquarters to the remote site, and the mainframe Telnet connection
would travel over the private line, which would be less of a security risk when using an
insecure protocol such as Telnet. Use of a firewall rule to allow only the Internet Protocol
address of the remote site is incorrect. A firewall rule at the headquarters network to only
allow Telnet connections from the Internet Protocol (IP) address assigned to the remote site
would make the connection more secure than the current arrangement, but a dedicated
leased line is the most secure option of those listed. Use of two-factor authentication is
incorrect. While two-factor authentication would enhance the login security, it would not
secure the transmission channel against eavesdropping, and, therefore, a leased line would
be a better option. Use of a nonstandard port for Telnet is incorrect. Attacks on network
services start with the assumption that network services use the standard Transmission
Control Protocol/IP port number assigned for the service, which is port 23 for Telnet. By
reconfiguring the host and client, a different port can be used. Assigning a nonstandard
port for services is a good general security practice because it makes it more difficult to
determine what service is using the port; however, in this case, creating a leased-line
connection to the remote site would be a better solution.
Question 142: Skipped
When protecting an organization's IT systems, which of the following is normally the
next line of defense after the network firewall has been compromised?

Personal firewall

Virtual local area network configuration

Intrusion detection system

(Correct)

Antivirus programs

Explanation

Intrusion detection system (IDS) is correct. An IDS would be the next line of defense after
the firewall. It would detect anomalies in the network/server activity and try to detect the
perpetrator. Personal firewall is incorrect. This would occur later in the defensive strategy,
being located on the endpoints. Antivirus programs is incorrect. These would be installed on
endpoints as well as on the network, but the next layer of defense after a firewall is an
IDS/intrusion protection system. Virtual local area network configuration is incorrect. This is
not intended to compensate for a compromise of the firewall. It is an architectural good
practice.
Question 143: Skipped
A proposed transaction processing application will have many data capture sources
and outputs in paper and electronic form. To ensure that transactions are not lost
during processing, an IS auditor should recommend the inclusion of:

validation controls.

automated systems balancing.

(Correct)

clerical control procedures.

internal credibility checks.

Explanation

Automated systems balancing is correct. This would be the best way to ensure that no
transactions are lost as any imbalance between total inputs and total outputs would be
reported for investigation and correction. Validation controls is incorrect. Input and output
validation controls are certainly valid controls but will not detect and report lost
transactions. Internal credibility checks is incorrect. These are valid controls to detect errors
in processing but will not detect and report lost transactions. Clerical control procedures is
incorrect. A clerical procedure could be used to summarize and compare inputs and
outputs; however, an automated process is less susceptible to error.
Question 144: Skipped
An IS auditor has been asked to participate in project initiation meetings for a critical
project. The IS auditor's MAIN concern should be that the:

technical deliverables have been identified.

complexity and risk associated with the project have been analyzed.

(Correct)

contract for external parties involved in the project has been completed.

resources needed throughout the project have been determined.

Explanation

Complexity and risk associated with the project have been analyzed is correct.
Understanding complexity and risk, and actively managing these throughout a project are
critical to a successful outcome. Resources needed throughout the project have been
determined is incorrect. The resources needed will be dependent on the complexity of the
project. Technical deliverables have been identified is incorrect. It is too early to identify the
technical deliverables. A contract for external parties involved in the project has been
completed is incorrect. Not all projects will require contracts with external parties.
Question 145: Skipped
Which of the following should an IS auditor recommend for the protection of specific
sensitive information stored in a data warehouse?

Implement column- and row-level permissions

(Correct)

Log user access to the data warehouse

Organize the data warehouse into subject matter–specific databases

Enhance user authentication via strong passwords

Explanation

Implement column- and row-level permissions is correct. Column- and row-level
permissions control what information users can access. Column-level security prevents users
from seeing one or more attributes on a table. With row-level security a certain grouping of
information on a table is restricted (e.g., if a table held details of employee salaries, then a
restriction could be put in place to ensure that, unless specifically authorized, users could
not view the salaries of executive staff). Column- and row-level security can be achieved in a
relational database by allowing users to access logical representations of data (views) rather
than physical tables. This “fine-grained” security model is likely to offer the best balance
between information protection while still supporting a wide range of analytical and
reporting uses. Enhance user authentication via strong passwords is incorrect. This is a
security control that should apply to all users of the data warehouse and does not
specifically address protection of specific sensitive data. Organize a data warehouse into
subject-specific databases is incorrect. This is a potentially useful practice but, in itself, does
not adequately protect sensitive data. Database-level security is normally too “coarse” a
level to efficiently and effectively protect information. For example, one database may hold
information that needs to be restricted such as employee salary and customer profitability
details while other information such as employee department may need to be legitimately
accessed by a large number of users. Organizing the data warehouse into subject matter-
specific databases is similar to user access in that this control should generally apply. Extra
attention could be devoted to reviewing access to tables with sensitive data, but this control
is not sufficient without strong preventive controls at the column and row level. Log user
access to the data warehouse is incorrect. This is important, but it is only a detective control
that will not provide adequate protection to sensitive information.
Question 146: Skipped
Which of the following BEST describes the role of a directory server in a public key
infrastructure?

Encrypts the information transmitted over the network

Makes other users' certificates available to applications

(Correct)

Facilitates the implementation of a password policy

Stores certificate revocation lists

Explanation

Makes other users’ certificates available to applications is correct. A directory server makes
other users’ certificates available to applications. Encrypts the information transmitted over
the network is incorrect. This is a role performed by a security server. Facilitates the
implementation of a password policy is incorrect. This is not relevant to public key
infrastructure. Stores certificate revocation lists is incorrect. This is a role performed by a
security server.
Question 147: Skipped
What method might an IS auditor use to test wireless security at branch office
locations?

War driving

(Correct)

War dialing

Social engineering

Password cracking

Explanation

War driving is correct. This is a technique for locating and gaining access to wireless
networks by driving or walking around a building with a wireless-equipped computer. War
dialing is incorrect. This is a technique for gaining access to a computer or a network
through the dialing of defined blocks of telephone numbers, with the hope of getting an
answer from a modem. Social engineering is incorrect. This is a technique used to gather
information that can assist an attacker in gaining logical or physical access to data or
resources. Social engineering exploits human weaknesses. Password cracking is incorrect.
Password crackers are tools used to guess users’ passwords by trying combinations and
dictionary words. Once a wireless device has been identified, password crackers may be
used to try to attack it.
Question 148: Skipped
Distributed denial-of-service attacks on Internet sites are typically launched by attackers
using which of the following?

Logic bombs

Phishing site

Botnets

(Correct)

Spyware

Explanation

Botnets is correct. A botnet is a number of Internet-connected devices, each of which is
running one or more bots. Botnets can be used to perform distributed denial-of-service
attacks (DDoS attacks), steal data, send spam, and allow the attacker to access the device and
its connection. Logic bombs is incorrect. These are programs designed to destroy or modify
data at a specific event or time in the future. Phishing site is incorrect. This is an attack,
normally via email, pretending to be an authorized person or organization requesting
information. Spyware is incorrect. This is a program that picks up information from PC drives
by making copies of their contents.
Question 149: Skipped
An IS auditor is evaluating the IT governance framework of an organization. Which of
the following is the GREATEST concern?

Return on investment is not measured.

Chargeback of IT cost is not consistent.

Risk appetite is not quantified.

Senior management has limited involvement.

(Correct)

Explanation

Senior management has limited involvement is correct. To ensure that the IT governance
framework is effectively in place, senior management must be involved and aware of roles
and responsibilities. Therefore, it is most essential to ensure the involvement of senior
management when evaluating the soundness of IT governance. Return on investment is not
measured is incorrect. Ensuring revenue management is a part of the objectives in the IT
governance framework. Therefore, it is not effective in verifying the soundness of IT
governance. Chargeback of IT cost is not consistent is incorrect. Introduction of a cost
allocation system is part of the objectives in an IT governance framework. Therefore, it is not
effective in verifying the soundness of IT governance. Risk appetite is not quantified is
incorrect. Estimation of risk appetite is important; however, at the same time, management
should ensure that controls are in place. Therefore, checking only on risk appetite does not
verify soundness of IT governance.
Question 150: Skipped
While reviewing the IT infrastructure, an IS auditor notices that storage resources are
continuously being added. The IS auditor should:

review the adequacy of offsite storage.

recommend the use of a compression algorithm.

recommend the use of disk mirroring.

review the capacity management process.

(Correct)

Explanation

Review the capacity management process is correct. Capacity management is the planning
and monitoring of computer resources to ensure that available IT resources are used
efficiently and effectively. This will look at capacity from a strategic viewpoint and allow a
plan to forecast and purchase additional equipment in a planned manner. Recommend the
use of disk mirroring is incorrect. A disk mirroring solution would increase storage
requirements. This would not be advisable until a proper capacity management plan is in
place. Review the adequacy of offsite storage is incorrect. Offsite storage is unrelated to the
problem. Recommend the use of a compression algorithm is incorrect. Though data
compression may save disk space, it could affect system performance. This is not the first
choice—the auditor should recommend more investigation into the increased demand for
storage before providing any recommended solutions.