2

When reviewing the development of information security policies, the PRIMARY focus of an IS
auditor should be on assuring that these policies _______________.
SELECT THE CORRECT ANSWER
are aligned with globally accepted industry best practices
are approved by the board of directors and senior management
strike a balance between business and security requirements
provide direction for implementing security procedures

Correct Option: C
EXPLANATION
Information security policies must be first aligned with an organization's objectives. Best practices
are adopted based on the business objectives. It is essential that policies be approved; however, that
is not the primary focus during development. Policies cannot provide direction if they are not aligned
with business requirements.

3
Identify a true statement about Unified Modeling Language (UML).
SELECT THE CORRECT ANSWER
General-purpose notational language for specifying and visualizing software for object-oriented
environments
Provide a standard model for generating test data
Integrated process for modeling physical interactions
General-purpose programming language

Correct Option: A
EXPLANATION
Unified Modeling Language (UML) is a development tool for complex object-oriented programming
projects and needs an additional level of understanding with advance planning to be effective.

6
Which of the following is the most popular medium for connecting workstations in a corporate
environment?
SELECT THE CORRECT ANSWER
UTP
STP
Coaxial cable
Fiber optics

Correct Option: A
EXPLANATION
The most popular media is UTP, or unshielded twisted-pair. STP, shielded twisted-pair, is more
resistant to electronic noise and may be used in a shop environment. Coaxial cable is no longer used
for connecting workstations. Fiber optics is often used for interconnecting servers.

10
In software programming, which of the following is a name for a database row?
SELECT THE CORRECT ANSWER
Attribute
Domain
Tuple
Primary Key

Correct Option: C
EXPLANATION
The row in a database is also known as a tuple. Data contained in columns are referred to as
attributes or capabilities.

11
Which of the following factors is MOST responsible for the increased need to assign additional
information security responsibility to users?
SELECT THE CORRECT ANSWER
The greater quantity of data created and distributed by end users
Increased dependency of business processes on IT processes
Advances in security technology over the years
Lean staff that have traditionally constituted IT organizations

Correct Option: A
EXPLANATION
The creation and distribution of data by end users with less involvement from the central IT
organization is the single most relevant factor that requires users to be more responsible and
informed about security issues. While business processes are more dependent on IT processes,
making IT processes more critical, this does not affect governance as much as the proliferation of
end-user data. The advancement of security technology has enabled the assignment of certain
security responsibilities to end users, such as self-service password reset systems. But these
technologies have not specifically changed the role of end users in IT security. The typically lean
nature of IT staffing has been supplemented by improvements in technology, so this is not the
correct answer.

12
Which of the following is the MOST efficient way to test the design effectiveness of a partially
automated change control process?
SELECT THE CORRECT ANSWER
Test a sample population of changes.
Perform an end-to-end walk-through of the process.
Test one change that has been authorized.
Use a computer-assisted audit test (CAAT).

Correct Option: B
EXPLANATION
An end-to-end walk-through is the best way to confirm design effectiveness since it ensures that
controls are adequate to meet the risks associated with change control. Testing a sample population
of changes is a test of operating effectiveness. Testing one change that has been authorized may not
provide sufficient assurance with respect to the entire process because it would not test the
elements of the process related to authorization. Using a CAAT would not cover the manual aspects
of the process.

15
An IS auditor conducting a physical security audit of an organization's back office processing
facility would find which of the following techniques MOST effective to determine that the
company's sensitive information is secure?
SELECT THE CORRECT ANSWER
Social engineering
Penetration testing
War walking
Vulnerability assessment

Correct Option: A
EXPLANATION
Social engineering is a technique used to exploit human vulnerabilities to obtain confidential or
sensitive organization information. This technique can be used to gain unauthorized access to the
organization facilities and manipulate people to divulge sensitive information-e.g., a social engineer
may walk into company facilities, obtain confidential papers or information left on employees' desks
and printers, and even pose as a member of the help desk team to obtain user passwords.
Penetration testing is a method of evaluating the security of a computer system or network by
simulating an attack from a malicious person or hacker. This activity is typically carried out over the
network and does not address the physical security of the facility. War walking is the technique that
involves using of a handheld personal digital assistant (PDA) with the intent to compromise the
wireless network security. Wireless signals usually transcend the physical boundaries of a facility and
thus do not directly address physical security. Vulnerability assessment is a method of evaluating the
security of the network and servers by running automated scanning software to enumerate
vulnerabilities of systems and IT infrastructure. This activity is typically carried out over the network.

19. An IS auditor finds that an enterprise neither restricts the use nor has a policy addressing the
use of universal serial bus (USB) storage devices. Which of the following would be MOST
important for the IS auditor to recommend?
SELECT THE CORRECT ANSWER
Implementing security software to prevent the use of USB ports for data transfer
Introducing a policy to address the use of portable drives
Implementing a virtual private network (VPN) solution to ensure encrypted sessions during
transmission of data
Disabling USB ports on all machines

Correct Option: A
EXPLANATION
The best method to prevent the use of portable media is through a hardware or software solution.
Since the enterprise does not have a policy to address the use of portable drives, it is possible that
management did not consider the risks associated with their use. Because of the portable nature of
these drives, they are prone to being misplaced or lost. Option B is not correct because, while a
policy would address use, it is not a strong enough method to prevent use. If there were an
indication that management accepts the risks, then this would be the correct answer. Management
should first understand the risks associated with the drives, and a decision should be made as to
how risks will be controlled. Option C is not correct because a VPN solution does not address the use
of portable media. A VPN is used for a secure method of remote access to a private network. Option
D is not correct because it is not practical to disable all USB ports because they may be used for a
mouse, local printer, or other legitimate devices.

21
An IT executive of an insurance company asked an external auditor to evaluate the User IDs for
emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a
predefined expiration date. What should the IS auditor recommend?
SELECT THE CORRECT ANSWER
Review of the access control privilege authorization process
Implementation of an identity management system (IMS)
Enhancement of procedures to audit changes made to sensitive customer data
Granting of fire call accounts only to managers

Correct Option: A
EXPLANATION
In this case, the IS auditor should recommend reviewing the process of access control management.
Emergency system administration-level access should only be granted on an as-needed basis and
configured to a predefined expiration date. Accounts with temporary privileges require strong
controls to limit the lifetime of the privileges and use of these accounts should be closely monitored.
Choice B is not correct because, while implementing an IMS may solve the problem, it would be
most cost-efficient to first review access privileges. Enhancing procedures to audit changes made to
sensitive customer data (choice C) does not prevent the misuse of these accounts and should be
performed after reviewing the process. It is not realistic to grant fire call accounts only to managers
(choice D).
25
The PRIMARY responsibility of an IT manager employed by a multinational sales organization that
is pursuing a new initiative to provide information services to customers through mobile
telephones is to:
SELECT THE CORRECT ANSWER
conduct a feasibility study.
assess technical capacity.
prepare a business case.
identify a solution provider.

Correct Option: B
EXPLANATION
In this scenario, an IT manager would be responsible for assessing the technical capacity for this
initiative. Conducting a feasibility study and preparing a business case would more likely be
performed by a business or process owner, not an IT manager. The identification of a solution
provider would be performed by a cross-functional group; it would not be the primary responsibility
of the IT manager.

27
When conducting substantive testing, an IS auditor should be MOST concerned with:
SELECT THE CORRECT ANSWER
the evidence to determine whether controls are functioning as designed.
the evidence to determine the level of risk.
the gathering of evidence to evaluate the validity of data.
the quality of data to be gathered and reviewed.

Correct Option: C
EXPLANATION
Substantive testing is the gathering of data to substantiate the integrity of data processing, i.e.,
determining whether the data is accurate. The gathering of evidence to determine whether controls
are functioning or applied as designed is compliance testing. Vulnerabilities exist when controls are
not functioning as planned. If risk is low, the need for substantive testing will be limited. The quality
and quantity of evidence is determined by the purpose of the audit and an IS auditor's judgment.

29
Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet
banking application?
SELECT THE CORRECT ANSWER
User registration and password policies
User security awareness
Use of intrusion detection/intrusion prevention systems (IDSs/IPSs)
Domain name system (DNS) server security hardening

Correct Option: D
EXPLANATION
The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of
the DNS server. In order to avoid this kind of attack, it is necessary to eliminate any known
vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this
kind of attack and should be patched. User registration, password policies, awareness, and the use of
IDSs/IPSs cannot mitigate pharming attacks because they do not prevent manipulation of DNS
records

31
Which of the following controls would be the MOST effective to ensure and maintain continuous
system availability?
SELECT THE CORRECT ANSWER
Appropriate authorization of system changes
Access to users on a need-to-know basis
Appropriately documented changes
Near real-time monitoring

Correct Option:A
EXPLANATION
Authorizing all changes effectively prevents a potential change that may affect system availability.
Authorization is generally based on successful testing and is put into production after acceptance by
a business user. Access to users on a need-to-know basis is a good preventive control, but does not
prevent the application of unauthorized changes to the system that may affect availability.
Appropriate documentation of change control procedures is recommended, but does not prevent
availability. Monitoring is a detective control and does not prevent availability.

37

When performance issues are discovered during an assessment of the organization's network, the
MOST efficient way for the IS auditor to proceed is to examine the:
SELECT THE CORRECT ANSWER
antivirus controls that have been put in place.

protocols used on the network.

network topology.

configuration of network devices.

Correct Option:C
EXPLANATION
By reviewing the network topology, the IS auditor can quickly gain a high-level perspective of
potential points of failure or bottlenecks. The IS auditor will be directed to specific areas of the
network which may require more detailed analysis. The other choices require more time to assess
and are secondary to understanding the overall architecture of the network

41
Management instructs a junior IS auditor to prepare and deliver a final report using his/her best
judgment since no senior IS auditor is available to review the work papers. What is the PRIMARY
risk of this situation?
SELECT THE CORRECT ANSWER
The loss of reputation because the audit was not performed according to standards.
The audit report fails to identify and classify critical risks.
Client management will challenge the findings.
The audit report may not be approved by audit management.

Correct Option:A
EXPLANATION
ISACA IT Audit and Assurance Standard S6 (Performance of Audit Work), Substandard 03
(Supervision), states that IS audit staff should be supervised to provide reasonable assurance that
audit objectives are accomplished and applicable professional auditing standards are met." If one IS
auditor completes the entire audit

48

An auditor has a significant team of 13 members. Which of these data collection methods is the
best to use?
SELECT THE CORRECT ANSWER
Broad-based sample through questionnaire
Detailed documentation review
Departmental and auditee observation
Interviews

Correct Option: D
EXPLANATION
Interviewing selected personnel is a good technique with a large audit team.

49
What would be undertaken in the initial stages of an IS audit?
SELECT THE CORRECT ANSWER
Reviewing prior audit findings
Reviewing documentation
Reviewing access controls
Commencing the planning process

Correct Option: D
EXPLANATION
An audit planning process to identify the objectives, resources, and a risk-based approach is kicked-
off in initial stages.

51
The IT Governance team is not very happy with the auditor's suggestion of using CAAT. What could
be their objection?
SELECT THE CORRECT ANSWER
External and unknown software
Cost and complexity of operation
Evidence shared through automated tool
Documented evidence can be reviewed for corrective action

Correct Option: B
EXPLANATION
CAATs produce more accurate data, but operational costs and the complex training of this
automated tool leads to objection.

55
Which of these define the external auditor standing, and also documents the agreed terms and
conditions?
SELECT THE CORRECT ANSWER
Audit Charter
Audit Calendar
Audit Engagement
Audit Plan

Correct Option: C
EXPLANATION
Audit Engagement letter is used to define the relationship with independent auditors, and it
documents the agreement between audit committee and the independent auditor, providing
responsibility, accountability, and authority for an audit.

57
Which of these methods is used by the audit team to plan an audit when the requirements and
the process to audit are unclear?

SELECT THE CORRECT ANSWER

Simulation method

Process method

Observation method

Interview method

Correct Option: B
EXPLANATION
Process methods such as Plan-Do-Check-Act can be used to gather requirements. The cycle is
iterative until there is adequate information to conduct the audit.

59
An IT Governance Board is seeking to transfer the risk to an outsourced contractor. Which of these
would be of great concern?
SELECT THE CORRECT ANSWER
Costs and budget would be significantly higher
Contractor may not be able to bear the loss consequences
Liability still rests with the parent company
There is a risk that highly skilled manpower in the parent organization is lost

Correct Option: C
EXPLANATION
Even though the IS component has been outsourced, the liability for failure remains with the parent
organization.

65
The CISA is asked to perform a computer forensic investigation and is collecting evidence. What
would be the primary concern?
SELECT THE CORRECT ANSWER
Collection
Data integrity
Preservation
Disclosure

Correct Option: C
EXPLANATION
The CISA would be aware that failure to properly preserve evidence could jeopardize admissibility in
legal proceedings. Therefore, preservation and documentation of evidence for review by law
enforcement and judicial authorities are paramount in this type of audit.

77
An IS auditor has been asked to review logical access controls. What should be the next step?
SELECT THE CORRECT ANSWER
Review documented logical and physical controls.
Understand the security risks to information processing.
Review access controls authorized personnel.
Review security policies and practices.

Correct Option: B
EXPLANATION
The IS auditor can understand the security risks to information processing by reviewing relevant
documentation, by inquiries, and conducting a risk assessment. The IS auditor must ensure the
logical controls are adequate to address risk.

81
Which type of audit would the auditor use to check the characteristics against design conditions ?
SELECT THE CORRECT ANSWER
Compliance
Project
Application
Product

Correct Option: D
EXPLANATION
Product audits compare design specifications against the attributes of a finished product. Auditors
use this audit during certification of a customized software or before a software product releases.

82
Which of these processes are not required by the configuration management?
SELECT THE CORRECT ANSWER
Configure each item
Release schedule
Change control
Version control

Correct Option: B
EXPLANATION
Configuration management requires three essential components: configuration of each item, version
control of every change, and reporting of the current configuration as it is built and has been
facilitated to the customer. Release schedule is not required.
83

Which of these entities contain methods and programming that can be modified by the user or
operator?
SELECT THE CORRECT ANSWER
Application interfaces
Open systems
Graphical user interfaces
Closed system

Correct Option: B
EXPLANATION
An open system includes the source code that can be read as well as utilized to design documents
for the user or operator to make the required changes.

84
Which business process reengineering strategies require large amounts of time reviewing the
current process?
SELECT THE CORRECT ANSWER
Step Model
Big Bang
Incremental
Interactive

Correct Option: C
EXPLANATION
An incremental process requires longer time to review the current process, and therefore has little
or no impact.

86
Which of these are uses of regression testing?
SELECT THE CORRECT ANSWER
Tests individual software modules
Regresses the software to compensate for internal controls
Ensures that changes do not have undesirable effect on other components
Reverses the user acceptance testing to an earlier phase of development

Correct Option: C
EXPLANATION
Regression testing checks the software for problems that would have a negative effect on other
components.
87
Which of the given tests checks the authorization and completeness of information contained in a
record?
SELECT THE CORRECT ANSWER
Substantive
Regression
Data integrity
Systems

Correct Option: C
EXPLANATION
A data integrity test checks the correctness of data traced through the processing cycle and reviews
the input authorization and extensiveness of data processing. It also verifies if the results are correct

88

What is the meaning of critical path in project scheduling?

SELECT THE CORRECT ANSWER

Activities to complete the project in the shortest total time

Total time for critical activities

Successive activities with the longest total time

View the project in a critical fashion

Correct Option: C
EXPLANATION
A critical path is a series of successive project activities necessary to fulfill the minimum
requirement, and is represented by the longest total time and the shortest route to completion.

89
User acceptance testing should occur in which of the following environments?
SELECT THE CORRECT ANSWER
Stand-alone systems
In the configuration controlled testing or staging library
On development systems for program
Production systems

Correct Option: B
EXPLANATION
One can perform acceptance testing in a ideal configuration controlled environment with versioned
software modules.

91
In software analysis, why are the entity-relationship diagrams used?
SELECT THE CORRECT ANSWER
To detail data relationships
To detail the architecture
To detail user requirements
To detail implementation needs

Correct Option: A
EXPLANATION
The ERD are used to detail the relationship of data records and data attributes.

93
Why is the Function Point Analysis (FPA) methodology used?
SELECT THE CORRECT ANSWER
Detail the functions in an organization
Forecast of resources, and the complexity of requirements
Use parameters to determine the requirement scope and complexity
Diagram of the organization chart with responsibilities

Correct Option: B
EXPLANATION
Function Point Analysis technique uses parameters such as the inputs' number or the total count of
outputs, and the intricacy to estimate all requirements in terms of size and schedule.

97
At which layer of the OSI model does a gateway operate?
SELECT THE CORRECT ANSWER
Networking
Session
Presentation
Application

Correct Option: D
EXPLANATION
The gateway is an application running on OSI layer 7. The function of a gateway is to solve the
problem related to the formatting of data. A computer program running on layer 7 will extract the
data in its original format, and then reformat the data and transmit it to the new system.
100
Which is not an acceptable method of disposal for magnetic media?
SELECT THE CORRECT ANSWER
Reformatting
Overwriting
Physical destruction
Electrical degaussing

Correct Option:A
EXPLANATION
Reformatting and deleting files do not remove the contents from the drive; it simply marks the space
occupied by the files as eligible for overwriting. A disk wiping (overwriting) utility should be used if
the disk will be reused. Physical destruction and electrical degaussing will also remove the data.

102

Which encryption key is not needed by the recipient to decrypt a message when using public key
infrastructure (PKI)?
SELECT THE CORRECT ANSWER
Sender's public key

Receiver's public key

Sender's private key

Receiver's private key

Correct Option: C
EXPLANATION
The sender's private key is never used by the recipient. Only three of the four keys are ever used on
each end to encrypt and decrypt messages. Private keys remain absolutely secret. The PKI algorithm
is designed to allow the public key to unlock (decrypt) files that were encrypted using the sender's
private key.

105
When auditing to determine the IT operational capability, which of the following would be the
best evidence of whether adequate recovery and restart procedures exist?
SELECT THE CORRECT ANSWER
Reviewing program documentation
Interviewing support personnel
Reviewing operations documentation
Checking the system configuration

Correct Option: C
EXPLANATION
The presence of up-to-date recovery and restart procedures is an excellent source of evidence. If the
opportunity is available, it would be a good idea to observe the support personnel using the
procedure effectively. The auditor may inquire when was the last time the procedure was tested
or used. The lack of documentation is a control failure

106
Which of the following represents the weakest type of authentication?
SELECT THE CORRECT ANSWER
User ID and password
Biometrics
Token-based access control
Voice-print analysis

Correct Option: A
EXPLANATION
The user ID and password is the weakest type of authentication. The password simply indicates that
somebody typed the characters on the screen during login. It does not provide an assurance as to
who that individual actually is.

109
What is the principal issue regarding the use of biometrics?
SELECT THE CORRECT ANSWER
Implementation cost
User acceptance
Enrollment process
System accuracy

Correct Option:B
EXPLANATION
User acceptance is the primary issue to the widespread use of biometrics. Some individuals regard
the use of biometrics as an invasion of privacy or express health concerns related to using the
system.

110
Which of the following best defines the failure of a biometric system to keep out unwanted
intruders?
SELECT THE CORRECT ANSWER
Equal error rate (ERR)
Type 2 error (FAR)
Type 1 error (FRR)
Crossover error rate (CER)

Correct Option: B
EXPLANATION
The type 2 error refers to a false acceptance, which allows an unwanted intruder to gain access to
the system. A type 1 error rejects authorized users.

111
Which type of system attack is normally not visible to network monitoring systems?
SELECT THE CORRECT ANSWER
Active
Brute force
Passive
Snipe

Correct Option: C
EXPLANATION
Passive attacks are designed to collect data without being detected. Passive attacks include
eavesdropping to collect data by listening to the communication between network devices. The
results of passive attacks are used to launch an active attack

113
Which of the following property does not relate to one-way hash function?
SELECT THE CORRECT ANSWER
It needs to be infeasible to compute and find the corresponding message, when the digest value is
given.
It transforms a message with an arbitrary length to a fixed length value.
It transforms a message with a fixed length to a value of arbitrary length.
It should be rare or not possible to get the same digest from two different messages.

Correct Option:C
EXPLANATION
A hashing algorithm inputs a variable-length string and the message of any size. It computes a value
of fixed length, which is the message digest. The SHA family creates the value of fixed length of 160
bits, while the MD family creates the value of 128 bits.

114
The effective length of the DES key consists of how many bits?
SELECT THE CORRECT ANSWER
64
56
16
32
Correct Option: B
EXPLANATION
The key size of DES is 64 bits; however, it uses 8 bits for parity. Therefore, the exact key size is 56
bits. The DEA algorithm is utilized for the DES standard. Therefore, its true key size is 56 bits, as the
same algorithm here is being discussed. DEA is the algorithm, while DES is actually the standard. It is
called DES in the industry, as it is easier.

116
Which of the following technology can be considered as the best identity management
technology for accomplishing a few needs of the company?
SELECT THE CORRECT ANSWER
Digital identity provisioning
Active Directory
LDAP directories for authoritative sources
Federated identity

Correct Option: D
EXPLANATION
With the help of federation identification, the company and its partners can enable themselves to
share the authentication information of the customer. The retail company can have the
authentication information when a customer authenticates to a partner website. Therefore, when
visiting the website of the retail company, the customer needs to submit less user profile
information. As a result, the steps of the purchase process get reduced. This type of functionality
and structure becomes feasible when companies possess and share the similar or same settings of
federated identity management software under a set trust model.

17
Positive pressurization pertaining to ventilation implies:
SELECT THE CORRECT ANSWER
Air comes in when a door opens.
The power supply is disabled when a fire takes place.
The smoke is diverted to one room when a fire takes place.
The air goes out when a door opens.

Correct Option:D
EXPLANATION
Positive pressurization implies that the air goes out when a door is opened. The air from outside
does not enter. If the doors of a facility were opened when it were on fire, positive pressure causes
the smoke to exit and not get pushed back inside the building.
119
An administrative control that does not pertain to emergency procedures Is:
SELECT THE CORRECT ANSWER
Awareness and training
Intrusion detection systems
Delegation of duties
Drills and inspections

Correct Option: B
EXPLANATION
Apart from intrusion detection systems, rest other controls directly correlate with proper emergency
procedures. The management needs to make sure that these controls are in place, tested properly,
and implemented. Intrusion detection systems are physical or technical controls that are not
administrative.

121
A system that is not considered as a delaying mechanism is:
SELECT THE CORRECT ANSWER
Defense-in-depth measures
Locks
Access controls
Warning signs

Correct Option: D
EXPLANATION
Each physical security program needs to have delaying mechanisms with the objective to slow down
an intruder for alerting the security personnel and arriving at the scene. Warning signs are not
delaying controls, but deterrence controls.

122
The two common proximity identification devices types are:
SELECT THE CORRECT ANSWER
Swipe card devices and passive devices
Biometric devices and access control devices
User-activated devices and system sensing devices
Preset code devices and wireless devices

Correct Option: C
EXPLANATION
With a user-activated system, the user needs to enter a code or swipe the card using the reader.
With a system sensing device, the presence of the card is recognized and communicated, without
the requirement of the user to perform any activity.

123
The goal of the strategy planning phase is to:
SELECT THE CORRECT ANSWER
Select a response to cover every situation
Pick up a vendor that offers the best solution
Full fill the interests of all the stakeholders to their satisfaction
Recognize time windows and minimum service

Correct Option: D
EXPLANATION
The main goal of this phase is to recognize the time window that is available and minimum service
necessary that is required for recovery. A specific product or a vendor should never be involved in
this discussion. The objective is forcing to develop a specification and find solutions thats fit the
specification.

128

What does it mean if a cipher lock includes a door delay option?

SELECT THE CORRECT ANSWER
The alarm goes off when a door remains opened for a specific period.

The lock can be opened only is emergency situations.

It supports the capability of hostage alarm.

It supports the capability of supervisory override.

Correct Option: A
EXPLANATION
When a door remains opened for long period, the security guard would need to be alerted. This may
show that apart from a person exiting or entering the door, something is taking place. A threshold is
set for a security system so that an alarm sounds if the door remains opened beyond the specific
time period.

129
What is the difference between a tumbler and warded lock?
SELECT THE CORRECT ANSWER
As compared to warded lock, a tumbler lock is easier to circumvent.
A warded lock makes use of internal cylinders, while a tumbler lock makes use of an internal bolt.
As compared to a warded lock, a tumbler lock has more components.
A tumbler lock is used internally, while a warded lock is primarily used externally.

Correct Option: C
EXPLANATION
As compared to a warded lock, a tumbler lock includes more parts and pieces. The metal pieces of
the lock are raised to the right height for the bolt to slide to the unlocked or locked position. This
happens when the key fits into a cylinder. As compared to a tumbler lock, a warded lock is simpler to
circumvent

131
When a post-implementation enterprise resource management system review is being done, an IS
auditor generally:
SELECT THE CORRECT ANSWER
Reviews the configuration of access control
Evaluates interface testing
Reviews the documentation of the detailed design
Evaluates system testing

Correct Option: A
EXPLANATION
As the first step, the auditor reviews access control configuration for determining if security has
been mapped in the system appropriately. The review is performed once user acceptance testing
and actual implementation is complete. Therefore, no one engages in documentation of detailed
design and interface testing.

137

When an enterprise resource planning (ERP) financial system's audit for the logical access control
was being done, an IS auditor discovered that there were some user accounts that were being
shared by more than one users. The user IDs were made on the basis of roles rather and not on
individual identities. With these accounts, one could access the ERP financial transactions. In this
situation, the IS auditor should:

SELECT THE CORRECT ANSWER

Review the logs of financial transactions.
Find compensating controls.
Ask to disable these accounts.
Review the audit scope.
Correct Option: B
EXPLANATION
To define accountability, the best access control would be to create user IDs for every user. One can
do so only by creating a one-to-one relationship between users and IDs. On the other hand, if the IDs
have been created on the basis of role designations, the auditor must first understand the objective
behind this before evaluating the efficiency of the controls.

138
A modification test results in a system dealing with payment calculation are evaluated by an IS
auditor. The auditor discovers that 50% of the computations do not match with the determined
totals. Most likely, the next audit step would be to:
SELECT THE CORRECT ANSWER
Identify variables that may have caused the test results to be inaccurate.
Design further tests of the calculations that are in error.
Document the results and prepare a report of findings, conclusions and recommendations.
Examine some of the test cases to confirm the results.

Correct Option: D
EXPLANATION
An auditor, as the next step, should examine and confirm the cases with incorrect computations.
Further tests can be then be performed and reviewed. Until all results are confirmed, preparation of
reports, findings and recommendations are not made.

139
The process that utilizes test data for an all-inclusive program controls test in a constant online
manner is:
SELECT THE CORRECT ANSWER
Base-case system evaluation
Test data/deck
Parallel simulation
Integrated test facility

Correct Option: A
EXPLANATION
In a base-case system evaluation, test data sets are used and developed for all-inclusive testing
programs. Before acceptance and periodic validation, this is done for verifying the right systems
operations. On the other hand, test data/deck mimics transactions with the use of real programs.
Parallel simulation is a process in which the production of processed data takes place with the use of
computer programs that mimic the program logic of application. However, an ITF makes false files in
the database and processes test transactions along with live input
140
Recently, a company has been downsized and, an IS auditor makes the decision of testing logical
access controls. In this context, what should be the main concern of the auditor?
SELECT THE CORRECT ANSWER
Management has the required and authorized access for users who have been newly hired.
The entire system access is appropriate and authorized for the role and responsibilities of an
individual.
For granting or modifying access to individuals, access authorization forms are used.
For granting or modifying access to individuals, only the system administrator has the authority.

Correct Option: B
EXPLANATION
If a company has downsized, it means employee take actions in a large number over a comparatively
short time period. Some new duties can be assigned to employees while some of the former duties
are retained. A number of employees may go jobless. The concern of the IS auditor should be to
maintain an appropriate segregation of duties, limit the access to as per the employee's role and
responsibilities, and revoke the access of employees who are no longer in the organization.

143
A security manager who needs to develop a solution to allow his company's mobile devices to be
authenticated in a standardized and centralized manner using digital certificates. The applications
these mobile clients use require a TCP connection. Which of the following is the best solution to
implement?
SELECT THE CORRECT ANSWER
SESAME using PKI
RADIUS using EAP
Diameter using EAP
RADIUS using TTLS

Correct Option: C
EXPLANATION
Diameter is a protocol that has been developed to build upon the functionality of RADIUS and to
overcome many of its limitations. Diameter is an AAA protocol that provides the same type of
functionality as RADIUS and TACACSPlus but also provides more flexibility and capabilities, including
working with EAP. RADIUS uses UDP, and cannot effectively deal well with remote access, IP
mobility, and policy control.

144
Which of the following choices represents the best description of a proxy firewall?
SELECT THE CORRECT ANSWER
Packet filter
Intrusion detection
Circuit level gateway
Sixth generation

Correct Option: C
EXPLANATION
The proxy firewall is designed to execute a request on behalf of the user without granting direct
access. The proxy runs on the firewall. A proxy selectively filters and relays service requests between
the internal and external networks. There is no direct connection between the internal and external
network, other than the proxy software program. A circuit-level gateway is a firewall that provides
connection security, and works between an Open Systems Interconnection (OSI) network model's
session layer.

146
Which of the following represents a search for correlations in the data?
SELECT THE CORRECT ANSWER
Data mart
Data snapshot
Data mining
Data warehouse

Correct Option: C
EXPLANATION
The process of data mining is to search the available data in the data warehouse for correlations.
Data is collected from various databases with a snapshot utility, and copied to the data warehouse.
The data is searched for correlations that may provide useful information. These correlations are
then stored in the data mart for the user to review.

147
An IS auditor evaluating some database controls finds out that the revisions made to the database
during regular working hours were managed with the help of standard procedures. Eventually, it
was discovered that the changes that were undertaken after the regular hours needed an
abbreviated sequence of steps. In such a situation, which of the following would prove to be a
suitable set of compensating controls?
SELECT THE CORRECT ANSWER
Allowing changes to the database administrator (DBA) user account only.
Making changes to the database once an access is granted to a normal user account.
Using the normal user account to execute changes, log them, and review them in the log on the next
day.
Using the DBA user account to execute changes, log them, and review them in the logon the next
day.
Correct Option: D
EXPLANATION
Using a DBA user account is usually meant for logging all the changes that have been made. This is
the most appropriate way for monitoring the changes made outside the regular hours. This is why,
logging along with reviewing prove to be an applicable set of compensating controls.

148
Several documents are produced as part of an audit plan. Which among these identifies an
individual's responsibility for specific audit jobs to ensure quality?
SELECT THE CORRECT ANSWER
Skills matrix
Skills matrix
Auditor assignment matrix
Activities matrix

Correct Option: A
EXPLANATION
A skills matrix is used to identify audit skills required to ensure the right person is performing the
task.

150
For governance of enterprise IT to be successful, management and control of IT must be the
responsibility of:
SELECT THE CORRECT ANSWER
the executive management
both the business and IT functions
the IT function only
the business function only

Correct Option: B
EXPLANATION
The responsibility for management and control of enterprise IT should be shared between the
business and the IT function. For example, the business must fulfill its data ownership
responsibilities, while IT must fulfill its custodianship responsibilities.
19. An IS auditor finds that an enterprise neither restricts the use nor has a policy addressing the
use of universal serial bus (USB) storage devices. Which of the following would be MOST
important for the IS auditor to recommend?
SELECT THE CORRECT ANSWER
Implementing security software to prevent the use of USB ports for data transfer
Introducing a policy to address the use of portable drives
Implementing a virtual private network (VPN) solution to ensure encrypted sessions during
transmission of data
Disabling USB ports on all machines

Correct Option: A
EXPLANATION
The best method to prevent the use of portable media is through a hardware or software solution.
Since the enterprise does not have a policy to address the use of portable drives, it is possible that
management did not consider the risks associated with their use. Because of the portable nature of
these drives, they are prone to being misplaced or lost. Option B is not correct because, while a
policy would address use, it is not a strong enough method to prevent use. If there were an
indication that management accepts the risks, then this would be the correct answer. Management
should first understand the risks associated with the drives, and a decision should be made as to
how risks will be controlled. Option C is not correct because a VPN solution does not address the use
of portable media. A VPN is used for a secure method of remote access to a private network. Option
D is not correct because it is not practical to disable all USB ports because they may be used for a
mouse, local printer, or other legitimate devices.

27
When conducting substantive testing, an IS auditor should be MOST concerned with:
SELECT THE CORRECT ANSWER
the evidence to determine whether controls are functioning as designed.
the evidence to determine the level of risk.
the gathering of evidence to evaluate the validity of data.
the quality of data to be gathered and reviewed.

Correct Option : C
EXPLANATION
Substantive testing is the gathering of data to substantiate the integrity of data processing, i.e.,
determining whether the data is accurate. The gathering of evidence to determine whether controls
are functioning or applied as designed is compliance testing. Vulnerabilities exist when controls are
not functioning as planned. If risk is low, the need for substantive testing will be limited. The quality
and quantity of evidence is determined by the purpose of the audit and an IS auditor's judgment.