
Mock Exam - Final - WTH Answers

The document appears to be a mock exam for the Certified Information System Auditor (CISA) review containing 29 multiple choice questions covering various topics in information system auditing. The questions cover areas such as control self-assessment, intrusion detection systems, user acceptance testing, software patching, IT governance, risk analysis, operational policies, security attacks, electronic data interchange risks, telecommunications continuity, third-party auditing, website access policies, system access privileges, disaster recovery planning, project quality tradeoffs, data authorization, audit planning, network device configuration reviews, IT infrastructure optimization, phishing mitigation, business impact prioritization, key control identification, disaster recovery planning, application criticality determination, and software project budget oversight.

Uploaded by

Dark Lord

MOCK EXAM

Certified Information System Auditor Review


October 2020

1. Which of the following is an attribute of the control self-assessment (CSA) approach?

A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven

2. Which of the following components is responsible for the collection of data in an intrusion
detection system (IDS)?

A. Analyzer
B. Administrative console
C. User interface
D. Sensor

3. During which of the following phases in system development would user acceptance test plans
normally be prepared?

A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Postimplementation review

4. Vendors have released patches fixing security flaws in their software. Which of the following
should an IS auditor recommend in this situation?

A. Assess the impact of patches prior to installation.
B. Ask the vendors for a new software version with all the fixes included
C. Install the security patch immediately
D. Decline to deal with these vendors in the future

5. The ultimate purpose of IT governance is to:

A. Encourage optimal use of IT.
B. Reduce IT costs.
C. Decentralize IT resources across the organization.
D. Centralize control of IT.

6. A team conducting a risk analysis is having difficulty projecting the financial losses that could
result from a risk. To evaluate the potential impact, the team should:

A. Compute the amortization of the related assets
B. Calculate a return on investment (ROI)
C. Apply a qualitative approach
D. Spend the time needed to define the loss amount exactly.

7. A top-down approach to the development of operational policies helps ensure:

A. That they are consistent across the organization.
B. That they are implemented as a part of risk assessment.
C. Compliance with all policies
D. That they are reviewed periodically.

8. The FIRST step in a successful attack on a system would be:

A. Gathering information
B. Gaining access
C. Denying services
D. Evading detection

9. Which of the following represents the GREATEST potential risk in an electronic data interchange
(EDI) environment?

A. Lack of transaction authorizations
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application
controls

10. There are several methods of providing telecommunication continuity. The method of routing
traffic through split-cable or duplicate-cable facilities is called:

A. Alternative routing.
B. Diverse routing
C. Long-haul network diversity
D. Last-mile circuit protection

11. While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not
being performed as required by the contract. The IS auditor should:

A. Report the issue to IT management
B. Discuss the issue with the service provider
C. Perform a risk assessment
D. Perform an access review

12. An organization has created a policy that defines the types of websites that users are forbidden to
access. What is the MOST effective technology to enforce this policy?

A. Stateful inspection firewall
B. Web content filter
C. Web cache server
D. Proxy server

13. An IS auditor performing an audit has determined that developers have been granted
administrative access to the virtual machine (VM) management console to manage their own
servers used for software development and testing. Which of the following choices would be of
MOST concern for the IS auditor?

A. Developers have the ability to create or de-provision servers
B. Developers could gain elevated access to production servers
C. Developers can affect the performance of production servers with their applications
D. Developers could install unapproved applications to any servers

14. Which of the following BEST ensures that business requirements are met prior to implementation?

A. Feasibility study
B. User acceptance testing
C. Postimplementation review
D. Implementation plan

15. When reviewing a disaster recovery plan (DRP), an IS auditor should be MOST concerned with the
lack of:

A. Process owner involvement.
B. Well-documented testing procedures.
C. An alternate processing facility.
D. A well-documented data classification scheme.

16. An IS auditor is carrying out a system configuration review. Which of the following would be the
BEST evidence in support of the current system configuration settings?

A. System configuration values imported to a spreadsheet by the system administrator
B. Standard report with configuration values retrieved from the system by the IS auditor
C. Dated screenshot of the system configuration settings made available by the system
administrator
D. Annual review of approved system configuration values by the business owner

17. A company is planning to install a network-based intrusion detection system (IDS) to protect the
web site that it hosts. Where should the device be installed?

A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the website

18. Which of the following is the MOST important for an IS auditor to consider when reviewing a service
level agreement (SLA) with an external IT service provider?

A. Payment terms
B. Uptime guarantee
C. Indemnification clause
D. Default resolution

19. When reviewing a project where quality is a major concern, an IS auditor should use the project
management triangle to explain that:

A. Increases in quality can be achieved, even if resource allocation is decreased
B. Increases in quality are only achieved if resource allocation is increased
C. Decreases in delivery time can be achieved, even if resource allocation is decreased
D. Decreases in delivery time can only be achieved if quality is decreased

20. The responsibility for authorizing access to application data should be with the:

A. Data Custodian
B. Database Administrator
C. Data Owner
D. Security Administrator

21. In planning an IS audit, the MOST critical step is the identification of the:

A. Areas of significant risk
B. Skill sets of the audit staff
C. The mechanism for monitoring the risk
D. The threats/vulnerabilities affecting the assets

22. When reviewing the configuration of network devices, an IS auditor should FIRST identify:

A. The good practices for the type of network devices deployed.
B. Whether components of the network are missing.
C. The importance of the network devices topology.
D. Whether subcomponents of the network are being used appropriately.

23. An IS auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which
of the following will BEST identify the issues to be resolved?

A. Self-assessment
B. Reverse engineering
C. Prototyping
D. Gap Analysis

24. What is the BEST approach to mitigate the risk of a phishing attack?

A. Implementation of an intrusion detection system (IDS)
B. Assessment of web site security
C. Strong Authentication
D. User education

25. Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?

A. Incident response plan
B. Business impact analysis (BIA)
C. Threat and risk analysis
D. Recovery time objective (RTO)

26. Which of the following will MOST successfully identify overlapping key controls in business
application systems?

A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through an integrated test facility (ITF)
C. Replacing manual monitoring with an automated auditing solution
D. Testing controls to validate that they are effective

27. Disaster recovery planning (DRP) addresses the:

A. Technological aspect of business continuity planning (BCP)
B. Operational part of BCP
C. Functional aspect of BCP
D. Overall coordination of BCP

28. Which of the following groups is the BEST source of information for determining the criticality of
application systems as part of a business impact analysis (BIA)?

A. Business processes owners
B. IT Management
C. Senior business management
D. Industry experts

29. An IS auditor performing a review of a major software development project finds that it is on
schedule and under budget even though the software developers have worked considerable
amount of unplanned overtime. The IS auditor should:

A. Conclude that the project is progressing as planned because dates are being met
B. Question the project manager further to identify whether overtime costs are being tracked
accurately
C. Conclude that the programmers are intentionally working slowly to earn extra overtime pay
D. Investigate further to determine whether the project plan may not be accurate

30. To protect a Voice-over-Internet Protocol (VoIP) infrastructure against a denial-of-service (DoS)
attack, it is MOST important to secure the:

A. Access control servers
B. Session border controllers
C. Backbone gateways
D. Intrusion detection system (IDS)

31. In evaluating programmed controls over password management, which of the following is the IS
auditor MOST likely to rely on?

A. A size check
B. A hash total
C. A validity check
D. A field check

32. Which of the following is the MOST reasonable option for recovering a noncritical system?

A. Warm site
B. Mobile Site
C. Hot Site
D. Cold Site

33. In a public key infrastructure (PKI), which of the following may be relied upon to prove that an
online transaction was authorized by a specific customer?

A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity

34. Due to a reorganization a business application system will be extended to other departments.
Which of the following should be of the GREATEST concern for an IS auditor?

A. Process owners have not been identified.
B. The billing cost allocation method has not been determined.
C. Multiple application owners exist.
D. A training program does not exist.

35. A benefit of open systems architecture is that it:

A. Facilitates interoperability
B. Facilitates the integration of proprietary components
C. Will be a basis for volume discounts from equipment vendors
D. Allows for the achievement of greater economies of scale for equipment

36. Which of the following represents an example of a preventive control with respect to IT personnel?

A. Review of visitor logs for the data center
B. A log server that tracks log-on IP addresses of users
C. Implementation of a badge entry system for the IT facility
D. An accounting system that tracks employee telephone calls

37. An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment
questionnaires are sent using URL shortening services. The use of URL shortening would MOST likely
increase the risk of which of the following attacks?

A. Internet Protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)

38. The phases and deliverables of a system development life cycle (SDLC) project should be
determined:

A. During the initial planning stages of the project
B. After early planning has been completed but before work has begun
C. Throughout the work stages, based on risk and exposures.
D. Only after all risk and exposures have been identified and the IS auditor has recommended
appropriate controls.

39. An IS auditor is performing a review of the disaster recovery hot site used by a financial institution.
Which of the following would be the GREATEST concern?

A. System administrators used shared accounts which never expire at the hot site.
B. Disk space utilization data are not kept current
C. Physical security controls at the hot site are less robust than at the main site
D. Servers at the hot site do not have the same specifications as at the main site.

40. Inadequate programming and coding practices introduce the risk of:

A. Phishing
B. Buffer overflow exploitation
C. Synchronized (SYN) flood
D. Brute force attacks

41. Which of the following does a lack of adequate controls represent?

A. An impact
B. A vulnerability
C. An asset
D. A threat

42. Recovery procedures for an information processing facility are BEST based on:

A. Recovery time objective (RTO)
B. Recovery point objective (RPO)
C. Maximum tolerable outage (MTO)
D. Information security policy

43. Change control for business application systems being developed using prototyping could be
complicated by the:

A. Iterative nature of prototyping.
B. Rapid pace of modifications in requirements and design
C. Emphasis on reports and screens
D. Lack of integrated tools

44. An enterprise hosts its data center onsite and has outsourced the management of its key financial
applications to a service provider. Which of the following controls BEST ensures that the service
provider’s employees adhere to the security policies?

A. Sign-off is required on the enterprise’s security policies for all users.
B. An indemnity clause is included in the contract with the service provider.
C. Mandatory security awareness training is implemented for all users.
D. Security policies should be modified to address compliance by third-party users.

45. An IS auditor reviewing access controls for a client-server environment should FIRST:

A. Evaluate the encryption technique
B. Identify the network access points
C. Review the identity management system
D. Review the application level access controls

46. Data Flow diagrams are used by IS auditors to:

A. Identify key controls
B. Highlight high-level data definitions
C. Graphically summarize data paths and storage
D. Portray step by step details of data generation

47. The MAIN reason for requiring that all computer clocks across an organization be synchronized is
to:

A. Prevent omission or duplication of transactions
B. Ensure smooth data transition from client machines to servers
C. Ensure that email messages have accurate time stamps
D. Support the incident investigation process

48. The knowledge base of an expert system that uses questionnaires to lead the user through a series
of choices before a conclusion is reached is known as:

A. Rules.
B. Decision trees.
C. Semantic nets.
D. Dataflow diagram.

49. In a contract with a hot, warm or cold site, contractual provision should PRIMARILY cover which of
the following considerations?

A. Physical security measures
B. Total number of subscribers
C. Number of subscribers permitted to use a site at one time
D. Reference by other users

50. Which of the following public key infrastructure (PKI) elements provides detailed descriptions for
dealing with a compromised private key?

A. Certificate revocation list (CRL)
B. Certificate practice statement (CPS)
C. Certificate Policy (CP)
D. PKI disclosure statement (PDS)

51. What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?

A. It detects risk sooner
B. It replaces the audit function
C. It reduces audit workload
D. It reduces audit resources

52. If a database is restored using before-image dumps, where should the process begin following an
interruption?

A. Before the last transaction
B. After the last transaction
C. As the first transaction after the latest checkpoint
D. As the last transaction before the latest checkpoint

53. Which of the following is the PRIMARY purpose for conducting parallel testing?

A. To determine whether the system is cost-effective
B. To enable comprehensive unit and system testing
C. To highlight errors in the program interfaces with files
D. To ensure the new system meets user requirements

54. Validated digital signatures in an email software application will:

A. Help detect spam
B. Provide confidentiality
C. Add to the workload of gateway servers
D. Significantly reduce available bandwidth

55. Which of the following is the PRIMARY objective of the business continuity plan (BCP) process?

A. To provide assurance to stakeholders that the business operations will continue in the
event of disaster
B. To establish an alternate site for IT services to meet predefined recovery time objectives
(RTOs)
C. To manage risk while recovering from an event that adversely affected operations.
D. To meet the regulatory compliance requirements in the event of natural disaster

56. An IS auditor who was involved in designing an organization’s business continuity plan (BCP) has
been assigned to audit the plan. The IS auditor should:

A. Decline the assignment
B. Inform management of the possible conflict of interest after completing the audit
assignment
C. Inform the BCP team of the possible conflict of interest prior to beginning the assignment
D. Communicate the possibility of conflict of interest to audit management prior to starting
the assignment

57. Which of the following would BEST support 24/7 availability?

A. Daily backup
B. Offsite storage
C. Mirroring
D. Periodic testing

58. Which of the following is the BEST enabler for strategic alignment between business and IT?

A. A maturity model
B. Goals and metrics
C. Control objectives
D. A responsible, accountable, consulted and informed (RACI) chart

59. During a postimplementation review, which of the following activities should be performed?

A. User acceptance testing (UAT)
B. Return on investment (ROI) analysis
C. Activation of audit trails
D. Update of the state of enterprise architecture (EA) diagram

60. IS management recently replaced its existing wired local area network (LAN) with a wireless
infrastructure to accommodate the increased use of mobile devices within the organization. This will
increase the risk of which of the following attacks?

A. Port scanning
B. Back door
C. Man-in-the-middle
D. War driving

61. Which of the following should an IS auditor use to detect duplicate invoice records within an invoice
master file?

A. Attribute sampling
B. Computer-assisted audit techniques (CAATs)
C. Compliance testing
D. Integrated test facility (ITF)

62. The BEST overall quantitative measure of the performance of biometric control devices is:

A. False-rejection rate (FRR)
B. False-acceptance rate (FAR)
C. Equal-error rate (EER)
D. Estimated-error rate

63. When two or more systems are integrated, the IS auditor must review input/output controls in the:

A. Systems receiving the output of other systems.
B. Systems sending output to other systems.
C. Systems sending and receiving data.
D. Interfaces between the two systems.

64. Which of the following is MOST important to determine the recovery point objective (RPO) for a
critical process in an enterprise?

A. Number of hours of acceptable downtime
B. Total cost of recovering critical systems
C. Extent of data loss that is acceptable
D. Acceptable reduction in the level of service

65. If inadequate, which of the following would be the MOST likely contributor to a denial-of-service
(DoS) attack?

A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques

66. The decisions and actions of an IS auditor are MOST likely to affect which of the following types of
risk?

A. Inherent
B. Detection
C. Control
D. Business

67. The MAIN purpose of a transaction audit trail is to:

A. Reduce the use of storage media
B. Determine accountability and responsibility for processed transactions
C. Help an IS auditor trace transactions
D. Provide useful information for capacity planning

68. An organization is considering using a new IT service provider. From an audit perspective, which of
the following would be the MOST important item to review?

A. References from other clients for the service provider
B. The physical security of the service provider site
C. The draft service level agreement (SLA) with the service provider
D. Background checks of the service provider’s employees

69. Which of the following does a lack of adequate security controls represent?

A. Threat
B. Asset
C. Impact
D. Vulnerability

70. When planning an audit of a network setup, an IS Auditor should give highest priority to obtaining
which of the following network documentation?

A. Wiring and schematic diagram
B. User’s lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures

71. For a retail business with a large volume of transactions, which of the following audit techniques is
the MOST appropriate for addressing emerging risk?

A. Use of computer-assisted audit techniques (CAATs)
B. Quarterly risk assessments
C. Sampling of transaction logs
D. Continuous auditing

72. A decision support system (DSS) is used to help high-level management:

A. Solve highly structured problems
B. Combine the use of decision models with predetermined criteria
C. Make decisions based on data analysis and interactive models
D. Support only structured decision making tasks

73. An IS auditor reviewing an organization’s disaster recovery plan should PRIMARILY verify that it is:

A. Tested every six months
B. Regularly reviewed and updated
C. Approved by the chief executive officer (CEO)
D. Communicated to every department head in the organization

74. An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a
critical application that is hosted in the cloud. Management response states that the cloud vendor
is responsible for DR and DR-related testing. What is the NEXT course of action for the IS auditor to
pursue?

A. Plan an audit of the cloud vendor
B. Review the vendor contract to determine its DR capabilities
C. Review an independent auditor’s report of the cloud vendor
D. Request a copy of the DRP from the cloud vendor

75. A company is implementing a Dynamic Host Configuration Protocol (DHCP). Given that the following
conditions exist, which represents the GREATEST concern?

A. Most employees use laptops
B. A packet filtering firewall is used
C. The IP address space is smaller than the number of PCs
D. Access to a network port is not restricted

76. Which of the following is the MOST important skill an IS auditor should develop to understand the
constraints of conducting an audit?

A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls

77. When developing a business continuity plan (BCP), which of the following tools should be used to
gain an understanding of the organization’s business processes?

A. Business continuity self-audit
B. Resource recovery analysis
C. Risk assessment
D. Gap analysis

78. A financial institution that processes millions of transactions each day has a central communications
processor (switch) for connecting teller machines (ATMs). Which of the following would be the BEST
contingency plan for the communications processor?

A. Reciprocal agreement with another organization
B. Alternate processor in the same location
C. Alternate processor at another network node
D. Installation of duplex communication links

79. An IS auditor reviewing a series of completed projects finds that the implemented functionality
often exceeded requirements and most of the projects ran significantly over budget. Which of these
areas of the organization’s project management process is the MOST likely cause of the issue?

A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management

80. Which of the following results in a denial-of-service (DoS) attack?

A. Brute force attack
B. Ping of death
C. Leapfrog attack
D. Negative acknowledgment (NAK) attack

81. The PRIMARY purpose of an IT forensic audit is:

A. To participate in investigation related to corporate fraud
B. The systematic collection and analysis of evidence after a system irregularity
C. To assess the correctness of an organization’s financial statements
D. To preserve evidence of criminal activity

82. What is the BEST method to facilitate successful user testing and acceptance of a new enterprise
resource planning (ERP) payroll system that is replacing an existing legacy system?

A. Multiple testing
B. Parallel testing
C. Integration testing
D. Prototype testing

83. Which of the following manages the digital certificate life cycle to ensure adequate security and
controls exist in digital signature applications related to e-commerce?

A. Registration authority
B. Certificate authority (CA)
C. Certification revocation list (CRL)
D. Certification practice statement

84. Before implementing an IT balanced scorecard (BSC), an organization must:

A. Deliver effective and efficient services
B. Define key performance indicators
C. Provide business value to IT projects
D. Control IT expenses

85. Digital signature requires the:

A. Signer to have a public key and the receiver to have a private key.
B. Signer to have a private key and the receiver to have a public key.
C. Signer and receiver to have a public key.
D. Signer and receiver to have a private key.

86. An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor
should FIRST review:

A. The controls in place
B. The effectiveness of the controls
C. The mechanism for monitoring the risk
D. The threats/vulnerabilities affecting the assets

87. A local area network (LAN) administrator normally would be restricted from:

A. Having end-user responsibilities.
B. Reporting to the end-user manager.
C. Having programming responsibilities
D. Being responsible for LAN security administration.

88. An organization is reviewing its contract with a cloud computing provider. For which of the following
reasons would the organization want to remove a lock-in clause from the contract?

A. Availability
B. Portability
C. Agility
D. Scalability

89. Which control is the BEST way to ensure that the data in a file have not been changed during
transmission?

A. Reasonableness check
B. Parity bits
C. Hash values
D. Check digits

90. Which of the following would be the MOST cost-effective recommendation for reducing the
number of defects encountered during software development projects?

A. Increase the time allocated for system testing.
B. Implement formal software inspections.
C. Increase the development staff
D. Require the sign-off of all project deliverables

91. An organization’s IS audit charter should specify the:

A. Plans for IS audit engagements
B. Objectives and scope of IS audit engagements
C. Detailed training plan for the IS audit staff
D. Role of the IS audit function

92. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls
should the IS auditor recommend to avoid this situation?

A. Log all table update transactions
B. Implement before-and-after image reporting
C. Use tracing and tagging
D. Implement integrity constraints in the database
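The control named in option D can be shown concretely. The following is an added example, not part of the original exam: it uses Python's built-in sqlite3 to load the same constructed order rows into a table without constraints and into one with CHECK constraints, and contrasts that preventive control with the detective query an auditor would run to find out-of-range rows already stored. The table, column ranges and sample rows are all constructed for illustration.

```python
"""Added example: database integrity constraints (CHECK) that reject out-of-range
values at write time, compared with a detective scan over rows already stored.
Uses Python's built-in sqlite3; the table, business rules and rows are constructed."""
import sqlite3

# Constructed business rule: an order line's quantity must be positive and its
# discount percentage must lie between 0 and 100 inclusive.
DDL_NO_CONSTRAINTS = """
CREATE TABLE order_line (
    order_id     INTEGER NOT NULL,
    quantity     INTEGER NOT NULL,
    discount_pct REAL    NOT NULL
)"""

DDL_WITH_CONSTRAINTS = """
CREATE TABLE order_line (
    order_id     INTEGER NOT NULL,
    quantity     INTEGER NOT NULL CHECK (quantity > 0),
    discount_pct REAL    NOT NULL CHECK (discount_pct BETWEEN 0 AND 100)
)"""

# Constructed sample rows: two valid, two out of range.
SAMPLE_ROWS = [
    (1, 2, 10.0),
    (2, 1, 0.0),
    (3, 0, 15.0),    # quantity is not positive
    (4, 5, 250.0),   # discount exceeds 100 percent
]


def load_rows(ddl, rows):
    """Create a fresh in-memory database from `ddl` and try to insert every row.

    Returns (accepted_count, rejected_order_ids). With the constrained schema the
    database itself refuses the bad rows (preventive control); without it they
    are stored silently and can only be found afterwards.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    rejected = []
    for row in rows:
        try:
            conn.execute("INSERT INTO order_line VALUES (?, ?, ?)", row)
        except sqlite3.IntegrityError:
            # sqlite3 raises IntegrityError when a CHECK constraint fails.
            rejected.append(row[0])
    conn.commit()
    accepted = conn.execute("SELECT COUNT(*) FROM order_line").fetchone()[0]
    conn.close()
    return accepted, rejected


def detect_out_of_range(rows):
    """Detective check: load rows into an unconstrained table and query for
    values outside the business rule, as an auditor would against a live table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL_NO_CONSTRAINTS)
    conn.executemany("INSERT INTO order_line VALUES (?, ?, ?)", rows)
    bad = conn.execute(
        "SELECT order_id FROM order_line "
        "WHERE quantity <= 0 OR discount_pct NOT BETWEEN 0 AND 100 "
        "ORDER BY order_id"
    ).fetchall()
    conn.close()
    return [r[0] for r in bad]


if __name__ == "__main__":
    print("without constraints:", load_rows(DDL_NO_CONSTRAINTS, SAMPLE_ROWS))
    print("with constraints:   ", load_rows(DDL_WITH_CONSTRAINTS, SAMPLE_ROWS))
    print("detective scan:     ", detect_out_of_range(SAMPLE_ROWS))
```

The detective query (options A to C in the question are variations on after-the-fact visibility) tells the auditor what is already wrong; only the constraint stops the next bad row from being written, which is why the question asks for the control that avoids the situation rather than one that reports it.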

93. Which of the following BEST ensures the integrity of a server’s operating system (OS)?

A. Protecting the server in a secure location
B. Setting a boot password
C. Hardening the server configuration
D. Implementing activity logging

94. A small organization has only one database administrator (DBA) and one system administrator. The
DBA has root access to the UNIX server, which hosts the database application. How should
segregation of duties be enforced in this scenario?

A. Hire a second DBA and split the duties between the two individuals.
B. Remove the DBA’s root access on all UNIX servers.
C. Ensure that all actions of the DBA are logged and that all logs are backed up to tape.
D. Ensure that database logs are forwarded to a UNIX server where the DBA does not have
root access.

95. Assessing IT risk is BEST achieved by:

A. Evaluating threats and vulnerabilities associated with existing IT assets and IT projects.
B. Using the firm’s past actual loss experience to determine current exposures.
C. Reviewing published loss statistics from comparable organizations.
D. Reviewing IT control weaknesses identified in audit reports.

96. A financial institution with multiple branch offices has an automated control that requires the
branch manager to approve transactions more than a certain amount. What type of audit control
is this?

A. Detective
B. Preventive
C. Corrective
D. Directive

97. In the event of a data center disaster, which of the following would be the MOST appropriate
strategy to enable a complete recovery of a critical database?

A. Daily data backup to tape and storage at a remote site
B. Real-time replication to a remote site
C. Hard disk mirroring to a local server
D. Real-time data backup to local storage area network (SAN)

98. Which of the following insurance types provides for a loss arising from fraudulent acts by
employees?

A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense

99. An organization sells books and music online at its secure web site. Transactions are transferred to
the accounting and delivery systems every hour to be processed. Which of the following controls
BEST ensures that sales processed in the secure web site are transferred to both the delivery and
accounting systems?

A. Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals
are aggregated and totaled.
B. Transactions are automatically numerically sequenced. Sequences are checked and gaps in
continuity are accounted for.
C. Processing systems check for duplicated transaction numbers. If a transaction number is
duplicated (already present), it is rejected.
D. System time is synchronized hourly using a centralized time server. All transactions have a
date/time stamp.
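The checks behind question 61 (finding duplicate invoice records with a CAAT) and option B of question 99 (sequence numbering with gap accounting) are the same family of completeness and uniqueness tests. The following is an added example, not part of the original exam: a small Python CAAT that reads a constructed invoice master file, reports invoices that appear more than once after normalising the key fields, and reconciles a constructed hourly batch of web sales against the accounting and delivery systems by sequence number. All file contents and sequence numbers are constructed; the field names are assumptions.

```python
"""Added example: CAAT-style completeness and uniqueness checks.
Duplicate invoice detection over a constructed invoice master file, plus
sequence-gap reconciliation of constructed web sales against two downstream systems."""
import csv
import io
from collections import defaultdict

# Constructed invoice master file. INV-1003 is an exact duplicate; the two
# INV-1004 rows differ only in the case of the invoice number.
INVOICE_MASTER_CSV = """invoice_no,vendor_id,amount,invoice_date
INV-1001,V-10,250.00,2020-09-01
INV-1002,V-11,99.90,2020-09-02
INV-1003,V-10,1200.00,2020-09-03
INV-1003,V-10,1200.00,2020-09-03
inv-1004,V-12,75.25,2020-09-04
INV-1004,V-12,75.25,2020-09-04
INV-1005,V-13,310.00,2020-09-05
"""


def load_invoices(csv_text):
    """Parse the CSV text into a list of dict rows (field names are assumed)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def normalise_key(row):
    """Fields an auditor treats as identifying the same invoice: invoice number
    (case- and whitespace-insensitive), vendor, and the amount in whole cents so
    that 75.25 and 75.250 compare equal."""
    amount_cents = round(float(row["amount"]) * 100)
    return (row["invoice_no"].strip().upper(), row["vendor_id"].strip(), amount_cents)


def find_duplicate_invoices(rows):
    """Return {normalised_key: row_count} for every key that occurs more than once."""
    counts = defaultdict(int)
    for row in rows:
        counts[normalise_key(row)] += 1
    return {key: n for key, n in counts.items() if n > 1}


def find_sequence_gaps(seq_numbers):
    """Sequence numbers missing between the lowest and highest number observed.
    An empty input has no gaps."""
    seen = set(seq_numbers)
    if not seen:
        return []
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def reconcile_transfer(web_seqs, accounting_seqs, delivery_seqs):
    """Completeness check for the hourly transfer: every web sale must reach both
    downstream systems, and gaps in the web sequence itself must be explained."""
    web = set(web_seqs)
    return {
        "missing_in_accounting": sorted(web - set(accounting_seqs)),
        "missing_in_delivery": sorted(web - set(delivery_seqs)),
        "gaps_in_web_sequence": find_sequence_gaps(web_seqs),
    }


# Constructed hourly batch: web sales 5001-5008 where 5005 was never generated,
# accounting did not receive 5007 and delivery did not receive 5003.
WEB_SALES = [5001, 5002, 5003, 5004, 5006, 5007, 5008]
ACCOUNTING = [5001, 5002, 5003, 5004, 5006, 5008]
DELIVERY = [5001, 5002, 5004, 5006, 5007, 5008]

if __name__ == "__main__":
    for key, n in find_duplicate_invoices(load_invoices(INVOICE_MASTER_CSV)).items():
        print(f"duplicate invoice {key[0]} vendor {key[1]} "
              f"amount {key[2] / 100:.2f}: {n} rows")
    print(reconcile_transfer(WEB_SALES, ACCOUNTING, DELIVERY))
```

Normalising the key before counting is what separates a useful CAAT from a naive exact-match: the second INV-1004 row would slip past a case-sensitive comparison. The reconciliation function reports gaps in the web sequence separately from sales missing downstream, because a gap at the source (5005) needs a different explanation from a sale that was generated but never transferred (5003, 5007).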

100. When reviewing an organization’s logical access security to its remote systems, which of the
following would be of GREATEST concern to an IS auditor?

A. Passwords are shared.


B. Unencrypted passwords are used.
C. Redundant logon IDs exist.
D. Third-party users are granted administrator-level access.

101. Which of the following does a lack of adequate controls represent?

A. An impact
B. A vulnerability
C. An asset
D. A threat

102. Which of the following is an advantage of elliptic curve cryptography (ECC) over RSA encryption?

A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Message integrity controls

103. Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would
be to assess whether:

A. All threats can be completely removed


B. A cost-effective, built-in resilience can be implemented
C. The recovery time objective (RTO) can be optimized
D. The cost of recovery can be minimized

104. An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

A. Address all of the network risks.
B. Be tracked over time against the IT strategic plan.
C. Take into account the entire IT environment
D. Result in the identification of vulnerability tolerances.

105. The reason a certification and accreditation (C&A) process is performed on critical systems is to
ensure that:

A. Security compliance has been technically evaluated.
B. Data have been encrypted and are to be stored.
C. The systems have been tested to run on different platforms
D. The systems have followed the phases of a waterfall model
106. An IS auditor is comparing equipment in production with inventory records. This type of testing is
an example of:

A. Substantive testing
B. Compliance testing
C. Analytical Testing
D. Control Testing

107. A certificate authority (CA) can delegate the process of:

A. Revocation and suspension of a subscriber’s certificate.
B. Generation and distribution of the CA public key.
C. Establishing a link between the requesting entity and its public key.
D. Issuing and distributing subscriber certificates.

108. Which of the following is the BEST indicator of the effectiveness of backup and restore procedures
while restoring data after a disaster?

A. Members of the recovery team were available.
B. Recovery time objectives (RTOs) were met.
C. Inventory of backup tapes was properly maintained
D. Backup tapes were completely restored at an alternate site.

109. The PRIMARY objective of testing a business continuity plan is to:

A. Familiarize employees with the business continuity plan.
B. Ensure that all residual risk is addressed.
C. Exercise all possible disaster scenarios.
D. Identify limitations of the business continuity plan.

110. Which of the following controls would be the MOST comprehensive in a remote access network
with multiple and diverse subsystems?

A. Proxy server
B. Firewall installation
C. Demilitarized zone (DMZ)
D. Virtual private network (VPN)
111. During an audit, the IS auditor notes that the application developer also performs quality assurance
testing on a particular application. Which of the following should the IS auditor do?

A. Recommend compensating controls.
B. Review the code created by the developer.
C. Analyze the quality assurance dashboard
D. Report the identified condition

112. The review of router access control lists should be conducted during:

A. An environmental review.
B. A network security review.
C. A business continuity review.
D. A data integrity review.

113. Which of the following is MOST important when an operating system (OS) patch is to be applied to
a production environment?

A. Successful regression testing by the developer
B. Approval from the information asset owner
C. Approval from the security officer
D. Patch installation at alternate sites

114. Which of the following would impair the independence of a quality assurance team?

A. Ensuring compliance with the development methods
B. Checking the test assumptions
C. Correcting coding errors during the testing process
D. Checking the code against the documentation

115. Which of the following types of risk could result from inadequate software project baselining?

A. Sign-off delays
B. Software integrity violations
C. Scope creep
D. Inadequate controls

116. During the collection of forensic evidence, which of the following actions would MOST likely result
in the destruction or corruption of evidence in a compromised system?

A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network
117. The PRIMARY benefit of implementing a security program as part of a security governance
framework is the:

A. Alignment of the IT activities with IS audit recommendations.
B. Enforcement of the management of security risk.
C. Implementation of the chief information security officer’s (CISO’s) recommendation.
D. Reduction of the cost for IT security.

118. An IS auditor is auditing an IT disaster recovery plan (DRP). The IS auditor should PRIMARILY ensure
that the plan covers:

A. A resilient IT infrastructure
B. Alternate site information
C. Documented disaster recovery (DR) test results
D. Analysis and prioritization of business functions

119. Which of the following system and data conversion strategies provides the GREATEST redundancy?

A. Direct cutover
B. Pilot study
C. Phased approach
D. Parallel run

120. Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to
meet service level agreement (SLA) requirements for a critical IT security service?

A. Compliance with the master agreement
B. Agreed-on key performance metrics
C. Results of business continuity tests
D. Results of independent audit reports

121. While reviewing sensitive electronic work papers, the IS auditor noticed that they were not
encrypted. This could compromise the:

A. Audit trail of the versioning of the work papers.
B. Approval of the audit phases.
C. Access rights to the work paper.
D. Confidentiality of the work paper.
122. A new business application has been designed in a large, complex organization and the business
owner has requested that the various reports be viewed on a “need to know” basis. Which of the
following access control methods would be the BEST method to achieve this requirement?

A. Mandatory
B. Role-based
C. Discretionary
D. Single sign-on (SSO)

123. A failure discovered in which of the following testing stages would have the GREATEST impact on
the implementation of new application software?

A. System testing
B. Acceptance testing
C. Integration testing
D. Unit testing

124. An IS auditor is reviewing an organization to ensure that evidence related to a data breach case is
preserved. Which of the following choices would be of MOST concern to the IS auditor?

A. End users are not aware of incident reporting procedures.
B. Log servers are not on a separate network.
C. Backups are not performed consistently.
D. There is no chain of custody policy.

125. The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not
having a disaster recovery plan, will MOST likely:

A. Increase
B. Decrease
C. Remain the same
D. Be unpredictable

126. The final decision to include a material finding in an audit report should be made by the:

A. Audit committee.
B. Auditee’s manager.
C. IS auditor
D. Chief executive officer (CEO) of the organization.
127. The feature of a digital signature that ensures the sender cannot later deny generating and sending
the message is called:

A. Data integrity.
B. Authentication.
C. Nonrepudiation
D. Replay protection.

128. An IS auditor analyzing the audit log of a database management system (DBMS) finds that some
transactions were partially executed as a result of an error and have not been rolled back. Which
of the following transaction processing features has been violated?

A. Consistency
B. Isolation
C. Durability
D. Atomicity
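
The situation in Q128, a transaction that changed some rows and then stopped without being rolled back, is easy to reproduce and easy to prevent. The following is an added example, not exam material: it uses Python's standard `sqlite3` module, the two-account ledger, the `transfer_*` functions and the audit-log lines are all constructed for the illustration.

```python
"""Partial transactions versus atomic transactions (added example, not exam material).

A funds transfer is two updates: debit the source, credit the destination. If the
credit fails after the debit has already been committed, the ledger is left with a
half-applied transaction. Wrapping both updates in one BEGIN/COMMIT and rolling
back on any error removes that state. Accounts and audit-log lines are constructed.
"""
import sqlite3


def make_db():
    """Fresh in-memory ledger. isolation_level=None means every statement commits
    on its own unless we open a transaction explicitly with BEGIN."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("A", 100), ("B", 50)])
    return conn


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def _debit_then_credit(conn, src, dst, amount):
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    credited = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                            (amount, dst)).rowcount
    if credited == 0:
        # Crediting an unknown account changes no row: treat it as an error.
        raise ValueError(f"unknown destination account {dst!r}")


def transfer_non_atomic(conn, src, dst, amount):
    """Each statement commits by itself. When the credit fails the debit stays
    applied: the partially executed transaction the auditor found in the log."""
    _debit_then_credit(conn, src, dst, amount)


def transfer_atomic(conn, src, dst, amount):
    """Both updates form one unit of work; any error rolls the whole unit back."""
    conn.execute("BEGIN")
    try:
        _debit_then_credit(conn, src, dst, amount)
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise


# Constructed DBMS audit log, one "<txid> <event> ..." per line.
AUDIT_LOG = """\
T1 BEGIN
T1 UPDATE accounts
T1 COMMIT
T2 BEGIN
T2 UPDATE accounts
T2 ERROR constraint failed
T3 BEGIN
T3 UPDATE accounts
T3 ROLLBACK
"""


def unfinished_transactions(log_text):
    """The auditor's check: transactions that changed data but were neither
    committed nor rolled back."""
    changed, closed = set(), set()
    for line in log_text.splitlines():
        txid, event = line.split()[:2]
        if event == "UPDATE":
            changed.add(txid)
        elif event in ("COMMIT", "ROLLBACK"):
            closed.add(txid)
    return sorted(changed - closed)


def run_example():
    bad = make_db()
    try:
        transfer_non_atomic(bad, "A", "ZZZ", 30)   # ZZZ does not exist
    except ValueError:
        pass
    after_bad = balances(bad)        # A was debited, nobody was credited

    good = make_db()
    try:
        transfer_atomic(good, "A", "ZZZ", 30)
    except ValueError:
        pass
    after_good = balances(good)      # rollback restored the original balances

    return after_bad, after_good, unfinished_transactions(AUDIT_LOG)


if __name__ == "__main__":
    print(run_example())
```

Running it shows the ledger after the non-atomic transfer with 30 missing from A and credited nowhere, the ledger after the atomic transfer unchanged, and `T2` as the only transaction in the constructed log that updated data without a matching COMMIT or ROLLBACK.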

129. The BEST method for assessing the effectiveness of a business continuity plan is to review the:

A. Plans and compare them to appropriate standards.
B. Results from previous tests.
C. Emergency procedures and employee training.
D. Offsite storage and environmental controls.

130. When conducting a penetration test of an IT system, an organization should not be MOST
concerned with:

A. The confidentiality of the report.
B. Finding all possible weaknesses on the system.
C. Restoring all systems to the original state.
D. Logging all changes made to the production system.

131. Which technique would BEST test for the existence of dual control when auditing the wire transfer
systems of a bank?

A. Analysis of transaction logs
B. Re-performance
C. Observation
D. Interviewing personnel
132. An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS
auditor discovers that the data owners have the ability to change access controls for a low-risk
application. The BEST course of action for the IS auditor is to:

A. Recommend that mandatory access controls (MAC) be implemented.
B. Report this as an issue.
C. Report this issue to the data owners to determine whether it is an exception.
D. Not report this issue because discretionary access controls (DAC) are in place.

133. An IT steering committee should:

A. Include a mix of members from different departments and staff levels.
B. Ensure that information security policies and procedures have been executed properly.
C. Maintain minutes of its meetings and keep the board of directors informed.
D. Be briefed about new trends and products at each meeting by a vendor.

134. Which of the following is an implementation risk within the process of decision support systems
(DSSs)?

A. Management control
B. Semi-structured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision process

135. Which of the following network components is PRIMARILY set up to serve as a security measure by
preventing unauthorized traffic between different segments of the network?

A. Firewall
B. Routers
C. Layer 2 switch
D. Virtual local area networks (VLANs)

136. Which of the following is the primary requirement in reporting results of an IS audit? The report is:

A. Prepared according to a predefined and standard template
B. Backed by sufficient and appropriate audit evidence
C. Comprehensive in coverage of enterprise processes
D. Reviewed and approved by audit management
137. Many IT projects experience problems because the development time and/or resource
requirements are underestimated. Which of the following techniques would provide the GREATEST
assistance in developing an estimate of project duration?

A. Function point analysis (FPA)
B. Program evaluation review technique (PERT) chart
C. Rapid application development
D. Object-oriented system development

138. An IS auditor notes that failed login attempts to a core financial system are automatically logged
and the logs are retained for a year by the organization. The IS auditor should conclude that this is:

A. An effective preventive control
B. A valid detective control
C. Not an adequate control
D. A corrective control
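
A log of failed login attempts detects nothing by itself; it becomes a detective control when the entries are reviewed and the patterns that matter are pulled out of them. The script below is an added example, not exam material: the log format, the `review()` function and its helpers, the thresholds and every log line are constructed for the illustration.

```python
"""Review of a failed-login log (added example, not exam material).

Three patterns a reviewer would want out of a year of retained entries:
 - many failures against one account in a short window (brute force),
 - one source failing against many different accounts (password spraying,
   which per-account lockout does not catch),
 - a success that directly follows a run of failures (a possibly guessed password).
Log format and entries are constructed; thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILED|SUCCESS) "
    r"login user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-03-01 08:00:01 FAILED login user=jsmith src=10.1.1.20
2024-03-01 08:00:03 FAILED login user=jsmith src=10.1.1.20
2024-03-01 08:00:05 FAILED login user=jsmith src=10.1.1.20
2024-03-01 08:00:07 FAILED login user=jsmith src=10.1.1.20
2024-03-01 08:00:09 FAILED login user=jsmith src=10.1.1.20
2024-03-01 08:00:12 SUCCESS login user=jsmith src=10.1.1.20
2024-03-01 08:15:00 FAILED login user=asmith src=10.1.1.21
2024-03-01 08:20:00 FAILED login user=admin src=203.0.113.9
2024-03-01 08:20:01 FAILED login user=root src=203.0.113.9
2024-03-01 08:20:02 FAILED login user=finance src=203.0.113.9
2024-03-01 08:20:03 FAILED login user=backup src=203.0.113.9
2024-03-01 09:30:00 FAILED login user=asmith src=10.1.1.21
"""


def parse(text):
    """Parse matching lines into events sorted by time; unparseable lines are skipped
    here, a real review should count those too."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "failed": m["result"] == "FAILED",
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def burst_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failures inside any `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["failed"]:
            per_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in per_user.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(user)
                break
    return flagged


def password_spray(events, min_users=4, window=timedelta(minutes=10)):
    """Sources that failed against at least `min_users` distinct accounts inside `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["failed"]:
            per_src[e["src"]].append((e["ts"], e["user"]))
    flagged = set()
    for src, attempts in per_src.items():
        for i, (start, _) in enumerate(attempts):
            if len({u for t, u in attempts[i:] if t - start <= window}) >= min_users:
                flagged.add(src)
                break
    return flagged


def success_after_failures(events, min_failures=3):
    """Accounts where a success directly follows a run of failures."""
    streak, flagged = defaultdict(int), []
    for e in events:
        if e["failed"]:
            streak[e["user"]] += 1
        else:
            if streak[e["user"]] >= min_failures:
                flagged.append(e["user"])
            streak[e["user"]] = 0
    return flagged


def review(text):
    events = parse(text)
    return {"brute_force": burst_failures(events),
            "spray": password_spray(events),
            "guessed": success_after_failures(events)}


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

On the constructed log the review flags `jsmith` for both the burst and the success that follows it, and `203.0.113.9` for trying four different accounts in three seconds; `asmith`, with two failures an hour apart, is not flagged. Retention for a year is what makes this kind of review possible after the fact, but a logged event that nobody looks at is still only a record, not a detection.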

139. Which of the following BEST ensures that users have uninterrupted access to a critical, heavily
utilized web-based application?

A. Disk mirroring
B. Redundant array of inexpensive disks (RAID) technology
C. Dynamic domain name system (DNS)
D. Load balancing

140. Which of the following should be of MOST concern to an IS auditor reviewing the business
continuity plan (BCP)?

A. The disaster levels are based on scopes of damaged functions but not on duration.
B. The difference between low-level disaster and software incidents is not clear.
C. The overall BCP is documented, but detailed recovery steps are not specified.
D. The responsibility for declaring a disaster is not identified.

141. Which of the following is the BEST factor for determining the required extent of data collection
during the planning phase of an IS compliance audit?

A. Complexity of the organization’s operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor’s familiarity with the organization
142. During the review of an enterprise’s preventive maintenance process for systems at a data center,
the IS auditor has determined that adequate maintenance is being performed on all critical
computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to
ensure that the organization:

A. Has performed background checks on all service personnel
B. Escorts service personnel at all times when performing their work
C. Performs maintenance during non-critical processing times
D. Independently verifies that maintenance is being performed

143. The GREATEST advantage of using web services for the exchange of information between two
systems is:

A. Secure communication
B. Improved performance
C. Efficient interfacing
D. Enhanced documentation

144. Which of the following tasks should be performed FIRST when preparing a disaster recovery plan
(DRP)?

A. Develop a recovery strategy
B. Perform a business impact analysis (BIA)
C. Map software systems, hardware and network components
D. Appoint recovery teams with defined personnel, roles and hierarchy.

145. There is a concern that the risk of unauthorized access may increase after implementing a single
sign-on (SSO) process. To prevent unauthorized access, the MOST important action is to:

A. Ensure that all failed authentication attempts are monitored.
B. Review log files regularly.
C. Ensure that all unused accounts are deactivated.
D. Mandate a strong password policy.

146. The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is
to:

A. Comply with regulatory requirements
B. Provide a basis for drawing reasonable conclusions
C. Ensure complete audit coverage
D. Perform the audit according to the defined scope
147. Which of the following would an IS auditor consider to be the MOST helpful when evaluating the
effectiveness and adequacy of a preventive computer maintenance program?

A. A system downtime log
B. Vendor’s reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule

148. Which of the following is the MOST important for an IS auditor to consider when reviewing a service
level agreement (SLA) with an external IT service provider?

A. Payment terms
B. Uptime guarantee
C. Indemnification clause
D. Default resolution

149. When planning to add personnel to tasks imposing time constraints on the duration of a project,
which of the following should be revalidated FIRST?

A. The project budget
B. The critical path for the project
C. The length of the remaining tasks
D. The personnel assigned to other tasks

150. An IS auditor wishes to determine the effectiveness of managing user access to a server room.
Which of the following is the BEST evidence of effectiveness?

A. Observation of a logged event
B. Review of the procedure manual
C. Interview with management
D. Interview with security personnel
