1

During an IT control review to support a financial statement audit, users of the general ledger (GL)
complained to the IS auditor about the considerable delay in accessing data. The MOST
appropriate action for the IS auditor is to
SELECT THE CORRECT ANSWER
note the delay as a control deficiency that could be improved
recommend the use of load balancing to improve throughput
include complaints in the management letter
exclude complaints from an audit opinion about the IT controls

Correct Option: D
EXPLANATION
Understanding the root cause of response-time issues is out of scope for the current audit. The
impact of IT controls on the integrity of the financial statements is the primary objective of the audit,
and thus operational issues with the database should not be the primary focus of the audit opinion. A
reduction in throughput does not imply that there is a control deficiency that may lead to misstatements
in the financial accounts. Load balancing may not address the underlying cause of the reduction in
throughput. The complaints should be substantiated before being included in the management letter.

2
Which of these BEST ensures the permanency (continued availability) of a wide area network (WAN) across the organization?
SELECT THE CORRECT ANSWER
Built-in alternative routing
Ensure daily backup of the entire system
A service provider providing a WAN with stringent SLA
Have all the servers continuously mirrored

Correct Option: A
EXPLANATION
Alternative routing ensures that the network continues to operate when a server loses its connection
or a link is disconnected, because message rerouting can be made automatic.

21
An IS auditor reviewing the operating system integrity of a server would PRIMARILY:
SELECT THE CORRECT ANSWER
verify that user programs do not invoke privileged programs and services
determine whether administrator accounts have proper password controls
ensure that file permissions are correct on configuration files
verify that programs or services running on the server are from valid sources

Correct Option: A
EXPLANATION
If user-level programs can affect privileged programs or services, then unauthorized changes to system
parameters and operating system (OS) integrity issues may ensue. Privilege escalation attacks happen
when an unauthorized user is able to perform actions that should require higher privileges.

35
During an audit of application access, the IS auditor discovers the systems administrator manages
logical access to a critical application. The IS auditor should
SELECT THE CORRECT ANSWER
be concerned because the application owner should restrict access to applications as required for
users to perform their job functions

not be concerned because the systems administrator manages the application

be concerned because the information security function should restrict user access according to
business requirements

not be concerned because the systems administrator knows which individuals should and should not
have access to the application

Correct Option: C
EXPLANATION
The information security administrator has the ability to grant or revoke access to applications;
however, authorization for the access must come from the application owner, who approves
access based on business requirements. The other options are not correct because the duties
described are normally performed by the information security administrator, not the systems administrator.

41
A CISA has found an inadequate policy definition for data and systems ownership during an audit.
What is the PRIMARY concern?
SELECT THE CORRECT ANSWER
The IS administrator will be overburdened
Specific data owners are unknown, so accountability could be an issue
Unapproved users may have access to originate, modify, or delete data
Security Policies and procedures are incomplete

Correct Option: C
EXPLANATION
If there is no policy defining the responsibility for granting access to specific systems, system access
can be gained without proper authorization. The authority to grant access to specific users must be
documented.

45
Which of the following is the GREATEST benefit to implementing open source software (OSS)?
SELECT THE CORRECT ANSWER
Reduction of the total cost of ownership (TCO)
Ability to more easily customize program source code
Mitigation of the risk of being locked into a single provider
Reduction of the effort of performing system upgrades

Correct Option: C
EXPLANATION
If an organization decides not to rely on a single provider for a software solution, it may adopt an
open source software strategy. There are multiple providers of OSS, and while many products are
available free of charge, there may be some costs related to converting to OSS. Generally, the overall
TCO will be lower with OSS than with proprietary software. Being able to customize source
code is a benefit of OSS. Although the methods of performing system upgrades are similar, the effort
is not significantly lower when using OSS. OSS may come with frequent upgrades,
and it is up to the organization to decide whether each upgrade is necessary.

63
A CISA is performing an audit of access rights. Which of the following access rights, if held by a
computer operator, would present a risk?
SELECT THE CORRECT ANSWER
Data read/write access
Delete access to transaction data files
Execute access to programs
Update access

Correct Option: B
EXPLANATION
Deleting transaction data files is a job of the application support team, not the computer operator,
and should raise alarms.

64
Which of these is a benefit of the continuous audit approach?
SELECT THE CORRECT ANSWER
does not require the collection of evidence about system consistency during processing
permits instant review of and follow-up on the information collected
improves system security in time-sharing environments with a huge number of transactions
does not depend on the complexity of the computer systems

Correct Option: C (the correct answer is B)
EXPLANATION
The use of continuous auditing techniques can increase system security when used in time-sharing
environments that process a great number of transactions and leave a limited paper trail.

74
A CISA who is auditing a software system under development has found that quality assurance
testing and user acceptance testing were combined. What would be the MAJOR concern?
SELECT THE CORRECT ANSWER
users participate in testing and assurance
test documentation combined
inadequate functional testing
delays in problem resolution

Correct Option: C
EXPLANATION
The major concern with combining quality assurance testing and user acceptance testing is the
inadequacy of the functional testing that results.

75
An IS auditor is conducting a compliance test to determine whether controls support management
policies and procedures. The test will assist the IS auditor in
SELECT THE CORRECT ANSWER
obtaining an understanding of the control objective
assuring the control is operating as designed
determining the integrity of data controls
determining the reasonableness of financial reporting controls

Correct Option: B
EXPLANATION
Compliance tests can be used to test the existence and effectiveness of a defined process. IS auditors
want reasonable assurance the controls are effective. Understanding the control objectives is key,
but is not the reason to conduct a compliance test. Substantive tests, not compliance tests, are
associated with data integrity and financial reporting.

92
An IS auditor auditing a network operating system reviews which of these as a user feature?
SELECT THE CORRECT ANSWER
Availability of online network documentation
Access control logs
File transfer details
Incident reports

Correct Option: A
EXPLANATION
Network operating system user features comprise the online availability of network documentation,
user access to other systems, special user authorizations, and access to the network and host servers
without distinct user actions or commands. These must be reviewed by the auditor.

93
Which among these is the MOST critical aspect of effective business continuity management?
SELECT THE CORRECT ANSWER
The recovery site is secure and located at an appropriate distance from the primary site
The recovery plans are periodically tested
Fully tested backup hardware is available at the recovery site
Network links are available from multiple service providers

Correct Option: B
EXPLANATION
Periodic testing of the recovery plan is critical to ensure that whatever has been planned and
documented is feasible. The other options are more tactical considerations that are secondary to the
need for testing. If a disaster occurs, choices A, C and D would be more important.

95
Why does prototyping create issues in change control for software systems?
SELECT THE CORRECT ANSWER
the iterative nature of prototyping
the rapid speed of modifications to requirements and design
speedy approval of screens by users
different versions being produced

Correct Option: B
EXPLANATION
Changes in requirements and design occur so rapidly that they are seldom documented or approved,
and this is the biggest change control issue in prototyping projects.

96
The PRIMARY purpose of a capability maturity model (CMM) to evaluate an application
development project is to:
SELECT THE CORRECT ANSWER
ensure that adequate system processes and procedures are developed
verify that reliable applications are developed
ensure that system security requirements are appropriate
validate that programmers are working efficiently

Correct Option: B
EXPLANATION
By evaluating the organization's development projects using a CMM, an IS auditor can determine
whether the development organization follows a stable, predictable software process. A CMM is not
used for developing processes and procedures, designing system security requirements or testing
programmer productivity.

98
A firm is looking at biometric fingerprint identification for all the systems that access critical data.
This would need __________.
SELECT THE CORRECT ANSWER
a registration process implemented for all endorsed PC users
fingerprint matches to actual users
a fingerprint scanner supported by a unique ID
a contractual agreement that no unapproved access to critical information would occur

Correct Option: A
EXPLANATION
The fingerprints of endorsed users must be read, identified and recorded through a registration
process before the users can use the system. The other choices are incorrect.

104
Which of these can be considered an essential feature of a network management system?
SELECT THE CORRECT ANSWER
Graphical interface to plot the network topology
Regular updates to the system
Support desk for problem resolution
Expert advice on load and capacity management of network

Correct Option: A
EXPLANATION
A graphical interface is indispensable for tracing the topology of the network. The other choices
are not correct.

106
An IS auditor has found indications that an organization is using unlicensed software. Which of these steps
should the IS auditor take?
SELECT THE CORRECT ANSWER
include the declaration of management in the audit report
ascertain whether unlicensed software is being used by the organization
mention the misgivings and findings in the report
discuss the issue orally to avoid negative impression on the organization

Correct Option: B
EXPLANATION
As there is only an indication that the organization may be using unlicensed software, the IS auditor must
acquire adequate evidence before including it in the report. If the finding is substantiated, the IS auditor
must uphold objectivity and independence and include it in the report.

114
An IS auditor is reviewing evidence during an audit. Which among these could be considered as
MOST reliable?
SELECT THE CORRECT ANSWER
Auditee providing oral evidence during interview
Sample data results from an external IS auditor
A system-generated accounting report
A confirmation received from a customer

Correct Option: B
EXPLANATION
An independent test, with data results obtained by an IS auditor, can be considered the most
reliable source, as an audit is carried out through inspection, observation and inquiry as determined by
risk.

116
An IS auditor has been asked to review the controls that govern system-generated exception
reports. Which of these could BEST prove control effectiveness?
SELECT THE CORRECT ANSWER
CEO confirms control effectiveness
Review the access control for these reports
Review the system-generated exception reports over a period
Review the template of the system-generated exception report

Correct Option: C
EXPLANATION
The IS auditor would find the best form of evidence in the system-generated reports themselves, as they
are documented evidence of the effective operation of the control over time.

121
The CISA has concluded his closing meeting when an auditee informs him that corrective action
has already been taken on a finding. What should the CISA do?
SELECT THE CORRECT ANSWER
Include all the findings in the final report
Not include this finding in the final report
Include this finding in the final report stating the corrective action
Include this finding in the final report with a closed status

Correct Option: A
EXPLANATION
The CISA must include all findings in the final report, even if corrective action was taken before the audit ended.
The audit report must identify the finding and describe the corrective action taken. An audit report
should reflect the status as it existed at the time of the audit.

129
How is completed software delivered to the end users?
SELECT THE CORRECT ANSWER
Through user acceptance testing
Through implementation
Through release management
Through configuration control

Correct Option: C
EXPLANATION
Completed software is compiled and released to the end users through a formal release
procedure that reviews all changes and incorporates them into a final release. The release is moved out of
the development environment into production and made available to the end users.

133
What are the primary risks in a system development project?
SELECT THE CORRECT ANSWER
Risk of undisciplined development and poor project management practices
Risks of end users not accepting deliverables
Risk of inadequate technology skills
Risk of unclear requirements

Correct Option: A
EXPLANATION
Undisciplined system development and poor project management practices are the primary risks in
a project.

134
When is user acceptance testing carried out in the Waterfall software development cycle?
SELECT THE CORRECT ANSWER
Design
Implementation
Development
Requirement analysis

Correct Option: B
EXPLANATION
User acceptance tests are run during the Implementation phase of the Waterfall cycle. The user
determines whether the requirements are met and the end product is acceptable.

138
As per ISACA, which of these are the five business process reengineering (BPR) steps?
SELECT THE CORRECT ANSWER
Envision, initiate, evaluate, diagnose, redesign
Initiate, envision, evaluate, redesign, reconstruct
Envision, initiate, diagnose, redesign, reconstruct
Initiate, envision, redesign, reconstruct, evaluate

Correct Option: C
EXPLANATION
The six general steps are envisioning the goal, initiating a project, diagnosing the current process,
redesigning the process, reconstructing with change management, and evaluating the results by
checking whether the new process meets the original objective.

143
What is it called when the same message encrypted with different keys generates the same ciphertext?
SELECT THE CORRECT ANSWER
Secure hashing
Collision
Key clustering
MAC

Correct Option: C
EXPLANATION
When message A is encrypted with key A, the result is ciphertext Y. If key B is used to encrypt the
same message A, the result should differ from ciphertext Y because a different key was used.
If the ciphertext is nevertheless the same, the occurrence is called key clustering.

144
After a system failure, what action should be taken to restore a system and its data files?
SELECT THE CORRECT ANSWER
Perform a parallel test
Restore from storage media backup
Perform a walk-through test
Implement recovery procedures

Correct Option: D
EXPLANATION
Recovery procedures should be implemented in such situations; in most cases they include
data recovery from the backup media. These recovery procedures may comprise steps to rebuild
the system from scratch, apply the required configurations and patches, and determine what needs to
happen to ensure that productivity is not affected. A redundant system may also need to be
considered.