CISA Review Questions, Answers & Explanations Manual 2014 Supplement
by ISACA
ISACA. (c) 2013. Copying Prohibited.

Reprinted for Kiran Khan, ISACA (jamil.kiran@gmail.com)
Reprinted with permission as a subscription benefit of Books24x7, http://www.books24x7.com/

All rights reserved. Reproduction and/or distribution in whole or in part in electronic, paper or other forms without written permission is prohibited.

Questions, Answers & Explanations by Domain


Domain 1—The Process of Auditing Information Systems (14%)

AS1-1 When planning an IS audit, the auditor should FIRST:

A. identify the business process to be audited.

B. perform a risk assessment.

C. determine the objective of the audit.

D. identify needed audit resources.

C is the correct answer.

Justification:

A. The business process to be audited cannot be identified until the audit objective has been determined.

B. The risk-based approach requires the IS auditor to first understand the entity and its environment in order to identify
risk. The risk assessment cannot be performed until the audit objective is determined.

C. The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee
relevant to the audit area and its technology infrastructure.

D. Audit resources needed for the audit can only be determined after the scope of the audit has been set.

AS1-2 What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?

A. It detects risk sooner.

B. It replaces the audit function.

C. It reduces audit workload.

D. It reduces audit resources.

A is the correct answer.

Justification:

A. CSAs require employees to assess the control stature of their own function. CSAs help increase the
understanding of business risk and internal controls. Because they are conducted more frequently than audits,
CSAs help identify risk in a more timely manner.

B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present.

C. CSAs may not reduce the audit function’s workload and are not a major difference between the two approaches.

D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the
audit process, they do not affect the scope or depth of audit work that needs to be performed.

AS1-3 An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to
confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business
areas the project may affect?

A. Control risk

B. Compliance risk

C. Inherent risk

D. Residual risk

C is the correct answer.

Justification:

A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not
be due to the number of users or business areas affected.

B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and
may not be impacted by the number of users and business areas affected.

C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent
risk is the risk level or exposure without taking into account the actions that management has taken or might
take.

D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number
of users or business areas affected.

AS1-4 An IS auditor discovers a potential material finding. The BEST course of action is to:

A. report the potential finding to business management.

B. discuss the potential finding with the audit committee.

C. increase the scope of the audit.

D. perform additional testing.

D is the correct answer.

Justification:

A. The item should be confirmed through additional testing before it is reported to management.

B. The item should be confirmed through additional testing before it is discussed with the audit committee.

C. Additional testing to confirm the potential finding should be within the scope of the engagement.

D. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can lose credibility if
it is later discovered that the finding was not justified.

AS1-5 Which of the following is in the BEST position to approve changes to the audit charter?

A. Board of directors

B. Audit committee

C. Executive management

D. Director of internal audit

B is the correct answer.

Justification:

A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.

B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit
committee and the audit charter should be approved by the committee.

C. Executive management is not required to approve the audit charter. The audit committee is in the best position to
approve the charter.

D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final
approval of the charter.

AS1-6 An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process.
Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?

A. Inspection

B. Inquiry

C. Walk-through

D. Reperformance

C is the correct answer.

Justification:

A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full
understanding of the overall process and identify potential control weaknesses.

B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to
determine whether the control performer has an in-depth understanding of the control.

C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant
documentation and reperformance of controls. A walk-through of the manual log review process follows the
manual log review process from start to finish to gain a thorough understanding of the overall process and
identify potential control weaknesses.

D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the
auditee.

AS1-7 An IS auditor is evaluating processes put in place by management at a storage location containing computer
equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing
procedure executed by the IS auditor is an example of:

A. substantive testing.

B. compliance testing.

C. analytical testing.

D. control testing.

A is the correct answer.

Justification:

A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or
transactions during the audit period.

B. Compliance testing is evidence gathering for the purpose of testing an enterprise’s compliance with control procedures.
This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data
or other information.

C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship.

D. Control testing is the same as compliance testing.

AS1-8 Which of the following does a lack of adequate controls represent?

A. An impact

B. A vulnerability

C. An asset

D. A threat

B is the correct answer.

Justification:

A. Impact is the measure of the financial loss that a threat event may have.

B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk
of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive
information, financial loss, legal penalties or other losses.

C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure,
finances and reputation.

D. A threat is a potential cause of an unwanted incident.

AS1-9 An IS auditor is evaluating the controls around provisioning visitor access cards to the organization’s IT facility. The
IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory
count carried out by the IS auditor reveals no missing access cards. In this context, the IS auditor should:

A. disregard the lack of reconciliation because no discrepancies were discovered.

B. recommend regular physical inventory counts be performed in lieu of daily reconciliation.

C. report the lack of daily reconciliation as an exception.

D. recommend the implementation of a biometric access system.

C is the correct answer.

Justification:

A. Absence of discrepancy in physical count only confirms absence of any impact, but cannot be a reason to overlook
failure of operation of the control.

B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report
when the current process is deficient.

C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory
count gives assurance only at a point in time and is not a management-mandated activity.

D. While the IS auditor may in some cases recommend a solution, the primary goal is to observe and report when the
current process is deficient.

AS1-10 During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a
particular application. Which of the following should the IS auditor do?

A. Recommend compensating controls.

B. Review the code created by the developer.

C. Analyze the quality assurance dashboards.

D. Report the identified condition.

D is the correct answer.

Justification:

A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.

B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor
may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response
should be to report the condition.

C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but
does not address the underlying risk. The primary response should be to report the condition.

D. The software quality assurance role should be independent and separate from development activities. The
same person should not hold both roles because this would cause a segregation of duties concern. The IS
auditor should report this condition when identified.

AS1-11 An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank’s financial risk
is properly addressed, the IS auditor will most likely review which of the following?

A. Privileged access to the wire transfer system

B. Wire transfer procedures

C. Fraud monitoring controls

D. Employee background checks

B is the correct answer.

Justification:

A. Privileged access, such as administrator access, is necessary to manage user account privileges and should not be
granted to end users. The wire transfer procedures are a better control to review to ensure that there is segregation of
duties of the end users to help prevent fraud.

B. Wire transfer procedures include segregation of duties controls. This helps prevent internal fraud by not
allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should review the
procedures as they relate to the wire system.

C. Fraud monitoring is a detective control and does not prevent financial loss. Segregation of duties is a preventive control.

D. While controls related to background checks are important, the controls related to segregation of duties as found in the
wire transfer procedures are more critical.

AS1-12 An IS auditor is determining the appropriate sample size for testing the existence of program change approvals.
Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for
the review period. In this context, the IS auditor can adopt a:

A. lower confidence coefficient, resulting in a smaller sample size.

B. higher confidence coefficient, resulting in a smaller sample size.

C. higher confidence coefficient, resulting in a larger sample size.

D. lower confidence coefficient, resulting in a larger sample size.

A is the correct answer.

Justification:

A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use
of a smaller sample size.

B. A higher confidence coefficient will result in the use of a larger sample size.

C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong.

D. A lower confidence coefficient will result in the use of a smaller sample size.

AS1-13 Why does an audit manager review audit papers from an IS auditor, even when the auditor has more than
10 years of experience?

A. Supervision is required to comply with internal quality requirements.

B. Supervision is required to comply with the audit guidelines.

C. Supervision is required to comply with the audit methodology.

D. Supervision is required to comply with professional standards.

D is the correct answer.

Justification:

A. Internal quality requirements may exist, but are superseded by the requirement of supervision to comply with
professional standards.

B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they
may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve
compliance with professional standards.

C. An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is
a meaningful tool, supervision is generally driven by compliance with professional standards.

D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of
Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with
competence, professional proficiency and documentation requirements, and more.

AS1-14 Which of the following is the PRIMARY reason IS auditors conduct risk assessments?

A. To focus effort on areas of highest business impact

B. To maintain the organization’s risk register

C. To enable management to choose the correct risk response

D. To provide assurance on the risk management process

A is the correct answer.

Justification:

A. Risk assessments form the basis of audit department management and are used to determine potential
areas on which to focus audit efforts and resources. A risk assessment is the process used to identify and
evaluate risk and its potential effects.

B. Updating the risk register is the responsibility of operations management, not the IT audit department.

C. Management chooses the correct risk response strategy based on the enterprisewide risk assessment, evaluation and
analysis.

D. Assurance on risk management is not the main reason why risk assessments are performed by the audit department.

The IT audit department performs risk assessments for two purposes: to create a risk-based audit schedule and to manage
the risk related to each audit engagement from a delivery and project management perspective.

Domain 2—Governance and Management of IT (14%)

AS2-1 An IS auditor is reviewing the disaster recovery plan (DRP) for a large organization with multiple locations requiring
high systems availability. Which of the following causes the GREATEST concern?

A. There is no agreement for a third-party alternate processing center.

B. Backup media are not tested.

C. The entire DRP is not periodically tested.

D. A physical copy of the plan is not available at the alternate processing site.

B is the correct answer.

Justification:

A. While an agreement for an alternate processing site is important, a large organization with multiple locations will most
likely have other alternate processing sites within the organization without needing a third-party processing center. Data
could be sent to another site within the organization, but if the backup data are not reliable, the risk to availability is not
managed.

B. Testing backups provides assurance that the backup data are reliable and will be available when needed.
Without backup data, the organization is not addressing the risk of availability.

C. While it is important to periodically test the DRP, it is also effective to periodically test the plan using certain scenarios
instead of testing the entire plan. In many cases the restoration of backup media will not change for different disasters. For
organizations with high availability requirements, data must be reliable and available when needed. If the primary
processing center is not available, recovery of backup media is typically the same for each location as long as it is reliable
and available.

D. The DRP must be available to all personnel involved with recovery efforts. With the availability of the Internet, there are
alternative methods of delivery/retrieval of the plan. Reliability and availability of backup data are priorities for organizations
that require high availability.

AS2-2 An IS auditor reviewing a project’s risk and related risk responses would be MOST concerned with a lack of
management sign-off for a risk that was:

A. avoided.

B. transferred.

C. mitigated.

D. accepted.

D is the correct answer.

Justification:

A. The avoidance strategy involves not implementing certain activities or processes that incur risk, thus eliminating the risk.
The IS auditor would not expect a formal sign-off for an avoided risk.

B. Risk that is transferred is shared among partners such as through insurance or contractual agreement. Lack of a
documented management sign-off would be of concern, but not as high a concern as with an accepted risk because the
overall risk to the organization is reduced.

C. Because the risk has been mitigated, management has signed off and approved the approach used to mitigate the risk.
The IS auditor would be more concerned if management did not approve a risk that was accepted.

D. In order to accept the risk, management must first be made aware of the risk and its consequences. This
includes a formal acceptance of the risk, which is usually evidenced by a sign-off.

AS2-3 For key performance indicators (KPIs) to be an effective and useful metric, it is MOST important that:

A. KPIs are measured at consistent intervals.

B. specific goals are defined.

C. critical success factors (CSFs) are considered.

D. KPIs are purely quantitative measures.

B is the correct answer.

Justification:

A. Measurement at consistent intervals is not likely to be important because trends and the extent to which goals are
achieved can be determined.

B. The most important metric is the extent to which the key goal indicators (KGIs) are achieved.

C. CSFs are important considerations for determining that a goal is being achieved, but are not a metric.

D. Quantitative measures are usually preferable, but not always possible and not essential.

AS2-4 Which of the following documents is the BEST source for an IS auditor to understand the requirements for
employee awareness training?

A. Information security policy

B. Acceptable usage policy

C. Human resources (HR) policy

D. End-user computing policy

A is the correct answer.

Justification:

A. The information security policy states the organization’s approach to managing information security. The
policy contains the company’s security objectives and explains the security policies, principles and standards.
In addition, the policy outlines requirements such as compliance with regulations and employee education,
training and awareness.

B. The acceptable usage policy outlines guidelines and rules for employee use of the company’s information resources. It
is focused and does not include requirements for security awareness training.

C. The HR policy refers to the information security policy, but does not specifically list the requirements for security
awareness training. Instead, this document contains broader information such as hiring practices, commitments to diversity
and ethics, and compliance with regulations.

D. The end-user computing policy describes the parameters and usage of desktop tools by users. It does not contain
requirements for security awareness training.

AS2-5 To be effective, risk management should be applied to:

A. those elements identified by a risk assessment.

B. any area that exceeds acceptable risk levels.

C. all organizational activities.

D. only areas that have potential impact.

C is the correct answer.

Justification:

A. Elements of unacceptable risk will require treatment, but all activities are subject to risk management oversight.
Assessing risk and determining which risk is acceptable and which risk has the potential for impact are functions of risk
management.

B. Risk management must be holistic and should not be limited to areas that exceed acceptable risk levels. Areas within
acceptable risk levels may be optimized by reducing control measures or assuming more risk.

C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is still
applied to determine which risk requires treatment.

D. When assessing risk, determining which risk is acceptable, which risk exceeds acceptable levels and which risk has the
potential for impact are functions of risk management.

AS2-6 The goal of IT risk analysis is to:

A. enable the alignment of IT risk management with enterprise risk management (ERM).

B. enable the prioritization of risk responses.

C. satisfy legal and regulatory compliance requirements.

D. identify known threats and vulnerabilities to information assets.

B is the correct answer.

Justification:

A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management
process. However, risk analysis does not enable such an alignment.

B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk
analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are
managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize
return on investment for risk responses.

C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and
other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy
legal and regulatory compliance requirements.

D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and
vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the
vectors of likelihood and impact to facilitate the prioritization of risk responses.

AS2-7 Which of the following is a PRIMARY objective of an acceptable use policy?

A. Creating awareness about the secure use of proprietary resources

B. Ensuring compliance with information security policies

C. Defining sanctions for noncompliance

D. Controlling how proprietary information systems are used

D is the correct answer.

Justification:

A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the
acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is
often signed after employee orientation and during periodic user awareness training.

B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic.
Information security policies are much broader in overall content and include a wider audience.

C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary
objective of the acceptable use policy; prevention is the primary objective.

D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios,
including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such
risk, a policy supported by guidelines is put into effect to define how information system resources will be
used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to
acknowledge that they are aware.

AS2-8 What is the GREATEST risk of a bank outsourcing its data center?

A. Loss or leakage of information

B. Noncompliance with regulatory requirements

C. Vendor failure or bankruptcy

D. Loss of internal knowledge and experience

A is the correct answer.

Justification:

A. The risk of loss or leakage of information is the greatest risk because it can subject the company to
regulatory fines, lawsuits and reputation risk.

B. Although noncompliance with regulations subjects a company to potential fines, it is not necessarily as great a risk as a
security breach.

C. The risk of vendor failure or bankruptcy can be mitigated in the contract through such clauses as code escrow as well
as a robust recovery process. Although this risk is inherent in any contractual relationship, if the correct controls are in
place then it should not materially affect the bank as much as a loss or leakage of information.

D. The risk of a lack of internal IS staff knowledge through outsourcing, although valid, is not as great a risk as that
resulting from a loss or leakage of information. Contractual controls, such as a turnover period in the event of contract
termination, can also help mitigate the risk of loss of internal knowledge.

AS2-9 Which of the following should be of GREATEST concern to an IS auditor reviewing the business continuity plan
(BCP) of an organization?

A. Daily full backups are not performed for critical production files.

B. A team of IT and information security staff conducted the business impact analysis (BIA).

C. Sensitive information processes are manually performed during a disruption.

D. An annual test of the BCP is not being performed.

B is the correct answer.

Justification:

A. Daily full backups may not be required if incremental or differential backups are in place.

B. To be effective, the BIA should be conducted with input from a wide array of stakeholders. The business
requirements included within the BIA are integral in defining mean-time-to-repair and the data point recovery.
Without business stakeholder input, these critical requirements may not be correctly defined, leading to critical
assets being overlooked.

C. As long as the service delivery objective is met and data are handled in alignment with the data classification and
handling policy, it is appropriate for “sensitive” functions to be performed manually in the case of a BCP event.

D. The frequency of testing is less important than business involvement in the creation of the BCP.

AS2-10 Which of the following compensating controls should management implement when a segregation of duties conflict
exists because an organization has a small IT department?

A. More frequent review of audit logs

B. Tighter controls over user provisioning

C. More frequent reviews of administrative access

D. Independent review of exception reports

D is the correct answer.

Justification:

A. While frequent review of audit logs is a compensating control, if there is no clear segregation of duties, this is an
ineffective control. An IT person with administrative access to a system could potentially delete audit logs or disable audit
logging altogether. From a practical perspective, logs typically contain large volumes of data; an in-depth review of these
data would be a time-consuming and impractical method for finding issues related to segregation of duties conflicts.

B. User provisioning is the process of granting access to an application or system. While a normal part of the provisioning
process is to make sure that no segregation of duties conflicts exist, this cannot be done in the present case due to the
small size of the IT department. Therefore, tighter controls over user provisioning would be of limited value.

C. While it is important to ensure that only authorized individuals have administrative access to critical systems to prevent
segregation of duties conflicts, in this case those conflicts cannot be prevented. Therefore, a frequent review of
administrative access would be of limited value as a control.

D. Assuming that the integrity of the exception reporting process can be validated through audit testing, an
independent review of the exception reports is the best compensating control.

AS2-11 An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate
the quality of alignment between IT and the business?

A. Security policies

B. Operational procedures

C. Project portfolio

D. IT balanced scorecard (IT BSC)

D is the correct answer.

Justification:

A. Security policies are important; however, they are not designed to align IT to the business.

B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business.

C. The project portfolio is the set of projects owned by the organization. The portfolio provides a status quo, but is not a
good basis to assess alignment of IT with the business.

D. The IT BSC represents the translation of the business objectives into what IT needs to do to achieve these
objectives.

AS2-12 Value delivery from IT to the business is MOST effectively achieved by:

A. aligning the IT strategy with the enterprise strategy.

B. embedding accountability in the enterprise.

C. providing a positive return on investment (ROI).

D. establishing an enterprisewide risk management process.

A is the correct answer.

Justification:

A. IT’s value delivery to the business is driven by aligning IT with the enterprise’s strategy.

B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance).

C. While ROI is important, it is not the only criterion by which the value of IT is assessed.


D. Enterprisewide risk management is critical to IT governance; however, by itself it will not guarantee that IT delivers
value to the business unless the IT strategy is aligned with the enterprise strategy.

AS2-13 Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event
of a disaster?

A. Enforced procedures for regular plan updates

B. A tabletop exercise with disaster scenarios

C. A comprehensive reciprocal agreement

D. Long-haul diversity and last-mile redundancy

B is the correct answer.

Justification:

A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it
involves people and processes.

B. A tabletop exercise is used to test the effectiveness of a BCP without the interruption of a full-scale drill. The
test team walks through a simulated disaster to determine whether the plan will work as designed. Of the
options given, a tabletop exercise is the best way to ensure that the BCP will function as intended without live
testing to reveal plan deficiencies.

C. Reciprocal agreements will specify the conditions among counterparties for sharing facilities in case of disaster, but
provide no assurance that the BCPs will work.

D. Long-haul diversity and last-mile redundancy are important considerations for business continuity planning, but by
themselves are insufficient to ensure that the plans will work.

AS2-14 Which of the following is the BEST indicator of IT alignment with organizational strategies and objectives?

A. A well-defined enterprise architecture

B. Established policy compliance metrics

C. The results of a business process owner survey

D. The findings of an internal controls assessment

C is the correct answer.

Justification:

A. Enterprise architecture (EA) helps define standards and designs for IT systems; however, it does not measure how IT is aligned with the
business.

B. Policy compliance metrics do not indicate IT’s alignment with the business.

C. Business owners are in the best position to provide direct feedback on the extent to which IT provides
support for business objectives and strategies.

D. An internal controls assessment will not provide evidence of IT’s alignment with the business.

Domain 3—Information Systems Acquisition, Development and Implementation (19%)

AS3-1 An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose
would the auditor be interested in using a check digit?

A. To detect data transposition errors.

B. To ensure that transactions do not exceed predetermined amounts.


C. To ensure that data entered are within reasonable limits.

D. To ensure that data entered are within a predetermined range of values.

A is the correct answer.

Justification:

A. A check digit is a numeric value added to data to ensure that original data are correct and have not been
altered.

B. Ensuring that data have not exceeded a predetermined amount is a limit check.

C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check.

D. Ensuring that data entered are within a predetermined range of values is a range check.
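To make the check-digit control in AS3-1 concrete, the following Python (an added example, not part of the ISACA manual) implements two common schemes, Luhn (mod 10) and a weighted mod-11 check of the kind used for ISBN-10 and many account numbers, and shows how each reacts to the adjacent-digit transposition the question is concerned with. All account numbers are constructed samples.

```python
"""Check digits as a data-integrity control (added example, not ISACA's).

Two common schemes are implemented and then exercised against an
adjacent-digit transposition, the keying error AS3-1 is about.
All account numbers below are constructed samples.
"""


def luhn_check_digit(payload: str) -> str:
    """Luhn (mod 10) check digit for a digit string."""
    if not payload.isdigit():
        raise ValueError("payload must be digits only")
    total = 0
    # Walk from the right; the digit next to the check position is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last character is the correct Luhn check digit."""
    return len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def mod11_check_digit(payload: str) -> str:
    """Weighted mod-11 check digit, weights 2, 3, 4, ... counted from the right.

    Adjacent positions carry distinct weights, so every adjacent transposition
    and every single-digit error changes the residue. 'X' stands for 10.
    """
    if not payload.isdigit():
        raise ValueError("payload must be digits only")
    total = sum(int(ch) * w for w, ch in enumerate(reversed(payload), start=2))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def mod11_valid(number: str) -> bool:
    """True if the last character is the correct mod-11 check digit."""
    return len(number) > 1 and mod11_check_digit(number[:-1]) == number[-1]


def swap_adjacent(number: str, i: int) -> str:
    """Simulate a keying error: swap the characters at positions i and i+1."""
    return number[:i] + number[i + 1] + number[i] + number[i + 2:]


def transposition_demo() -> dict:
    """Map of test case -> whether the check accepted the number.

    True for a '*_transposed_*' case means the error slipped through.
    """
    luhn_num = "7992739871" + luhn_check_digit("7992739871")   # 79927398713
    luhn_blind = "1230945" + luhn_check_digit("1230945")       # 12309456
    mod11_num = "1230945" + mod11_check_digit("1230945")       # 12309451
    return {
        "luhn_original": luhn_valid(luhn_num),
        "luhn_transposed_98": luhn_valid(swap_adjacent(luhn_num, 6)),
        # Luhn's one blind spot: swapping 0 and 9 leaves the sum unchanged.
        "luhn_transposed_09": luhn_valid(swap_adjacent(luhn_blind, 3)),
        "mod11_original": mod11_valid(mod11_num),
        "mod11_transposed_09": mod11_valid(swap_adjacent(mod11_num, 3)),
    }


if __name__ == "__main__":
    for case, accepted in transposition_demo().items():
        print(f"{case:22s} accepted={accepted}")
```

The demo shows why the auditor should know which scheme an application uses: Luhn misses a 09/90 swap, while the weighted mod-11 check catches every adjacent transposition.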

AS3-2 Which of the following is the BEST indicator that a newly developed system will be used after it is in production?

A. Regression testing

B. User acceptance testing (UAT)

C. Sociability testing

D. Parallel testing

B is the correct answer.

Justification:

A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or
processes and whether those changes altered or broke previous functionality.

B. UAT is undertaken to provide confidence that a system or system component operates as intended, to
provide a basis for evaluating the implementation of the requirements, or to demonstrate the effectiveness or
efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be
adopted by the users.

C. Sociability test results indicate how the application works with other components within the environment and are not
indicative of the user experience.

D. Parallel testing is performed when the comparison of two applications is needed, but will not provide feedback on user
satisfaction.

AS3-3 The project steering committee is ultimately responsible for:

A. day-to-day management and leadership of the project.

B. allocating the funding for the project.

C. project deliverables, costs and timetables.

D. ensuring that system controls are in place.

C is the correct answer.

Justification:

A. Day-to-day management and leadership of the project is the function of the project manager.

B. Providing the funding for the project is the function of the project sponsor.

C. The project steering committee provides overall direction; ensures appropriate representation of the major
stakeholders in the project’s outcome; and takes ultimate responsibility for the deliverables, costs and
timetables.

D. Ensuring that system controls are in place is the function of the project security officer.

AS3-4 Which of the following BEST helps ensure that deviations from the project plan are identified?

A. A project management framework

B. A project management approach

C. A project resource plan

D. Project performance criteria

D is the correct answer.

Justification:

A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the
consistent method to be applied when initiating a project, but does not define the criteria used to measure project success.

B. A project management approach defines guidelines for project management processes and deliverables, but does not
define the criteria used to measure project success.

C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team
members, but does not wholly define the criteria used to measure project success.

D. In order to identify deviations from the project plan, project performance criteria must be established as a
baseline. Successful completion of the project plan is indicative of project success.

AS3-5 An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of
parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the
GREATEST concern?

A. The implementation phase of the project has no backout plan.

B. User acceptance testing (UAT) was not properly documented.

C. Software functionality tests were completed, but stress testing was not performed.

D. The go-live date is over a holiday weekend when key IT staff are on vacation.

A is the correct answer.

Justification:

A. One of the benefits of deploying a new system in parallel with an existing system is that the original system
can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create
significant issues because it can take considerable time and cost to restore operations to the prior state if there
is no viable plan to do so.

B. The documentation of UAT is a much less important concern than not having a viable backout plan; therefore, this is not
the correct answer.

C. The lack of stress testing is a much less important concern than not having a viable backout plan; therefore, this is not
the correct answer.

D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project
managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no
backout plan.

AS3-6 Which of the following software testing methods provides the BEST feedback on how software will perform in the
live environment?


A. Alpha testing

B. Regression testing

C. Beta testing

D. White box testing

C is the correct answer.

Justification:

A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally
involves a software version that does not contain all the features of the final product and may be a simulated test.

B. Regression testing is used to determine whether system changes have introduced new errors to existing functionality.

C. Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta
testing is the last stage of testing, and involves sending the beta version of the product to independent beta
test sites or offering it free to interested users.

D. White box testing is used to assess the effectiveness of program logic.

AS3-7 Which of the following is the BEST method of controlling scope creep in a system development project?

A. Defining penalties for changes in requirements

B. Establishing a software baseline

C. Adopting a matrix project management structure

D. Identifying the critical path of the project

B is the correct answer.

Justification:

A. While defining penalties for changes in requirements may help to prevent scope creep, software baselining is a better
way to accomplish this goal.

B. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user
requirements. Any changes thereafter will undergo strict formal change control and approval procedures.
Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements.

C. In a matrix project organization, management authority is shared between the project manager and the department
heads. Adopting a matrix project management structure will not address the problem of scope creep.

D. Although the critical path is important, it will change over time and will not control scope creep.

AS3-8 Which of the following is a PRIMARY objective of embedding an audit module while developing online application
systems?

A. To collect evidence while transactions are processed

B. To reduce requirements for periodic internal audits

C. To identify and report fraudulent transactions

D. To increase efficiency of the audit function

A is the correct answer.

Justification:

A. Embedding a module for continuous auditing within an application processing a large number of transactions
provides timely collection of audit evidence during processing and is the primary objective. The continuous
auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather
selective audit evidence through the computer.

B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required
evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the
question pertains to the development process for new application systems, and not to subsequent internal audits.

C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify
fraudulent transactions inherently.

D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.
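The embedded audit module described in AS3-8 can be sketched in code. The following Python is an added example, not ISACA's material: a hook inside the application's payment processing copies transactions matching the auditor's selection criteria into a hash-chained evidence log at processing time. The selection criteria, transactions and user names are constructed assumptions for the demo.

```python
"""Embedded audit module (EAM) sketch: added example, not ISACA's code.

The application posts accounts-payable payments. An embedded hook inspects
every transaction while it is processed and copies the ones matching the
auditor's selection criteria into an append-only, hash-chained evidence log,
so the evidence is collected at processing time and later edits are
detectable. Criteria, transactions and users are constructed samples.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64


@dataclass
class EvidenceLog:
    """Append-only evidence store; each record commits to the previous hash."""
    records: list = field(default_factory=list)
    last_hash: str = GENESIS

    def append(self, txn: dict, reason: str) -> None:
        body = json.dumps({"txn": txn, "reason": reason, "prev": self.last_hash},
                          sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.records.append({"body": body, "hash": digest})
        self.last_hash = digest

    def reasons(self) -> list:
        """(transaction id, selection reason) for every captured record."""
        out = []
        for rec in self.records:
            body = json.loads(rec["body"])
            out.append((body["txn"]["id"], body["reason"]))
        return out

    def verify_chain(self) -> bool:
        """Recompute the chain; an edited, removed or reordered record breaks it."""
        prev = GENESIS
        for rec in self.records:
            if json.loads(rec["body"])["prev"] != prev:
                return False
            if hashlib.sha256(rec["body"].encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return prev == self.last_hash


def audit_hook(txn: dict, log: EvidenceLog, limit: float = 10_000.0) -> None:
    """Selection criteria chosen for this demo (assumptions, not a standard)."""
    if txn["amount"] > limit:
        log.append(txn, "amount exceeds limit")
    if txn["approver"] == txn["entered_by"]:
        log.append(txn, "same user entered and approved")


def process_payments(txns: list, log: EvidenceLog) -> list:
    """The application's normal posting loop with the EAM hook embedded."""
    posted = []
    for txn in txns:
        audit_hook(txn, log)  # evidence captured before the posting happens
        posted.append({**txn, "status": "posted"})
    return posted


# Constructed sample transactions (not real data).
SAMPLE_TXNS = [
    {"id": 1, "vendor": "V100", "amount": 450.0, "entered_by": "ann", "approver": "bob"},
    {"id": 2, "vendor": "V200", "amount": 25000.0, "entered_by": "ann", "approver": "bob"},
    {"id": 3, "vendor": "V300", "amount": 900.0, "entered_by": "cid", "approver": "cid"},
]


def run_demo():
    """Process the sample batch and return (posted transactions, evidence log)."""
    log = EvidenceLog()
    posted = process_payments(SAMPLE_TXNS, log)
    return posted, log


if __name__ == "__main__":
    posted, log = run_demo()
    print(len(posted), "posted;", len(log.records), "captured as evidence")
    print(log.reasons(), "chain intact:", log.verify_chain())
```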

Practice Questions

1. If an organization chooses to implement a control self-assessment program, the auditor should participate primarily as a:

□ A. Monitor
□ B. Facilitator
□ C. Project leader
□ D. The auditor should not participate in the organization’s CSA program because doing so would create a potential conflict of interest.

A1: Answer: B. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

2. Which of the following elements must be present to properly log activities and achieve accountability for actions performed by a user?

□ A. Identification and authorization only
□ B. Authentication and authorization only
□ C. Identification and authentication only
□ D. Authorization only

A2: Answer: C. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

3. When initially planning a risk-based audit, which of the following steps is MOST critical?

□ A. Evaluating the organization’s entire environment as a whole
□ B. Establishing an audit methodology based on accepted frameworks, such as COBIT or COSO
□ C. Documenting procedures to ensure that the auditor achieves the planned audit objectives
□ D. The identification of the areas of high risk for controls failure

A3: Answer: D. In planning an audit, the MOST critical step is identifying areas of high risk.

4. What is the PRIMARY purpose of audit trails?

□ A. To better evaluate and correct audit risk resulting from potential errors the auditor might have committed by failing to detect controls failure
□ B. To establish a chronological chain of events for audit work performed
□ C. To establish accountability and responsibility for processed transactions
□ D. To compensate for a lack of proper segregation of duties

A4: Answer: C. Although secure audit trails and other logging are used as a compensatory control for a lack of proper segregation of duties, the primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

5. Which of the following is the MOST appropriate type of risk to be associated with authorized program exits (trap doors)?

□ A. Inherent
□ B. Audit
□ C. Detection
□ D. Business

A5: Answer: A. Inherent risk is associated with authorized program exits (trap doors).

6. When performing an audit of an organization’s systems, the auditor’s first step should be to:

□ A. Develop a strategic audit plan
□ B. Gain an understanding of the focus of the business of the organization
□ C. Perform an initial risk assessment to provide the foundation for a risk-based audit
□ D. Determine and define audit scope and materiality

A6: Answer: B. The IS auditor’s first step is to understand the business focus of the organization. Until the auditor has a good understanding of the organization’s business goals, objectives, and operations, the auditor will not be able to competently complete any of the other tasks listed.

7. Which of the following risks results when the auditor uses an insufficient test procedure, resulting in the auditor’s ill-informed conclusion that material errors do not exist, when, in fact, they do?

□ A. Business risk
□ B. Detection risk
□ C. Audit risk
□ D. Inherent risk

A7: Answer: B. Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

8. Which of the following is considered the MOST significant advantage of implementing a continuous auditing approach?

□ A. It can improve system security when used in time-sharing environments that process a large number of transactions.
□ B. It can provide more actionable audit results because of the increased input from management and staff.
□ C. It can identify high-risk areas that might need a detailed review later.
□ D. It can significantly reduce the amount of resources necessary for performing the audit because time constraints are more relaxed.

A8: Answer: A. The PRIMARY advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

9. When an IS auditor finds evidence of minor weaknesses in controls, such as use of weak passwords, or poor monitoring of reports, which of the following courses of action is MOST appropriate for the auditor?

□ A. Take corrective action by informing affected users and management of the controls vulnerabilities
□ B. Realize that such minor weaknesses of controls are usually not material to the audit
□ C. Immediately report such weaknesses to IT management
□ D. Take no corrective action whatsoever, and simply record the observations and associated risk arising from the collective weaknesses into the audit report

A9: Answer: D. While preparing the audit report, the IS auditor should record the observations and the risk arising from the collective weaknesses.

10. Which of the following is considered to present the GREATEST challenge to using test data for validating processing?

□ A. Potential corruption of actual live data
□ B. Creation of test data that covers all possible valid and invalid conditions
□ C. Test results being compared to expected results from live processing
□ D. Data isolation issues associated with high-speed transaction processing

A10: Answer: B. Creating test data that covers all possible valid and invalid conditions is often the greatest challenge in using test data.
CISA Practice Exam Questions D. The auditor is objective, not associated with the
organization, and free of any connections to the client
1. Which type of sampling is best when dealing with
population characteristics such as dollar amounts and 7. Which of the following meets the description “the
weights? primary objective is to leverage the internal audit
A. Attribute sampling function by placing responsibility of control and
B. Variable sampling monitoring onto the functional areas”?
C. Stop-and-go sampling A. Integrated auditing
D. Discovery sampling B. Control self-assessment
C. Automated work papers
2. Which of the following sampling techniques is D. Continuous auditing
generally applied to compliance testing?
A. Attribute sampling 8. Which of the following sampling techniques would
B. Variable sampling be best to use if the expected discovery rate is
C. Stop-and-go sampling extremely low?
D. Discovery sampling A. Attribute sampling
B. Variable sampling
3. To guarantee the confidentiality of client C. Stop-and-go sampling
information, an auditor should do which of the D. Discovery sampling
following when reviewing such information?
A. Contact the CEO or CFO and request what sensitive 9. Which of the following offers how-to information?
information A. Standards
can and cannot be disclosed to authorities B. Policy
B. Assume full responsibility for the audit archive and C. Guidelines
stored data D. Procedures
C. Leave all sensitive information at the owners’
facility 10. The type of risk that might not be detected by a
D. Not back up any of his or her work papers system of internal controls is defined as which of the
following?
4. Which of the following best describes materiality? A. Control risk
A. An audit technique used to evaluate the need to B. Audit risk
perform an auditB. The principle that individuals, C. Detection risk
organizations, and the community are responsible for D. Inherent risk
their actions and might be required to explain them
C. The auditor’s independence and freedom from 11. Which of the following items makes computer-
conflict of interest assisted audit techniques (CAAT) important to an
D. An auditing concept that examines the importance auditor?
of an item of information in regard to the impact or A. A large amount of information is obtained by using
effect on the entity being audited specific techniques to analyze systems.
B. An assistant or untrained professional with no
5. Which of the following sampling technique is best to specialized training can utilize CAAT tools, which frees
use to prevent excessive sampling? up the auditor to participate in other activities.
A. Attribute sampling C. CAAT requires more human involvement in the
B. Variable sampling analysis than multifunction audit utilities.
C. Stop-and-go sampling D. CAAT requires the auditor to reduce the sampling
D. Discovery sampling rate and provides a more narrow audit coverage.

6. Which of the following descriptions best defines 12. The risk that a material error will occur because of
auditor independence? weak controls or no controls is known as which of the
A. The auditor has high regard for the company and following?
holds several hundred shares of the company’s stock A. Control risk
B. The auditor has a history of independence and even B. Audit risk
though the auditor has a niece that is employed by the C. Detection risk
company, he has stated that this is not a concern D. Inherent risk
C. The auditor has previously given advice to the
organization’s design staff while employed as the
auditor
13. You have been asked to audit a series of controls. C. System-development methodologies and change-
Using Figure E.1 as your reference, what type of control control procedures that have been implemented to
have you been asked to examine? protect the organization and maintain compliance
A. Amount total D. Procedures that provide reasonable assurance to
B. Hash total control and manage data-processing operations
C. Item total
D. Data checksum 18. Which of the following is the best example of a
Figure E.1. detective control?
[View full size image] A. Access-control software that uses passwords,
tokens, and/or
biometrics
B. Intrusion-prevention systems
C. Backup procedures used to archive data
D. Variance reports

19. Which of the following is not one of the four


common elements needed to determine whether
fraud is present?
A. An error in judgment
B. Knowledge that the statement was false
C. Reliance on the false statement
D. Resulting damages or losses

14. Which of the following is the best tool to extract 20. You have been asked to implement a continuous
data that is relevant to the audit? auditing program. With this in mind, which of the
A. Integrated auditing following should you first identify?
B. Generalized audit software A. Applications with high payback potential
C. Automated work papers B. The format and location of input and output files
D. Continuous auditing C. Areas of high risk within the organization
D. Targets with reasonable thresholds
15. You have been asked to perform an audit of the
disaster-recovery procedures. As part of this process, 21. Which of the following should be the first step for
you must use statistical sampling techniques to organizations wanting to develop an information
inventory all backup tapes. Which of the following security program?
descriptions best defines what you have been asked to A. Upgrade access-control software to a biometric or
do? token system
A. Continuous audit B. Approve a corporate information security policy
B. Integrated audit statement
C. Compliance audit C. Ask internal auditors to perform a comprehensive
D. Substantive audit review
D. Develop a set of information security standards
16. According to ISACA, which of the following is the
fourth step in the risk based audit approach? 22. Which of the following is primarily tasked with
A. Gather information and plan ensuring that the IT department is properly aligned
B. Perform compliance tests with the goals of the business?
C. Perform substantive tests A. Chief executive officer
D. Determine internal controls B. Board of directors
C. IT steering committee
17. Which general control procedure most closely D. Audit committee
maps to the information systems control procedure
that specifies, “Operational controls that are focused 23. The balanced score card differs from historic
on day-to-day activities”? measurement schemes, in that it looks at more than
A. Business continuity and disaster-recovery what?
procedures that provide reasonable assurance that the A. Financial results
organization is secure against disasters B. Customer satisfaction
B. Procedures that provide reasonable assurance for C. Internal process efficiency
the control of database administration D. Innovation capacity
28. Which of the following is the best method to
24. Which of the following is the purpose of enterprise identify problems between procedure and activity?
architecture (EA)? A. Policy review
A. Ensure that internal and external strategy are B. Direct observation
aligned C. Procedure review
B. Map the IT infrastructure of the organization D. Interview
C. Map the IT infrastructure of the organization and
ensure that its 29. You are working with a risk-assessment team that
design maps to the organization’s strategy is having a hard time calculating the potential financial
D. Ensure that business strategy and IT investments loss to the company’s brand name that could result
are aligned from a risk. What should the team do next?
A. Calculate the return on investment (ROI)
25. Which of the following types of planning entails an B. Determine the single loss expectancy (SLE)
outlook of greater than three years? C. Use a qualitative approach
A. Daily planning D. Review actuary tables
B. Long-term planning
C. Operational planning 30. What operation-migration strategy has the highest
D. Strategic planning possible level of risk?
A. Parallel
26. A new IT auditor has been asked to examine some B. Hard
processing, editing, and validation controls. Can you C. Phased
help define the control shown in Figure E.2? D. Intermittent
A. Validity check
B. Reasonableness check 31. Many organizations require employees to rotate to
C. Existence check different positions. Why?
D. Range check A. Help deliver effective and efficient services
Figure E.2. B. Provide effective cross-training
[View full size image] C. Reduce the opportunity for fraud or improper or
illegal acts
D. Increase employee satisfaction

32. The balanced score card looks at four metrics.


Which of the following is not one of those metrics?
A. External operations
B. The customer
C. Innovation and learning
D. Financial data

33. You have been assigned to a software-


development project that has 80 linked modules and is
being developed for a system that handles several
million transactions per year. The primary screen of the
application has data items that carry up to 20 data
attributes. You have been asked to work with the audit
staff to determine a true estimate of the development
effort.
Which of the following is the best technique to
27. Senior management needs to select a strategy to determine the size of the project?
determine who will pay for the information system’s A. White-boxing
services. Which of the following payment methods is B. Black-boxing
known as a “pay as you go” system? C. Function point analysis
A. Single cost D. Source lines of code
B. Shared cost
C. Chargeback 34. Which of the following is the preferred tool for
D. Sponsor pays estimating project time when a degree of uncertainty
exists?
A. Program Evaluation and Review Technique (PERT)
B. Source lines of code (SLOC)
C. Gantt
D. Constructive Cost Model (COCOMO)

35. Which of the following techniques is used to


determine what activities are critical and what the
dependencies are among the various tasks?
A. Compiling a list of each task required to complete
the project
B. COCOMO
C. Critical path methodology (CPM)
D. Program Evaluation and Review Technique (PERT)

36. Which of the following is considered a traditional


system development lifecycle model?
A. The waterfall model
B. The spiral development model
40. You have been asked to suggest a control that could
C. The prototyping model
be used to determine whether a credit card transaction
D. Incremental development
is legitimate or potentially from a stolen credit card.
Which of the following would be the best tool for this
37. You have been assigned as an auditor to a new
need?
software project. The team members are currently
A. Decision support systems
defining user needs and then mapping how the
B. Expert systems
proposed solution meets the need. At what phase of
C. Intrusion-prevention systems
the SDLC are they?
D. Data-mining techniques
A. Feasibility
B. Requirements
41. You have been asked to suggest a control that can
C. Design
be used to verify that batch data is complete and was
D. Development
transferred accurately between two applications.
What should you suggest?
38. Which of the following is not a valid output control?
A. A control total
A. Logging
B. Check digit
B. Batch controls
C. Completeness check
C. Security signatures
D. Limit check
D. Report distribution
42. Which of the following types of programming
39. The following question references Figure E.3. Item
language is used to develop decision support systems?
A refers to which of the following?
A. 2GL
A. Foreign key
B. 3GL
B. Tuple
C. 4GL
C. Attribute
D. 5GL
D. Primary key
Figure E.3.
43. You have been asked to work with a new project
[View full size image]
manager. The project team has just started work on the
payback analysis. Which of the following is the best
answer to identify the phase of the system
development lifecycle of the project?
A. Feasibility
B. Requirements
C. Design
D. Development

44. In many ways, IS operations is a service


organization because it provides services to its users.
As such, how should an auditor recommend that the percentage of help-desk or response calls answered within a given time be measured?
A. Uptime agreements
B. Time service factor
C. Abandon rate
D. First call resolution

45. What is the correct term for items that can occur without human interaction?
A. Lights out
B. Automated processing
C. “Follow the sun” operations
D. Autopilot operations

46. Which of the following is an example of a 2GL language?
A. SQL
B. Assembly
C. FORTRAN
D. Prolog

47. When discussing web services, which of the following best describes a proxy server?
A. Reduces load for the client system
B. Improves direct access to the Internet
C. Provides an interface to access the private domain
D. Provides high-level security services

48. Regarding cohesion and coupling, which is best?
A. High cohesion, high coupling
B. High cohesion, low coupling
C. Low cohesion, low coupling
D. Low cohesion, high coupling

49. Bluetooth class 1 meets which of the following specifications?
A. Up to 5 m of range and .5 mW of power
B. Up to 10 m of range and 1 mW of power
C. Up to 20 m of range and 2.5 mW of power
D. Up to 100 m of range and 100 mW of power

50. When discussing electronic data interchange (EDI), which of the following terms best describes the device that transmits and receives electronic documents between trading partners?
A. Value Added Network (VAN)
B. X12
C. Communications handler
D. Electronic Data Interchange for Administration, Commerce and Transport (EDIFACT)

51. Which type of network is used to connect multiple servers to a centralized pool of disk storage?
A. PAN
B. LAN
C. SAN
D. MAN

52. The following question references Figure E.4. Item C refers to which of the following?
A. Foreign key
B. Tuple
C. Attribute
D. Primary key
Figure E.4.

53. Which layer of the OSI model is responsible for packet routing?
A. Application
B. Transport
C. Session
D. Network

54. Which of the following types of testing is usually performed at the implementation phase, when the project staff is satisfied with all other tests and the application is ready to be deployed?
A. Final acceptance testing
B. System testing
C. Interface testing
D. Unit testing

55. Which of the following devices can be on the edge of networks for basic packet filtering?
A. Bridge
B. Switch
C. Router
D. VLAN

56. MAC addresses are most closely associated with which layer of the OSI model?
A. Data link
B. Network
C. Session
D. Physical
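Questions 55 and 68 touch on packet filtering at the network edge and on how an auditor verifies firewall settings. The following is an added example, not part of the book's question set: a first-match stateless packet filter in Python, together with a rule-shadowing check of the kind an auditor can run over an exported ruleset when reviewing the configuration rather than interviewing the administrator. The rule syntax, the addresses and the three-rule sample ruleset are constructed for this example and do not follow any vendor's configuration format.

```python
# Added example: first-match stateless packet filter plus a shadowed-rule
# audit. Rule syntax, addresses and the sample ruleset are constructed for
# the example; they are not taken from any vendor's configuration format.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return _covers(self.src, pkt.src) and _covers(self.dst, pkt.dst)


def _covers(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _cidr_covers_cidr(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match means implicit deny (index None)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    matches every packet they would match. A permit placed after a broader
    deny is the classic version of this misconfiguration."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            proto_ok = earlier.proto == "any" or earlier.proto == later.proto
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if (proto_ok and port_ok
                    and _cidr_covers_cidr(earlier.src, later.src)
                    and _cidr_covers_cidr(earlier.dst, later.dst)):
                out.append(j)
                break
    return out


# Constructed ruleset: the public web server is reachable, the internal
# 10/8 space is blocked from outside, and an SSH permit was appended
# after the broad deny, so it is dead.
RULES = [
    Rule("permit", "any", "203.0.113.10/32", "tcp", 443),
    Rule("deny", "any", "10.0.0.0/8"),
    Rule("permit", "198.51.100.0/24", "10.0.5.20/32", "tcp", 22),
]

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.9", "10.0.5.20", "tcp", 22)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed rule indexes:", shadowed_rules(RULES))
```

The shadowing check is deliberately conservative: it reports a rule only when one earlier rule covers it completely, so it produces no false positives, but it will not detect a rule that is masked by the union of several earlier rules.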
57. The IP address of 128.12.3.15 is considered to be which of the following?
A. Class A
B. Class B
C. Class C
D. Class D

58. Which of the following statements is most correct? RIP is considered...
A. A routing protocol
B. A routable protocol
C. A distance-vector routing protocol
D. A link-state routing protocol

59. Which of the following test types is used after a change to verify that inputs and outputs are correct?
A. Regression testing
B. System testing
C. Interface testing
D. Pilot testing

60. Which of the following is an example of a 5GL language?
A. SQL
B. Assembly
C. FORTRAN
D. Prolog

61. Which of the following types of network topologies is hard to expand, with one break possibly disabling the entire segment?
A. Bus
B. Star
C. Token Ring
D. Mesh

62. What is the most important reason to use plenum-grade cable?
A. Increased network security
B. Less attenuation
C. Less cross-talk
D. Fire-retardant coating

63. Which of the following copper cable network configurations is considered the most secure from eavesdropping or interception?
A. A switched VLAN using multimode fiber cable
B. A Token Ring network using Cat 5 cabling
C. A switched network that uses Cat 5e shielded cable
D. A bus network using 10BASE2 cabling

64. Which of the following is an iterative development method in which repetitions are referred to as sprints and typically last 30 days?
A. Scrum
B. Extreme programming
C. RAD
D. Spiral

65. Which type of database is shown in Figure E.5?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.5.

66. As a new auditor, you have been asked to review network operations. Which of the following weaknesses should you consider the most serious?
A. Data files can be amended or changed by supervisors.
B. Data files can be lost during power outages because of poor backup.
C. Sensitive data files can be read by managers.
D. Copies of confidential reports can be printed by anyone.

67. Which of the following is the best example of a control mechanism to be used to control component failure or errors?
A. Redundant WAN links
B. Just a Bunch of Disks/Drives (JBOD)
C. RAID 0
D. RAID 1

68. Which of the following is the best technique for an auditor to verify firewall settings?
A. Interview the network administrator
B. Review the firewall configuration
C. Review the firewall log for recent attacks
D. Review the firewall procedure

69. Which of the following is not a circuit-switching technology?
A. DSL
B. POTS
C. T1
D. ATM

70. Which of the following uses a process to standardize code modules to allow for cross-platform operation and program integration?
A. Component-based development (CBD)
B. Web-based application development (WBAD)
C. Object-oriented systems development (OOSD)
D. Data-oriented system development (DOSD)

71. Data warehouses are used to store historic data of an organization. As such, which of the following is the most accurate way to describe data warehouses?
A. Subject-oriented
B. Object-oriented
C. Access-oriented
D. Control-oriented

72. Which of the following access-control models allows the user to control access?
A. Mandatory access control (MAC)
B. Discretionary access control (DAC)
C. Role-based access control (RBAC)
D. Access control list (ACL)

73. While auditing the identification and authentication system, you want to discuss the best method you reviewed. Which of the following is considered the strongest?
A. Passwords
B. Tokens
C. Two-factor authentication
D. Biometrics

74. If asked to explain the equal error rate (EER) to another auditor, what would you say?
A. The EER is used to determine the clipping level used for password lockout.
B. The EER is a measurement that indicates the point at which FRR equals FAR.
C. The EER is a rating used for password tokens.
D. The EER is a rating used to measure the percentage of biometric users who are allowed access and who are not authorized users.

75. You have been asked to head up the audit of a business application system. What is one of the first tasks you should perform?
A. Interview users
B. Review process flowcharts
C. Evaluate controls
D. Determine critical areas

76. Closed-circuit TV (CCTV) systems are considered what type of control?
A. Corrective
B. Detective
C. Preventive
D. Delayed

77. According to ISACA, the second step in the business continuity planning (BCP) process is which of the following?
A. Project management and initiation
B. Plan design and development
C. Recovery strategy
D. Business impact analysis

78. You have been asked to review the documentation for a planned database. Which type of database is represented by Figure E.6?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.6.

79. Which of the following issues ticket-granting tickets?
A. The Kerberos authentication service
B. The RADIUS authentication service
C. The Kerberos ticket-granting service
D. The RADIUS ticket-granting service

80. Which of the following is the most important corrective control that an organization has the capability to shape?
A. Audit plan
B. Security assessment
C. Business continuity plan
D. Network topology

81. Which one of the following is not considered an application system testing technique?
A. Snapshots
B. Mapping
C. Integrated test facilities
D. Base case system evaluation

82. Which of the following statements regarding recovery is correct?
A. The greater the recovery point objective (RPO), the more tolerant the process is to interruption.
B. The less the recovery time objective (RTO), the longer the process can take to be restored.
C. The less the RPO, the more tolerant the process is to interruption.
D. The greater the RTO, the less time the process can take to be restored.

83. Which of the following best defines the service delivery objective (SDO)?
A. Defines the maximum amount of time the organization can provide services at the alternate site
B. Defines the level of service provided by alternate processes
C. Defines the time that systems can be offline before causing damage
D. Defines how long the process can take to be restored

84. During which step of the business continuity planning (BCP) process is a risk assessment performed?
A. Project management and initiation
B. Plan design and development
C. Recovery strategy
D. Business impact analysis

85. When auditing security for a data center, the auditor should look for which of the following as the best example of long-term power protection?
A. Standby generator
B. Uninterrupted power supply
C. Surge protector
D. Filtered power supply

86. Which of the following would be considered the most complex continuous audit technique?
A. Continuous and intermittent simulation (CIS)
B. Snapshots
C. Audit hooks
D. Integrated test facilities

87. Which of the following is not a replacement for Halon?
A. FM-200
B. NAF-S-3
C. FM-100
D. Argon

88. When discussing biometrics, what do Type 1 errors measure?
A. The point at which the false rejection rate (FRR) equals the false acceptance rate (FAR)
B. The accuracy of the biometric system
C. The percentage of illegitimate users who are given access
D. The percentage of legitimate users who are denied access

89. Class A fires are comprised of which of the following?
A. Electronic equipment
B. Paper
C. Oil
D. Metal

90. You are performing an audit of an organization’s physical security controls, specifically, emergency controls. When doors that use relays or electric locks are said to fail soft, what does that mean?
A. Locks of this type fail open.
B. Locks of this type are easy to pick.
C. Locks of this type fail closed.
D. Locks of this type are hard to pick.

91. Which type of database is represented by Figure E.7?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.7.

92. Systems control audit review file and embedded audit modules (SCARF/EAM) is an example of which of the following?
A. Output controls
B. Continuous online auditing
C. Input controls
D. Processing controls

93. Which type of access rights control model is widely used by the DoD, NSA, CIA, and FBI?
A. MAC
B. DAC
C. RBAC
D. ACL

94. Why is the protection of processing integrity important?
A. To maintain availability to users so they have the availability to copy and use data without delay
B. To protect data from unauthorized access while in transit
C. To prevent output controls from becoming tainted
D. To maintain data encryption on portable devices so that data can be relocated to another facility while being encrypted

95. A privacy impact analysis (PIA) is tied to several items. Which of the following is not one of those items?
A. Technology
B. Processes
C. People
D. Documents

96. Which of the following is ultimately responsible for the security practices of the organization?
A. Security advisory group
B. Chief security officer
C. Executive management
D. Security auditor

97. Which of the following guarantees that all foreign keys reference existing primary keys?
A. Relational integrity
B. Referential integrity
C. Entity integrity
D. Tracing and tagging

98. Which of the following would a company extend to allow network access to a business partner?
A. Internet
B. Intranet
C. Extranet
D. VLAN

99. What term is used to describe the delay that information will experience from the source to the destination?
A. Echo
B. Latency
C. Delay
D. Congestion

100. You have been asked to describe what security feature can be found in the wireless standard 802.11a. How will you respond?
A. Wi-Fi Protected Access (WPA)
B. Wired Equivalent Privacy (WEP)
C. Temporal Key Integrity Protocol (TKIP)
D. Wi-Fi Protected Access 2 (WPA2)

101. Which of the following is not a packet-switching technology?
A. X.25
B. ISDN
C. Frame Relay
D. ATM

102. Transport-layer security (TLS) can best be described as being found between which two layers of the OSI model?
A. Layers 2 and 3
B. Layers 3 and 4
C. Layers 4 and 5
D. Layers 5 and 6

103. Which of the following descriptions highlights the importance of domain name service (DNS)?
A. Address of a domain server
B. Resolves fully qualified domain names to IP addresses
C. Resolves known IP address for unknown Internet addresses
D. Resolves IP and MAC addresses needed for delivery of Internet data

104. Using Figure E.8 as a reference, which of the following best describes a 10BASE5 network design?
A. Item A
B. Item B
C. Item C
D. Item D
Figure E.8.

105. You have been asked to describe a program that can be classified as terminal-emulation software. Which of the following would you mention?
A. Telnet
B. FTP
C. SNMP
D. SMTP

106. Which of the following services operates on ports 20 and 21?
A. Telnet
B. FTP
C. SMTP
D. DHCP

107. Which layer of the OSI model is responsible for reliable data delivery?
A. Data link
B. Session
C. Transport
D. Network

108. An objective of the implementation phase of a newly installed system can include which of the following?
A. Conducting a certification test
B. Determining user requirements
C. Assessing the project to see if expected benefits were achieved
D. Reviewing the designed audit trails

109. Which of the following is the best example of a processing control?
A. Exception reports
B. Sequence check
C. Key verification
D. Logical relationship check

110. Which of the following devices is most closely related to the data link layer?
A. Hub
B. Repeater
C. Bridge
D. Router

111. Which of the following provide the capability to ensure the validity of data through various stages of processing?
A. Manual recalculations
B. Programming controls
C. Run-to-run totals
D. Reasonableness verification

112. You overheard the database administrator discussing normalizing some tables. What is the purpose of this activity?
A. Decrease redundancy
B. Increase redundancy
C. Decrease application malfunction
D. Increase accuracy

113. Which of the following is not included in a PERT chart?
A. The most optimistic time the task can be completed in
B. The most cost-effective scenario for the task
C. The worst-case scenario or longest time the task can take
D. The most likely time the task will be completed in

114. Verifications such as existence checks can best be described as:
A. A processing control that is considered preventive
B. A validation edit control that is considered preventive
C. A processing control that is considered detective
D. A validation edit control that is considered detective

115. Referential integrity is used to prevent which of the following?
A. Attribute errors
B. Relational errors
C. Dangling tuples
D. Integrity constraints

116. Which of the following best describes the difference between accreditation and certification?
A. Certification is initiated after the accreditation of the system to ensure that the system meets required standards.
B. Certification is initiated before accreditation to ensure that quality personnel are using the new designed systems.
C. Accreditation is issued after certification. Accreditation is a management function, while certification is a technical function.
D. Production and management might see accreditation and certification as basically one and the same.

117. You have been asked to review the organization’s planned firewall design. As such, which of the following best describes the topology shown in Figure E.9?
A. Packet filter
B. Screened subnet
C. Screened host
D. Dual-homed host
Figure E.9.

118. Which of the following database designs is considered a lattice structure because each record can have multiple parent and child records? Although this design can work well in stable environments, it can be extremely complex.
A. The hierarchical database-management systems
B. The relational database-management systems
C. The network database-management systems
D. The structured database-management systems

119. Which of the following is not used when calculating function point analysis?
A. Number of user inquiries
B. Number of files
C. Number of user inputs
D. Number of expected users

120. Which of the following is an example of an interpreted programming language?
A. FORTRAN
B. Assembly
C. Basic
D. Java

121. Which of the following is an example of a 4GL language?
A. SQL
B. Assembly
C. FORTRAN
D. Prolog

122. Which of the following databases takes the form of a parent/child structure?
A. The hierarchical database-management systems
B. The relational database-management systems
C. The network database-management systems
D. The structured database-management systems

123. You have been asked to explain rings of protection and how the concept applies to the supervisory mode of the operating system (OS). Which of the following is the best description?
A. System utilities should run in supervisor mode.
B. Supervisor state allows the execution of all instructions, including privileged instructions.
C. Supervisory mode is used to block access to the security kernel.
D. Rings are arranged in a hierarchy from least-privileged to the most-privileged, as the most trusted usually has the highest ring number.

124. You have been asked to design a control. The organization would like to limit what check numbers are used. Specifically, they would like to be able to flag a check numbered 318 if the day’s first check had the number 120 and the day’s last check was number 144. What type of validation check does the department require?
A. Limit check
B. Range check
C. Validity check
D. Sequence check

125. Which of the following descriptions best describes a delay window?
A. The time between when an event occurs and when the audit record is reviewed
B. The time between when an incident occurs and when it is addressed
C. The time between when an event occurs and when the audit record is recorded
D. The difference between a threshold and a trigger

126. You have been asked to review a console log. What type of information should you expect to find?
A. Names and passwords of system users
B. Application access and backup times
C. System errors
D. Errors from data edits

127. During a software change process, auditors might be asked to verify existing source code at some point. What is the most effective tool for auditors to compare old and new software for unreported changes?
A. Function point analysis (FPA)
B. Manual review of the software
C. Variation tools
D. Source code comparison software

128. Which of the following is not a valid processing control?
A. Authorization
B. Processing
C. Validation
D. Editing

129. Which of the following is not part of the project-management triangle?
A. Scope
B. Time
C. Resources
D. Cost

130. Using Figure E.10 as a reference, place the four recovery time objectives in their proper order.
A. Items A, B, C, D
B. Items B, C, D, A
C. Items D, A, C, B
D. Items C, B, D, A
Figure E.10.
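Questions 109, 114 and 124 distinguish the validation edit controls an application applies to its input: limit, range, validity, existence and sequence checks. The following is an added example, not part of the book's question set. It implements each check in Python and runs them over a constructed day's batch of cheque records using the numbers from question 124, so that cheque 318 is flagged by the range check while a duplicated number and a missing number are caught by the sequence check, which no per-record edit can detect. The field names and the sample records are invented for the example.

```python
# Added example: the validation edit controls behind questions 109, 114
# and 124. Field names and the sample batch are constructed for the
# example, not taken from any real system.
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, object]


def limit_check(value: float, maximum: float) -> bool:
    """Limit check: one ceiling only (e.g. nothing above the signing limit)."""
    return value <= maximum


def range_check(value: int, low: int, high: int) -> bool:
    """Range check: a lower AND an upper bound; 318 fails against 120..144."""
    return low <= value <= high


def validity_check(value: object, allowed: Iterable[object]) -> bool:
    """Validity check: the value must be one of a predefined set of codes."""
    return value in set(allowed)


def existence_check(key: object, master_keys: Iterable[object]) -> bool:
    """Existence check: a referenced key must exist in the master file."""
    return key in set(master_keys)


def sequence_check(numbers: List[int], first: int, last: int) -> Tuple[List[int], List[int]]:
    """Sequence check: every number first..last should appear exactly once.
    Returns (missing numbers, duplicated numbers)."""
    counts = Counter(numbers)
    missing = [n for n in range(first, last + 1) if counts[n] == 0]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def validate_batch(records: List[Record], first_no: int, last_no: int,
                   payee_master: Iterable[str], currencies: Iterable[str],
                   signing_limit: float) -> List[Tuple[int, str]]:
    """Apply every edit to one day's batch and return (check_no, failed edit)
    pairs. Field-level edits run per record; the sequence edit runs over the
    in-range numbers as a whole, because a gap or a duplicate is a property
    of the batch, not of any single record."""
    findings: List[Tuple[int, str]] = []
    payees = set(payee_master)
    codes = set(currencies)
    for r in records:
        no = int(r["check_no"])
        if not range_check(no, first_no, last_no):
            findings.append((no, "range"))
        if not limit_check(float(r["amount"]), signing_limit):
            findings.append((no, "limit"))
        if not validity_check(r["currency"], codes):
            findings.append((no, "validity"))
        if not existence_check(r["payee_id"], payees):
            findings.append((no, "existence"))
    in_range = [int(r["check_no"]) for r in records
                if range_check(int(r["check_no"]), first_no, last_no)]
    missing, duplicates = sequence_check(in_range, first_no, last_no)
    findings += [(n, "sequence-gap") for n in missing]
    findings += [(n, "sequence-duplicate") for n in duplicates]
    return sorted(findings)


def build_sample_batch() -> List[Record]:
    """Constructed batch: cheques 120..144 were issued, 131 was never
    recorded, 127 was recorded twice, stray cheque 318 appears, and three
    records carry bad field values."""
    numbers = [n for n in range(120, 145) if n != 131] + [127, 318]
    batch: List[Record] = [
        {"check_no": n, "amount": 250.0, "currency": "USD", "payee_id": "P001"}
        for n in numbers
    ]
    for r in batch:
        if r["check_no"] == 122:
            r["currency"] = "XYZ"        # not a valid currency code
        if r["check_no"] == 133:
            r["payee_id"] = "P999"       # payee missing from the master file
        if r["check_no"] == 140:
            r["amount"] = 12000.0        # above the signing limit
    return batch


if __name__ == "__main__":
    for finding in validate_batch(build_sample_batch(), 120, 144,
                                  {"P001", "P002"}, {"USD", "EUR"}, 10000.0):
        print(finding)
```

All five edits here reject or flag input before it is processed, which is why the book classifies them as preventive validation edit controls rather than detective processing controls.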
131. When dealing with project-management issues, which of the following is ultimately responsible and must ensure that stakeholders’ needs are met?
A. Stakeholders
B. Project steering committee
C. Project manager
D. Quality assurance

132. Projects must take on an organizational form. These organizational forms or frameworks can be either loosely structured or very rigid. Which project form matches the description “The project manager has no real authority, and the functional manager remains in charge”?
A. Weak matrix
B. Pure project
C. Balanced matrix
D. Influence

133. Which of the following is the best description of the Constructive Cost Model (COCOMO)?
A. COCOMO is a model that forecasts the cost and schedule of software development, including the number of persons and months required for the development.
B. COCOMO is a model that forecasts network costs associated with hardware, the physical medium, and trained personnel.
C. COCOMO is a forecast model that estimates the time involved in producing a product and shipping to the end user.
D. COCOMO is a model that forecasts the construction of additional companies associated with organizational growth.

134. Which of the following software-estimating methods does not work as well in modern development programs because additional factors that are not considered will affect the overall cost?
A. Facilitated Risk Assessment Process (FRAP)
B. Gantt
C. Function point analysis (FPA)
D. Source lines of code (SLOC)

135. Which of the following is the best example of a quantitative risk assessment technique?
A. The Delphi technique
B. Facilitated risk-assessment process
C. Actuarial tables
D. Risk rating of high, medium, or low
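Questions 52, 97 and 115 rest on the same idea: a foreign key must reference an existing primary key, and referential integrity is the constraint that prevents dangling tuples. The following is an added example, not part of the book's question set. It uses Python's bundled sqlite3 module to show the constraint rejecting an orphan insert and a parent delete when enforcement is on, and an audit query that finds the dangling tuples that appear when it is off. The table and column names and the rows are constructed for the example.

```python
# Added example: primary key / foreign key relationship (question 52),
# referential integrity (question 97) and the dangling tuples it prevents
# (question 115), using Python's bundled sqlite3 module. Table names,
# columns and rows are constructed for the example.
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,           -- primary key: entity integrity
    name    TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL
            REFERENCES department(dept_id) -- foreign key: referential integrity
);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    """In-memory database. SQLite only enforces declared foreign keys when
    PRAGMA foreign_keys is ON, so the flag models a DBMS with and without
    referential integrity enforcement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(10, "Audit"), (20, "IT")])
    conn.commit()
    return conn


def insert_employee(conn: sqlite3.Connection, emp_id: int, name: str, dept_id: int) -> bool:
    """True if the row was accepted, False if the foreign key rejected it."""
    try:
        conn.execute("INSERT INTO employee VALUES (?, ?, ?)", (emp_id, name, dept_id))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def delete_department(conn: sqlite3.Connection, dept_id: int) -> bool:
    """True if the parent row was deleted, False if children still reference it."""
    try:
        conn.execute("DELETE FROM department WHERE dept_id = ?", (dept_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def dangling_tuples(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """Audit query an IS auditor can run against any DBMS: child rows whose
    foreign key matches no parent. With enforcement on, this must be empty."""
    return conn.execute("""
        SELECT e.emp_id, e.dept_id
        FROM employee AS e
        LEFT JOIN department AS d ON d.dept_id = e.dept_id
        WHERE d.dept_id IS NULL
        ORDER BY e.emp_id
    """).fetchall()


def demo(enforce_fk: bool):
    """Returns (insert results, delete result, dangling rows) for one run."""
    conn = open_db(enforce_fk)
    inserts = [insert_employee(conn, 1, "Ana", 10),   # valid parent
               insert_employee(conn, 2, "Bo", 99)]    # department 99 does not exist
    deleted = delete_department(conn, 10)             # Ana still references 10
    return inserts, deleted, dangling_tuples(conn)


if __name__ == "__main__":
    print("enforced:    ", demo(True))
    print("not enforced:", demo(False))
```

The second run shows both ways a dangling tuple arises: a child inserted with a key that never existed, and a child whose parent was deleted afterwards. A declared constraint that the DBMS is not configured to enforce is a finding in its own right, and the LEFT JOIN query is the evidence the auditor collects.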