CISA Study Guide Exam 427 Questions with Verified Answers,100% CORRECT

CISA Study Guide Exam 427 Questions with Verified Answers Most important step in risk analysis is to identify a. Competitors b. controls c. vulnerabilities d. liabilities - CORRECT ANSWER c. vulnerabilities In a risk based audit planning, an IS auditor's first step is to identify: a. responsibilities of stakeholders b. high-risk areas within the organization c. cost centre d. profit centre - CORRECT ANSWER b. high-risk areas within the organization When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: a. segregation of duties to mitigate risks is in place b. all the relevant vulnerabilities and threats are identified c. regularity compliance is adhered to d. business is profitable - CORRECT ANSWER b. all the relevant vulnerabilities and threats are identified IS auditor identified certain threats and vulnerabilities in a business process. Next, an IS auditor should: a. identify stakeholder for that business process b. identifies information. assets and the underlying systems c. discloses the threats and impacts to management d. identifies and evaluates the existing controls - CORRECT ANSWER d. identifies and evaluates the existing controls Major advantaged of risk based approach for audit planning is: a. Audit planning can be communicated to client in advance b. Audit activity can be completed within allotted budget c. use of latest technology for audit activities d. Appropriate utilisation of resources for high risk areas - CORRECT ANSWER d. Appropriate utilisation of resources for high risk areas While determining the appropriate level of protection for an information asset an IS auditor should primarily focus on: a. Criticality of information assets b. cost of information assets c. Owner of information asset d. result of vulnerability assessment - CORRECT ANSWER a. Criticality of information assets The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? a. Inherent b. Detection c. Control d. Business - CORRECT ANSWER b. Detection The risk of an IS auditor certifying existence of proper system and procedures without using an inadequate test procedure is an example of: a. internet risk b. control risk c. detection risk d. audit risk - CORRECT ANSWER c. Detection risk Overall business risk for a particular threat can be expressed as: a. a product of the probability. and impact b. probability of occurrence c. magnitude of impact d. assumption of the risk assessment team - CORRECT ANSWER a. a product of the probability. and impact An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review: a. the controls already in place b. the effectiveness of the controls in place c. mechanism for monitoring the risks related to the assets d. the threats/vulnerabilities affecting the assets - CORRECT ANSWER d. the threats/vulnerabilities affecting the assets An IS auditor is reviewing data centre security review. Which of the following steps would an IS auditor normally perform FIRST: a. evaluate physical access controls b. determine the risks/threats to the data centre site c. review screening process for hiring security staff d. evaluate logical access control - CORRECT ANSWER b. determine the risks/threats to the data centre site Risk Assessment approach is more suitable when determining the appropriate level of protection for an information asset because it ensures: a. all information assets are protected b. a basic level of protection is applied regardless of assets value c. appropriate levels of protection are applied to information assets d. only most sensitive information assets are protected - CORRECT ANSWER c. appropriate levels of protection are applied to information assets In a risk-based audit approach, an IS auditor should FIRST complete a(n): a. inherent risk assessment b. control risk assessment c. test of control assessment d. substantive test assessment - CORRECT ANSWER a. inherent risk assessment In planning an audit, the MOST critical step is the identification of the: a. areas of high risk b. skill sets of the audit staff c. test steps in the audit d. time allotted for the audit - CORRECT ANSWER a. areas of high risk Risk assessment process is: a. subjective b. objective c. mathematical d. statistical - CORRECT ANSWER a. subjective The result of risk management process is used for: a. forecasting profit b. post implementation review c. designing controls d. user acceptance testing - CORRECT ANSWER c. designing controls Managing the risk up to acceptable level is tithe responsibility of: a. risk management team b. senior business management c. the chief information officer d. the chief security officer - CORRECT ANSWER b. senior business management Evaluation of IT risks can be done by: a. finding threats/vulnerabilities associated with current IT assets b. trend analysis on the basis of past year losses c. industry benchmark d. reviewing IT control weaknesses identified in audit reports - CORRECT ANSWER a. finding threats/vulnerabilities associated with current IT assets An IS auditor is reviewing payroll application. He identified some vulnerability in the system. What would be the next task? a. Report the vulnerabilities to the management immediately b. examine application development process c. identify threats and likelihood of occurrence d. recommend for new application - CORRECT ANSWER c. identify threats and likelihood of occurrence Absence of proper security measures represents a (n): a. threat b. asset c. impact d. vulnerability - CORRECT ANSWER d. vulnerability IS auditor is developing a risk management program, the FIRST activity to be performed is a(n): a. vulnerability assessment b. evaluation of control c. identification of assets d. gap analysis - CORRECT ANSWER c. identification of assets Benefit of development of organizational policies buy bottom-up approach is that they: a. covers whole organization b. is derived as a result of risk assessment c. will be in line with overall corporate policy d. ensures consistency across the organization - CORRECT ANSWER b. is derived as a result of risk assessment Risk can be mitigated by: a. implementing controls b. insurance d. audit and certification d. contracts and service level agreements (SLAs) - CORRECT ANSWER a. implementing controls (security and control practices) Most important factor while evaluating controls is to ensure that the controls: a. addresses the risk b. does not reduce productivity c. is less costly than risk d. is automotive - CORRECT ANSWER a. addresses the risk The susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls: a. inherent risk b. control risk c. detection risk d. correction risk - CORRECT ANSWER a. inherent risk The risk that the controls put in place will not prevent, correct, for detect errors on a timely basis a. inherent risk b. control risk c. detection risk d. correction risk - CORRECT ANSWER b. control risk Which of the following factors an IS auditor should primarily consider when determining the acceptable level of risk: a. risk acceptance is the responsibility of senior management b. all risks do not need to be eliminated for a business to be profittable c. risks must be identified and documented in order to perform proper analysis on them d. line management should be involved in the risk analysis because management sees risks daily that others would not recognize - CORRECT ANSWER c. risks must be identified and documented in order to perform proper analysis on them An audit charter should state management's objectives for and delegation of authority to IS audit and MUST be: a. approved by the top management approved by Chief Audit Officer c. approved bye IS department d. approved by IT steering committee - CORRECT ANSWER a. approved by the top management The audit chapter should be approved by the highest level of management and should: a. is updated often to upgrade with the changing nature of technology and the audit profession b. include audit calendar along with resource allocation c. include plan of action in case of disruption of business services d. outlines the overall authority, scope, and responsibilities of the audit function - CORRECT ANSWER d. outlines the overall authority, scope, and responsibilities of the audit function Primary purpose of an audit chapter is two: a. describe audit procedure b. define resource requirement for audit department c. prescribe the code of ethics used by the auditor d. to prescribe authority and responsibilities of audit department - CORRECT ANSWER d. to prescribe authority and responsibilities of audit department The document used buy the top management of organizations too delegate authority to the IS audit function is tthe : a. audit calendar b. audit charter c. risks register d. audit compendium - CORRECT ANSWER b. audit charter An IS auditor reviews an organization chart PRIMARILY for: a. getting information about data-flow b. to assess number of employees in each department c. understanding the responsibilities and authority of individuals d. to assess number of laptops/desktops in each department - CORRECT ANSWER c. understanding the responsibilities and authority of individuals Ina risk-based audit approach, an IS auditor, in addition two risk, would be influences PRIMARILY by: a. the audit charter b. management's representation c. organizational structure d. no. of outsourcing contracts - CORRECT ANSWER a. the audit charter The result of risk management process is used for making: a. business strategy plans b. audit charters c. security policy decisions d. decisions related to outsourcing - CORRECT ANSWER c. security policy decisions Audit charter should include: a. yearly audit resource planning b. audit function's reporting structure c. audit report drafting guidelines d. yearly audit calendar - CORRECT ANSWER b. audit function's reporting structure The authority, scope, and responsibility of the Information System Audit function is: a. defined by the audit charter approved by the senior management/ Board b. defined by the I.T. Head of the organizations, as the expert in the matter c. defined by the various functional divisions, depending upon criticality d. generated by the Audit division of the organizations - CORRECT ANSWER a. defined by the audit charter approved by the senior management/ Board The prime objective of Audit Charter is to govern: a. IS function b. External Auditor C. Internal Audit Function D. Finance Function - CORRECT ANSWER C. Internal Audit Function IS auditor is reviewing the internal control of an application software. the sampling method that will be MOST useful when testing for compliance is: a. attribute sampling b. variable sampling c. random sampling d. judgmental sampling - CORRECT ANSWER a. attribute sampling Test tot determine whether last 50 new user requisitions were correctly processed is an example of: a. discovery sampling b. substantive testing c. compliance testing d. stop-or-go sampling - CORRECT ANSWER c. compliance testing Which of the following is a substantive test? a. reviewing compliance with firewall policy b. reviewing adherence to change management policy c. using a statistical sample to inventory the tape library d. reviewing password history reports - CORRECT ANSWER c. using a statistical sample to inventory the tape library Major difference between compliance testing and substantive testing is that compliance testing tests: a. details, while substantive testing tests controls b. controls, while substantive testing tests details c. financial statements, while substantive testing tests items in trial balance d. internal requirements, while substantive testing tests internal controls - CORRECT ANSWER b. controls, while substantive testing tests details When an IS auditor performs a test to ensure that only active users have access to a critical system, the IS auditor is performing a: a. compliance test b. substantive test c. statistical sample d. judgment sampling - CORRECT ANSWER a. compliance test IS auditors are MOST likely to reduce substantive test procedure if after compliance test they conclude that: a. substantive test would be too costly b. the control environment is poor c. inherent risk is low d. control risks are within the acceptable limits. - CORRECT ANSWER d. control risks are within the acceptable limits. Which of the following is a substantive audit test? a. versifying that a management check has been performed regularly b. observing that user IDs and passwords are required too sign on the computer c. reviewing reports listing short shipments of goods received d. reviewing an aged trial balance of accounts receivable - CORRECT ANSWER d. reviewing an aged trial balance of accounts receivable The objective of compliance tests is to ensure: a. controls are implemented as prescribed b. documentation is complete c. access to users is provided as specified d. Data validation procedures are provided - CORRECT ANSWER a. controls are implemented as prescribed An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered? a. substantive b. compliance c. integrated d. continuous audit - CORRECT ANSWER a. substantive Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same? a. a substantive test of program library controls b. a compliance test of program library controls c. a compliance test of the program compiler controls a substantive test of the program compiler controls - CORRECT ANSWER b. a compliance test of program library controls Evidence gathering to evaluate the integrity of individual transactions, data, or other information is typical of which of the following? a. substantive testing b. compliance testting c. detection testing d. control testing - CORRECT ANSWER a. substantive testing What is the difference between compliance testing and substantive testing? - CORRECT ANSWER Compliance testing involves verification of process whereas substantive testing involves verification of transactions or data What is the difference between attribute sampling and variable sampling? - CORRECT ANSWER Attribute sampling is used for compliance testing whereas variable sampling is used for substantive testing The development of substantive tests is often dependent on what? - CORRECT ANSWER dependent on the outcome of compliance tests An IS auditor is evaluating control self-assessment program in an organization, What is MAIN objective for implementing control self-assessment (CSA) program? a. tot replace audit responsibilities b. to enhance employee's capabilities c. to comply with regulatory requirements d. to concentrates on high risk area - CORRECT ANSWER d. to concentrates on high risk area An IS auditor has been asked by the management to support its CSA program. Tthe role of an IS auditor in a control self-assessment (CSA) should be that of: a. program incharge b. program manager c. program partner d. program facilitator - CORRECT ANSWER d. program facilitator For successful control self-assessment (CSA) program, it is essential to: a. design stringent control policy b. have auditors take responsibility for control monitoring c. have line managers take responsibility for control monitoring d. implement stringent control policy - CORRECT ANSWER c. have line managers take responsibility for control monitoring An IS auditor has been asked to participate in implementation of control self-assessment program. The auditor should participate primarily as a. team leader b. the auditor should not participate as it would create a potential conflict of interest c. facilitator d. project controller - CORRECT ANSWER c. facilitator An IS auditor has been asked to facilitate a control self-assessment (CSA) program. Which of the following is an objective of a CSA program? a. replacement of audit responsibilities b. enhancement of audit responsibilities c. to evaluate risk management program d. to provide audit training - CORRECT ANSWER b. enhancement of audit responsibilities Which of the following is BEST time to perform a control self-assessment involving all concerned parties? a. posts issuance of audit report b. during preliminary survey c. during compliance test d. preparation of the audit report - CORRECT ANSWER b. during preliminary survey Main objective of a control self-assessment (CSA) program is to: a. substitute audit program b. substitute risk management program c. support regulatory requirements d. enhance audit responsibilities - CORRECT ANSWER d. enhance audit responsibilities A PRIMARY advantage of control self-assessment (CSA) techniques is that: a. it ascertains high-risk areas that might need a detailed review later b. risk can be assessed independently buy IS auditors c. it replaces audit activities d. it allows management to delegate responsibility for control - CORRECT ANSWER a. it ascertains high-risk areas that might need a detailed review later IS auditor is facilitating a CSA program. Which of the following is the MOST important requirement for a successful CSA? a. ability of auditor to act as a workshop facilitator b. simplicity of the CSA programme c. frequency of CSA programme d. involvement of line managers - CORRECT ANSWER d. involvement of line managers Which of the following is an objective of a control self-assessment program? A. concentration on areas of high risk b. conducting training and workshop c. to increase risk awareness d. to replace risk management programme - CORRECT ANSWER A. concentration on areas of high risk An organization has implemented CSA programme. What is the advantage of CSA over a traditional audit? a. early identification of risk b. reduction I audit workload c. increase in cost of control d. Reduction in audit resources - CORRECT ANSWER a. early identification of risk What is the objective of control self-assessmentt? - CORRECT ANSWER the objective of control self assessment is to concentrate on areas of high risk and to enhance control monitoring by function staff What is the role of an IS auditor in a control self-assessment (CSA)? - CORRECT ANSWER In any given scenario, role of an IS auditor in a control self-assessment (CSA) should be that of facilitator What is the most important success factor for CSA? - CORRECT ANSWER Involvement of line managementt What is the purpose of CSA? - CORRECT ANSWER Is to enhance the audit responsibilities ( and not audit replacement) Use of statistical sampling will be more relevant as compared to judgement (non-statistical) sampling when: a. its is required to mitigate sampling risk b. auditor is inexperienced c. the probability of error must be objectively quantified d. it is required too mitigate audit risk - CORRECT ANSWER c. the probability of error must be objectively quantified Statistical sampling reduces which of the following risk? a. audit risk b. detection risk c. inherent risk d. sampling risk - CORRECT ANSWER b. detection risk IS auditor is reviewing the internal control of application software. the sampling method that will be MOST useful when testing for compliance is: a. attribute sampling b. variable sampling c. discovery sampling d. stop or go sampling - CORRECT ANSWER a. attribute sampling With regard to confidence correlation, it can be said that: a. small sample size will give high confidence correlation b. if an auditor knows internal controls are strong, the confidence coefficient may be lowered c. small confidence correlation will result into high sample size d. if an auditor knows internal controls are strong, the confidence coefficient may be increased - CORRECT ANSWER b. if an auditor knows internal controls are strong, the confidence coefficient may be lowered Test to determine whether last 50 new user requisitions were correctly processed is an example oof: a. discovery sampling b. substantive testing c. compliance testing d. stop-or- go sampling - CORRECT ANSWER c. compliance testing IS auditor reviewing a critical financial application is concerned about fraud. Which of the following sampling methods would BEST assist the auditors? a. attribute sampling b. variable sampling c. discovery sampling d. stop or goo sampling - CORRECT ANSWER c. discovery sampling Which of he following sampling methods would be the most effective to determine whether access rights to staffs have been authorized as per the authorization matriculates? a. stratified mean per unit b. attribute sampling c. discovery sampling d. stop and go sampling - CORRECT ANSWER b. attribute sampling An IS auditor is determine the appropriate sample size for testing the effectiveness of change management process. No deviation noted in last 2 years audit review and management has assured no deviation I the process for the period under review. Auditor can adopt a: a. higher confidence coefficient resulting in a smaller sample size b. lower confidence coefficient resulting in a higher sample size c. high confidence coefficient resulting in a higher sample size d. lower confidence coefficient resulting in a lower sample size - CORRECT ANSWER d. lower confidence coefficient resulting in a lower sample size Statistical samples is used when? - CORRECT ANSWER Used when the probability of error must be objectively quantified Following samplings are best suitable for compliance and substantive testing - CORRECT ANSWER Compliance testing -- Attribute sampling Substantive tesing - variable sampling What is the best sampling technique where fraud is being suspected? - CORRECT ANSWER Discovery sampling A higher confidence coefficient will result tin the use of a ________ sample size. - CORRECT ANSWER Larger high sample size will give higher confidence coefficient When internal controls are strong, confidence coefficient/ sample size may be _____________. - CORRECT ANSWER Lowered Statistical sampling minimizes what? - CORRECT ANSWER Detection risk Which of the following clauses in outsourcing contract help MOST to improve service level and minimize the costs? a. use of latest O/S and hardware b. gain- sharing performance bonuses c. penalties for noncompliance d. training to outsourced staff - CORRECT ANSWER b. gain- sharing performance bonuses An organization has outsourced some of its IS processes. What is the MOST important function to be performed by IS management in such scenario? a. ensuring that outsourcing charges are paid as per SLA b. Training to staffs of outsourced vendors c. Levy of penalty for non-compliances d. monitoring the outsourcing provider's performance - CORRECT ANSWER d. monitoring the outsourcing provider's performance IS auditor observed that outsourcing vendors have been appointed without formal written agreements? the IS auditor should recommend that management: a. obtains independent assurance of the third-party service providers b. sets up a process for monitoring the service delivery of the third party c. ensures that formal contracts are in place d. appointment of outsourcing vendors too be revoked - CORRECT ANSWER c. ensures that formal contracts are in place An organization has outsourced IT support service. A probable advantage of outsourcing is that: a. reliance can be placed on expertise of outsourcing vendors b. more control can be exercised over IT processing c. organization can transfer their accountability in terms of privacy laws d. employee satisfaction may increases - CORRECT ANSWER a. reliance can be placed on expertise of outsourcing vendors An organization has outsourced designing of IT security policy. Which of the following function cannot be outsourced? a. accountability for the IT security policy b. benchmarking security policy with other organization In industry c. implementing the IT security policy d. user awareness for ITTT security policy - CORRECT ANSWER a. accountability for the IT security policy An organization has outsourced IT support service to a provider in another country. Which of the following conclusions should be the main concern of the IS auditor? a. legal jurisdiction can be questioned b. increase in overall cost c. delay in providing service due to time difference d. difficult to monitor performance of outsourced vendor duet to geographical distance - CORRECT ANSWER a. legal jurisdiction can be questioned An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: Select an answer: A. types of hardware B. software configuration C. ownership of intellectual property. D. employee training policy - CORRECT ANSWER c. ownership of intellectual property. An organization has outsourced data operations service to a provider in another country. Which of the following conclusions should be the main concern of the IS auditor? a. communication issues dur to geographical differences b. scope creep due to cross-border differences in project implementation c. privacy laws could prevent cross-border flow of information d. dissatisfaction of in0house IT team - CORRECT ANSWER c. privacy laws could prevent cross-border flow of information An IS auditor is reviewing request for proposal (RFP) floated by IT department to procure services from independent service provider. inclusion of which of the below clause is MOST important while floating such RFP? a. details about Maintenance plan b. details about Proof of Concept (POC) c. references from other customers d. details about BCP - CORRECT ANSWER c. references from other customers An organization has outsourced IT support service to an independent service provider. Which of the following clause would be the best to define in the SLA to control performance of service provider? a. total number of user to be supported b. minimum percentage of incidents solved in the first call c. minimum percentage fo incidents reported to the help desk d. minimum percentage of agents answering the phones - CORRECT ANSWER b. minimum percentage of incidents solved in the first call An organization is in process of entering into agreement with outsourced vendor. Which of the following should occur FIRST? a. deciding periodicity of contract b. approval from compliance team c. decide the level of penalties d. draft the service level requirements - CORRECT ANSWER d. draft the service level requirements Which of the following document will serve the purpose for vendor performance review buy an IS auditor? a. market feedback of the vendor b. service level agreement (SLA) c. penalty levied reports d. performance report submitted by vendor - CORRECT ANSWER b. service level agreement (SLA) An Is auditor has been asked to recommend effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control? a. penalty clause in service level agreement (SLA) b. User accounts are created as per defined role (least privilege) with expiration dates dc. dull access is provided for a limited period d. vendor management to be given right to delete ids when work is completed - CORRECT ANSWER b. User accounts are created as per defined role (least privilege) with expiration dates Which of the following is the greatest concern in reviewing system development approach? a. user manages acceptance testing b. a quality plan is not part of the contracted deliverables c. application will be rolled out in 3 phases d. compliance with business requirements are done through prototyping - CORRECT ANSWER b. a quality plan is not part of the contracted deliverables An IS auditor is reviewing process of acquisition of application software. Which of the following is MOST important consideration? a. documented operating procedure to be available b. a backup server be loaded with all the relevant software data c. training to staff d. escrow arrangement for source code - CORRECT ANSWER d. escrow arrangement for source code What for the clauses that are a must in any outsourcing contracts from IS auditor point of view: - CORRECT ANSWER - clause with respect to 'Right to Audit' - clause with respect to ownership of intellectual property rights - clause with respect to data confidentiality and privacy - clause with respect to BCP and DRP What are two main advantages of outsourcing in their preferential order are: - CORRECT ANSWER 1. expert service can be obtained from outside (so organization can concentrate on its core business) 2. cost saving True or false? No organization can outsourced or transfer its accountability even if any process has been outsourced, final accountabilities lies with the organization - CORRECT ANSWER True What will be the main concern of IS auditor if service provider is in other country? - CORRECT ANSWER Main concern will be legal jurisdiction What will be the main concern of IS auditor If there is an absence of proper clarification on legal jurisdiction? - CORRECT ANSWER it can have compliance and legal issues Which of the following is the role of IT Steering Committee? a. advise board on IT strategy b. Approve and monitor funds for IT strategy c. scheduling meetings d. monitoring of outsourcing agreements - CORRECT ANSWER b. Approve and monitor funds for IT strategy Which of the following authority is responsible for monitoring the overall project, achievement of milestones and alignment of project with business requirements? a. user management b. IT steering committee c. IT strategy committee d. System development management - CORRECT ANSWER b. IT steering committee Which of the following sit he role of IT steering committee? a. Issuance of Purchase Order (PO) to empaneled vendor b. providing hardware support c. prioritization of IT projects as per business requirement d. advises board on IT strategy - CORRECT ANSWER c. prioritization of IT projects as per business requirement Tthe chairperson for steering committee who can have significant impact on a business area would be the : a. board member b. executive level officer c. chief information officer (CIO) d. Business analyst - CORRECT ANSWER b. executive level officer An IS steering committee should constitute of: a. board members b. user management c. key executives and representatives from user management d. members from IT dept. - CORRECT ANSWER c. key executives and representatives from user management Which of the following is a PRIME role of an IT steering committee? a. IT support tot user management b. monitoring IT proprieties and milestones c. monitoring IT vendors d. advise board members about new projects - CORRECT ANSWER b. monitoring IT proprieties and milestones An IT steering committee should review the IT process to determine: a. alignment of IT processes with business requirement b. capacity management c. functionality of existing software d. stability of installed technology - CORRECT ANSWER a. alignment of IT processes with business requirement Which of the following is a function of an IS steering committee? a. monitoring change management and control testing b. monitoring role conflict assessment c. approving and monitoring major projects, the sautés of IS plans and budgets d. monitoring service level agreements with third party vendors. - CORRECT ANSWER c. approving and monitoring major projects, the sautés of IS plans and budgets IS department is in process of floating the request for proposal (RFP) for the acquisition of an application system. Who would MOST likely to approve content of RFP: a. project steering committee b. project sponsor c. project manager d. IS strategy committee - CORRECT ANSWER a. project steering committee Which of the following is a major control weakness that can adversely affect a system development project? a. out of 10 recommendation from IT strategy committee, board has approved only 8 recommendations b. project deadlines have not been specified in project approval plan c. project manager has not been specified in project approval plan d. the organization has decided that a project steering committee is not required. - CORRECT ANSWER d. the organization has decided that a project steering committee is not required. An organization has established a steering committee to oversee its application development program. Following is the function of the steering committee: a. documentation of requirements b. escalation of project issues c. design of interface controls d. specification of reports - CORRECT ANSWER b. escalation of project issues What tis the difference between IT strategy committee and IT steering committee? - CORRECT ANSWER It strategy committee advises board on various IT strategy and initiatives whereas IT steering committeee focuses on implementation part. What are responsibilities of Strategy Committee? - CORRECT ANSWER Determining exposure of IT and strategic direction to board What's the responsibilities of steering committee - CORRECT ANSWER Setting priorities and milestones, monitoring and approving funds and efficient use of IT resources. The prime objective of review of information systems buy IT steering committee should be to assess: a. alignment of IT processes as per business requirement b. alignment t of business process as per IT requirement c. The capacity of existing software d. the capacity of installed technology - CORRECT ANSWER a. alignment of IT processes as per business requirement An IS auditor is reviewing an organization's IT strategic plan. He should FIRST review? a. Alignment of IT processes as per business requirement b. the business plan c. the capacity of installed technology d. latest technology trends - CORRECT ANSWER b. the business plan Information security governance requires strategic alignment in terms of: a. enterprise requirements are the basis for security requirements b. security requirements are the basis for enterprise requireemttns c. current technology trend d. benchmarking with industry standards - CORRECT ANSWER a. enterprise requirements are the basis for security requirements As a part of effective IT governance, IT plan should be consistent with the organization's: a. business plan b. information security plan c. business continuity plan d. risk management plan - CORRECT ANSWER a. business plan Best way to determine that whether IS functions support the organization's business objective is to ensure that: a. IS has latest available equipments b. IS plans are designed as per business objectives c. all resources are utilized effectively and efficiently d. IS has proper control over outsourcing partners - CORRECT ANSWER b. IS plans are designed as per business objectives To improve the IS alignment with business, which of the following tis the best practice? a. outsourcing risks are managed b. use of latest technology to operate business c. structured way of sharing of business information d. involvement oft top management to mediate between business and information system - CORRECT ANSWER d. involvement oft top management to mediate between business and information system An IS auditor is evaluating an organization's IS strategy. Which of the following would be the MOST important consideration? a. organization's IS strategy has been approved by CIO b. organization's IS strategy is defined as per IS department's budget c. organization's IS strategy is considered on the basis of latest technology available in the market d. organization's IS strategy supports the business objectives of the organization - CORRECT ANSWER d. organization's IS strategy supports the business objectives of the organization An IS auditor is evaluating an organization's IT security policy. The PRIMARY objective is to ensure that: a. IT security policy is available with all the users b. IT security policy support business and IT objectives c. IT security policy is considered on the basis of latest technology available in the market d. IT security policy is approved by top management - CORRECT ANSWER b. IT security policy support business and IT objectives IT governance to be effective requires that: a. the business strategies and objectives supports the IT strategy b. the business strategy is derived from an IT strategy c. Cost effective IT governance d. The IT strategy supports the business strategies and objectives - CORRECT ANSWER d. The IT strategy supports the business strategies and objectives IS auditor is reviewing software development process. Which of the following islets way to ensure that business requirements are met during software development? a. proper training to developer b. Programmers with good business knowledge c. Adequate docuumentaiton d. User engagement in development process - CORRECT ANSWER d. User engagement in development process An IS auditor is reviewing an organization's IS strategy. Which among below is the most important criteria for such review? a. in includes a mission statement b. it includes usage of latest technology c. it includes best security practices d. it supports the business objectives - CORRECT ANSWER d. it supports the business objectives The purpose of IT balanced scorecard is to evaluate and monitor performance indicators other than: a. financial result b. customer satisfaction c. internal processes d. innovation capacity - CORRECT ANSWER a. financial result Following is the pre-requisite before implementing an IT balanced scorecard: a. existence of effective and efficient IT services b. define key performance indicators c. IT projects should add value to the business d. IT expenses within allotted budget - CORRECT ANSWER b. define key performance indicators IS auditor observed lac of senior management's involvement in IT strategy planning. the MOST likely risk is: a. lack of investment in technology b. absence of structured methodology for IT security c. Absence of IT alignment with business objectives d. An absence of control over outsourced vendors - CORRECT ANSWER c. Absence of IT alignment with business objectives Which of the following is the PRIMARY objective of an IT performance measurement process? a. to reduce error b. too obtain performance data c. to finalize the requirement baseline d. to improve performance - CORRECT ANSWER d. to improve performance Which of the following authority is ultimately responsible for the development of an IS security policy? a. IS department b. security committee c. IS audit department d. board of directors - CORRECT ANSWER d. board of directors Senior management's involvement is very vital in the development of: a. strategic plans b. IS security guidelines c. IS security procedures d. IS functions - CORRECT ANSWER a. strategic plans Which of the following is a function of an IS steering committee? a. managing outsourced vendors for IS services b. proper segregation of duties for IS processes c. approving and monitoring major projects, the status of IS plans and budgets d. implementing IS security procedures - CORRECT ANSWER c. approving and monitoring major projects, the status of IS plans and budgets Who's is primarily responsible for IT governance? a. IT strategy committee b. board of directors c. IT steering committee d. Audit committee - CORRECT ANSWER b. board of directors Which of the following team should assume overall responsibility for system development projects? a. audit committee b. project steering committee c. user management d. system development management - CORRECT ANSWER b. project steering committee Which of the following should take ownership of project for system development? a. user management b. project strategy committee c. project steering committee d. systems development management - CORRECT ANSWER a. user management IS department is in process of floating the request for proposal (RFP) for the acquisition of an application system. Who would MOST likely to approve content of RFP: a. project steering committee b. project sponsor c. project manager d. IS strategy Committee - CORRECT ANSWER a. project steering committee Who among the following is responsible for internal control in the organization? a. accounting department b. management c. the external auditor d. IS auditor - CORRECT ANSWER b. management Requirement specifications is ultimately responsible of: a. top management b. project sponsor c. system analyst d. steering committee - CORRECT ANSWER b. project sponsor An organisation has established a steering committee to oversee its application development program. Following is the function of the steering committee: a. documentation of requirements b. escalation of project issues c. design of interface controls d. specification of reports - CORRECT ANSWER b. escalation of project issues Accountability for maintenance of appropriate security measures over information assets resides with the: a. security administrator b. database administrator c. resource owners d. IT group - CORRECT ANSWER c. resource owners Who of the following is ultimately responsible for providing requirement specifications to the software development project team? a. team leader b. project sponsor c. system analyst d. steering committee - CORRECT ANSWER b. project sponsor Who assumes ownership of a systems- development project and the resulting system? a. user management b. project steering committee c. IT management d. System developers - CORRECT ANSWER a. user management Management of an organization is evaluating automated audit tool for its critical business processes. Which of the following audit tools is MOST useful when an audit trail is required? a. integrated test facility (ITF) b. Continuous and intermittent stimulation (CIS) c. Audit hooks D. Snapshots - CORRECT ANSWER D. Snapshots Integraetted test facility (ITF) has advantage over other automated audit tools because of its following characteristics: a. creation of dummies/fictitious entity is not required as testing is done on actual master files b. ITF does not require setting up separate test environments/test processes c. ITF is continuous audit tools and validates the ongoing operation of the system d. ITF eliminates the need to prepare test data - CORRECT ANSWER b. ITF does not require setting up separate test environments/test processes Characteristics that BEST describe an integrated test facility: a. technique to verify system processing b. technique to very system integration c. technique to generate test data d. technique to validate the ongoing operation of the system - CORRECT ANSWER a. technique to verify system processing Management of an organization is evaluating automated audit tool for its critical business processes. Which of the following audit tools is MOST useful for the early detection of errors or irregularities? a. Embedded audit module b. integrated test facility c. Snapshots d. Audit hooks - CORRECT ANSWER d. Audit hooks Which of the below online auditing tools should best identify transactions as per predefined criteria? a. Systems control audit review file and embedded audit modules (SCARF/ EAM) b. Continuous and Intermittent Stimulation (CIS) c. Integrated Test Facilities (ITF) d. Audit Hooks - CORRECT ANSWER b. Continuous and Intermittent Stimulation (CIS) Characteristics that BEST describes and integrated test facility: a. actual transactions are validated on ongoing basis b. enables the IS auditors too generate test data c. Pre-determined results are compared with processing output to ascertain correctness of system processing d. enables the IS auditors to analyze large range of information - CORRECT ANSWER c. Pre-determined results are compared with processing output to ascertain correctness of system processing To identify excess inventory for the previous year, which online auditing technique can be used? a. test data b. generalized audit software c. integrated test facility d. Embedded audit modules - CORRECT ANSWER b. generalized audit software Whats ITF - CORRECT ANSWER Yummy entities are created in live production environment What's SCARF? - CORRECT ANSWER Inbuilt audit softwaree used when regular processing cannot be interupted Audit Hook is useful when - CORRECT ANSWER early detection of error or fraud is required What's Snapshot and when is it used - CORRECT ANSWER Take pictures Snaps Used when audit trial is required What's CIS and when is It used - CORRECT ANSWER Used with DBMS CIS stimulates the application system processing As high complex criteria can be set in CIS, its the best technique to identify transactors as per pre-defined criteria A System is in development phase. Which of the following test is MOST likely to be conducted? a. User acceptance test b. Stress test c. Regression Test d. Unit Test - CORRECT ANSWER d. Unit Test Which of the following approach is applied during unit testing? a. top-up b. black box c. Bottom-up d. White box - CORRECT ANSWER d. White box Testing the network of two or more system for accurate flow of information between them is : a. unit testing b. interface testing c. sociability testing d. regression testing - CORRECT ANSWER b. interface testing In several instances, system interface failures are occurred when correction to previously detected errors are resubmitted. This would indicate absence of which of the following types of testing? a. pilot testing b. Integration testing c. Parallel testing d. Unit testing - CORRECT ANSWER b. Integration testing Unit testing indicates that individual modules are operating correctly. The IS auditor should: a. Conclude that system as a whole can produce the desired results b. Document the test result as a proof for system functionality c. Review the findings of integrated tests d. conduct the test again to confirm the findings - CORRECT ANSWER c. Review the findings of integrated tests Purpose of regression testing is to determine if: a. new or modified system can work without adversely impacting existing system b. flow of information between two or more system is correct and accurate c. new requirements have been met d. changes have not introduced any new errors in the unchanged code. - CORRECT ANSWER d. changes have not introduced any new errors in the unchanged code. An organization is conducting regression testing for rectified bugs in the system. What Datta should be used for regression testing? a. same data as used in previous test b. random data c. different data as used in previous test d. data product by a test data generator - CORRECT ANSWER a. same data as used in previous test A new system has been added to client-server environment. Which of the following tests would confirm that modification in window registry will not impact performance of existing environment? a. regression testing b. parallel testing c. white box testing d. sociability testing - CORRECT ANSWER d. sociability testing An organization wants to evaluate whether a new or modified system can operate in its target environment without adversely impacting other existing systems. Which of the following testing would be relevant? a. regression testing b. Sociability testing c. Interface/ integration testing d. pilot testing - CORRECT ANSWER b. Sociability testing Which of the following characteristics of white box testing differentiates between white box testing and black box testing? a. white- box testing involves IS auditor b. white- box testing testing of program's logical structure c. white- box testing involves bottom-up approach d. white- box testing does not involve testing of programs's logical structure - CORRECT ANSWER b. white- box testing testing of program's logical structure An organization implementing a new system adopted parallel testing. Which of the following is the PRIMARY purpose for conducting parallel testing? a. to ensure cost is within the budget b. to document system functionality c. to highlight errors in the program logic d. to validate system functionality with user requirements - CORRECT ANSWER d. to validate system functionality with user requirements An organization is implementing bottom- up approach for software testing. An advantage in using a botttom-up against a top-down approach is that: a. errors in critical modules can be found early b. test can be performed online once all programs are complete c. errors in interface can be found early d. Confidence in the system is achieved earlier - CORRECT ANSWER c. errors in interface can be found early An IS auditor is reviewing process of acceptance testing. What should be the IS auditor's major concern? a. test objectives not documented b. expected test results not documented by used c. test problem log not update d. unsolved major issues - CORRECT ANSWER d. unsolved major issues For a software development, an organization has planned following tests. Failure in which stage can have the GREATESTT adverse impact on cost and time budgets? a. Unit testing b. Integration testing c. System testing d. Acceptance testing - CORRECT ANSWER d. Acceptance testing An organization is conducting system testing for newly developed software. The primary purpose of a system test is t: a. test efficiency of security controls built in the system b. determine appropriate documentation of system functionality C. Evaluate the system functionality d. identify and document the benefit of new system - CORRECT ANSWER C. Evaluate the system functionality A major vulnerability was observed in a application by IS team. To mitigate risk, a patch was applied to a significant number of modules. Which of the following tests should an IS auditor recommend? a. Security testing b. Load testing c. System testing D. Interface testing - CORRECT ANSWER c. System testing An organization has implemented prototyping approach for development of system. Which of the following methods is MOST effective during the initial phases of prototyping? a. Bottom-up b. parallel c. Volumes d. top-down - CORRECT ANSWER d. top-down Best approach for conducting stress testing is: a. using test data and in test environment b. using live data and in production environment c. Using live data and in test environment d. Using test data and in production environment - CORRECT ANSWER c. Using live data and in test environment In final acceptance testing, QAT and UAT were combined. The MAJOR concern will be: a. increase in cost of testing b. inadequate documentation c. insufficient functional testing d. delays in test results - CORRECT ANSWER c. insufficient functional testing When creating data for testing the logic in a new system, Which of the following is MOST critical? a. quantity of the data b. data designed as per expected live processing c. Sample oof actual data d. completing the test as per schedule - CORRECT ANSWER b. data designed as per expected live processing Determine the difference between Regression, Sociability and integration - CORRECT ANSWER Regression: is test to check again that changes/ modifications have not introduced any new errors Sociability: test to determine adoptability of new system to settle in existing environment Integration: test to ensure flow of information between two or more system is correct and accurate What is the appropriate strategy for unit testing? - CORRECT ANSWER white box approach Test data should be designed as what for accurate test resuults - CORRECT ANSWER As per live workload for accurate test results An IS auditor should recommend which of following check (control) for completeness of data transmission? a. check digits b. one-for=one checking c. Parity bits d. atom city - CORRECT ANSWER c. Parity bits An IS auditor should suggest which of the following data validation edits for banks to avoid transposition and transcription errors and thereby ensuring the correctness of bank account numbers assigned to customers? a. parity check b. checksum c. check digit d. existence check - CORRECT ANSWER c. check digit An IS auditor is reviewing a process where frequency of transposition and transcription errors are very high for data entry. Which of the following data validation edits will be effective in detecting such errors? a. parity check b. duplicate check c. validity check d. check digit - CORRECT ANSWER d. check digit An IS auditor is reviewing EDI application and observed that validation edit 'checksum' has been implemented for communication of financial transactions. Purpose of ' checksum' is to ensure: a. source validation b. authenticity c. integrity d. non-repudiation - CORRECT ANSWER c. integrity Principle of data integrity that a transaction is either completed win its entirety or not at all is known as: a. atomicity b. consistency c. Isolation d. durability - CORRECT ANSWER a. atomicity Main reason for implementing parity bits as a control is to validate: a. data source b. data completeness c. data availability d. data accuracy - CORRECT ANSWER b. data completeness which of the following control BEST detects transmission errors by appending extra bits onto the end of each segment? a. checksum b. parity check c. redundancy check d. check digits - CORRECT ANSWER c. redundancy check Detection of bursts of errors in network transmissions is Best ensured by: a. parity check b. echo check c. checksum d. cyclic redundancy check - CORRECT ANSWER d. cyclic redundancy check To ensure detection and correction of errors, redundant information is transmitted with each character or frame. This control is known as: a. parity bits b. block sum checks c. forward error control d. cyclic redundancy check - CORRECT ANSWER c. forward error control An IS auditor is reviewing a ERP system. To evaluate data integrity he should review atomicity to ensure that: a. hardware or software failure will not impact the database b. each transaction is isolated from other transactions c. database consistency is maintained d. a transaction is completely in its entirety. - CORRECT ANSWER d. a transaction is completely in its entirety. As an IS auditor is reviewing EDI application and observed that validation edit ' Check Digit' has been implemented for financial transactions. Purpose of 'Check Digit' is to: a. Detect only Datta-transcription errors b. detect data- transposition and transcription errors c. detect data-transmission error d. Detect only data-transposition errors - CORRECT ANSWER b. detect data- transposition and transcription errors Which control would you used to identify transcription and transpositions errors (accuracy)? - CORRECT ANSWER Check digit Which control would you use to identify data transmission errors (completeness and integrity) - CORRECT ANSWER CRC and checksum Which control would you use to correct data transmission errors - CORRECT ANSWER Forward error control (FEC) Which control would you use to ensure that a transaction must either fully happen or not happen at all - CORRECT ANSWER atomicity An IS auditor evaluating how the project manager has monitored the process of the project. Which of the following is MOST relevant in this context? a. Critical Path Methodologies B PERT C. Gantt Chart d. Function point analysis (FPA) - CORRECT ANSWER C. Grantt Chart Which of the following should an IS auditor review to understand project progress in terms of time, budget, and deliverables and for projecting estimates at completion (EACs)? a. earned value analysis (EVA) b. PERT c. Gantt Chart d. Function Point Analysis (EVA) - CORRECT ANSWER a. earned value analysis (EVA) The purpose of Function Point analysis (FPA): a. to define functionalities of a software b. to identify risk in software development program c. to estimate efforts required to develop software d. to monitor the process the software development - CORRECT ANSWER c. to estimate efforts required to develop software Which of the following is a advantage of the program evaluation review techniques (PERT) over other techniques? PERT: a. considers single scenario for planning and control projects b. considers different scenarios for planning and control projects c. Defines functionalities of the software under development d. Allows the user to define program and system parameters - CORRECT ANSWER b. considers different scenarios for planning and control projects A system under development has multiple linked modules which will handle several million queries and transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort? a. Critical Path methodology (COM) b. Counting Source lines of code (SLOC) c. Function point analysis d. Program evaluation review technique (PERT) - CORRECT ANSWER c. Function point analysis Which of the following techqnieues would provide the GREATEST assistance in developing an estimate of project duration? a. function point analysis b. PERT c. Critical Path Methodology (CPM) d. Object - oriented system developement - CORRECT ANSWER b. PERT When identifying an earlier project completion time, the activities that should be selected for early completion and more concentration are those: a. activities with shortest completion time b. activities with zero slack time c . activities with longest completion time including slack time. d. activities with highest slick time - CORRECT ANSWER b. activities with zero slack time A project has budget of 16 hours (over 2 days). While reviewing, the IS auditor notes that the development teach has spent eight house of activity at the end of first day. The projected time to complete the remainder of the activity is 12 hours. The IS auditor should report that the project: a. is ahead of schedule b. is behind schedule c. is on schedule d. to be evaluated only after activity is completed. - CORRECT ANSWER b. is behind schedule An IS auditor is reviewing a project controlled through time box management. Which fo the following is a characteristic of timebox management? a. not suitable for prototyping or rapid application development where projects need to be completed within timeframe b. it prevents project cost overruns and delays from scheduled delivery c. it requires separate system testing and user accepting testing d. Performance can be evaluated only after activity is completed - CORRECT ANSWER b. it prevents project cost overruns and delays from scheduled delivery An organization is planning to add personnel to activities imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? a. budget of the project b. critical path of the project c. duration for remaining task d. resources availability for the project - CORRECT ANSWER b. critical path of the project Which of the following would BEST help to determine the timeline for a project and prioritize project activities? a. CPM b. PERT C. Gantt Chart d. FPA (Function Point Analysis) - CORRECT ANSWER b. PERT Which of the following is a characteristic of decision support system (DSS)? a. DSS allows flexibility in the decision-making approach of users b. DSS supports only structured decision-making tasks c. DSS is aimed at solving highly structured problems d. DSS uses techniques with non-traditional data access and retrieval function - CORRECT ANSWER a. DSS allows flexibility in the decision-making approach of users Expert system's knowledge base that uses questionnaires to lead the user through a serious of choices before a conclusion is reached is known as: a. diagram trees b. decision trees c. semantic nets d. network trees - CORRECT ANSWER b. decision trees Major risk of implementation of decision support system is: a. not able to specify purpose and usage requirements b. Decision making is a semi-structured dimensions c. inability to specify purpose and usage patterns d. frequent changes in decision processes - CORRECT ANSWER c. inability to specify purpose and usage patterns Questionnaires to lead the user through a serious of choices to reach a conclusion are used by: a. network tree b. decision trees c. logic trees d. logic algorithms - CORRECT ANSWER b. decision trees A decision support system (DSS): a. concentrates on highly structrued problems b. supports the requirements of only top management c. emphasizes flexibility in the decision making approach of users d. fails to survive in changing environments - CORRECT ANSWER c. emphasizes flexibility in the decision making approach of users The Business Information System which provides answers to semi-structured problems and for validation of business decisions is: a. decision support system b. strctured information syystem c. transaction processing syystem d. executive support system - CORRECT ANSWER a. decision support system An IS auditor reviewing the decision support system should be MOST concerned with the : a. quality of input data b. level of experience and skills contained in the knowledge base c. logical access control of the system d. processing controls implemented in the system, - CORRECT ANSWER b. level of experience and skills contained in the knowledge base An organization is developing one of its applications using agile approach. Which of the following would be a risk in agile development process? a. insufficient documentation b. insufficient testing c. poor requirements definition d. insufficient user involvement - CORRECT ANSWER a. insufficient documentation Which of the following is the characteristic of agile software development approach? a. systemic documentation b. more importance is placed on formal paper-based deliverables c. extensive use of software development tools to maximize steam productivity d. reviews a the end of each iteration to identify lessons learned for future use in the project - CORRECT ANSWER d. reviews a the end of each iteration to identify lessons learned for future use in the project Which of the following is considered as limitation of the agile software development methodology? a. quality of system may be impacted due to speed of development and limited budget b. absence of well-defined requirements may end up with more requirements than needed c. absence of review mechanism to identify lesions learned for future use in the project d. incomplete documentation due to time management - CORRECT ANSWER d. incomplete documentation due to time management An organization is developing one of its applications using prototyping approach. Which of the following would be an advantage of using prototyping for systems development? a. sufficient controls will rebuilt in the system b. sufficient audit trail will be built in the system c. reduction in deployment time d. sufficient change control will be built in the system - CORRECT ANSWER c. reduction in deployment time An organization is developing one of mitts applications using prototyping approach. Which of tthe following testing methods is MOS effective during the initial phases of prototyping? a. bottom-up b. Parallel c. Volume d. Top- down - CORRECT ANSWER d. Top- down Which of the following techniques uses a prototype that can be updated regularly to meet ever changing user or business requirements? a. reverse engineering b. object-oriented system development (OOD) c. Software reengineering (BPR) d. Rapid application development (RAD) - CORRECT ANSWER d. Rapid application development (RAD) Which of the following is an advantage of prototyping? a. prototyping ensures strong internal controls b. prototyping ensures significant time and costs savings c. prototyping ensures strong change controls d. prototyping ensures that extra functi