CISA EXAM QUESTIONS AND
CORRECT ANSWERS
Chapter 1 Answers
Source code Answers uncompiled, archive code
Object code Answers compiled code that is distributed and put into
production; not able to be read by humans
Inherent risk Answers the risk that an error could occur assuming no
compensating control exist
Control risk Answers the risk that an error exists that would not be
prevented by internal controls
Detection risk Answers the risk that an error exists, but is not detected.
The risk that an IS auditor may use an inadequate test procedure and
conclude that no material error exists when in fact errors do exist.
Audit risk Answers the overall level of risk; the level of risk the auditor is
prepared to accept.
Compliance testing Answers determines if controls are being applied in a
manner that complies with mgmt's policies and procedures
Substantive testing Answers evaluates the integrity of individual
transactions, data, and other information.
Regression testing Answers used to retest earlier program abends that
occurred during the initial testing phase.
Sociability testing Answers to ensure the application works as expected in
the specified environment where other applications run concurrently.
Includes testing of interfaces with other systems.
,Parallel testing Answers Feeding test data into two systems and comparing
the results.
White box testing Answers test the software's program logic.
Black box testing Answers Testing the functional operating effectiveness
without regard to internal program structure.
Redundancy check Answers detects transmission errors by appending
calculated bits onto the end of each segment of data.
Variable sampling Answers used to estimate the average or total value of a
population.
Discovery sampling Answers used to determine the probability of finding an
attribute in a population.
Attribute sampling Answers selecting items from a population based on a
common attribute. Used for compliance testing.
Chapter 2 Answers
Steering Committee Answers Appointed by senior management. Serves as a
general review board for projects and acquisitions... not involved in routine
operations. The committee should include representatives from senior
management, user management, and the IS department. Escalates issues to
senior management.
Request for Proposal (RFP) Answers A document distributed to software
vendors requesting their submission of a proposal to develop or provide a
software product. RFP should include: Project Overview, Key Requirements
and Constraints, Scope Limitations, Vendor questionnaire, customer
references, demonstrations, etc.
Quality Assurance Answers Check to verify policies are followed.
Quality Control Answers Check to verify free from defects.
Bottom-up approach for policy development Answers begins by defining
operational-level requirements and policies which are derived and
implemented as a result of a risk assessment.
Chapter 3 Answers
OSI Model Answers All People Seem To Need Dominos Pizza
, Layer 7 - Application layer Answers The application layer interfaces directly
to and performs common application services for the application processes.
Layer 6 - Presentation layer Answers The presentation layer relieves the
Application layer of concern regarding syntactical differences in data
representation within the end-user systems. MIME encoding, data
compression, encryption, and similar manipulation of the presentation of
data is done at this layer.
Layer 5 - Session layer Answers The session layer provides the mechanism
for managing the dialogue between end-user application processes (By
dialog we mean that whose turn is it to transmit). It provides for either
duplex or half-duplex operation. This layer is responsible for setting up and
tearing down TCP/IP sessions.
Layer 4 - Transport layer Answers The transport layer is responsible for
reliable data delivery. The transport layer provides transparent transfer of
data between end users, thus relieving the upper layers from any concern
with providing reliable and cost-effective data transfer. The transport layer
controls the reliability of a given link. The transport layer can keep track of
packets and retransmit those that fail. Also addresses packet sequencing.
The best known example of a layer 4 protocol is TCP.
Layer 3 - Network layer Answers The network layer provides the functional
and procedural means of transferring variable length data sequences from a
source to a destination via one or more networks while maintaining the
quality of service requested by the Transport layer. The Network layer
performs network routing, flow control, segmentation/desegmentation, and
error control functions. Routers operate at this layer -- sending data
throughout the extended network
Layer 2 - Data link layer Answers The data link layer provides the functional
and procedural means to transfer data between network entities and to
detect and possibly correct errors that may occur in the Physical layer. The
addressing scheme is physical which means that the addresses (MAC
address) are hard-coded into the network cards at the time of manufacture.
The addressing scheme is flat. Note: The best known example of this is
Ethernet.
Layer 1 - Physical layer Answers The physical layer defines all electrical
and physical specifications for devices. This includes the layout of pins,
CORRECT ANSWERS
Chapter 1 Answers
Source code Answers uncompiled, archive code
Object code Answers compiled code that is distributed and put into
production; not able to be read by humans
Inherent risk Answers the risk that an error could occur assuming no
compensating control exist
Control risk Answers the risk that an error exists that would not be
prevented by internal controls
Detection risk Answers the risk that an error exists, but is not detected.
The risk that an IS auditor may use an inadequate test procedure and
conclude that no material error exists when in fact errors do exist.
Audit risk Answers the overall level of risk; the level of risk the auditor is
prepared to accept.
Compliance testing Answers determines if controls are being applied in a
manner that complies with mgmt's policies and procedures
Substantive testing Answers evaluates the integrity of individual
transactions, data, and other information.
Regression testing Answers used to retest earlier program abends that
occurred during the initial testing phase.
Sociability testing Answers to ensure the application works as expected in
the specified environment where other applications run concurrently.
Includes testing of interfaces with other systems.
,Parallel testing Answers Feeding test data into two systems and comparing
the results.
White box testing Answers test the software's program logic.
Black box testing Answers Testing the functional operating effectiveness
without regard to internal program structure.
Redundancy check Answers detects transmission errors by appending
calculated bits onto the end of each segment of data.
Variable sampling Answers used to estimate the average or total value of a
population.
Discovery sampling Answers used to determine the probability of finding an
attribute in a population.
Attribute sampling Answers selecting items from a population based on a
common attribute. Used for compliance testing.
Chapter 2 Answers
Steering Committee Answers Appointed by senior management. Serves as a
general review board for projects and acquisitions... not involved in routine
operations. The committee should include representatives from senior
management, user management, and the IS department. Escalates issues to
senior management.
Request for Proposal (RFP) Answers A document distributed to software
vendors requesting their submission of a proposal to develop or provide a
software product. RFP should include: Project Overview, Key Requirements
and Constraints, Scope Limitations, Vendor questionnaire, customer
references, demonstrations, etc.
Quality Assurance Answers Check to verify policies are followed.
Quality Control Answers Check to verify free from defects.
Bottom-up approach for policy development Answers begins by defining
operational-level requirements and policies which are derived and
implemented as a result of a risk assessment.
Chapter 3 Answers
OSI Model Answers All People Seem To Need Dominos Pizza
, Layer 7 - Application layer Answers The application layer interfaces directly
to and performs common application services for the application processes.
Layer 6 - Presentation layer Answers The presentation layer relieves the
Application layer of concern regarding syntactical differences in data
representation within the end-user systems. MIME encoding, data
compression, encryption, and similar manipulation of the presentation of
data is done at this layer.
Layer 5 - Session layer Answers The session layer provides the mechanism
for managing the dialogue between end-user application processes (By
dialog we mean that whose turn is it to transmit). It provides for either
duplex or half-duplex operation. This layer is responsible for setting up and
tearing down TCP/IP sessions.
Layer 4 - Transport layer Answers The transport layer is responsible for
reliable data delivery. The transport layer provides transparent transfer of
data between end users, thus relieving the upper layers from any concern
with providing reliable and cost-effective data transfer. The transport layer
controls the reliability of a given link. The transport layer can keep track of
packets and retransmit those that fail. Also addresses packet sequencing.
The best known example of a layer 4 protocol is TCP.
Layer 3 - Network layer Answers The network layer provides the functional
and procedural means of transferring variable length data sequences from a
source to a destination via one or more networks while maintaining the
quality of service requested by the Transport layer. The Network layer
performs network routing, flow control, segmentation/desegmentation, and
error control functions. Routers operate at this layer -- sending data
throughout the extended network
Layer 2 - Data link layer Answers The data link layer provides the functional
and procedural means to transfer data between network entities and to
detect and possibly correct errors that may occur in the Physical layer. The
addressing scheme is physical which means that the addresses (MAC
address) are hard-coded into the network cards at the time of manufacture.
The addressing scheme is flat. Note: The best known example of this is
Ethernet.
Layer 1 - Physical layer Answers The physical layer defines all electrical
and physical specifications for devices. This includes the layout of pins,
