CISA Exam Prep
Attribute sampling
B.
Variable sampling
C.
Stop-and-go sampling
D.
Discovery sampling
2.
Attribute sampling
B.
Variable sampling
C.
Stop-and-go sampling
D.
Discovery sampling
3.
4.
B.
Assume full responsibility for the audit archive and stored data
C.
D.
5.
6.
7.
8.
B.
C.
D.
Attribute sampling
B.
Variable sampling
C.
Stop-and-go sampling
D.
Discovery sampling
The auditor has high regard for the company and holds several hundred shares of the company's stock
B.
C.
D.
Integrated auditing
B.
Control self-assessment
C.
D.
Continuous auditing
Attribute sampling
B.
Variable sampling
C.
Stop-and-go sampling
D.
9.
10.
11.
12.
Discovery sampling
Standards
B.
Policy
C.
Guidelines
D.
Procedures
Control risk
B.
Audit risk
C.
Detection risk
D.
Inherent risk
B.
C.
D.
The risk that a material error will occur because of weak controls or no controls is known as which of the following?
A. Control risk
B. Audit risk
C. Detection risk
D. Inherent risk
13.
You have been asked to audit a series of controls. Using Figure E.1 as
your reference, what type of control have you been asked to examine?
A. Amount total
B. Hash total
C. Item total
D. Data checksum
Figure E.1.
14.
15.
Which of the following is the best tool to extract data that is relevant to
the audit?
A.
Integrated auditing
B.
C.
D.
Continuous auditing
Continuous audit
B.
Integrated audit
C.
Compliance audit
D.
Substantive audit
16.
17.
18.
19.
According to ISACA, which of the following is the fourth step in the risk-based audit approach?
A.
B.
C.
D.
B.
C.
D.
B.
Intrusion-prevention systems
C.
D.
Variance reports
Which of the following is not one of the four common elements needed to
determine whether fraud is present?
A.
An error in judgment
B.
C.
D.
20.
21.
22.
23.
24.
You have been asked to implement a continuous auditing program. With this
in mind, which of the following should you first identify?
A.
B.
C.
D.
Which of the following should be the first step for organizations wanting to
develop an information security program?
A.
B.
C.
D.
B.
Board of directors
C.
IT steering committee
D.
Audit committee
The balanced score card differs from historic measurement schemes, in that
it looks at more than what?
A.
Financial results
B.
Customer satisfaction
C.
D.
Innovation capacity
25.
26.
B.
C.
D.
Daily planning
B.
Long-term planning
C.
Operational planning
D.
Strategic planning
A new IT auditor has been asked to examine some processing, editing, and
validation controls. Can you help define the control shown in Figure E.2?
A. Validity check
B. Reasonableness check
C. Existence check
D. Range check
Figure E.2.
27.
28.
29.
30.
Single cost
B.
Shared cost
C.
Chargeback
D.
Sponsor pays
Policy review
B.
Direct observation
C.
Procedure review
D.
Interview
You are working with a risk-assessment team that is having a hard time calculating the potential financial loss to the company's brand name that could result from a risk. What should the team do next?
A.
B.
C.
D.
Parallel
31.
32.
33.
34.
B.
Hard
C.
Phased
D.
Intermittent
B.
C.
D.
The balanced score card looks at four metrics. Which of the following is not
one of those metrics?
A.
External operations
B.
The customer
C.
D.
Financial data
White-boxing
B.
Black-boxing
C.
D.
Which of the following is the preferred tool for estimating project time when
a degree of uncertainty exists?
A.
35.
36.
37.
38.
B.
C.
Gantt
D.
B.
COCOMO
C.
D.
B.
C.
D.
Incremental development
You have been assigned as an auditor to a new software project. The team members are currently defining user needs and then mapping how the proposed solution meets the need. At what phase of the SDLC are they?
A. Feasibility
B. Requirements
C. Design
D. Development
Logging
B.
Batch controls
C.
Security signatures
D.
39.
Report distribution
The following question references Figure E.3. Item A refers to which of the
following?
A. Foreign key
B. Tuple
C. Attribute
D. Primary key
Figure E.3.
40.
41.
You have been asked to suggest a control that could be used to determine
whether a credit card transaction is legitimate or potentially from a stolen
credit card. Which of the following would be the best tool for this need?
A.
B.
Expert systems
C.
Intrusion-prevention systems
D.
Data-mining techniques
You have been asked to suggest a control that can be used to verify that
batch data is complete and was transferred accurately between two
applications. What should you suggest?
42.
43.
44.
45.
A. A control total
B. Check digit
C. Completeness check
D. Limit check
2GL
B.
3GL
C.
4GL
D.
5GL
You have been asked to work with a new project manager. The project team has just started work on the payback analysis. Which of the following is the best answer to identify the phase of the system development lifecycle of the project?
A. Feasibility
B. Requirements
C. Design
D. Development
Uptime agreements
B.
C.
Abandon rate
D.
What is the correct term for items that can occur without human
interaction?
46.
47.
48.
49.
A.
Lights out
B.
Automated processing
C.
D.
Autopilot operations
SQL
B.
Assembly
C.
FORTRAN
D.
Prolog
B.
C.
D.
B.
C.
D.
B.
C.
D.
50.
51.
52.
B.
X12
C.
Communications handler
D.
PAN
B.
LAN
C.
SAN
D.
MAN
The following question references Figure E.4. Item C refers to which of the
following?
A. Foreign key
B. Tuple
C. Attribute
D. Primary key
Figure E.4.
53.
54.
55.
Application
B.
Transport
C.
Session
D.
Network
B.
System testing
C.
Interface testing
D.
Unit testing
Which of the following devices can be on the edge of networks for basic
packet filtering?
A.
Bridge
B.
Switch
C.
Router
D.
56.
57.
58.
59.
60.
VLAN
MAC addresses are most closely associated with which layer of the OSI model?
A. Data link
B. Network
C. Session
D. Physical
Class A
B.
Class B
C.
Class C
D.
Class D
A routing protocol
B.
A routable protocol
C.
D.
Which of the following test types is used after a change to verify that inputs and outputs are correct?
A. Regression testing
B. System testing
C. Interface testing
D. Pilot testing
61.
62.
63.
64.
A.
SQL
B.
Assembly
C.
FORTRAN
D.
Prolog
Bus
B.
Star
C.
Token Ring
D.
Mesh
B.
Less attenuation
C.
Less cross-talk
D.
Fire-retardant coating
B.
C.
D.
Scrum
B.
Extreme programming
65.
C.
RAD
D.
Spiral
B. Network
C. Hierarchical
D. Floating flat
Figure E.5.
66.
67.
B.
C.
D.
B.
68.
69.
70.
71.
C.
RAID 0
D.
RAID 1
Which of the following is the best technique for an auditor to verify firewall
settings?
A.
B.
C.
D.
DSL
B.
POTS
C.
T1
D.
ATM
B.
C.
D.
Subject-oriented
B.
Object-oriented
C.
Access-oriented
D.
72.
73.
74.
75.
Control-oriented
B.
C.
D.
Passwords
B.
Tokens
C.
Two-factor authentication
D.
Biometrics
If asked to explain the equal error rate (EER) to another auditor, what
would you say?
A.
The EER is used to determine the clipping level used for password
lockout.
B.
C.
D.
Interview users
B.
C.
Evaluate controls
D.
76.
77.
78.
Corrective
B.
Detective
C.
Preventive
D.
Delayed
B.
C.
Recovery strategy
D.
You have been asked to review the documentation for a planned database.
Which type of database is represented by Figure E.6?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.6.
79.
80.
81.
82.
83.
B.
C.
D.
Audit plan
B.
Security assessment
C.
D.
Network topology
Snapshots
B.
Mapping
C.
D.
The greater the recovery point objective (RPO), the more tolerant
the process is to interruption.
B.
The less the recovery time objective (RTO), the longer the
process can take to be restored.
C.
The less the RPO, the more tolerant the process is to interruption.
D.
The greater the RTO, the less time the process can take to be
restored.
Which of the following best defines the service delivery objective (SDO)?
A.
84.
85.
86.
87.
B.
C.
D.
During which step of the business continuity planning (BCP) process is a risk
assessment performed?
A.
B.
C.
Recovery strategy
D.
When auditing security for a data center, the auditor should look for which
of the following as the best example of long-term power protection?
A.
Standby generator
B.
C.
Surge protector
D.
B.
Snapshots
C.
Audit hooks
D.
FM-200
B.
NAF-S-3
C.
FM-100
D.
88.
89.
90.
91.
Argon
The point at which the false rejection rate (FRR) equals the false
acceptance rate (FAR)
B.
C.
D.
Electronic equipment
B.
Paper
C.
Oil
D.
Metal
B.
C.
D.
B. Network
C. Hierarchical
D. Floating flat
Figure E.7.
92.
93.
94.
95.
Output controls
B.
C.
Input controls
D.
Processing controls
Which type of access rights control model is widely used by the DoD, NSA, CIA, and FBI?
A. MAC
B. DAC
C. RBAC
D. ACL
B.
C.
D.
96.
97.
98.
99.
A.
Technology
B.
Processes
C.
People
D.
Documents
B.
C.
Executive management
D.
Security auditor
Which of the following guarantees that all foreign keys reference existing
primary keys?
A.
Relational integrity
B.
Referential integrity
C.
Entity integrity
D.
Internet
B.
Intranet
C.
Extranet
D.
VLAN
What term is used to describe the delay that information will experience from the source to the destination?
A. Echo
B. Latency
100.
101.
102.
103.
C. Delay
D. Congestion
You have been asked to describe what security feature can be found in the
wireless standard 802.11a. How will you respond?
A.
B.
C.
D.
X.25
B.
ISDN
C.
Frame Relay
D.
ATM
Layers 2 and 3
B.
Layers 3 and 4
C.
Layers 4 and 5
D.
Layers 5 and 6
B.
C.
D.
104.
B. Item B
C. Item C
D. Item D
Figure E.8.
105.
106.
Telnet
B.
FTP
C.
SNMP
D.
SMTP
Telnet
B.
FTP
C.
SMTP
D.
DHCP
107.
108.
109.
110.
111.
Which layer of the OSI model is responsible for reliable data delivery?
A. Data link
B. Session
C. Transport
D. Network
B.
C.
D.
Exception reports
B.
Sequence check
C.
Key verification
D.
Which of the following devices is most closely related to the data link layer?
A. Hub
B. Repeater
C. Bridge
D. Router
Which of the following provide the capability to ensure the validity of data through various stages of processing?
A. Manual recalculations
112.
113.
114.
115.
B. Programming controls
C. Run-to-run totals
D. Reasonableness verification
Decrease redundancy
B.
Increase redundancy
C.
D.
Increase accuracy
B.
C.
D.
B.
C.
D.
Attribute errors
B.
Relational errors
C.
Dangling tuples
D.
Integrity constraints
116.
117.
B.
C.
D.
You have been asked to review the organization's planned firewall design. As such, which of the following best describes the topology shown in Figure E.9?
A. Packet filter
B. Screened subnet
C. Screened host
D. Dual-homed host
Figure E.9.
118.
B.
C.
D.
119.
120.
121.
122.
123.
Which of the following is not used when calculating function point analysis?
A.
B.
Number of files
C.
D.
FORTRAN
B.
Assembly
C.
Basic
D.
Java
SQL
B.
Assembly
C.
FORTRAN
D.
Prolog
B.
C.
D.
You have been asked to explain rings of protection and how the concept
applies to the supervisory mode of the operating system (OS). Which of the
following is the best description?
A.
124.
125.
126.
127.
B.
C.
D.
You have been asked to design a control. The organization would like to limit what check numbers are used. Specifically, they would like to be able to flag a check numbered 318 if the day's first check had the number 120 and the day's last check was number 144. What type of validation check does the department require?
A. Limit check
B. Range check
C. Validity check
D. Sequence check
The time between when an event occurs and when the audit
record is reviewed
B.
C.
The time between when an event occurs and when the audit
record is recorded
D.
You have been asked to review a console log. What type of information
should you expect to find?
A.
B.
C.
System errors
D.
128.
129.
130.
B.
C.
Variation tools
D.
Authorization
B.
Processing
C.
Validation
D.
Editing
Scope
B.
Time
C.
Resources
D.
Cost
Using Figure E.10 as a reference, place the four recovery time objectives
in their proper order.
A. Items A, B, C, D
B. Items B, C, D, A
C. Items D, A, C, B
D. Items C, B, D, A
Figure E.10.
131.
132.
133.
Stakeholders
B.
C.
Project manager
D.
Quality assurance
Weak matrix
B.
Pure project
C.
Balanced matrix
D.
Influence
B.
C.
D.
134.
135.
B.
Gantt
C.
D.
B.
C.
Actuarial tables
D.