Domain 1
plan and finds that the previous plan
1. An IS auditor is evaluating data
mining and auditing software to be
used in future IS audits. What is the
PRIMARY ability that the IS auditor
should look for in the software tool?
The software tool should?
- Preserve data integrity and not
modify source data in any way
2. Management instructs a junior IS
auditor to prepare and deliver a final
report using his/her best judgment
since no senior IS auditor is available:
- The loss of reputation because the
audit was not performed according
to standards
3. An IS auditor is reviewing the
process performed for the
protection of digital evidence. Which
of the following findings should
present the MOST concern to the IS
auditor?
- There are no documented logs of
the transportation of evidence
4. Which of the following is the most
significant risk of changing from
using a traditional audit approach to
a facilitated control self-assessment
(FCSA) workshop approach without
adequate planning and preparation?
- Critical risk issues may not
identified by the process
5. An IS auditor is developing an
audit plan for a repeat client. The
auditor reviews the prior year audit
was designed to review the company
network and e-mail systems, which
were newly implemented last year,
but the plan did not include
reviewing the e-commerce web
server. The company IT manager
indicates that this year the
organization prefers to focus the
audit on a newly-implemented
enterprise resource planning (ERP)
application. How should the IS
auditor respond?
- Determine the highest-risk systems
and plan the audit based on the
result
6. An IS auditor has been asked to
review the security controls for a
critical web-based order system
shortly before the scheduled go-live
date. The auditor conducts a
penetration test which produces
inconclusive results and additional
testing cannot be concluded by the
completion date agreed for the
audit. Which of the following is the
BEST option for the auditor?
- Publish a report based on the
available information, highlighting
the potential security weaknesses
and the requirement for the follow
up audit testing
7.In a risk based audit approach, the
IS auditor must consider the
inherent risk as well as considering:
- The balance of loss potential vs the
cost to implement controls
8. The internal audit department of
organization has been developed
and maintained ACL scripts for
continuous auditing purposes. These
scripts were provided to IT
management for continuous
monitoring purposes. This situation
resulted in a potential conflict
related to the auditor's
independence and objectivity.
Which of the following actions would
BEST resolve this issue?
- It management should continue to
use the script for continuous
monitoring purposes with the
understanding that it is responsible
for testing and maintaining the
scripts that it uses.
9. When performance issues are
discovered during an assessment of
the organization's network, the
MOST efficient way for the IS auditor
to proceed is to examine the:
- network topology
10. Which of the following
represents an example of a
preventive control with respect to IT
personnel?
- Implementation of a badge entry
system for the IT facility
Domain 2 – IT Governance
11. Which of the following is the
BEST reason to implement a policy
which address secondary
employment for IT employees?
- To prevent conflict of interest
12. An IS auditor has been assigned
to review an organization’s
information security policy. Which of
the following issues represent the
highest potential risk?
- The policy is approved by the
security administrator.
13. An IS auditor is verifying the IT
policies and found that some of the
policies have not been approved by
management (as required by policy)
but the employees strictly follow the
policies. Should the IS auditor do
FIRST?
- Report the absence of document
approval.
14. When auditing the IT governance
framework and IT risk management
practices that exist within an
organization the IS auditor identified
responsibilities regarding IT
management and the governance
roles. Which is the following
recommendation is the MOST
appropriate?
- Implement accountability rules
with in the organization.
15. An IS auditor is performing a
review of the software quality
management process in an
organization The FIRST step should
be to:
- Request all standards that have
been adopted by the organization.
16. When auditing the archiving of
the company’s email
communication, the auditor should
pay the MOST attention to:
- The existence of a data retention
policy
17. An IS auditor is reviewing
changes to a company’s disaster
recovery (DR). The auditor notices
that the recovery point objectives
(RPO) has been shortened for the
company’s application. What is the
MOST significant risk of this change?
- Backups are not done frequently
enough to archive the new RPO
18. An IT auditor found that the
enterprise architecture recently
adopted by an organization has an
adequate current state
representation. However the
organization has started a separate
project to develop an optimized
future state representation. The IT
auditor should :
- Report this issue as a finding in the
audit report
19. Which of the following situation
is addresses by a software escrow
agreement?
- The vendor of custome written
software goes out of business
20. When conducting an IT security
risk assessment the IS auditor asked
the IT security officer to participate
in a risk identification workshop with
users and unit representative. What
is the MOST important
recommendation that the IS auditor
should make to obtain successful
result and avoid future conflicts/
- Ensure that the IT security risk
assessment has a clearly defined
scope
Domain 3
21. An IS auditor has been asked to
review proposals to implement a
standardized IT infrastructure.
Which of the following findings
would likely be featured in the
auditor’s report? The proposals
likely to:
- Improve the cost-effectiveness of IT
service delivery and operational
support.
22. Which of the following would
BEST help to prioritize project
activities and determine the timeline
for a project?
- Program evaluation review
technique (PERT)
23. An IS auditor reviewing a series
of completed projects finds that the
implemented functionality often
exceeded requirements and most of
the projects can significantly over
budget. Which of these areas of the
organization’s project management
process is the MOST likely cause of
this issue?
- Project Scope Management
24. An IS auditor is reviewing the
software development process for
an organization. Which of the
following functions would be
appropriate for the end users to
perform?
- Program output testing
25. An IS auditor is reviewing system
development for a healthcare
organization with two application
environments—production and test.
During an interview, the auditor
notes that production data are used
in the test environment to test
program changes. What is the MOST
significant potential risk from this
situation?
- The test environment may not have
adequate access controls
implemented to ensure data
confidentiality
26. The IS auditor is reviewing a
recently completed conversion to a
new enterprise resource planning
(ERP) system. As the final stage of
the conversion process, the
organization ran the old and new
systems in parallel for 30 days before
allowing the new systems to run on
its own. What is the MOST significant
advantage to the organization by
using this strategy?
- Assurance that the new system
meets functional requirements
27. What kind of software
application testing is considered the
final stage of testing and typically
includes users outside the
development team?
- Beta Testing
28. During which phase of software
application testing should an
organization perform the testing of
architectural design?
- Integration testing
29. Which of the following is the
MOST efficient way to test the
design effectiveness of a partially
automated change control process?
- Perform an end to end walk
through of the process
30. An organization is replacing a
payroll program that it developed in
house, with the relevant subsystem
of a commercial enterprise resource
planning (ERP) system. Which of the
following would represent the
highest potential risk?
- faculty migration of historical data
from the old system to the new
system
31. An IS auditor is evaluating a
virtual machine-based (VM-based)
architecture used for
programming and testing
environments. The production
architecture is a three-tier physical
architecture. What is the MOST
important IT control to test in order
to ensure availability and
confidentiality of the web
application in production?
- Server configuration hardening
32. During a post-implementation
review, which of the following
activities should be performed?
- ROI analysis
33. . An IS auditor reports that the
financial module of an enterprise
resource planning (ERP) application
is very slow because the audit trails
are activated on some sensitive
tables. The vendor has asked to
disable audit trails on these
transactional tables and restrict
auditing only to successful and
unsuccessful logons to the system.
What is the GREATEST threat if this
recommendation is implemented?
- The integrity of the financial data
could not be guaranteed
34. An IS auditor should ensure that
review of online electronic funds
transfer (EFT) reconciliation
procedures should include:
- Tracing
35. Web application developers
all
sometimes use hidden fields on web
pages to save information about a
client session. This technique is used
in some cases to store session
variables that enable persistence
across web pages, such as
maintaining the contents of a
shopping chart on a retail web site
application. The MOST likely web-
based attack due to this practice is:
- Parameter Tampering
36. . After consulting with senior
management, and organization’s IT
department decided that all IT
hardware would be replaced three
years from the procurement date.
The MOST likely reason for doing this
is to:
- Manage IT assets in a cost effective
manner.
Domain 4
37. An organization is considering
using new it service provider. From
an audit perspective, which of the
following would be the MOST
important items to review?
- The services level agreement (SLA)
with the service provider
38. The IS auditor is reviewing the
implementation of storage area
network (SAN). The SAN
administrator indicates that logging
and monitoring is active, hard zoning
is used to isolate data from different
business units and all unused SAN
port disabled. The administrator
implemented the system performed
and documented security testing
during implementation and
determined that he/she is the only
user with administrative rights to the
system. What should auditor’s initial
determination be?
- The SAN present potential risk
because only one employee has
access.
39. When reviewing the desktop
software compliance of an
organization, the IA auditor should
be MOST concerned if the installed
software:
- Is not listed in the approved
software standards document
40. Due to recent economic
downturn, an IT organization has
terminated several administration at
remote sites and consolidated all IT
administration to the organization’s
control headquarters. During the
annual IT audit, the auditor
determines that the organization has
implemented remote admin
connectivity to each site using low
cost DSL connections and an
automated SNMP based monitoring
system to detect any hardware or
software issues that may occur. In
the auditor’s mind, what should be
the biggest area of concern?
- the connection to remote sites is
secure through the use of virtual
private network (VPN)
41. An IT executive of insurance
company asked an external auditor
to evaluate the user IDs for
emergency access (fire call ID). The IS
auditor found that fire call accounts
are granted without predefined
expiration date. What should the IS
auditor recommend?
- Review of the access control
privilege authorization process
42. An IS auditor is reviewing
database security for an
organization. Which of the following
is the MOST important consideration
for database hardening
- The default configurations are
change
43. In auditing a database
environment, an IS auditor will be
MOST concerned if the database
administrator (DBA) is performing
which of the following function
- Installing patches or upgrades to
the operation system
44. An IS auditor reviewing local area
network (LAN) performance in an
organization should FIRST examine:
- Data, Voice, and video throughput
requirement
45. As IS auditor is evaluating the
effectiveness of the organization’s
change management process. What
is the MOST important control that
the IS auditor should look for to
ensure system availability?
- That test plans and procedures
exist and are closely followed
46. An IS auditor reviewing a new
outsourcing contract with a service
provide would be MOST concerned if
which of the following was missing?
- A clause providing a “right to audit”
service provider
47.Which of the following
specifically addresses how to detect
cyber attacks against an
organization’s IT systems an how to
recover from an attack?
- An Incident response plan (IRP)
48. An IS auditor is reviewing the
expansion plans for an organization
which is opening a new office about
80 meters away from their existing
facility. The plan is to implement
fiber optic cabling within the new
facility and it has been determined
that a 100 m, category 5 (cat 5).
Unshielded twisted pair (UTP) cable
can be installed to provide
connectivity between both building.
What is the PRIMARY risk that the
auditor should identify with this
expansion plan?
- The link between building may not
meet the long term business
requirement.
49. An IS auditor is to assess the
suitability of a service level
agreement (SLA) between
organization and the supplier of
outsourced services. To which of the
following observation should the IS
auditor pay the MOST attention?
The SLA does not contain a:
-Transition clause frim the old
supplier to a new supplier in he case
of expiration or termination.
50. During an application audit an IS
auditor is asked to provide assurance
of the database referential integrity.
Which of the following should be
reviewed?
- Foreign key structure
Domain 5
51. An IS auditor is planning an audit
of a bank wire transfer system in the
contest of a regulation that requires
banks to accurately report
transactions. Which of the following
represents the PRIMARY focus of the
audit scope:
- Data Integrity.
52. An IS auditor reviewing the
operating system integrity of server
would PRIMARYLY:
- verify that privileged programs or
services cannot ben invoked by user
program.
53. Which of the following is the
MOST common concern for an IS
auditor regarding audit logs?
- Logs are collected but not analysed.
54. Which of the following would
BEST help in preventing structured
query language (SQL) injection
attacks of a web application?
- Built in input validation within the
application.
55. Which is the following is the BEST
control to implement in order to
mitigate the risk of an insider attack?
- Limit access to what is required for
an individual’s job duties.