DISA Review Questions, Answers

Manual – Module

The Institute of Chartered Accountants of India


(Set up by an Act of Parliament)
New Delhi

© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted, in any form, or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without prior permission, in
writing, from the publisher.

DISCLAIMER
The views expressed in this material are those of author(s). The Institute of
Chartered Accountants of India (ICAI) may not necessarily subscribe to the views
expressed by the author(s).
The information in this material has been contributed by various authors based
on their expertise and research. While every effort has been made to keep
the information cited in this material error free, the Institute or its officers do not
take the responsibility for any typographical or clerical error which may have
crept in while compiling the information provided in this material. There are no
warranties/claims for ready use of this material as this material is for educational
purposes. The information provided in this material is subject to changes in
technology, business and regulatory environment. Hence, members are advised
to apply this using professional judgement. Please visit the CIT portal for the latest
updates. All copyrights are acknowledged. Use of specific hardware/software in
the material is not an endorsement by ICAI.

Edition : October, 2015



Committee/Department : Committee of Information Technology
E-mail : cit@icai.in
Website : www.icai.org/http://cit.icai.org
Price :
` ______/- (For Module Including DVD)
ISBN :
978-81-8441-
Published by : The Publication Department on behalf of the Institute
of Chartered Accountants of India, ICAI Bhawan, Post
Box No. 7100, Indraprastha Marg, New Delhi-110 002.
Printed by : Sahitya Bhawan Publications, Hospital Road, Agra-03
October/2015/P0000 (New)

Contents
DISA Review Questions, Answers Manual – Module Page Nos.

1. Module – 1 1-119

2. Module – 2 120-178

3. Module – 3 179-290

4. Module – 4 291-404

5. Module – 5 405-461

6. Module – 6 462-557

7. Module – 7 558-611

DISA Review Questions, Answers Manual – Module 1

Module 1 Questions
Q1. The primary function of the CPU is to take care of
A. Input, Output and arithmetic-logic activities
B. Control and Output activities
C. Control and arithmetic-logic activities
D. Input and Control activities

Q2. Which of the following would be classified as a corrective control?
A. Business continuity planning
B. Transaction authorisation
C. Terminal security
D. Passwords

Q3. A major design consideration for local area networks that replace stand-alone
computing in an organisation includes:
A. Ensuring a sophisticated and state-of-the-art recovery mechanism
B. Ensuring concurrent access control
C. Ensuring seamless integration
D. Allowing distributed processing

Q4. Which one would be a material irregularity?
A. Programmers forgot to indicate file retention periods
B. Operation personnel did not follow a procedure due to an
oversight
C. Librarian forgot to log tape movement
D. Knowingly, an IS Manager approved a payment for his uncle's IS
software firm for a job not done by them.

Q5. With respect to AI, a heuristic refers to:
A. Rule of thumb
B. Known fact
C. Known procedure
D. Guaranteed procedure

Q6. Which of the following is usually a purpose of a modem:
A. increase line errors caused by noise
B. produce encrypted messages
C. increase the speed of data transmission
D. dynamically share a smaller number of output channels

Q7. The most appropriate concurrent audit tool, whose complexity is very
high and which is useful when regular processing cannot be interrupted, is:
A. SCARF/EAM
B. ITF
C. Snapshot
D. Audit hooks

Q8. A large organization with numerous applications running on its
mainframe system is experiencing a growing backlog of undeveloped
applications. As part of a master plan to eliminate this backlog, end-user
computing with prototyping is being introduced, sup
A. Data Control
B. Systems Analysis
C. Systems Programming
D. Application Programming

Q9. Which of the following converts digital pulses from the computer into
frequencies within the audio signals?
A. multiplexor
B. protocol converter
C. modem
D. concentrator

Q10. Introduction of computer-based information systems has affected auditing.
Which of the following is NOT an effect of IS on auditing?
A. To identify a control weakness and trace its effects has become
harder
B. The evidence collection process has been rendered more difficult
C. Introduction of newer technology by the day has made their
understanding a difficult task for the auditor
D. The basic objectives of auditing have undergone change

Q11. While conducting the audit, the auditor shall allocate the audit resources
to
A. Sequentially selected areas
B. Prioritised areas
C. Randomly selected areas
D. All areas subject to audit

Q12. In data processing, which of the following causes the maximum losses?
A. poor computer centre design
B. theft of machine time
C. errors and omissions
D. machine room fires

Q13. An MIS Manager has only enough resources to install either a new
payroll system or a new data security system, but not both. Which of
the following actions is most appropriate?
A. Giving priority to the security system
B. Leaving the decision to the MIS manager
C. Increasing MIS staff output in order for both systems to be
installed
D. Having the information systems steering committee set the priority

Q14. As an IS auditor, which would you consider the MOST CRITICAL
CONTROL over an employee performing a function?
A. Supervisory Control
B. Periodic rotation of duties
C. Keep them motivated
D. Continuous training

Q15. Which of the following types of subversive attacks on a communication
network is not an active attack?
A. message modification
B. denial of message services
C. traffic analysis
D. message deletion

Q16. Which of the following utilities can be used to directly examine the
quality of data in the database:
A. Pointer validation utility
B. HIPO charter
C. Terminal simulator
D. Decision-table preprocessor

Q17. Which one of the following controls would protect the production libraries
without compromising the efficiency of open access?
A. Restrict updating and read access to one position
B. Permit updating and read access for everyone in IS
C. Permit updating for everyone in IS but restrict read access to
source code to one position
D. Restrict updating to one position but permit read access to
source code for everyone in IS

Q18. An apparent error in input data describing an inventory item was
detected and the issue was referred back to the originating department
for correction. A few days later, the department complained that the
inventory in question was not correct. EDP could n
A. Input edit checks
B. missing data validity checks
C. transmittal control
D. error log

Q19. Hardware controls are important to IS auditors for they:
A. Ensure correct programming of operating system functions
B. Assure that the vendors support current versions of the software.
C. Assure the correct execution of machine instructions
D. Ensure that run-to-run totals in application systems are consistent

Q20. Use of public key infrastructure by an eCommerce site, where public
key is widely distributed and the private key is for the hosting server, is
MOST likely to provide comfort to the:
A. customer over the confidentiality of messages received from the
hosting site
B. hosting site over the confidentiality of message sent to the
customer
C. hosting site over the authenticity of the customer
D. customer over the authenticity of the hosting site

Q21. Which of the following is considered a potential benefit of Electronic Data
Interchange (EDI)?
A. improving a vendor's response time to buyer orders
B. increasing data integrity by defining standards for retrieving paper-based
information
C. enabling use of a multiplicity of formats and coding standards
D. increasing inventory by reducing order lead-time

Q22. A company has entered into a contract with a service provider to
outsource network and desktop support, and the relationship has
been quite successful. To mitigate some risks, which remain due to
connectivity issues, which of the following controls should
A. adequate reporting between the company and the service
provider
B. install secure sockets layer (SSL)
C. adequate definition in contractual relationship
D. network defence program

Q23. A system has an adequate set of preventive controls. The installation of
detective controls:
A. Is redundant, since they address the same exposures
B. It is necessary to provide information on the effectiveness of the
preventive controls
C. To provide an audit trail
D. Would be needed in a manual system.

Q24. Which of the following statistical selection techniques is least desirable
for use by the IS auditor?
A. Systematic sampling selection technique
B. Stratified sampling selection technique
C. Cluster sampling selection technique
D. Sequential sampling selection technique

Q25. In an organisation, Integrated Test Facility (ITF) is not used in:
A. Maintenance
B. Automatic testing
C. Quantity control
D. Quality control

Q26. Which one of the following is not a substantive test?
A. Determining program changes are approved
B. Performing aging analysis
C. Performing system activity analysis
D. Performing job activity analysis

Q27. The audit trails are useful to
A. Auditors
B. Management
C. Users
D. All of the above

Q28. ___________ is an estimate of the degree of certainty that the
population average will be within the precision level selected
A. Standard deviation
B. Confidence level
C. Precision
D. Range

Q29. Which of the following functions SHOULD NOT BE combined with
Systems Analyst?
A. Control Group
B. DBA
C. Data Entry
D. Application programmer

Q30. Of the following, the most critical component in a LAN is likely to be the:
A. LAN cables
B. parallel port
C. file server
D. user workstations

Q31. Possible errors related to a security issue during application
development can be identified by reviewing:
A. System logs
B. Security policies
C. Code reviews
D. System configuration files

Q32. The IS Control Group is NOT responsible for performing
A. Logging of data input
B. Review and scrutiny of error listing.
C. Rectification of errors
D. Managing distribution of outputs.

Q33. The auditor plans to select a sample of transactions to assess the
extent that purchase cash discounts may have been lost by the
company. After assessing the risks associated with lost purchase
discounts, the auditor was most likely to select a sample fro
A. Open purchase orders
B. Paid EDI invoices
C. Paid non-EDI invoices
D. Paid EDI and non-EDI invoices

Q34. Which of the following message services provides the strongest protection
regarding the occurrence of a specific action:
A. delivery proof
B. submission proof
C. authentication of message origin
D. non-repudiation

Q35. The primary consideration for a System Auditor, regarding internal
control policies, procedures, and standards available in the IS
department, is whether they are:
A. Approved
B. Documented
C. Implemented
D. Distributed

Q36. The success of Control Self Assessment (CSA) depends on the culture of the
organisation, the project leader and the skills of the people involved in CSA.
While implementing, the pitfall to be avoided is
A. Generalisation of the planning process
B. Implementation on small projects
C. Management support
D. Broadening the focus of CSA's effectiveness

Q37. Which of the following requires the creation of a dummy entity for
Concurrent Auditing Techniques?
A. Snapshot/ Extended Record
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facility (ITF)
D. System Control Audit Review File (SCARF)

Q38. A firewall ruleset should not block
A. Inbound traffic without Internet Control Message Protocol
B. Inbound traffic from a non-authenticated source
C. Inbound traffic without the source address of the local host
D. Inbound traffic from an authenticated source having Simple
Network Management Protocol (SNMP).

Q39. Access may be filtered by a firewall access control list based on each
of the following EXCEPT:
A. network interface card (NIC)
B. port
C. service type
D. Internet Protocol (IP) address

Q40. The media that is rarely used in present day LANs is:
A. Fibre optics cable
B. Twisted-pair (shielded) cable
C. Twisted-pair (unshielded) cable
D. Coaxial cable

Q41. While appointing an auditor to conduct the IS audit the company need
not look into ________ of the auditor?
A. Legal capability
B. Experience
C. Proficiency in different computer languages
D. Secrecy bond, if penetration test is to be done

Q42. You are planning to use monetary-unit sampling for testing the rupee
value of a large inventory population. The advantages of using
monetary-unit sampling include all of the following except
A. It is an efficient model for establishing that low error rate
population is not materially misstated
B. It does not require the normal distribution approximation required
by variable sampling
C. Since the sampling units are homogeneous it can be applied to a
group of accounts
D. As errors increase, it results in a smaller sample size than that
required when using classical sampling.

Q43. Which one of the following is not a compliance test?
A. Reconciling accounts
B. Determining whether security policy is available
C. Determining whether access controls are in place
D. Determining whether system specification documents are
available

Q44. An audit technique used to select items from a population for audit
testing purposes based on the characteristics is termed as
A. Continuous Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling

Q45. The class of control used to minimise the impact of a threat is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q46. Which of the following is FALSE with regard to a symmetric key
cryptosystem?
A. the encryption and decryption process is fast
B. two different keys are used for the encryption and decryption
C. Data Encryption Standard (DES) is a typical type of private key
cryptosystem
D. For the decryption, the decryption key should be equivalent to the
encryption key

Q47. Which one of the following standards is relevant for a company dealing
with inspection and final testing?
A. ISO 9000
B. ISO 9001
C. ISO 9002
D. ISO 9003

Q48. A Systems Analyst's duties and roles comprise:
A. Scheduling of computer resources.
B. Testing and evaluating programmer and optimisation tools.
C. Ascertaining user needs for application programming.
D. Corporate database definition.

Q49. An advantage of outsourcing data processing activities in a company is
obtained by:
A. Requirement of more user involvement in communicating user
needs.
B. Establishment and enforcement of processing priorities internally.
C. Best IS expertise from the outside source.
D. Exercising direct control over computer operations.

Q50. A sampling technique that estimates the amount of overstatement in an
account balance is termed as:
A. Variable Sampling
B. Monetary Unit Sampling
C. Attribute Sampling
D. Statistical Sampling

Q51. Which one of the following audit techniques would likely provide a
Systems Auditor assurance about the effectiveness and efficiency of a
system operator's work?
A. Interviewing the system operator
B. Reading the operator's manual
C. Observing the system operator's work
D. Interviewing the system operator's supervisor

Q52. An online bookseller decides to accept online payment from customers
after implementing agreements with major credit card companies. Which
of the following parameters will LEAST impact such online transactions?
A. firewall architecture hides the internal network
B. encryption is required
C. timed authentication is required
D. traffic is exchanged through the firewall at the application layer
only

Q53. Assuming some irregularities exist in a population, the sampling plan to
identify at least one irregularity, and then to discontinue sampling when
one irregularity is found, is called:
A. Stop-or-go sampling
B. Variables sampling
C. Discovery sampling
D. Attributes sampling

Q54. At what stage should the risk assessment be included in the security
program in the event of new system additions or modification of the old
system?
A. When the new system is added or old system is modified
B. At the end of the year along with all other additions or
modifications during the year
C. Need not be done
D. After a defined period say every 3 months

Q55. In a situation where a public key cryptosystem is in use, the message
sent by the sender is signed by the:
A. sender's private key
B. receiver's public key
C. sender's public key
D. receiver's private key

Q56. Penetration testers, in an attempt to penetrate into the system or the
network, use different techniques to break in. Which of the following
techniques do they employ to obtain critical information from the
company's employees?
A. Password cracking
B. Social engineering
C. Physical security
D. Logical security

Q57. Which of the following is not a characteristic of audit evidence?
A. Relevance
B. Reliability
C. Sufficiency
D. Consistency

Q58. A LAN policy should define which of the following persons should be
made responsible for reporting maintenance problems or disk errors?
A. Network administrator
B. Users
C. Security officer
D. Systems administrator

Q59. A well written and concise job description is IRRELEVANT to
A. Providing a little indication of segregation of duties.
B. Assisting in defining the relationship between various job
functions.
C. Often being used as tool in evaluation of performance.
D. An important means of discouraging illegal acts.

Q60. While conducting the audit of security in an organisation, the procedure
of LEAST concern to the IS auditor is:
A. Validation of environmental, logical and physical access policies
for each of the job profiles.
B. Conduct sample tests to ensure that access to assets is
adequate.
C. Evaluation of procedures for safeguarding and prevention of
unauthorised access to assets.
D. Reviewing the effectiveness in utilisation of the assets.

Q61. In its truest sense, which of the following applications is a real time
application?
A. Missile launching system
B. Railway Reservation System
C. Banking application
D. Financial Accounting system

Q62. SQL is an example of
A. 1GL
B. 2GL
C. 3GL
D. 4GL

Q63. Which of the following is NOT an element of a LAN environment?
A. Packet switching technology
B. Baseband
C. Ring or short bus topology
D. Public circuit switching technology

Q64. Which of the following is not a substantive test:
A. Confirmation of data with outside sources
B. A test to assess the quality of data.
C. A test to compare data with an output source
D. A test to evaluate the validation controls in an input program.

Q65. Which of the following is NOT an advantage of the continuous auditing
approach?
A. Cumulative effects for the year are tested
B. Findings are generally more material to the organisation
C. Audit resources are more effectively directed.
D. Current decisions can be based on audited information.

Q66. Which of the following is NOT TRUE about a database management
system application environment?
A. Multiple users use data concurrently
B. Data are shared by passing files between programs or systems
C. The physical structure of the data is independent of user needs
D. Each request for data made by an application program must be
analysed by DBMS.

Q67. If a program is written using mnemonics and op-codes then the
program is in
A. Machine language
B. Assembly Level Language
C. Procedural Language
D. Non-procedural language

Q68. An agreement between two computer systems on the methods by which
transmitted data is packed and interpreted is called
A. Communications channel
B. Communications protocol
C. Synchronous mode of transmission
D. Asynchronous mode of transmission

Q69. A service provided to businesses by telecommunication companies
or long distance carriers that provides a permanent direct connection
between two geographically separate local area networks is called a:
A. Point-to-point link
B. Message switching
C. Distributed network
D. Packet switching

Q70. A transmission technique in which a complete message is sent to a
concentration point for storage and routing to the destination point when
a communication path is available is called:
A. Circuit Switching
B. Message Switching
C. Packet Switching
D. Junction Switching

Q71. In Internet architecture, a domain name service (DNS) is MOST
important because it provides the:
A. Address of the domain server.
B. Address of the naming client.
C. Resolution of the name to the IP address on the Internet.
D. Domain name characteristics

Q72. In an Internet URL, http://www.infosys.co, what does the .co signify?
A. Identifies the protocol being used
B. Identifies that the site is on the Internet
C. It is an additional information and is not needed
D. Identifies the purpose of the site. It stands for commercial.

Q73. Which of the following actions provides the IS Auditor with the greatest
assurance that certain weaknesses in internal control procedures have
been corrected by the management?
A. Discussing with the management the corrective procedures that
were implemented to strengthen the internal controls.
B. Obtaining a letter of representation from management stating that
the weakness has been corrected.
C. Performing compliance tests and evaluating the adequacy of
procedures that were implemented by the management to correct
the weaknesses.
D. Reviewing management's response to the weaknesses in their
formal report to the Board of Directors' audit committee.

Q74. Which of the following devices is a random access medium?
A. Magnetic Tape
B. DAT
C. CD-ROM
D. None of the above

Q75. Which of the following transmission media would NOT be affected by
cross talk or interference?
A. Fiber optic systems
B. Twisted pair circuits
C. Microwave radio systems
D. Satellite radio-link systems

Q76. Which type of cable uses a BNC connector?
A. Twisted pair
B. UTP
C. STP
D. Coaxial cable

Q77. Which of the following is not provided by a public key infrastructure
(PKI)?
A. Access control
B. Network Reliability
C. Authentication
D. Non-Repudiation

Q78. Which of the following is not a method of Control Self Assessment
(CSA)?
A. Delphi technique
B. Interview technique
C. Interactive workshop
D. Control guide

Q79. Which of the following is NOT included in the digital certificate:
A. The private key of the sender
B. Name of the TTP/CA
C. Public key of the sender
D. Time period for which the key is valid

Q80. Which of the following is not the objective of the establishment of a
security management structure?
A. Organisation management structure is identified
B. Security management has the required independence
C. There exists an optimal coordination and communication between
the IT and the security structure
D. Security management has the overall responsibility of security

Q81. While evaluating the IT control environment for obtaining an
understanding of the management’
A. The functions of the IT steering committee
B. The Security policy
C. The IT strategy of the management
D. The user’s perception of IT

Q82. While reviewing the outsourcing agreement with an external agency, the
IS auditor would be LEAST interested in verifying the clause containing:
A. Continuity of service by the agency in case of a happening of a
disaster.
B. Statement of due care and confidentiality.
C. Detailed specifications of the vendor’s hardware.
D. The ownership rights for the programs and files.

Q83. Project management is considered a separate division on the basis of:
A. Interdependencies among departments
B. Sharing of resources
C. Size of the project
D. All the above

Q84. An Invitation to Tender (ITT) does not address which of the following?
A. Availability of service personnel
B. Application portfolio and transaction volumes
C. Budget for the project
D. Compatibility of the new systems with the existing ones

Q85. The process of database tuning is carried out by
A. Data Administrator
B. Database Administrator
C. Application Programmer
D. Systems Programmer

Q86. Middleware is implemented by:
A. Server Monitor
B. Transaction Processing Monitor
C. CPU utilisation monitor
D. Network connectivity monitor

Q87. An organization is about to implement a computer network in a new
office building. The company has 200 users located in the same
physical area. No external network connections will be required. Which
of the following network configurations would be the MO
A. Bus
B. Ring
C. Star
D. Mesh

Q88. Which of the following can a local area network (LAN) administrator
use to protect against exposure to illegal or unlicensed software usage
by the network user?
A. Software metering
B. Virus detection software
C. Software encryption
D. Software decryption

Q89. Machine maintenance engineers pose some difficult control problems
because:
A. they possess very high level of computing skills
B. they are prone to changing jobs frequently. This may lead to the
loss of experience about a particular machine
C. they have available special hardware/software tools that enable
them to breach data integrity
D. for them to carry out their work, normally the application system
controls have to be relaxed

Q90. Which of the following provides complete information about a database?
A. Database model
B. The internal schema of the database
C. Data Dictionary
D. Database Views

Q91. Which of the following is NOT considered a method for data
representation in a DBMS?
A. Hierarchical model
B. Indexed Sequential model
C. Network model
D. Relational model

Q92. Which of the following translates e-mail formats from one network to
another so that the message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexer

Q93. An IS auditor who intends to use penetration testing during an audit of
Internet connections would:
A. Evaluate configurations.
B. Examine security settings.
C. Ensure virus-scanning software is in use.
D. Use tools and techniques that are available to a hacker

Q94. Which activity is taken up during the post-test phase of penetration testing?
A. Cleaning up
B. Vulnerability detection
C. Preparation of legal documents
D. Penetration attempt

Q95. Preventive controls are usually preferred to detective controls because:
A. Easier to design and operate
B. Requires elaborate performance measurement systems
C. Are intended to stop losses before they occur
D. No performance standard

Q96. Which of the following is deemed as good system design practice?
A. High cohesion of modules, low coupling of modules, and high
modularity of programs
B. Low cohesion of modules, high coupling of modules, and high
modularity of programs
C. High cohesion of modules, high coupling of modules, and high
modularity of programs
D. Low cohesion of modules, low coupling of modules, and low
modularity of programs

Q97. Which of the following is not a database model:
A. Hierarchical structure
B. Batched sequential structure
C. Network structure
D. Relational structure

Q98. The network of the company must be protected from remote access that
may damage the company’
A. All employees
B. Vendors
C. Contractors
D. All the above

Q99. Which of the following is FALSE with respect to Systems Software?
A. Provides facilities for debugging systems
B. Provides facilities to optimally use the resources of the system
C. Provides software for cryptographic purpose
D. Provides facilities to manage users connected to the system

Q100. Which network typically demands more knowledgeable users?
A. Server-based network
B. Peer-to-peer network
C. Local area network
D. Wide area network

Q101. Which of the following functions cannot be performed using a
communications network control terminal?
A. Resetting queue lengths
B. Starting and terminating line processes
C. Generating a control total for a point of sale device
D. Correcting a hardware error in a modem

Q102. Which of the following would typically be considered the fastest to
restore?
A. Normal backup
B. Incremental backup
C. Differential backup
D. Copy backup

Q103. All of the following are significant Internet exposures EXCEPT:
A. Loss of integrity
B. Denial of Service attacks.
C. Insufficient resources to improve and maintain integrity
D. Unauthorized access

Q104. When a store uses a point of sale device to record the sale of an item,
which of the following sequences of activities best describes the input
process:
A. data preparation, data capture, data input
B. data capture, data preparation, data input
C. data preparation, data input
D. data capture, data preparation, data capture, data input

Q105. Which of the following controls may not be associated with point-of-sale
equipment?
A. edit
B. data validation
C. batch
D. access

Q106. As an IS auditor, what precautionary method would you suggest to
the company when old computers that held confidential data are being
disposed of?
A. Dispose of it to reliable people
B. Format the hard disk
C. Delete all files in the hard disk
D. Demagnetize the hard disk

Q107. A session can be defined as
A. A link between two network nodes
B. Series of transmission without any disconnection
C. A specific place in a system
D. Bi-directional data flow between two network nodes.

Q108. All of the following are true relating to the use of fiber optics EXCEPT:
A. Data is transmitted rapidly
B. Fiber optic cable is small and flexible
C. They are unaffected by electrical interference
D. They provide the highest level of signal attenuation

Q109. When an organization's network is connected with an external
network in an Internet client-server model not under that organization's
control, security becomes a concern. In providing adequate security in
this environment, which of the following assurance
A. Server and client authentication
B. Data integrity
C. Data recovery
D. Data confidentiality

Q110. Penetration testing helps in identifying the vulnerabilities in network
security. Which of the following is not a reason for conducting the test?
A. Make the top management aware of the security issues
B. Test intrusion detection and response capabilities
C. Help in decision making process
D. Identifying the systems to be tested

Q111. Which of the following is a substantive audit test?
A. Verifying that a management check has been regularly performed
B. Observing that user IDs and passwords are required to sign on
to the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable

Q112. Which of the following is NOT a proper responsibility of functional users?
A. Establishing data ownership guidelines
B. Establishing data custodianship outlines
C. Establishing data usage guidelines
D. Establishing data disclosure guidelines

Q113. Which of the following statements about automated operations facility
parameters is not true?
A. operating system will identify an inaccuracy
B. they need to be maintained in a secure file
C. standards should be prepared to guide their maintenance
D. an offsite back copy should be maintained

Q114. Which of the following is NOT addressed in data and capacity
management?
A. Rapid growth of volumes of data
B. Rapid growth in the number of computer systems in the
organisation
C. Effective data backup schemes
D. Ensuring 24 X 7 availability

Q115. Which of the following is the best option with regard to an Information
Processing Facility (IPF)?
A. High MTBF and Low MTTR
B. Low MTBF and High MTTR
C. Low MTBF and Low MTTR
D. High MTBF and High MTTR

Q116. A hub is a device that connects:
A. Two LANs using different protocols.
B. A LAN with a WAN.
C. A LAN with a MAN.
D. Two segments of a single LAN.

Q117. It is essential to monitor telecommunication processes and ensure that
data transmission is complete and accurate. Which of the following
automated processes / reports measure this?
A. Turnaround time reports
B. Help Desk response monitoring reports
C. Breakdowns/downtime reports
D. Online monitoring tools

Q118. All of the following are considered characteristics of N-Tier computing
architecture EXCEPT:
A. Distributed computing
B. Open Industry standards
C. Thin Client interfaces
D. Monolithic architecture

Q119. In which of the following, tags are placed within text to accomplish
document formatting, visual features such as font size, italics and bold,
and the creation of links:
A. FTP
B. HTTP
C. Telnet
D. ActiveX

Q120. One main reason for using Redundant Array of Inexpensive Disks
(RAID) is:
A. all data can still be reconstructed even if one drive fails
B. all data are split evenly across pairs of drives
C. snap shots of all transactions are taken
D. write time is minimised to avoid concurrency conflicts

Q121. Output controls ensure that output is accurate, complete and produced
when required. The auditor during the course of his audit of output
controls does not look into which of the following:
A. All pages of the report are numbered consecutively
B. Comparison between the actual data totals and totals of record
counts is done at regular interval
C. Proper procedure for classification of output exists
D. Output of test runs and procedure runs are kept separately

Q122. Which of the following tools would be used when program coding has
to be done?
A. Compiler
B. Editor
C. Loader
D. Linker

Q123. Which of the following statements about a DBMS is INCORRECT?
A. Data redundancy is minimised
B. Applications share data
C. Provides the logic to solve a problem in an application
D. Provides facilities to access & store data which is accessed by
users

Q124. The database administrator is NOT responsible for which one of the
following functions?
A. Physical design of a database
B. Security of a database
C. Coordinate and resolve conflicting needs and desires of users in
their diverse application areas
D. Logical design of a database

Q125. Which of the following OSI layers communicates with the user
programs?
A. Physical
B. Application
C. Presentation
D. Session

Q126. Measuring utilization of all important network resources so that
individual or group use of the network can be regulated appropriately
is called:
A. Performance management
B. Security management
C. Accounting management
D. Configuration management

Q127. Which of the following controls would be MOST comprehensive in a
remote access network with multiple and diverse sub-systems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration

Q128. A reasonably controlled practice in the distributed executable programs
that execute in the background of a web browser client, like Java applets
and ActiveX controls, is:
A. Installation of a firewall
B. Usage of a secure web connection
C. Acceptance of executables only from the established and trusted
source
D. Hosting the website as part of your organization

Q129. Which of the following is FALSE with regard to a public key
cryptosystem?
A. the encryption key can be known to all communication users
B. the processing time required in private key cryptosystem is faster
than that of public key cryptosystem
C. the decryption key should be kept a secret
D. the decryption key is the same as the encryption key

Q130. Which of the following is not true with regard to the establishment of a
security management structure?
A. Security management should have authority in accordance with
the responsibility
B. Security management should have the overall responsibility of
security
C. Security management structure should be approved by all the
employees
D. Security management should have the required independence

Q131. When the computer is switched on, the system performs some tasks
before loading the operating system. Such ROM chips can be classified
as:
A. Hardware
B. Software
C. Firmware
D. None of the above

Q132. Which of the following media would be MOST secure in a
telecommunication network?
A. Dedicated lines
B. Base band network
C. Dial up
D. Broadband network digital transmission

Q133. Which of the following transmission media is MOST resistant to a
sniffing attack?
A. Optical fiber
B. Satellite microwave
C. Twisted-pair wire
D. Infrared

Q134. An electronic device that combines data from several low speed
communication lines into a single high speed line is called
A. Modem
B. Multiplexer
C. Channel
D. Link Editor

Q135. Monetary-unit sampling is most useful when:
A. in testing the accounts receivable balance
B. Cannot cumulatively arrange the population items
C. Expects to find several material errors in the sample
D. One is concerned with over-statements

Q136. When an accounting application is processed by computer, an auditor
cannot verify the reliable operation of programmed controls by
A. Manually comparing detail transaction files used by an edit
program with the program's generated error listings to determine
that errors were properly identified by the edit program
B. Constructing a processing system for accounting applications and
processing actual data from throughout the period through both
the client's program and the auditor's program
C. Manually reperforming, as of a moment in time, the processing
of input data and comparing the simulated results with the actual
results
D. Periodically submitting auditor prepared test data to the same
computer process and evaluating the results

Q137. Which of the following actions should be undertaken when plastic debit/
credit cards are issued:
A. mail the cards in an envelope that identifies the name of the
issuing institution
B. make the same groups responsible for the mailing of cards and
the investigation of returned cards
C. communicate the PIN to the cardholder over phone
D. mail the card and PIN mailer separately in registered envelopes

Q138. Which one of the following is the most essential activity for effective
computer capacity planning?
A. Doing the process of liaison with the management and hardware
suppliers
B. Talking to security administrator for incorporating security
procedures
C. To perform the process of Disaster Recovery Planning and
Business Continuity Planning
D. Determining the workload of applications

Q139. Which of the following is NOT a key concept of object-oriented
technology?
A. Encapsulation
B. Cohesion and Coupling
C. Polymorphism
D. Inheritance

Q140. Which of the following would typically be considered a LAN?
A. 10 computers in your office connected together and hooked up
to a printer
B. A connection of one computer in Mumbai to another in Delhi
C. The city-wide connection between ATMs
D. The 3 stand-alone PCs in your home

Q141. Which of the following allow users on the Internet to communicate with
each other by typing text mode in real time:
A. IM
B. RFC
C. FYI
D. FAQ

Q142. Secure socket layer (SSL) protocol addresses the confidentiality of a
message through:
A. Symmetric encryption
B. Message authentication code
C. Hash function
D. Digital signature certificates

Q143. A manufacturer has been purchasing materials and supplies for its
business through an e-commerce application. Which of the following
should this manufacturer rely on to prove that the transactions were
actually made?
A. Reputation
B. Authentication
C. Encryption
D. Non-Repudiation

Q144. In Wide Area Networks (WANs):
A. Data flow must be half duplex
B. Communication lines must be dedicated.
C. Circuit structure can be operated only over a fixed distance.
D. The selection of communication lines will affect reliability.

Q145. An IS auditor performing a telecommunication access control review
would focus his / her attention MOST on the:
A. Maintenance of usage logs of various system resources
B. Authorization and authentication of the user prior to granting
access to system resources
C. Adequate protection of stored data on servers by encryption or
other means.
D. Accountability system and the ability to properly identify any
terminal accessing system resources.

Q146. Which among the following components is of PRIMARY concern for
evolving a recovery plan after a communication failure?
A. Software
B. Documentation
C. Telecommunication
D. Hard disk free space

Q147. Which of the following need a company not prepare or decide upon after
appointing an IS auditor?
A. Documents related to processes or procedures
B. Area of surprise audit
C. Letter forgoing legal course of action related to penetration
testing
D. Number of days the audit should be carried out

Q148. Which of the following best describes a feature of statistical sampling?
A. It allows the auditors to have the same degree of confidence as
with judgement sampling
B. It allows the auditor to substitute sampling technique for his
judgement.
C. It provides a means for measuring the actual misstatement
in assertions
D. It provides a means for assessing the risk that the sample results
will not accurately represent the population characteristics.

Q149. Which of the following steps forms part of an approach to IT audit?
A. Review of systems
B. User controls
C. Compliance testing
D. All of the above

Q150. ___________ is not a component of the network security policy
A. Encryption policy
B. HR policy
C. Authentication policy
D. Access control policy

Q151. Which of the following persons is not a member of the IT steering
committee?
A. Senior managers
B. User departments
C. The control group
D. The information system department

Q152. The auditor of an IS can exercise control over
A. Desired audit risk
B. Inherent risk
C. Control risk
D. Detection risk

Q153. Data in a PC is represented by
A. ASCII Code
B. EBCDIC Code
C. Gray Code
D. Excess - 3 Code

Q154. One feature provided by the OS is to store all the data and program in
the auxiliary memory and bring only selective and needed portions into
the main memory for processing. This feature is termed as:
A. Spooling
B. Multiplexing
C. Caching
D. Paging

Q155. DBMS is a software package used to create, access and maintain a
database. The sub-language of a DBMS that defines a database is:
A. Data Description Language
B. Data Manipulation Language
C. Data Control Language
D. Data Access Language

Q156. DSS addresses which of the following?
A. Structured problems
B. Semi-Structured problems
C. Un-Structured problems
D. Problems that focus on exceptional reporting

Q157. With regard to a DSS, which of the following statements are TRUE: i) It
deals with semi-structured problems ii) It tackles problems dealing with
uncertainty iii) Permits ‘What-if’ analysis
A. i & ii
B. ii & iii
C. i & iii
D. i & ii & iii

Q158. The device primarily used to extend the network that must have the
ability to act as a storage and forwarding device is a:
A. Router
B. Bridge
C. Repeater
D. Gateway

Q159. All the following are phases in the establishment of a Switched Virtual
Circuit EXCEPT
A. Circuit termination
B. Data transfer
C. Circuit expansion
D. Circuit establishment

Q160. A sequence of bits appended to a digital document that is used to
authenticate an e-mail sent through the Internet is called a:
A. Digest signature
B. Encrypted message
C. Digital signature
D. Hash signature

Q161. Software that translates a program in 2GL to 1GL is:
A. Compiler
B. Interpreter
C. Assembler
D. Editor

Q162. An organisation decides to migrate from conventional file system
to a DBMS. Which of the following will increase on account of such
migration?
A. Programming errors
B. Data Entry Errors
C. Improper file access
D. Loss of parity

Q163. The advantage of a Ring topology is that
A. It is easy to install
B. It is easy to add or replace computers to the network
C. It minimizes network traffic congestion
D. It uses a number of high speed hubs and switches

Q164. A major problem in networking is the slow rate of data transfer. Which
of the following would help counter this problem?
A. Data formatting
B. Allocating adequate bandwidth
C. Centralized control
D. All of the above

Q165. Which of the following is NOT a function of the kernel of the OS?
A. To determine which processes are to be executed
B. To prepare the access matrix for accessing resources.
C. To allocate quantum of main memory for each and every user.
D. To overcome the problem of deadlock

Q166. Which of the following is not a job scheduling algorithm?
A. Round Robin
B. Demand Paging
C. Shortest Setup time
D. Jobs with a Red Tag

Q167. An organization is considering installing a local area network (LAN) in a
site under construction. If system availability is the main concern, which
of the following topologies is MOST appropriate?
A. Ring
B. Line
C. Star
D. Bus

Q168. Which of the following devices connects two or more dissimilar
computer systems by interpreting and translating the different protocols
that are used?
A. Router
B. Repeater
C. Gateway
D. Firewall

Q169. A firewall access control list may filter access based on each of the
following parameters EXCEPT:
A. Port
B. Service type
C. Network interface card (NIC)
D. Internet protocol (IP) address

Q170. Electromagnetic emissions from a terminal represent an exposure
because they:
A. Affect noise pollution.
B. Disrupt processor functions.
C. Produce dangerous levels of electric current.
D. Can be detected and displayed

Q171. Which of the following would an IS auditor consider a MAJOR risk of
using single sign-on in a networked environment?
A. It enables access to multiple applications
B. It represents a single point of failure
C. It causes an administrative bottleneck
D. It leads to a lockout of valid users

Q172. Which of the following activities is NOT within the scope of a DBA?
A. Defining the conceptual schema
B. Performing the task of database tuning
C. Determining the storage capacity for applications
D. Granting and revoking rights of users

Q173. In a TCP/IP based network, an IP address specifies a:
A. Network connection.
B. Router/gateway.
C. Computer in the network.
D. Device on the network such as a gateway/router, host, server etc

Q174. Which of the following is most often used for collecting statistical
and configuration information about network devices such as
computers, hubs, switches, routers, etc.?
A. Simple Network Management Protocol
B. Online reports
C. Downtime reports
D. Help desk reports

Q175. Which of the following provides the GREATEST assurance in achieving
message integrity and non-repudiation?
A. The recipient uses the sender's public key, verified with
a certificate authority, to decrypt the message digest
B. The recipient uses his private key to decrypt the secret key
C. The encrypted message digest and the message are encrypted
using a secret key
D. The encrypted message digest is derived mathematically from
the message to be sent

Q176. Networks are growing day-by-day. Which one of the following
components of such growth is most difficult to predict?
A. Modifications to physical and facilities
B. Network utilization by the existing users
C. Increased business activity and revenue
D. Extension of the network to new users

Q177. A normally expected outcome of a business process re-engineering is
that:
A. Information technologies will remain unaltered.
B. It improves the product, service and profitability.
C. Information from clients and customers will not be required.
D. Business priorities will not be modified.

Q178. The IS activity that is IRRELEVANT to information processing is:
A. Systems Programming
B. Librarian functions
C. Computer Operations
D. System analysis.

Q179. Which sampling plan will be used to find evidence of at least one
improper transaction in the population?
A. Discovery sampling
B. Acceptance sampling
C. Dollar unit sampling
D. Attribute sampling

Q180. Audit risk is a negative representation of an audit
A. Process
B. Analysis
C. Objective
D. Software

Q181. Network performance monitoring tools will MOST affect which of the
following?
A. accuracy
B. completeness
C. secrecy
D. availability

Q182. An IS auditor performing a telecommunication access control review
would focus the MOST attention on the:
A. whether access logs are maintained of use of various system
resources
B. whether data stored on servers are adequately protected by
means of encryption or any other means
C. accountability system and the ability to properly identify any
terminal accessing system resources
D. whether users are authorised and authenticated prior to granting
access to system resources

Q183. In the System Development Life Cycle (SDLC) the functional specifications
are translated into the logical and physical design during the ___________
stage
A. Functional specification
B. Program specification
C. Detailed design specification
D. Business requirement specification

Q184. The auditor during the course of audit takes into consideration the
materiality of the transaction. Which of the following would not be
considered by the auditor to assess the materiality in case of a
non-financial transaction?
A. Cost of system or operations
B. Cost of errors
C. Activities supported by system or operations
D. Cost of providing physical access controls to the system

Q185. The difference between SCARF and Continuous and Intermittent
Simulation (CIS) is:
A. CIS cannot collect data for performance monitoring purposes
B. CIS requires modification of the database management system
used by the application
C. Only targeted transactions can be examined using CIS.
D. CIS cannot write exceptions identified to a log file

Q186. The first step the IS internal audit manager should take, when preparing
the annual audit plan, is to:
A. Meet the audit committee members to discuss the IS audit plan
B. Ensure that the audit staff is competent in the areas to be audited
and wherever required to provide for appropriate training.
C. Prioritise the audit areas by performing risk analysis.
D. Begin with the previous year's IS audit plan and carry over any IS
audit that had not been accomplished

Q187. Due to important work, the senior computer operator has gone on
leave for ten days. In his place, the security officer has been asked to
officiate. In this scenario, as an IS auditor, which of the following would
be the most appropriate?
A. Inform the top management of the complexities and risks in doing
so.
B. Develop a small program that will give a picture of what is
happening during the absence of the operator
C. Examine the accounting data recorded in the system for any
irregularities
D. Appoint a qualified computer operator on a temporary basis.

Q188. Internal controls are not designed to provide reasonable assurance that:
A. Irregularities will be eliminated
B. logical access is permitted only in accordance with authorization
C. Segregation of duties is maintained
D. IS operations are performed in accordance with appropriate
authorizations

Q189. The system auditor primarily uses the information provided by a detailed
understanding of the information system controls and risk assessment
to determine the nature, timing, and extent of the:
A. Substantive tests
B. Attribute sample tests
C. Variable sample tests
D. Compliance tests

Q190. The class of control used to overcome problems before they acquire
gigantic proportions is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q191. A general guideline of a security policy does not
A. Identify and determine what is to be protected
B. Identify acceptable activities
C. Update the policy
D. Keep the policy a secret

Q192. To conduct a system audit the IS auditor should:
A. Be technically at par with the client's technical staff
B. Be able to understand the system that is being audited
C. Possess knowledge in the area of current technical words.
D. Only possess a knowledge of auditing

Q193. Which of the following activities is undertaken during data preparation:
A. errors identified during the input validation phase are corrected
B. captured data are converted into machine readable form
C. economic events that are relevant to the ongoing operations of
an organisation are identified and recorded
D. data are recorded on source documents so it can be keyed to
some type of magnetic medium

Q194. Which of the following applet intrusion issues poses the GREATEST risk
of disruption to an organisation?
A. applets damaging machines on the network by opening
connections from the client machine
B. a program that deposits a virus on a client
C. applets recording keystrokes made by the client and, therefore
passwords
D. downloaded codes reading files on the client’s hard disk

Q195. Which of the following is true with regard to a computerised
environment?
A. Separation of duties is not possible
B. A clear line of authority and responsibility exists
C. Highly skilled persons are not required to develop, modify and
operate the system
D. Audit trails are not available by default on all software

Q196. The class of control used to monitor inputs and operation is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q197. Which of the following steps provide the highest assurance in achieving
confidentiality, message integrity and non-repudiation by either sender
or recipient?
A. the recipient uses his/her private key to decrypt the secret key.
B. the recipient uses the sender's public key, verified with a
certificate authority, to decrypt the pre-hash code
C. the encrypted pre-hash code and the message are encrypted
using a secret key
D. the encrypted pre-hash code is derived mathematically from the
message to be sent

Q198. Several risks are inherent in the evaluation of evidence that has been
obtained through the use of statistical sampling. A beta or type II error
related to sampling risk is the failure to:
A. Properly define the population
B. Draw a random sample from the population.
C. Reject the statistical hypothesis that value is not misstated when
the true value is materially misstated.
D. Accept the statistical hypothesis that value is not materially
misstated when the true value is not materially misstated

Q199. The following statement about controls over computer operators is true:
A. segregation of operator duties is not a very effective control
B. If operators are given access to the system documentation, they
may help in tracing the cause of a potential error
C. a malicious operator can undermine a disaster recovery operation
by corrupting backup files progressively over time
D. operators do not need to rely on documentation during a disaster
recovery operation

Q200. Corporate guidelines to download anti-virus software from the official
site help to
A. Detect virus
B. Prevent virus
C. Correct virus
D. Contain virus

Q201. The installation of a database management system (DBMS) does not
have any direct impact on:
A. Data redundancy within files
B. Sharing of common data
C. The internal control of data accuracy and access and
inconsistencies within common data fields
D. The logic needed to solve a problem in an application program

Q202. The risk that the conclusion based on a sample might be different from
the conclusion based on examination of the entire population is called
A. Confidence risk
B. Sampling risk
C. Statistical sampling
D. Tolerable rate and the expected deviation rate.

Q203. The LAN policy is framed by
A. The IT steering committee
B. The Top management
C. A business analyst
D. A project manager

Q204. Which of the following represents a typical prototype of an interactive
application?
A. Screens and process programs
B. Screens, interactive edits, and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports

Q205. A function NOT possible of being accomplished using CAATs is:
A. Calculating the age-wise outstandings of Receivables and
Payables.
B. Checking and reconciling of postings done in the General Ledger.
C. Calculation of Foot Totals
D. Selection of testing sample data

Q206. A sampling technique used to estimate the average or total value of a
population based on a sample is termed as:
A. Variable Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling

Q207. In selecting the applications to be audited, which criterion is LEAST likely
to be used:
A. Technological complexity
B. Inherent Risk
C. Sensitivity of transactions
D. Legal requirements

Q208. Which one of the following is ideally suited for multimedia applications?
A. Integrated services digital network (ISDN) and broadband ISDN
B. Broadband ISDN, fiber optics, and ATM
C. Narrowband ISDN, central office switches, Voice Mail system
D. ISDN LAN Bridges, fiber optics, and asynchronous transfer mode
(ATM)

Q209. During an audit of the tape management system at a data center, an
IS auditor discovered that some parameters are set to bypass or ignore
the labels written on tape header records. However, the IS auditor did
not e that there were effective staging and jo
A. tape header should be manually logged and checked by the
operators
B. staging and job set-up procedures are not appropriate
compensating controls
C. staging and job set-up procedures compensate for the tape label
control weakness
D. tape management system is putting processing at risk and that
the parameters must be set correctly.

Q210. For electronic commerce deals through web-based transactions
involving acceptance of payment through credit cards, installation
of a firewall with strict parameters is required, having an impact on the
transaction itself. State the parameter having the LEAST i
A. Encryption of all transactions
B. Authentication of all transaction in time
C. Architecture of the firewall hiding the internal network
D. Exchange of traffic through the firewall at the application layer
only

Q211. In which phase of the Waterfall life cycle development model is rapid
prototyping used?
A. Requirements
B. Design
C. Coding
D. Testing

Q212. The following estimates the probability of a computer system being
destroyed in a natural disaster and the corresponding overall business
loss. Which system has the greatest exposure to loss?
A. System A - Likelihood 10%, Losses in ($) 6 million
B. System B - Likelihood 15%, Losses in ($) 5 million
C. System C - Likelihood 20%, Losses in ($) 2.5 million
D. System D - Likelihood 25%, Losses in ($) 4 million

Q213. When implementing local area networks, the major implementation
choices involve decisions about all of the following except:
A. Repeaters
B. File servers
C. Routers
D. Terminal controllers

Q214. Which of the following functions SHOULD NOT BE combined with the
Control Group?
A. Systems Analyst
B. DBA
C. Security Administration
D. QA

Q215. Which of the following are considered while determining the sensitivity
of information?
A. Availability and integrity
B. Integrity and Confidentiality
C. Availability and Confidentiality
D. Availability, Integrity and Confidentiality

Q216. A control is NOT designed and implemented to:
A. reduce the enormity of the loss when a threat materializes
B. reduce the probability of the threat materializing
C. reduce the expected loss from a threat
D. control the normality of the distribution curve of the loss from the
threat

Q217. An example for a concurrent audit tool whose complexity is low is:
A. SCARF/EAM
B. ITF
C. Snapshot
D. Audit hooks

Q218. The initial validation control for a credit card transaction capture
application would MOST likely be to:
A. check that the transaction is not invalid for that card type
B. ensure that the transaction amount entered is within the
cardholder's credit limit
C. verify the format of the number entered and then locate it on the
database
D. confirm that the card is not listed as hot

Q219. Which of the following utilities can be used to directly examine the ability
of the program to maintain data integrity?
A. Data dictionary
B. Macro
C. Output analyser
D. Code optimiser

Q220. Due diligence of third party service providers need not cover
A. Evaluation of testimonials
B. Evaluation of infrastructure
C. Evaluation of experience
D. Evaluation of ownership

Q221. _________ tests individual programs.
A. Unit testing
B. System testing
C. Acceptance testing
D. Parallel testing

Q222. Which of the computer assisted audit techniques and tools help the
auditor to identify the impact of delays and rescheduling audit plans
A. Planning and scheduling
B. Project management and audit tracking
C. Inventory of the audit universe
D. Risk analysis

Q223. Which of the following is NOT TRUE with regard to network reliability
enhancement:
A. Redundant switching equipment
B. Parallel physical circuits
C. Licensed software
D. Standby power supplies

Q224. A LAN administrator is forbidden from:
A. Having programming responsibilities.
B. Reporting to the end-user manager.
C. Being responsible for LAN security administration.
D. Having end user responsibilities.

Q225. Custom Software Agreement should include a pre-acceptance performance standard to measure the software’
A. Unit Testing
B. Regression Testing
C. Load Testing
D. Acceptance testing

Q226. A procedure for an overall environmental review which is NOT performed by an IS auditor during pre-audit planning is
A. Understanding of business risks by interviewing management’s
key personnel.
B. Determining adherence to regulatory requirements by conducting compliance tests.
C. Reviewing audit reports of the previous years.
D. Touring key activities of the organisation.

Q227. Which of the following would be an appropriate compensating control when an IS auditor notices that, after normal office hours, changes are made with fewer steps than the standard procedure requires?
A. Using the regular account of the user with access to make changes to the database.
B. Using the DBA’s account to make changes, logging of changes,
and the following day reviewing the before and after image.
C. Using the normal user account to make changes, logging of
change, and the following day reviewing the before and after
image.
D. Using the DBA's account to make the changes.

Q228. An acceptable situation when IS product selection and purchase are done internally is when:
A. A thorough cost-benefit analysis is done by the managers before deciding what is to be purchased.
B. The purchases are done in line with the company’s long and
short term technology plans.
C. Data exchange is done on a casual basis in the local offices, which are independent.
D. The company uses a similar database management system
throughout.

Q229. While conducting an audit, the auditor should
A. Insist that a security policy exists
B. Not insist for a security policy
C. Insist that a security policy exists, and accept the existing policy
D. Insist that a security policy exists. However, he may not accept the existing policy

Q230. Which of the following would NOT be a reason for IS Audit involvement
in information systems contractual negotiations?
A. Often hardware does not interface in an acceptable manner
B. Many information systems projects incur additional costs over the
contract cost
C. Vendors may go out of business and discontinue service support
on their products
D. Only the IS Auditor can determine whether the controls in the
system are adequate

Q231. Compliance auditing is used to:
A. Complete an audit under accepted auditing standards
B. Eliminate the need for substantive auditing
C. Verify specific balance-sheet and profit and loss account values
D. Determine the degree to which substantive auditing may be limited

Q232. Each of the following is a general control concern EXCEPT:
A. Security policy
B. Environmental control within the IS department.
C. Daily control totals.
D. Physical and logical access controls.

Q233. To measure variability, the most useful statistic is the:
A. Median
B. Range
C. Standard deviation
D. Mean

Q234. To examine the existence of the entities described by the data, which functional capability of generalised audit software would be used:
A. File access capabilities
B. Analytical review capability
C. Stratification and frequency analysis capability
D. Statistical sampling capabilities

Q235. Which of the following is a responsibility of the computer operations department?
A. analysing system degradation
B. analysing user specifications
C. reviewing software quality
D. troubleshooting electrical connection failures

Q236. Which of the following need not be emphasised while choosing a technology insurance policy?
A. Evaluation of the company
B. Reading the terms and conditions of the policy carefully
C. Not making any assumptions and obtaining clarifications where
required
D. Focussing on purchasing a general insurance policy

Q237. A detailed policy on firewalls should not:
A. Include log reports
B. Include guidelines for assessment of logs
C. Ensure that it is physically secured
D. Ensure that it is logically secured

Q238. The feasibility study is conducted after the _____________ phase
A. Business requirement
B. Need/ user request
C. Design specification
D. Program specification

Q239. Which of the following is not a component of audit risk?
A. Inherent risk
B. Control risk
C. Detection risk
D. Restrictive risk

Q240. The HR policy of a company should state that
A. Employees should take leave
B. If the employee has not taken leave, he should be given an incentive
C. Employees should be forced to go on leave for a few days
D. Employees should take leave only when they have some
important personal work

Q241. The primary advantage of a derived Personal Identification Number (PIN) is that:
A. it is easy to remember
B. new account numbers must be issued to customers if their PINs
are lost or compromised
C. it does not have to be stored, so preserving privacy is easier
D. changing the cryptographic key has no implications for existing
PINs

Q242. In which phase of a system development life cycle would you perform
Mutation analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q243. Accuracy of data is MOST important to a:
A. Decision Support System (DSS)
B. Strategic Planning System
C. Expert system
D. Management control system

Q244. The complete information about all data in a database is found in:
A. Database schema
B. Data dictionary
C. Data encryptor
D. Decision table

Q245. The auditor should ensure that the policy has been formulated and communicated by:
A. Asking employees for related documents that they have at hand
B. Identifying areas where relevant information has not been communicated
C. Assessing the commitment of the management
D. Identifying its misuse

Q246. To ensure operating system integrity, the web server configuration should be monitored. Which of the following is NOT necessary to achieve this objective?
A. Baseline for the configuration
B. Periodical review of the web configuration and where needed a
secondary review of the same
C. Internal web sites are inside the company
D. All internal communication must be digitally signed

Q247. Which of the following does NOT need to be considered in determining statistical sample sizes?
A. Desired precision
B. Size of the population
C. Nature of the population
D. Standard deviation of the population

Q248. Which of the following statements is FALSE for equipment mean-time-between-failure (MTBF)?
A. It is the average length of time the hardware is functional
B. Low MTBF values imply good reliability
C. It is the total functioning life of an item divided by the total
number of failures during the measurement interval
D. High MTBF values imply good reliability

Q249. User controls are designed to ensure that data collected and entered
into the system is
A. Authorised
B. Accurate
C. Complete
D. All of the above

Q250. Which of the following techniques ensures an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
A. encrypt the message with the sender's public key, and sign the message with the receiver's private key
B. encrypt the message with the sender's private key and sign the message with the receiver's public key
C. encrypt the message with the receiver's public key and sign the message with the sender's private key
D. encrypt the message with the receiver's private key and sign the message with the sender's public key

Q251. Echo Check belongs to hardware controls, which usually are those built
into the equipment. Echo Check is best described as:
A. a component that signals the control unit that an operation has
been performed
B. two units that provide read-after-write and dual-read capabilities
C. double wiring of the CPU and peripheral equipment to prevent
malfunctioning
D. validation logic applied to fields and records based on their interrelationships, with controls established for the batch.

Q252. Incompatible functions may be performed by the same individual either in the Information System department or in the User department. One compensating control for this situation is the use of:
A. A log
B. Check digit
C. Batch control totals
D. Range check

Q253. The International Organization for Standardization (ISO) has defined risk as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets”. This means risk has all of the following elements EXCEPT:
A. Vulnerabilities of assets
B. Probabilities of occurrence of threats
C. Exposure based on threats and vulnerabilities
D. Controls to contain the threat.

Q254. An auditor performing a statistical sampling of the financial transactions in a financial MIS would BEST use:
A. Generalised Audit Software
B. Regression Testing
C. Spreadsheets
D. Parallel simulation

Q255. You, as an IS auditor, observed that technical support personnel have unlimited access to all data and program files in the computer. Such access authority is:
A. appropriate, but all access should be logged
B. appropriate, because technical support personnel need to access
all data and program files
C. inappropriate, since access should be limited to a need-to-know
basis, regardless of position
D. inappropriate, because technical support personnel are capable
of running the system

Q256. An Information Systems Auditor observed that technical support personnel have unlimited access to all data and program files in the computer. Such access authority is:
A. appropriate, but all access should be logged
B. appropriate, because technical support personnel need to access
all data and program files
C. inappropriate, since access should be limited to a need-to-know
basis, regardless of position
D. inappropriate, because technical support personnel are capable
of running the system

Q257. In a data processing environment, which one of the following is NOT a compliance review?
A. Security policies are available
B. Performing analysis of system storage media
C. Review of system logs
D. Review of System errors

Q258. In order to prevent the loss of data during the processing cycle, the first point at which control totals should be implemented is:
A. in transit to the computer
B. during the return of the data to the user department
C. during the data preparation
D. between related computer runs

Q259. In the System Development life Cycle (SDLC) the user should be
involved in (1) design (2) development (3) implementation of new
system and changes to the existing system. Which of the following is
true?
A. 1, 2
B. 2, 3
C. 1, 3
D. 1, 2, 3

Q260. If fraud or errors are suspected in the population, the auditor would use:
A. Attribute sampling
B. Discovery sampling
C. Dollar – unit sampling
D. Ratio and difference estimation.

Q261. The functions of operations management relating to microcomputers, in organisations where microcomputers are used extensively, should be:
A. formulated by the person who develops the application system
for the microcomputers
B. performed by the operations manager responsible for the
mainframe computer
C. determined by the individuals who use the microcomputers
D. formulated by the operations manager and promulgated as a
standard through-out the organisation

Q262. The primary objective in testing the integrity of information is to ensure that:
A. Confidential information is protected
B. Data are complete, accurate and valid
C. Information for making decisions
D. Data are used for achieving business objectives.

Q263. Which of the following is a common security practice in a LAN?
A. Matching user ID and name with password
B. Principle of highest privilege should be implemented to perform the file backup function
C. Limiting access to local drives and directories
D. Controlling file-transfer rights

Q264. The auditor, during the course of his audit of the IT steering committee, interviews the members of the committee. This process helps the auditor to ascertain that:
A. Members of the committee are the persons with the most years of experience in the company
B. Members are appointed by the IS project sponsor
C. The committee is in charge of allocating resources and prioritising projects
D. The organisation culture is in no way influencing the committee
and its management practices

Q265. To obtain competent evidential matter about control risk, an Information Systems Auditor uses a variety of techniques, including:
A. Re-performance
B. Statistical Analysis
C. Code Comparisons
D. Expert system

Q266. In the LAN environment, the _____________ officer is responsible for prevention and detection of viruses
A. Web administrator
B. Security officer
C. Network administrator
D. A project manager

Q267. When the auditor uses generalised audit software to access data maintained by a database management system, which file structure is most likely to be difficult to access:
A. A tree structure
B. A sequential file structure
C. A random structure
D. An indexed sequential structure

Q268. What is the primary reason for replacing cheques with Electronic Funds Transfer (EFT) systems in the accounts payable area?
A. to ensure compliance with international EFT standard
B. to decrease the number of paper-based forms
C. to increase the efficiency of the payment process
D. to eliminate the risk that unauthorised changes may be made to
the payment transactions

Q269. Which of the following statements is true about a mandatory access control policy?
A. it is not possible for users to change their classification level,
though they can change their clearance levels
B. it must be enforced by a more complex access control
mechanism compared with a discretionary access control policy
C. it is less likely to be used in a business systems environment
than a discretionary access control policy
D. an audit trail is not required with a mandatory access control
policy
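
As an added example (not from this manual), the Python below is a minimal mandatory access control check in the Bell-LaPadula style, showing what distinguishes the options above: labels are fixed by the policy rather than by the user, the decision compares two labels under a lattice rule rather than consulting a per-object permission bit, and every decision still goes to an audit trail. Subjects, objects, levels and function names are constructed for this illustration.

```python
"""Added example: a minimal mandatory access control (MAC) decision in the
Bell-LaPadula style. Subjects, objects and labels are constructed for
illustration; the point is that labels are set by policy, not by the user."""
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Assigned by the security administrator; ordinary subjects cannot edit these.
CLEARANCE = {"clerk": "internal", "analyst": "confidential", "cfo": "secret"}
CLASSIFICATION = {
    "press_release.txt": "public",
    "payroll.db": "confidential",
    "merger_plan.doc": "secret",
}

AUDIT_LOG = []  # every decision is recorded: MAC does not remove the need for a trail


def mac_check(subject, obj, access):
    """Return True if `subject` may perform `access` ('read' or 'write') on `obj`.
    Unlike a DAC permission bit, the decision compares two labels under a
    lattice rule, which is why MAC needs a more involved mechanism."""
    s = LEVELS[CLEARANCE[subject]]
    o = LEVELS[CLASSIFICATION[obj]]
    if access == "read":
        allowed = s >= o  # simple security property: no read up
    elif access == "write":
        allowed = s <= o  # *-property: no write down (no leaking to a lower level)
    else:
        raise ValueError(f"unknown access type {access!r}")
    AUDIT_LOG.append((subject, obj, access, "ALLOW" if allowed else "DENY"))
    return allowed


def relabel(actor, obj, new_level):
    """Only the security administrator may change a classification. A user
    cannot downgrade an object (or raise their own clearance) to gain access."""
    if actor != "security_admin" or new_level not in LEVELS:
        AUDIT_LOG.append((actor, obj, f"relabel:{new_level}", "DENY"))
        return False
    CLASSIFICATION[obj] = new_level
    AUDIT_LOG.append((actor, obj, f"relabel:{new_level}", "ALLOW"))
    return True
```

With these labels a clerk cleared to "internal" is refused a read of the "secret" merger plan, cannot relabel it to get in, and is still allowed to write upward into "confidential" payroll data, which is the *-property at work rather than a DAC-style owner decision.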

Q270. An Integrated Test Facility (ITF) is BEST described as:
A. Tagging and extending master records.
B. Programming options permitting printout of specific transactions.
C. A technique enabling test data to be entered into a live system for processing verification.
D. Utilisation details of hardware and software for reviewing the functioning of the system.

Q271. An IS auditor came across an instance of a security administrator occasionally working as a senior computer operator. The BEST follow-up action to be taken by the IS auditor is to:
A. Continue to work along with the security officer on such occasions as a precautionary preventive control.
B. Inform and advise senior management of the high risks involved.
C. Develop CAATs to detect such instances.
D. Review system logs on such occasions to identify any irregularities encountered.

Q272. Insecure information which could threaten the existence of an organisation is classified under:
A. Low sensitivity
B. Average sensitivity
C. Medium sensitivity
D. High sensitivity

Q273. Which one of the following poses a major threat in using remote
workstations?
A. Standard software packages
B. Response time
C. Data transfer speed
D. Security

Q274. The main objective of separation of duties is to ensure that:
A. The workload in the organisation is shared
B. Controls exist over efficient usage of hardware
C. a single person does not have complete control over a transaction from start to finish
D. none of the above

Q275. The objective of compliance testing is to find:
A. Whether statutory regulations are complied with
B. Whether assets are properly valued.
C. Whether appropriate controls have been incorporated.
D. The time and cost parameters for software projects are within
schedule and comply with the estimated ones.

Q276. The snapshot technique involves:
A. Selecting transactions that must pass through the input program
B. Capturing the working of an application at a point in time.
C. Taking the after-images of all data items changed, for accuracy and completeness.
D. Taking a picture of a transaction as it flows through a system

Q277. A network security policy need not include
A. A security matrix table
B. Penetration testing
C. Risk analysis
D. Network assets

Q278. An insurance company is planning to implement new standard software in all its local offices. The new software has a fast response time, is very user friendly, and was developed with extensive user involvement. The new software captures, consolidates, edi
A. Increased workloads
B. Lengthy retraining
C. More accountability
D. Less computer equipment

Q279. The best method to detect and correct errors is before the data are entered into an application system, but this is not always possible. In that case, what is the best alternative approach for ensuring data integrity?
A. Test data generator
B. Having monitoring modules
C. Use of generalised audit software
D. Expert systems

Q280. Which of the following is:
A. The auditor should take into consideration the subsequent events
B. The auditor should issue the report to all interested parties
C. The report need not touch upon standards and the internal control
of the organisation
D. The auditor should state in his report that all his
recommendations should be implemented

Q281. An IPF (information processing facility) is typically a large computer centre. Which of the following is the primary consideration in selecting its site?
A. minimise the distance that data control personnel must travel to
deliver data and reports
B. provide security
C. be easily accessible by a majority of company personnel
D. be on the top floor

Q282. In determining the sample size for a test of controls using attribute sampling, a systems auditor would be LEAST concerned with the:
A. Expected rate of occurrence
B. Precision limit
C. Results of substantive audit procedures
D. Risk of assessing control risk too high
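
As an added worked example (not from this manual) covering the sampling questions above (Q247, Q260 and this one), the Python below shows the arithmetic behind discovery sampling and attribute sampling: how the expected rate, the precision (tolerable rate) and the confidence level drive the sample size, why population size matters little once the population is large, and how an observed sample is evaluated. The confidence levels, deviation rates and population figures are constructed inputs; the function names are assumptions of this illustration.

```python
"""Added example: the arithmetic behind discovery and attribute sampling.
Inputs (confidence, rates, population sizes) are constructed for illustration."""
import math


def binomial_tail(n, k, p):
    """P(at most k deviations in n items) when the true deviation rate is p."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def discovery_sample_size(confidence, expected_rate):
    """Discovery sampling: smallest n giving probability >= confidence of seeing
    at least one deviation, assuming a very large population.
    P(none in n) = (1 - p)^n must fall to 1 - confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - expected_rate))


def discovery_sample_size_finite(confidence, population, deviants):
    """Same question for a finite population of `population` items containing
    `deviants` deviations, drawn without replacement (hypergeometric).
    For large populations the answer converges on discovery_sample_size()."""
    p_none = 1.0
    for n in range(1, population + 1):
        # chance that the n-th item drawn is also clean, given the first n-1 were
        p_none *= (population - deviants - (n - 1)) / (population - (n - 1))
        if p_none <= 1 - confidence:
            return n
    return population


def attribute_sample_size(confidence, tolerable_rate, expected_rate, max_n=10000):
    """Attribute sampling: smallest n such that, were the true rate as high as the
    tolerable rate, observing only the expected number of deviations would have
    probability <= 1 - confidence. Reproduces the usual audit sample-size tables."""
    for n in range(1, max_n + 1):
        k = math.ceil(round(expected_rate * n, 9))  # deviations expected in the sample
        if binomial_tail(n, k, tolerable_rate) <= 1 - confidence:
            return n
    return None


def attribute_upper_limit(sample_size, deviations_found, confidence, tol=1e-7):
    """Evaluation: the deviation rate we are `confidence` sure the population does
    not exceed, given k deviations in n items (bisection on the binomial tail)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_tail(sample_size, deviations_found, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi
```

With a 1% expected rate and 95% confidence, discovery sampling needs 299 items from a large population; a finite population of 10,000 with 100 deviants needs only slightly fewer, which is why population size is the factor the sample-size decision can usually ignore. For attribute sampling, 5% tolerable, 1% expected and 95% confidence gives 93 items, and finding no deviations in 100 items supports an upper deviation limit of about 3%.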

Q283. The basic purpose of an IS audit is:
A. To identify control objectives
B. To suggest the best possible hardware for the company
C. To help the top management in assessing the capabilities of
personnel.
D. To ensure that no statutory regulations are violated using
networks.

Q284. The IT auditor considers the controls that are present for the evaluation of the internal controls. Which of the following controls cut across hierarchical lines and follow the data as it flows through the organisation?
A. Corrective controls
B. Management controls
C. Application controls
D. Detective controls

Q285. There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
A. parallel simulation technique
B. data encryption technique
C. password encryption technique
D. maintaining a test deck

Q286. A decision table is used for testing with test data. The purpose of the results stub in the decision table is to:
A. Exhibit the expected and actual results
B. Document the conditions that lead to a particular action.
C. Exhibit the rules for different conditional values
D. Indicate the action to be taken when a rule is satisfied

Q287. A good e-mail policy should state that:
A. All mails sent and received should be monitored
B. All messages should be encrypted
C. Emails should be used only for official purpose
D. All personal mail should be labelled

Q288. The risk in auditing an information system depends on various other risks. Which of the following results in a decrease of the achieved audit risk?
A. A decrease in desired audit risk
B. A decrease in detection risk
C. An increase in inherent risk
D. An increase in control risk

Q289. The weakness that the IS auditor would be LEAST concerned with while performing an access control review in an organisation is:
A. The application programmers have access rights to the live data environment.
B. There is no provision for enabling the audit trails in the package.
C. Initiating transactions and changing the related parameters could
be done by a single user.
D. Group login access is being used for accessing critical functions.

Q290. The work of a clerk in a control group includes:
A. Authorising all the transactions.
B. Carrying out corrections in the master file.
C. Maintaining the error log.
D. Custody and control over the non IS assets.

Q291. To enforce the e-mail policy, management need not:
A. Educate employees
B. Educate third parties
C. Take prompt action in case of misuse or complaints
D. Prohibit subscription to e-newspapers and e-groups

Q292. To ensure proper separation of duties, the function NOT to be performed by the scheduling and operations personnel is:
A. Code Correction
B. Job submission
C. Resource management
D. Output distribution

Q293. When an organisation outsources its activities, it also provides data to the service provider. In such cases, the ownership of data:
A. Is transferred to the service provider
B. Is with the client/organisation that outsources services
C. Is shared by both parties
D. Is not transferred

Q294. When a company acquires custom-made software, it enters into a custom software agreement with the vendor. What should the company NOT consider before entering into such an agreement?
A. Present and future demands of the company
B. Contingency plan of the vendor
C. Frequency at which the vendor updates the software
D. Number of users of the software

Q295. Which among the following statements about information systems personnel is NOT true?
A. IS personnel have always lacked ethics
B. There has been a dearth of IS personnel from the initial days
C. Generally, the tasks performed by IS personnel are more complex
than those in manual systems
D. IS personnel do not enjoy as much power and clout in organisations as manual-systems personnel, such as HR personnel, do

Q296. Which of the following is a TRUE statement concerning test data techniques?
A. Requires the usage of a Test Data Generator.
B. Tests only pre-conceived situations
C. Requires minimal computer usage and manual effort.
D. High Level of IS expertise is essential.

Q297. Which of the following comments about Business Process Re-engineering (BPR) is NOT false?
A. Lesser accountability and weaker organisational structures are the outcome of a BPR.
B. Information protection is at high risk and always suffers with BPR.
C. Decrease in complexity and volatility in IT leads to considerable decrease in costs.
D. Increased number of people using the technology causes a serious concern for BPR projects.

Q298. Which of the following would an IS auditor NOT do while conducting a review of an organisation's IS strategies?
A. Interviewing concerned Corporate Management personnel.
B. Consideration of the external environment likely to benefit / affect the organisation.
C. Assessing the required security procedures for the IS environment.
D. Review of short and long term IS strategies.

Q299. Which of the following functions, if combined, would provide the GREATEST risk to an organisation?
A. Systems analyst and Database administrator.
B. Quality assurance and computer operator.
C. Computer Operator and Tape Librarian.
D. Application Programmer and Data entry clerk

Q300. Which of the following is NOT true with regard to passwords?
A. It should be communicated to the top management
B. It should not be written anywhere
C. It should not be written in plain text
D. Users should not be allowed to use the previous password

Q301. Which of the following statements about controls is FALSE?
A. A threat materializing can be prevented by implementing more
than one control
B. Controls are focussed primarily at unlawful events or threats
C. Controls can be implemented to prevent all unlawful events
D. Controls are subsystems in an IS consisting of interacting
components

Q302. An IS auditor came across instances where the users failed to review
the invoices prior to submitting them for processing since discounts
from vendors could be availed only within three business days of the
invoicing. Which of the following should the IS
A. Confirm that copies of invoices are compared with edit reports with detail of invoice value and discount prior to releasing the payment.
B. Confirm that copies of invoices are compared with edit reports with detail of invoice value and discount.
C. Confirm copies of invoices are reviewed on submission to
Accounts payable department.
D. Confirm that invoices are reviewed by accounts payable
department.

Q303. An organisation's strategic plan would normally comprise the organisation's goal of:
A. Implementing a new project planning system during the forthcoming year.
B. Testing of controls in the new accounting package to be implemented.
C. Growing to become the unanimous supplier of choice among the
buyers in a given period of time for the product / service to be
offered by the organisation.
D. Performing an evaluation of information technology needs of the
organisation.

Q304. As compared with other information systems, an Executive Information System does NOT have the characteristic of:
A. Ease of use compared with other systems
B. User friendly features built in.
C. Focusing on broad problems to a specific view.
D. Including other features of word processing, spreadsheets and
e-mails.

Q305. Can an IS auditor of a company outsourcing its operations insist on reviewing the vendor's business continuity plan document?
A. No, since the BCP is a personal document of the vendor.
B. Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide by the contract.
C. Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing company.
D. No, since this backup provision is adequately provided for in the
agreement.

Q306. Control of employee activities in a computerised environment is, vis-à-vis manual systems,
A. more difficult as the IS personnel resent being supervised at
every step
B. more difficult because employees access the system remotely
and perform duties electronically
C. less difficult because audit trails can be examined to trace unauthorised activities
D. less difficult because monitoring the employee activities
electronically is feasible

Q307. “Due professional care” requires an IS auditor to possess which of the following qualities?
A. A good amount of programming skill in the required software.
B. Arriving at a correct conclusion based on the facts and figures available.
C. Evaluating methodology of the audit test results.
D. Skills and judgement that are commonly possessed by IS
practitioners of that speciality.

Q308. During the audit of automated information systems, responsibility and reporting lines CANNOT be established since:
A. In sharing of resources, ownership is difficult to be established.
B. In the rapid development of technology, the duties change very
frequently.
C. The staff change the jobs with high frequency.
D. Ownership is irrelevant on account of diversified control.

Q309. Employees are compulsorily asked to proceed on a week-long vacation in many organisations to:
A. Remove possible disruption caused when going on leave for a
day at a time.
B. Cross train with another employee of another department.
C. Diminish chances of committing improper / illegal acts by the
employee.
D. Ensure a standard quality of life is led by the employee, which could enhance productivity.

Q310. Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques?
A. Time and cost involved and resources utilised in conducting an
audit.
B. Audit programs and audit procedures.
C. Recommendations and conclusions based on the findings from
the audit.
D. Functional business areas under audit.

Q311. Information that must be provided in the register is part of the _________ guideline of the server security policy
A. Ownership and responsibility
B. Monitoring
C. General configuration
D. Compliance

Q312. For a company carrying on the business of leasing of computers, the GREATEST threat would be:
A. The issues concerning licensing of software running on the leased
out machines.
B. The accounting control of peripherals being shared.
C. The leased out machines becoming obsolete prior to termination of the lease contract.
D. The re-assignment of the hardware quite frequently.

Q313. For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and FOREMOST step by an IS auditor?
A. The input and output process of data entry and reports generated.
B. The application with the higher return on investment.
C. The Organisation’s critical and high risk business areas
D. Availability of adequate manpower for the effective implementation
of the system.

Q314. In considering the outsourcing of computer operations, which factor would LEAST indicate a need for it?
A. There is a delay of more than 36 months in application
development.
B. System maintenance constitutes about 65% of the programming
costs.
C. Concurrent / parallel existence of Duplicate Information system
functions.
D. Development time of a high priority system is more than 12
months.

Q315. To eliminate data loss in processing, control totals are to be INITIALLY introduced:
A. During the return of data to the user department.
B. In transit to the computer.
C. During data preparation.
D. Between related computer runs.
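
As an added worked example (not from this manual) for the control-total questions (Q252, Q258 and this one), the Python below strikes record count, financial total and hash total at data preparation, then reconciles them after simulated processing runs to show which total catches which kind of loss. The records, the faulty runs and the function names are constructed for this illustration.

```python
"""Added example: batch control totals struck at data preparation and
reconciled after each processing run. Records and the faulty runs are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    account: int  # non-financial field, used for the hash total
    amount: int   # money in the smallest unit (paise), kept integral


def control_totals(batch):
    """Three totals kept with the batch from the first point of control:
    record count, financial total and a hash total of a field that is
    meaningless to add (account numbers) but changes if a record is altered."""
    return {
        "count": len(batch),
        "amount": sum(r.amount for r in batch),
        "hash": sum(r.account for r in batch),
    }


def reconcile(expected, batch):
    """Recompute the totals after a run and return the names of those that
    no longer agree (an empty list means the batch came through intact)."""
    actual = control_totals(batch)
    return sorted(name for name in expected if expected[name] != actual[name])


# Constructed batch as keyed in at data preparation, and the totals struck then.
BATCH = [Record(10001, 50000), Record(10002, 125000), Record(10003, 7550)]
TOTALS = control_totals(BATCH)


def run_drops_record(batch):
    """A run that loses the last record in transit: all three totals move."""
    return batch[:-1]


def run_posts_to_wrong_account(batch):
    """A run that posts the right amount to the wrong account: count and
    amount totals still agree, only the hash total exposes it."""
    return [Record(10009, batch[0].amount)] + batch[1:]


def run_truncates_amount(batch):
    """A run that truncates amounts to whole thousands: count and hash
    totals agree, the financial total catches it."""
    return [Record(r.account, r.amount // 1000 * 1000) for r in batch]
```

The totals are struck once, at data preparation, and carried forward; each subsequent run is reconciled against them rather than against the previous run's output, so a loss anywhere in the chain is attributable to the run in which the totals first disagree.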

Q316. Generalised Audit Software (GAS) is NOT used for:
A. Selecting unusual data as per the auditor’s choice.
B. Performing intricate and complex calculations
C. Preparation of multiple reports and output files.
D. Calculation verifications.

Q317. Implementation and maintenance of new and existing systems with the
aid of programmers and analysts is the responsibility of the:
A. Database administrator.
B. Systems development manager.
C. Operations Manager.
D. Quality assurance manager.

Q318. Improper segregation of duties amongst programmers and computer operators may lead to the threat of:
A. Unauthorised program changes.
B. Loss of data while executing a program.
C. Oversight omissions of data
D. Inadequate volume testing.

Q319. In a network security policy, a statement on methods of data communication will be listed under
A. Identification and authentication
B. Accountability and audit
C. Data exchange
D. Access control

Q320. In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
A. Control risk assessment.
B. Contract review with the legal counsel.
C. Assumptions and analysis of costs and benefits.
D. Assessing the organisation's business needs.

Q321. In determining good preventive and detective security measures
practised by an employee, the IS auditor places the HIGHEST reliance
on:
A. Compliance Testing
B. Risk Assessment
C. Observation
D. Detailed Testing

Q322. In evaluating and reviewing the effectiveness of the management’s
communication of IS policies to concerned personnel, the IS auditor
would be LEAST interested in reviewing / conducting
A. Systems and procedure manuals of the user department.
B. Interviews with the IS personnel and the end users.
C. Working Notes of the IS audit staff of the minutes of the IS
Steering committee meetings.
D. Information processing facilities operations and procedures
manuals.

Q323. In evaluation of an organisation’s IS strategy, which of the following
would an IS auditor consider to be the MOST important criteria?
A. Adequately supporting the business objectives of the organisation.
B. Consistent with the IS department’s preliminary budget
C. Procurement procedures are complied with.
D. Improvement done by the line management.

Q324. In the absence of full segregation of duties in an on-line system, the
distinct activity not to be combined with the other IS activities is:
A. Authorising
B. Originating
C. Correcting
D. Recording

Q325. In resolving legal complications, e-mail systems act as an important
medium of evidence since:
A. Classification of data is frequently used to control the information
to be communicated through e-mails.
B. The evidences are clear since there are defined policies for using
e-mail within the enterprise.
C. Excessive cycles of backup files remain due to availability of poor
housekeeping.
D. Accountability of the activities on the e-mail system is well
established due to strong access controls.

Q326. In segregation of duties, the organisation will be exposed to a very HIGH
risk if the duties of
A. Computer Operator and Quality Assurance are combined.
B. The work of a Data entry clerk is also done by a Tape Librarian.
C. A tape librarian are carried out by an application programmer.
D. Systems analyst and database administrator are done by the
same person.

Q327. In the case of Business Process re-engineering which of the following
is NOT true?
A. Development of a project plan and defining the key areas to be
reviewed is a key factor for the success of a BPR.
B. Implementation and monitoring of the new process is the
management’s responsibility.
C. The Success of a BPR is reached when the business and the risk
suits the re-engineering process.
D. The IS auditor is not concerned with the key controls that once
existed but with the one which exists in the new business
process.

Q328. ISO stands for:
A. International Statement of Organisation
B. International Organisation for Standardisation
C. International Standards Organisation
D. International Organisation for Stability

Q329. Intrusion can BEST be detected by:
A. Monitoring of all unsuccessful logon attempts by the security
administrator.
B. If on reaching the specified number of unsuccessful logon
attempts, the system is automatically logged off.
C. Authorised procedures are followed for user creation and user
privileges.
D. Automatic logoff if workstation is inactive for a specific period of
time.

Q330. IS activities can be outsourced to a third party. To evaluate the
performance of the service provider the auditor should
A. Benchmark the services
B. Identify the risk associated with outsourced activity
C. Determine the duration of the contract with the service provider
D. Determine the frequency at which the payment will be made for
services

Q331. ISO 9000:2000 standards are based on eight quality management
principles. One of the principles follows the systems approach to
management, which has various advantages. Which of the following
comes within the purview of this approach?
A. Defining different activities and their working within the system
B. Segregation of duties
C. Continuous monitoring
D. All of the above

Q332. IT operational efficiency is measured in terms of:
A. Technological value added to the organisation.
B. Its impact on other business processes and business units.
C. Decreased costs and increased revenue.
D. All the above

Q333. Maintenance of adequate security measures over IS assets and
accountability for the same rests with the:
A. Database administrator
B. Data and System owners
C. Data entry operators
D. Data Librarian

Q334. Many organisations are outsourcing specific activities to Service
Providers (SPs). Which is the least probable reason for such a move?
A. High security
B. Low cost
C. Reduced operational risk
D. Better service

Q335. Reconciliation of transactions in an application system is generally
carried out by the:
A. Application programmers
B. Systems design personnel
C. Employee in Computer operations.
D. End users in the respective business units

Q336. Segregation of duties is the procedure of dividing the critical functions
among different individuals so that no two critical aspects of a function
are performed by the same individual. Which of the following is not a
benefit of segregation of duties:
A. It reduces the possibility of frauds and misconducts
B. It increases the opportunity for someone to perpetrate misdeeds
and conceal errors
C. It makes the individual accountable for any unauthorised access
D. It reduces the dependency on one individual

Q337. Segregation of duties is TRUE in which of the following cases?
A. Improvement of an organisation’s efficiency and communication
can be achieved through a restrictive separation of duties.
B. Policies on segregation of duties in IS must highlight the
variations between the logical and physical access to assets.
C. While evaluating an organisation’s policy of segregation of duty,
the competency of the employees is of no relevance.
D. An organisation chart provides a precise definition of the
segregation of duties among the employees.

Q338. Service level agreements ensure that effective and efficient computer
services are provided to users. Which of the following is correct with
respect to service level agreements:
A. They are limited to certain IT resources
B. They are static agreements
C. They are arrangements between users and computer operation
facilities
D. It is the responsibility of user department to provide a framework
for each service level agreement

Q339. Shareware software acquired by a company can be used
A. Only by the company
B. By its employees for their personal purpose also
C. By all third parties associated with the company
D. By Everyone with whom the company chooses to share it

Q340. Testing of the accuracy of the interest collected on lending by a financial
institution is a/an
A. test of controls
B. analytical review
C. substantive test
D. understanding of internal controls

Q341. Substantive Testing and Compliance Testing can be best differentiated
as:
A. The latter tests details while the former tests procedures.
B. The former tests procedures while the latter tests plans.
C. Substantive testing tests validation while compliance testing tests
for regulatory requirements.
D. The latter tests for controls while the former tests for details

Q342. The activity of detective control in detecting virus relates to
A. Daily scanning of the entire file server and moving to a safer area
all the doubtful files
B. Linking to external systems through a firewall
C. Pre-usage scan of all secondary storage media brought from
outside.
D. Updation of anti-virus configuration settings on logging in by the
user.

Q343. The activity which is NOT a control function of a database administrator
(DBA) is:
A. Review of access logs in a supervisory level.
B. Approval of DBA activities by the management.
C. Database structure maintenance.
D. Separation of duties.

Q344. The advantage of an ISO 9001 quality system implementation is:
A. All business problems are assured of quality solutions.
B. Worries over cost effectiveness are well addressed.
C. Software Life Cycle activities are improved.
D. Maturity of the implemented quality system is irrelevant.

Q345. The advantage of tagging live transactions in an Integrated Test Facility
(ITF) as against designing new test data is that:
A. Special audit routines do not have to be embedded
B. Limiting the conditions to be tested in the system
C. Source documents do not have to be redesigned.
D. Test transactions are representative of normal application system
processing.

Q346. The application run manual would normally comprise of:
A. Change records for the application source code.
B. Program Logic flow charts and file definition.
C. Data base structures and the source codes.
D. Recovery actions for the error codes.

Q347. The basic character / purpose of an audit charter is best described by
which of the following?
A. Outlines the overall authority scope and responsibilities of the
audit function.
B. State the audit’s objective for the delegation of authority for
maintenance and review of internal controls.
C. Document the procedures designed to achieve the planned audit
objectives.
D. Be dynamic and often change with the technology and profession.

Q348. The BEST and reliable form of evidence that assists the IS auditor to
develop audit conclusions is :
A. Control Self Assessment assurance received on the working of
the application from a line management personnel.
B. A Letter of confirmation received from an outsider regarding the
account balance.
C. An analytical review of the ratios by the IS auditor from the
information received from the internal line management.
D. Internet trend analysis of the industry’s performance.

Q349. The BEST and the most reliable form of evidence that an IS auditor
would look for in audit of an IS environment is
A. The IS auditor’s test results
B. The auditee’s oral explanation / statement of the evidence
C. A confirmation letter received by the IS auditor directly from an
outside source
D. A report generated by the accountant from internal evidence

Q350. The BEST method of detecting the copying of illegal softwares onto a
network is by:
A. Periodically checking all the hard disks.
B. Using diskless workstations.
C. Framing policies for immediate termination of service of the
employee if he violates.
D. Always using an updated version of an anti-virus software
package.

Q351. The BEST set of attribute of Functionality in evaluating the quality of the
software product during its lifecycle is:
A. Relationship between the amount of resources used and the level
of performance of the software.
B. Ability of the software in maintaining its quality of performance
under various conditions.
C. Availability of a set of functions and its relevant properties.
D. Possibility of the software to be migrated from one environment.

Q352. The comment which is NOT true regarding ISO 9000 is
A. Documentation of activities is the main focus of the standard.
B. Quality compliance requirement sets are defined in ISO 9000.
C. Aspects affecting the customer satisfaction in an organisation are
dealt in the ISO 9000 standard.
D. Both the Internal and External business processes are covered
under the standard.

Q353. The definition of expected loss from a threat is:
A. the anticipated loss from the failure of the system to meet its
functional, efficiency and effectiveness objectives
B. the loss likely to occur in the ordinary course of business
C. the loss likely to occur if the threat materializes multiplied by the
probability of the threat
D. the loss likely to occur if the threat materializes

Q354. The DISADVANTAGE in cross training employees is that:
A. Succession planning is not provided for.
B. Increases the dependence on a single employee.
C. Allow individuals to understand all parts of a system.
D. Does not provide backup in the event of absence.

Q355. The duties and role of an IS Steering Committee is:
A. Performance review of the system department.
B. Preparation and monitoring of System implementation plans.
C. Initiating computer applications.
D. Ensuring data processing resources are efficiently used.

Q356. The Duties of a Computer operations does NOT comprise of:
A. Trouble shooting teleprocessing problems.
B. Analysis of degradation of the system.
C. Review and analysis of user specifications.
D. Analysing system schedules

Q357. The duties of a Data Security Officer does NOT comprise of:
A. Monitoring whether security of data is adequate and effective.
B. Suggesting and enforcing security measures (e.g. changes in
password)
C. Ensuring completeness and correctness of the data
D. Preparation of data classification methodology.

Q358. The Duties of a Database administrator does NOT comprise of:
A. Monitoring database usage
B. Altering physical data definitions for improving performance.
C. Designing database applications
D. Specifying physical data definition

Q359. The duty and responsibility of the security administrator without affecting
the interests of the organisation CAN be combined with that of the:
A. Computer operator
B. Systems Analyst
C. Systems programmer
D. Quality assurance

Q360. The duty of the Quality Assurance Group is
A. Ensuring completeness of the output on processing.
B. Adherence of established standards by programs, program
changes and documentation.
C. Developing and designing standards and procedures to protect
data in case of accidental disclosure, modification or destruction.
D. Reviewing execution of computer processing tasks.

Q361. The FIRST and preliminary step in the process of information security
program establishment is :
A. Acquisition of a software for the purpose of controlling the
security access.
B. Framing and adherence of a Corporate IS policy statement
C. Developing and implementing an IS security standards manual
D. The IS auditor conducting a comprehensive security control study.

Q362. The FIRST step an IS auditor should take, while conducting a software
licensing audit, on noticing that unauthorised software is used on most
of the machines is:
A. Inform auditee of the same and follow-up to confirm deletion of
the software.
B. Physically delete all copies of the unauthorised software in the
machines.
C. Do not initiate any action, as it is a common practice and only the
operations management is liable for observing the use of such
unauthorised softwares.
D. Report that unauthorised software is being used to auditee
management and the requirement to prevent such future
happenings.

Q363. The FIRST step in the review of an IT strategic plan is the review of
the:
A. Business plan of the organisation.
B. Information technology environment available at present.
C. Recent trends in the technology.
D. IT budget approved in the latest meeting of the Management.

Q364. The IMPORTANT benefit of risk assessment approach compared to
baseline approach to IS security management is that:
A. Irrespective of the asset value, a basic level of protection is
applied.
B. Adequate levels of protection are applied to information assets.
C. Equal resources are devoted to protect all information assets.
D. There is excess protection of the information assets.

Q365. The independence of an IS auditor who was involved in the
development of an application system shall be impaired when he:
A. Actively involves himself while designing and implementing the
application system.
B. Performs a post-implementation evaluation of the application
independently.
C. Suggests the management of control and system enhancements.
D. Conducts a review of the application developed.

Q366. The inherent risk in an application system is NOT likely to be influenced
by
A. the criticality of the application
B. the reliability of the controls in the system as perceived by the
auditor
C. the implementation of advanced technology in the application
D. the strategic nature of the system

Q367. The Job responsibilities and rights of an application programmer do
NOT include
A. Access to system program libraries.
B. Defining backup procedures.
C. Maintaining the systems in production.
D. Moving test versions into the production environment.

91
DISA Review Questions, Answers Manual – Module 1

Q368. The LAN policy describes the job of persons who work on the network.
The duties of a network administrator are
A. Monitoring security violations
B. Password administration
C. Configuring and optimising storage systems
D. Monitoring network environmental conditions

Q369. The main difference between manual and computerized systems in so
far as separation of duties is concerned is:
A. separation of duties is essential in manual systems whereas in-
built checks and balances take care in computerized systems
B. separate persons are responsible for initiation and authorization
in manual systems whereas execution and maintenance of
programs are entrusted to different persons in computerized
environment
C. separation of duties is easy to achieve in manual systems and
impossible in computerized systems
D. separation of duties does not totally eliminate frauds in manual
systems whereas computerized systems do not allow frauds to
be perpetrated.

Q370. The main difference in terms of control between a manual system and
a computer system is:
A. there is a difference in the internal control principles
B. the methodology for implementing the controls is not the same in
both
C. there is a perceptible difference in the basic control objectives
D. the control objectives pose more problems for implementing

Q371. The MAIN purpose of having Compensating Controls is to
A. Report the errors and omissions noticed.
B. Solve the problems encountered by the detective controls.
C. Foresee important problems prior to occurring.
D. Reduce risks of existing or anticipated control weaknesses.

Q372. The MOST critical situation that an IS auditor should report when he
observes a computer operator also performing the duties of a backup
tape librarian and security administrator is:
A. It is not necessary to report these situations to the senior
management.
B. Computer operators acting as a tape librarian and security
administrator.
C. Computer operators acting as security administrators.
D. Computer operators acting as tape librarians.

Q373. The MOST ideal documentation for an Enterprise Product Re-
engineering software installation is that
A. All phases of the installation must be documented.
B. Business requirement only needs to be documented.
C. Only specific developments are to be documented.
D. There is no need to develop a specific documentation for the
customer.

Q374. The MOST likely characteristic of an information systems
OPERATIONAL plan is:
A. assessing the strengths and limitations of the hardware to be
installed and software platform to be used
B. focusing on the strategy for the next three years for the IS
division
C. documenting the major milestones to be achieved in the system
development process
D. narrate the competitive advantages of the proposed development

Q375. The objective of using System Control Audit Review File (SCARF) within
the application is for collecting following information except:
A. Statistical sampling
B. Policy and procedural variations
C. Application system errors
D. Lack of internal program documentation

Q376. The purpose of establishing Information System Security Evaluation
Team is to
A. Guide the management and help them in protecting information
assets
B. Help in recruitment of the staff
C. Assist in appointing auditors
D. Frame the security and other policies of the company

Q377. The quality that should be determined by the IS auditor while reviewing
the functions of a Database administrator is
A. The database administrator has strong systems programming
capabilities.
B. The IS auditor’s audit software has the efficiency in accessing the
database.
C. The job responsibilities of the function are clearly defined.
D. The function reports to the data processing operations.

Q378. The quantification of the sample size depends on which of the following
criteria.
A. The sample size decreases as the precision amount decreases.
B. The expected population error rate does not affect the sample
size.
C. The sample size decreases with a decrease in the standard
deviation.
D. The confidence level increases as the sample size decreases.

Q379. The reason for the IS auditor NOT preparing a formal audit program
is :
A. To structure the IS auditor’s own planning.
B. Guiding the assistants in performing planned procedures.
C. Overall risk assessment of operations in the organisation.
D. Providing audit documentation for review and reference.

Q380. Which of the following is an application level firewall?
A. Packet filtering routers
B. Proxy systems
C. Stateful inspection
D. Circuit layer gateways

Q381. Which of the following is not a hash function?
A. MD Algorithm
B. Secure Hash Algorithm
C. Quantum Cryptography
D. HAVAL

Q382. Which one of the following is not a private IP address?
A. 10.5.09.210
B. 59.12.90.111
C. 172.16.99.100
D. 192.168.32.11

Q383. Which one of the following purposes is not served by Digital
Certificates?
A. Authentication
B. Validity of certificate
C. Non-Repudiation
D. Selection

Q384. Which is the component not found in a data dictionary?
A. Table definition
B. ER model of data
C. Actual data
D. Data element definition

Q385. In Public Key Infrastructure, confidentiality is ensured by:
A. Hash Code
B. Private Key
C. Public Key
D. Symmetric Key

Q386. System software that informs the computer how to use a particular
peripheral device is known as
A. Loader
B. Linker
C. Device Driver
D. Compiler

Q387. Which of the following is not a data structure?
A. Hierarchical
B. Network
C. Relational
D. Traditional

Q388. Which of the following IP address class has maximum hosts in its
network?
A. Class A
B. Class B
C. Class C
D. Class D

Q389. A topology in which every node is physically connected to every other
node is _____.
A. Tree
B. Star
C. Mesh
D. Bus

Q390. Which of the following is not an operating system?
A. Mainframe Systems
B. Multiprocessor Systems
C. Distributed Systems
D. Peer-to-peer systems

Q391. ARP stands for:
A. Address Reverse Protocol
B. Address Rapid Protocol
C. Address Resolution Protocol
D. Address Reserve Protocol

Q392. The voice data is transformed from analog to digital mode or vice-versa
by:
A. Internet Service Provider
B. Internet Service Provider
C. VoIP Service Provider
D. PSTN Station

Q393. What is the similarity between a multiplexer and a hub?
A. Both of them use TDM
B. Both use FDM and STDM
C. Both are hardware
D. Both route multiple connections

Q394. A Data Dictionary contains:
A. Data about data.
B. Programs.
C. Programs and data.
D. None of above.

Q395. Compiler is an example of:
A. System software
B. Programming software
C. Application software
D. Utility software

Q396. The IP address 205.189.256.71 is a
A. Class A address
B. Class B address
C. Class C address
D. None of above

Q397. IETF Stands for:
A. The Internet Engineering Task Force
B. The Internet Engineering Travel Force
C. The International Engineering Task Force
D. The International Engineering Travel Force

Q398. A specialized network device that determines the next network point to
which a data packet is forwarded toward its destination is called:
A. Gateway
B. Router
C. Firewall
D. Hub

Q399. Which one of the following is also known as a Proxy Server?
A. Dual Level Gateway
B. Application- Level Gateway
C. Circuit-Level Gateway
D. Packet Level Gateway

Q400. Switch is a:
A. Physical Layer device
B. Data Link Layer device
C. Network Layer device
D. Transport Layer device

Q401. EBCDIC stands for
A. Expandable Binary-Coded Decimal Interchange Code
B. Extended Binary-Coded Decimal Interchange Code
C. Extended Bit-Coded Decimal Interchange Code
D. None of the above

Q402. Embedded Systems make use of software called:
A. Middleware
B. Shareware
C. Firmware
D. None of the above

Q403. Which of the following is not a protocol in the Application Layer of TCP/
IP suite?
A. SMTP
B. DNS
C. UDP
D. TELNET

Q404. Hash functions are also called:
A. One-way Encryption
B. Public Key Encryption
C. Symmetric Key Encryption
D. Asymmetric Key Encryption

Q405. Which of the following is not an OSI Layer?
A. Application Layer
B. Data Link Layer
C. Message Layer
D. Transport Layer

Q406. NAT stands for:
A. Network Address Translator
B. Network Address Translation
C. Network address Testing
D. None of these

Q407. Which one of the following is not true about DDR2 RAM?
A. It runs twice as fast as DDR
B. It is known as Dynamic Data Rate Two RAM
C. It is known as Double Data Rate Two RAM
D. It is volatile

Q408. The primary difference of a buffer from a cache is in terms of
___________
A. Memory space
B. Temporary storage
C. Process speed
D. Operational level

Q409. Property that does not permit any person who signed any document to
deny it later is called:
A. Integrity
B. Validation
C. Maintenance
D. Non-Repudiation

Q410. Which of the following is not a level of abstraction?
A. Conceptual Level
B. Chemical Level
C. User Level
D. Physical Level

Q411. Access to the firewall should be limited to:
A. Firewall administrators
B. Top management
C. Security administrators
D. IT personnel

Q412. Which one of the following databases supports programming languages?
A. Hierarchical model
B. Network model
C. Relational model
D. Object-oriented models

Q413. MAU is:
A. Miscellaneous Access Unit
B. Multi Access Unicode
C. Multi - station Access Unit
D. Miscellaneous Access Unicode

Q414. SMTP uses port:
A.
B.
C.
D.

Q415. Which one of the following is not an essential feature of LAN?
A. Range
B. Transmission Technology
C. Topology
D. Routing

Q416. A Packet Filter Firewall Ruleset ideally should:
A. Forward any packet with a source address of the local network
to the external network
B. Allow all access from the external network to the firewall system
itself
C. Expressly allow everything unless specifically prohibited
D. Expressly prohibit everything unless specifically allowed

Q417. The following device is used to connect one type of IEEE 802.x LAN to
another
A. Router
B. Repeater
C. Bridge
D. No device is necessary as they are all compatible and are hence
grouped under 802 series

Q418. The operating system is not responsible for which of the following
activities in connection with the process management
A. Creating and deleting both user and system processes.
B. Suspending and resuming processes.
C. Storage allocation.
D. Providing mechanism for deadlock handling

Q419. 127.0.0.1 is
A. Broadcast address
B. Loopback address
C. is default routing address
D. None of above

Q420. Which of the following is a feature of ActiveX controls that can both be
used as well as misused?
A. ActiveX controls can be reused
B. ActiveX controls can access system resources
C. Many pre-developed controls for performing many tasks are
available
D. Execution of ActiveX controls can be controlled using Internet
Explorer security settings

Q421. Client server architecture is:
A. System software architecture.
B. Application software architecture.
C. Hardware architecture.
D. All of above.

Q422. When data is accessed through both sequential and direct access
methods the process is called:
A. Sequential storage and retrieval
B. Direct access and retrieval
C. Indexed sequential storage and retrieval
D. None of the above

Q423. A computer that is extremely fast and used for specialized applications
requiring immense mathematical calculations is:
A. Mainframe computer
B. Mini Computer
C. Super Computer
D. Hand held Device

Q424. Which one of the following is not a key issue in data and capacity
management?
A. How to effectively manage rapidly growing volume of data?
B. How to leverage data and storage technology to support business
needs?
C. What is the best data and storage management framework for an
enterprising business environment?
D. How to maintain the performance of a system?

Q425. What is not true about Open System Interconnection (OSI) model:
A. is a reference model
B. describes how information from a software application in one
computer moves through a network medium to a software
application in another computer
C. is a seven layered model
D. is a communication protocol.

Q426. The sequence of steps followed in connection-oriented service are:
A. Connection Release, Data Transfer, and Connection
Establishment
B. Connection Establishment, Data Transfer, and Connection
Release
C. Connection Release, Connection Establishment, and Data
Transfer
D. Data Transfer, Connection Establishment, and Connection
Release

Q427. Which one of the following performs a similar function?
A. Assembler and compiler
B. The Web server and the Web browser
C. Port protection device (PPD) and packet assembly and
disassembly (PAD) device
D. Routers and gateways

Q428. Confidentiality and data integrity services are provided in a network in
which of the following layers of the ISO/OSI model?
A. Physical layer
B. Data Link layer
C. Presentation layer
D. Application layer

Q429. Which of the following is not true about firewalls?
A. They can not be circumvented by use of modems.
B. They are responsible for filtration of network traffic between
public and private network.
C. More than one types of firewalls can be used in a network.
D. Firewalls may be hardware devices or computers running firewall
software.

Q430. In an Internet URL, “http://www.icai.org”, what is the use of .org?
A. Identifies the protocol being used
B. Identifies that the site is on the Internet
C. It is an additional information and is not needed
D. Identifies the domain and the purpose of the site

Q431. Hardware monitoring procedures that help in the hardware
maintenance program do not utilize:
A. Hardware Error Reports
B. Availability Reports
C. Utilization Reports
D. Preventive Maintenance Reports

Q432. The _______ is a mechanism used by hosts and routers to send
notification of datagram problems back to the sender.
A. ICMP
B. TCP
C. SMTP
D. TFTP

Q433. DMZ stands for:
A. De-military Zone
B. Demilitarized Zone
C. De-military Zone
D. None of these

Q434. Network-based Intrusion Detection Systems cannot do which of the
following:
A. Filter and analyse packets over a network
B. Operate in Real-Time
C. Match against database of known “attack signatures”
D. Recognise new types of attacks

Q435. When sending a signed message under a public key infrastructure, the
message is encrypted using the:
A. receiver’s private key
B. sender’s private key
C. receiver’s public key
D. sender’s public key and receiver’s private key

Q436. The Internet protocol (IP) address is
A. Always same for any server.
B. More than 32 bits to provide high security
C. Can change even if the Domain Name remains the same
D. Not a part of the DNS

Q437. The main disadvantage of peer-to-peer networking is:
A. The networks are difficult to configure
B. The networks are expensive
C. The network is less secure than a server based network
D. It follows a Master/Slave topology

Q438. Internet Protocol v.6
A. Address is shorter than Internet Protocol v.4 address
B. Migration from Internet Protocol v.4 will require extra cost
C. Migration from Internet Protocol v.4 will increase the IP address
space
D. is not being implemented in India.

Q439. Thin client fat server architecture means:
A. Client is dumb and server is intelligent.
B. Server is dumb and client is intelligent.
C. Client is less powerful than server.
D. Server is less powerful than client.

Q440. Where are the additional data and programs not used by the processor
stored?
A. Secondary storage
B. Input units
C. Output units
D. The CPU.

Q441. Hashing, to get storage addresses, is the process of applying a formula to
a:
A. Key field
B. File
C. Record
D. Character

Q442. A bus line consists of
A. Parallel data paths
B. Registers
C. Accumulators
D. Machine cycles

Q443. Pretty good privacy (PGP) is used in
A. Email security
B. Browser security
C. FTP security
D. None of the mentioned

Q444. Processing transactions in groups is called
A. Batch processing
B. Transaction processing
C. Offline processing
D. Data processing

Q445. A computer based system in which a telephone message is recorded in
digital form and then forwarded to others is
A. Voice mail
B. Tele conferencing
C. A bulletin board
D. Tele commuting

Q446. Computer systems that use data communication equipment to connect
two or more computers and their resources are a
A. Network
B. Host computer system
C. Teleprocessing system
D. Centralized processing system

Q447. The term used to describe the placement of the data entry function at
the scattered locations where the transactions occur is:
A. Distributed data entry
B. Distributed database
C. Distributed computing
D. Distributed risk management

Q448. In which way does the Combined Encryption combine symmetric and
asymmetric encryption?
A. The secret key is asymmetrically transmitted, the message itself
symmetrically.
B. First, the message is encrypted with symmetric encryption and
afterwards it is encrypted asymmetrically together with the key.
C. The secret key is symmetrically transmitted, the message itself
asymmetrically.
D. First, the message is encrypted with asymmetric encryption and
afterwards it is encrypted symmetrically together with the key.

Q449. A bus line consists of
A. Parallel data paths
B. Registers
C. Accumulators
D. Machine cycles

Q450. Hashing, to get storage addresses, is the process of applying a formula
to a:
A. Key field
B. File
C. Record
D. Character

Q451. The name for the screen’s clarity is
A. Resolution
B. Pixel
C. Refresh rate
D. LCD

Q452. Where are the additional data and programs not used by the processor
stored?
A. Secondary storage
B. Input units
C. Output units
D. The CPU.

Q453. IPSec is designed to provide the security at the
A. Network layer
B. Transport layer
C. Application layer
D. Session layer

Q454. A pictorial screen symbol that represents a computer activity/artifact is
called a(n):
A. Icon
B. Pointer
C. Cursor
D. Touch Screen

Q455. Processing transactions in groups is called
A. Batch processing
B. Transaction processing
C. Offline processing
D. Data processing

Q456. Computer systems that use data communication equipment to connect
two or more computers and their resources are a
A. Network
B. Host computer system
C. Teleprocessing system
D. Centralized processing system

Q457. A computer based system in which a telephone message is recorded in
digital form and then forwarded to others is
A. Voice mail
B. Tele conferencing
C. A bulletin board
D. Tele commuting

Q458. Microwave transmission, coaxial cables, and fiber optics are examples
of
A. Communication links
B. protocols
C. Internet working
D. Frames

Q459. The technique in shared programs that avoids interspersed printout from
several programs is:
A. Spooling
B. Queuing
C. Paging
D. Slicing

Q460. The term used to describe the placement of the data entry function at
the scattered locations where the transactions occur is:
A. Distributed data entry
B. Distributed database
C. Distributed computing
D. Distributed risk management

Q461. The effective size of the primary storage available for programs may
appear to be unlimited when the following concept is used:
A. Virtual storage
B. Memory caches
C. Buffering
D. Mirroring

Q462. Pretty good privacy (PGP) is used in
A. Email security
B. Browser security
C. FTP security
D. None of the mentioned

Q463. In which way does the Combined Encryption combine symmetric and
asymmetric encryption?
A. The secret key is asymmetrically transmitted, the message itself
symmetrically.
B. First, the message is encrypted with symmetric encryption and
afterwards it is encrypted asymmetrically together with the key.
C. The secret key is symmetrically transmitted, the message itself
asymmetrically.
D. First, the message is encrypted with asymmetric encryption and
afterwards it is encrypted symmetrically together with the key.

Q464. A pictorial screen symbol that represents a computer activity/artifact is
called a(n):
A. Icon
B. Pointer
C. Cursor
D. Touch Screen

Q465. The effective size of the primary storage available for programs may
appear to be unlimited when the following concept is used:
A. Virtual storage
B. Memory caches
C. Buffering
D. Mirroring

Q466. Microwave transmission, coaxial cables, and fiber optics are examples
of
A. Communication links
B. protocols
C. Internet working
D. Frames

Q467. The technique in shared programs that avoids interspersed printout from
several programs is:
A. Spooling
B. Queuing
C. Paging
D. Slicing

Q468. The name for the screen’s clarity is
A. Resolution
B. Pixel
C. Refresh rate
D. LCD

Q469. IPSec is designed to provide the security at the
A. Network layer
B. Transport layer
C. Application layer
D. Session layer

Answers for Module 1

Q1 Ans. c Q31 Ans. c Q61 Ans. a
Q2 Ans. a Q32 Ans. c Q62 Ans. d
Q3 Ans. c Q33 Ans. c Q63 Ans. d
Q4 Ans. d Q34 Ans. d Q64 Ans. d
Q5 Ans. a Q35 Ans. c Q65 Ans. b
Q6 Ans. c Q36 Ans. a Q66 Ans. b
Q7 Ans. a Q37 Ans. c Q67 Ans. b
Q8 Ans. b Q38 Ans. d Q68 Ans. b
Q9 Ans. c Q39 Ans. a Q69 Ans. a
Q10 Ans. d Q40 Ans. d Q70 Ans. b
Q11 Ans. b Q41 Ans. c Q71 Ans. c
Q12 Ans. c Q42 Ans. d Q72 Ans. d
Q13 Ans. d Q43 Ans. a Q73 Ans. c
Q14 Ans. b Q44 Ans. c Q74 Ans. c
Q15 Ans. c Q45 Ans. c Q75 Ans. a
Q16 Ans. a Q46 Ans. b Q76 Ans. d
Q17 Ans. d Q47 Ans. d Q77 Ans. c
Q18 Ans. d Q48 Ans. c Q78 Ans. a
Q19 Ans. c Q49 Ans. c Q79 Ans. a
Q20 Ans. d Q50 Ans. b Q80 Ans. a
Q21 Ans. a Q51 Ans. c Q81 Ans. b
Q22 Ans. c Q52 Ans. a Q82 Ans. c
Q23 Ans. b Q53 Ans. c Q83 Ans. d
Q24 Ans. c Q54 Ans. a Q84 Ans. c
Q25 Ans. c Q55 Ans. a Q85 Ans. b
Q26 Ans. a Q56 Ans. b Q86 Ans. b
Q27 Ans. d Q57 Ans. d Q87 Ans. d
Q28 Ans. b Q58 Ans. b Q88 Ans. b
Q29 Ans. a Q59 Ans. a Q89 Ans. c
Q30 Ans. c Q60 Ans. d Q90 Ans. c

Q91 Ans. b Q123 Ans. c Q155 Ans. a
Q92 Ans. a Q124 Ans. d Q156 Ans. b
Q93 Ans. d Q125 Ans. b Q157 Ans. c
Q94 Ans. a Q126 Ans. c Q158 Ans. c
Q95 Ans. c Q127 Ans. d Q159 Ans. c
Q96 Ans. a Q128 Ans. c Q160 Ans. d
Q97 Ans. b Q129 Ans. d Q161 Ans. c
Q98 Ans. d Q130 Ans. c Q162 Ans. c
Q99 Ans. c Q131 Ans. c Q163 Ans. c
Q100 Ans. b Q132 Ans. a Q164 Ans. d
Q101 Ans. d Q133 Ans. a Q165 Ans. b
Q102 Ans. a Q134 Ans. b Q166 Ans. b
Q103 Ans. b Q135 Ans. b Q167 Ans. c
Q104 Ans. a Q136 Ans. c Q168 Ans. a
Q105 Ans. d Q137 Ans. d Q169 Ans.
Q106 Ans. d Q138 Ans. d Q170 Ans. a
Q107 Ans. b Q139 Ans. b Q171 Ans. d
Q108 Ans. d Q140 Ans. a Q172 Ans. a
Q109 Ans. c Q141 Ans. a Q173 Ans. a
Q110 Ans. d Q142 Ans. b Q174 Ans. a
Q111 Ans. d Q143 Ans. c Q175 Ans. c
Q112 Ans. b Q144 Ans. d Q176 Ans. d
Q113 Ans. a Q145 Ans. b Q177 Ans. b
Q114 Ans. b Q146 Ans. c Q178 Ans. d
Q115 Ans. a Q147 Ans. d Q179 Ans. a
Q116 Ans. d Q148 Ans. d Q180 Ans. c
Q117 Ans. d Q149 Ans. d Q181 Ans. d
Q118 Ans. d Q150 Ans. b Q182 Ans. d
Q119 Ans. b Q151 Ans. c Q183 Ans. c
Q120 Ans. a Q152 Ans. d Q184 Ans. d
Q121 Ans. b Q153 Ans. a Q185 Ans. b
Q122 Ans. b Q154 Ans. d Q186 Ans. c

Q187 Ans. a Q219 Ans. d Q251 Ans. a
Q188 Ans. a Q220 Ans. d Q252 Ans. a
Q189 Ans. a Q221 Ans. a Q253 Ans. d
Q190 Ans. a Q222 Ans. b Q254 Ans. a
Q191 Ans. d Q223 Ans. c Q255 Ans. c
Q192 Ans. b Q224 Ans. a Q256 Ans. c
Q193 Ans. b Q225 Ans. c Q257 Ans. b
Q194 Ans. a Q226 Ans. b Q258 Ans. c
Q195 Ans. d Q227 Ans. b Q259 Ans. d
Q196 Ans. a Q228 Ans. b Q260 Ans. b
Q197 Ans. b Q229 Ans. d Q261 Ans. d
Q198 Ans. c Q230 Ans. d Q262 Ans. b
Q199 Ans. c Q231 Ans. d Q263 Ans. a
Q200 Ans. b Q232 Ans. c Q264 Ans. c
Q201 Ans. d Q233 Ans. c Q265 Ans. a
Q202 Ans. b Q234 Ans. d Q266 Ans. b
Q203 Ans. a Q235 Ans. a Q267 Ans. a
Q204 Ans. b Q236 Ans. d Q268 Ans. c
Q205 Ans. b Q237 Ans. d Q269 Ans. c
Q206 Ans. a Q238 Ans. b Q270 Ans. c
Q207 Ans. a Q239 Ans. d Q271 Ans. b
Q208 Ans. b Q240 Ans. c Q272 Ans. d
Q209 Ans. c Q241 Ans. c Q273 Ans. d
Q210 Ans. c Q242 Ans. c Q274 Ans. c
Q211 Ans. a Q243 Ans. d Q275 Ans. b
Q212 Ans. d Q244 Ans. b Q276 Ans. d
Q213 Ans. d Q245 Ans. c Q277 Ans. b
Q214 Ans. a Q246 Ans. d Q278 Ans. c
Q215 Ans. d Q247 Ans. d Q279 Ans. b
Q216 Ans. d Q248 Ans. b Q280 Ans. a
Q217 Ans. d Q249 Ans. d Q281 Ans. b
Q218 Ans. c Q250 Ans. c Q282 Ans. c

Q283 Ans. a Q315 Ans. c Q347 Ans. a
Q284 Ans. c Q316 Ans. b Q348 Ans. b
Q285 Ans. b Q317 Ans. b Q349 Ans. c
Q286 Ans. a Q318 Ans. a Q350 Ans. a
Q287 Ans. d Q319 Ans. c Q351 Ans. c
Q288 Ans. b Q320 Ans. a Q352 Ans. d
Q289 Ans. b Q321 Ans. c Q353 Ans. c
Q290 Ans. c Q322 Ans. c Q354 Ans. c
Q291 Ans. b Q323 Ans. a Q355 Ans. d
Q292 Ans. a Q324 Ans. a Q356 Ans. c
Q293 Ans. b Q325 Ans. c Q357 Ans. c
Q294 Ans. b Q326 Ans. c Q358 Ans. c
Q295 Ans. d Q327 Ans. d Q359 Ans. d
Q296 Ans. b Q328 Ans. b Q360 Ans. b
Q297 Ans. d Q329 Ans. a Q361 Ans. b
Q298 Ans. c Q330 Ans. a Q362 Ans. d
Q299 Ans. d Q331 Ans. d Q363 Ans. a
Q300 Ans. a Q332 Ans. d Q364 Ans. b
Q301 Ans. c Q333 Ans. b Q365 Ans. a
Q302 Ans. a Q334 Ans. a Q366 Ans. b
Q303 Ans. c Q335 Ans. d Q367 Ans. b
Q304 Ans. c Q336 Ans. b Q368 Ans. d
Q305 Ans. c Q337 Ans. b Q369 Ans. b
Q306 Ans. b Q338 Ans. c Q370 Ans. b
Q307 Ans. d Q339 Ans. a Q371 Ans. d
Q308 Ans. a Q340 Ans. c Q372 Ans. c
Q309 Ans. c Q341 Ans. d Q373 Ans. a
Q310 Ans. c Q342 Ans. a Q374 Ans. c
Q311 Ans. a Q343 Ans. c Q375 Ans. d
Q312 Ans. d Q344 Ans. c Q376 Ans. a
Q313 Ans. c Q345 Ans. d Q377 Ans. c
Q314 Ans. d Q346 Ans. d Q378 Ans. c

Q379 Ans. c Q411 Ans. A Q443 Ans. A
Q380 Ans. B Q412 Ans. D Q444 Ans. A
Q381 Ans. C Q413 Ans. C Q445 Ans. A
Q382 Ans. B Q414 Ans. B Q446 Ans. A
Q383 Ans. D Q415 Ans. D Q447 Ans. A
Q384 Ans. C Q416 Ans. D Q448 Ans. A
Q385 Ans. D Q417 Ans. C Q449 Ans. A
Q386 Ans. C Q418 Ans. C Q450 Ans. A
Q387 Ans. D Q419 Ans. B Q451 Ans. A
Q388 Ans. A Q420 Ans. B Q452 Ans. A
Q389 Ans. C Q421 Ans. B Q453 Ans. A
Q390 Ans. D Q422 Ans. C Q454 Ans. A
Q391 Ans. C Q423 Ans. C Q455 Ans. A
Q392 Ans. B Q424 Ans. D Q456 Ans. A
Q393 Ans. C Q425 Ans. D Q457 Ans. A
Q394 Ans. A Q426 Ans. B Q458 Ans. A
Q395 Ans. B Q427 Ans. A Q459 Ans. A
Q396 Ans. D Q428 Ans. C Q460 Ans. A
Q397 Ans. A Q429 Ans. A Q461 Ans. A
Q398 Ans. B Q430 Ans. D Q462 Ans. A
Q399 Ans. B Q431 Ans. D Q463 Ans. A
Q400 Ans. B Q432 Ans. A Q464 Ans. A
Q401 Ans. B Q433 Ans. B Q465 Ans. A
Q402 Ans. C Q434 Ans. D Q466 Ans. A
Q403 Ans. C Q435 Ans. B Q467 Ans. A
Q404 Ans. A Q436 Ans. C Q468 Ans. A
Q405 Ans. C Q437 Ans. C Q469 Ans. A
Q406 Ans. B Q438 Ans. C
Q407 Ans. B Q439 Ans. C
Q408 Ans. C Q440 Ans. A
Q409 Ans. D Q441 Ans. A
Q410 Ans. B Q442 Ans. A

119
DISA Review Questions, Answers Manual – Module 2

Module 2 Questions
Q470. Which one of the following requirements of Virtual reality is concerned
with synchronisation?
A. User input
B. Visual perception
C. Spatiotemporal realism
D. Sound perception

Q471. Which of the following is a Movie file format?
A. .ra
B. .au
C. .mp3
D. .mpeg

Q472. Which stage in the software lifecycle does not require any maintenance?
A. Development or pre-delivery phase
B. Early operational phase
C. Mature operational phase
D. Evolution/replacement phase

Q473. In TPC benchmarks, the performance is measured in terms of
A. Transactions per second
B. Cycles per second
C. Bytes per second
D. None of the above

Q474. Military and defence organisations are more likely to use
A. Discretionary access control.
B. Unrestricted access control.
C. Compulsory access control.
D. Mandatory access control

Q475. Which of the following should NOT be included in an organisation’s
information security policy?
A. Identity of sensitive security features
B. Access philosophy
C. Access authorisation
D. Importance of security awareness

Q476. A firewall cannot
A. Protect against unauthorized logins from external networks
B. Protect the network against users connecting to the Internet by
dialling to their ISP using their office telephone and a modem
C. Appear transparent to their users
D. Log traffic to and from the local network

Q477. The purpose of employee bonding is to:
A. Reduce financial impact due to improper access/misuse of
physical access
B. Prevent fraud
C. Encourage employees to report access violations
D. Improve physical security

Q478. While auditing the environment controls the auditor should confirm that
A. LAN file server facility has dust, smoke and other particulate
matters
B. Consumption of food, beverage and tobacco is allowed
C. Fire protection equipment is adequate and appropriate
D. Air conditioning and humidity control systems are maintained as desired
by the users of the LAN

Q479. Which of the following is NOT an environmental control?
A. Biometric devices
B. Line conditioners
C. Air conditioners
D. Fire suppression systems

Q480. The internal view of data is also called:
A. Physical level
B. Logical level
C. View level
D. None of the above

Q481. Which of these enable a super computer’s CPU to share operations for
enhanced performance?
A. Pipelining
B. Parallelism
C. RISC
D. SMP

Q482. Which term often means a piece of code left behind in the system that
will allow the original programmer back into the system?
A. Trap Door
B. Flap Jack
C. Unicode
D. Stealth Code

Q483. Which of the following terms describes a form of dial-up access control
whereby the user dials the desired phone number, authenticates with
the server, hangs up, and then the server dials the client, establishing
the connection?
A. Dial Back
B. Redialing
C. Call Waiting
D. Call Forwarding

Q484. Which of the following gas-based fire suppression system would you
find in an unmanned computer facility?
A. Argon
B. Halon
C. Carbon-dioxide
D. Oxygen

Q485. In an ideally equipped data centre, the wall, ceiling, etc should be made
of fire resistant materials. For how long is it recommended that they
should resist a fire?
A. 2 Hours
B. 1 Hour
C. 30 Minutes
D. 3 Minutes

Q486. As it applies to security, which selection best defines the difference
between the role of an Information Owner and the role of an Information
Custodian?
A. The Information Custodian applies the data classification scheme
and protection mechanisms after the initial assignment by the
Chief Information Officer.
B. The Information Owner is a managing partner of the organization
and the Information Custodian is an hourly employee.
C. The Information Custodian applies the data classification scheme
and protection mechanisms after the initial assignment by the
Owner.
D. The Information Owner applies the data classification scheme
and protection mechanisms after the initial assignment by the
Custodian.

Q487. Which of the following checks can significantly reduce transcription
errors?
A. Range checks
B. Limit checks
C. Check digits
D. Size checks

Q488. Which aspect of storage management incorporates redundancy into the
system to maintain performance:
A. Scalability
B. Performance
C. Reliability
D. Manageability

Q489. Which of the following lines prevents tapping?
A. an optical fiber line
B. a digital line
C. a microwave radio system
D. satellite line

Q490. Which of the following need NOT be considered before hosting a new
online privacy policy?
A. Business practices
B. Business partners
C. Proposed users
D. Nature of the site

Q491. While conducting an audit, the auditor should
A. Insist that a security policy exists.
B. Not insist for a security policy.
C. Insist that a security policy exists, and accept the existing policy.
D. Insist that a security policy exists. However he may not accept
the existing policy.

Q492. Cryptographic systems provide for:
A. Linearity of messages.
B. Integrity of messages.
C. Intelligibility of messages.
D. Availability of messages

Q493. While evaluating the IT control environment for obtaining an
understanding of the management’s control over IT activities, the auditor
should consider:
A. The functions of the IT steering committee
B. The IT strategy of the management
C. The Security policy
D. The user’s perception of IT

Q494. “Biometric authentication” is based on:
A. Design features
B. Logical features
C. Depends upon the application to be authenticated
D. Physical features

Q495. Which of the following is not a validation done on instruction input?
A. Holistic validation
B. Lexical validation
C. Semantic validation
D. Syntactic validation

Q496. Which of the following is a control problem associated with spooling
software?
A. It is error-prone because the software is highly complex
B. It can be used to obtain an unauthorized copy of a report.
C. The output could be redirected to another printer
D. The output could be cancelled before printing.

Q497. A scanner with 36-bit depth gives the output in:
A. Less than 36 colour depth
B. More than 36 colour depth
C. Depends on the document being scanned
D. 24 bit depth only

Q498. A general guideline of a security policy does NOT
A. Keep the policy a secret
B. Identify acceptable activities
C. Update the policy
D. Identify and determine what is to be protected

Q499. Passwords are used as a basic mechanism to identify and authenticate
a system user. Which of the following password-related factors cannot
be tested by an IS auditor?
A. Password length
B. Password lifetime
C. Password secrecy
D. Password storage

Q500. A message authentication code is used to protect against
A. Changes to the content of a message
B. Traffic analysis
C. Release of message contents.
D. Exposures that arise when PINs are transmitted in the clear

Q501. A device to detect breaches of physical security is
A. Switch controls
B. Deadman Doors
C. Motion detectors
D. Identification badges

Q502. The first step in any security administration is:
A. Implement good access control mechanisms.
B. Ensure that good backup procedures have been set up.
C. Ensure that each user has a separate login.
D. Develop a good security policy for the organisation.

Q503. A detailed policy on firewalls should NOT:
A. Ensure that the firewall is logically secured
B. Include guidelines for assessment of logs
C. Ensure that the firewall is physically secured
D. Include log reports

Q504. Which of the following types of database access control is the most
difficult to enforce?
A. Name-dependent access control
B. History-dependent access control
C. Content-dependent access control
D. Context-dependent access control

Q505. For physical and environmental security, in which of the following areas
should policies and procedures be framed?
A. Independent (third-party) assurances
B. Layout of facilities
C. System Development Life Cycle (SDLC)
D. None of the above

Q506. How many emergency power-off switches should be provided in a computer
facility?
A. One
B. Two
C. Three
D. Four

Q507. If a thief steals an ATM card and tries to break the PIN number by
trying all combinations, what type of attack will it be classified as?
A. Keystroke logging
B. Man in the middle
C. Biometric
D. Bruteforce

Q508. Which of the following features may seriously affect or nullify the utility
of audit trails?
A. Passwords are not recorded in the audit trail.
B. Security administrator cannot amend the details in the audit trail.
C. Audit trail records can be amended by the users
D. Date and time stamps are recorded automatically.

Q509. The risk of piggybacking, in which an unauthorized person could enter
the secured facility by closely following an authorized person, may be
controlled by
A. Deadman Doors
B. Bolting door locks
C. Electronic Door Locks
D. Cipher locks

Q510. Banking organisations make use of which form of data processing?
A. Batch processing
B. Online processing
C. Time sharing
D. Remote job entry

Q511. While valuing the assets, an information systems (IS) auditor is likely to
value MOST
A. Data files and backup
B. Programs
C. Personnel like the DBA and systems analysts
D. Hardware

Q512. Identify the correct statement with respect to guidelines for data-entry
screens.
A. Both bright colours and automatic tabbing are to be avoided
B. Both bright colours and automatic tabbing should be used as
often as possible
C. Bright colours should be avoided and automatic tabbing should
be used as often as possible
D. Bright colours should be used as often as possible while
automatic tabbing should be avoided.

Q513. A check to ensure that the same data is not keyed twice is called:
A. Sequence checks
B. Limit check
C. Missing data check
D. Duplicate check

Q514. Which of the following physical control would be most appropriate in a
high security environment?
A. Combination locks
B. Identification badges
C. Electronic Door Locks
D. Biometric Door Locks

Q515. Surge, spike and sag are types of
A. Biometric systems
B. Electrical fluctuations
C. Fire suppression systems
D. Electromagnetic radiations

Q516. In the context of expert systems, moving down to the symptoms from a fault
is called
A. Forward chaining
B. Forward integration
C. Backward chaining
D. Backward integration

Q517. To prevent the unauthorized use of floppy drives, which of the following
controls is suitable?
A. Switch controls
B. Cable locks
C. Port controls
D. Biometric mouse

Q518. Commercial organisations are more likely to use
A. Discretionary access control.
B. Unrestricted access control.
C. Mandatory access control.
D. Compulsory access control

Q519. When drafting an information security policy, why would it be important
to require that the use of communications test equipment be controlled?
A. The equipment may damage network hardware.
B. The equipment is complicated and the user needs specific
training to use it correctly.
C. The equipment can be used to view information passing through
the network.
D. The equipment is expensive and needs to be protected from theft.

Q520. Which of the following provides error detection and error correction?
A. Cyclic Redundancy Check
B. Checksum
C. Parity check
D. Hamming code

Q521. Who has the authority to delegate the operational responsibility of an
organisation’s data?
A. Data user
B. Senior manager
C. Data custodian
D. Data owner

Q522. A requirement that information and programs are changed only in a
specified and authorized manner is called:
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q523. Which of the following is the best example of three-factor
authentication?
A. An ATM card and a PIN.
B. A thumbprint and password.
C. A smart card, password and thumbprint.
D. A RADIUS server.

Q524. A software programmer writes a program to review the payroll records
each month to ensure that he is still employed. If the programmer’s
name is removed from the payroll, the program will activate another
piece of code to destroy vital files on the organi
A. ActiveX
B. Logic Bomb
C. Virus
D. Denial of Service

Q525. As a quality assurance measure in the batch processing of accounts
payable data, a firm sums the account numbers for all accounts
processed. This procedure results in a:
A. Hash total
B. Batch number
C. Parity check
D. Check sum

Q526. The integrity of system cannot be lost due to
A. Trojan Horse
B. Packet Sniffers
C. Brute force attack
D. Firewalls

Q527. Identify the correct statement
A. There should be no water drains near a computing facility
B. Water drains should be “negative”, that is, they should flow
inward, toward the building
C. Water drains can be either “positive” or “negative”.
D. Water drains should be “positive”, that is, they should flow
outward, away from the building

Q528. To enforce the email policy, the management need NOT:
A. Educate employees
B. Take prompt action in case of misuse or complaints
C. Educate third parties
D. Prohibit subscription to e-newspapers and e-groups

Q529. Viruses that can change their appearance are known as:
A. Polymorphic virus
B. Boot sector virus
C. Stealth virus
D. Macro virus.

Q530. If the series of data bits, 11001011, is received as 11001000 then it is
called a:
A. Single bit error
B. Multiple-bit error
C. Burst error
D. Parity error

Q531. Which of the following would be used to deter casual intruders?
A. Biometric locks
B. Port controls
C. Perimeter fencing
D. Wireless Proximity Readers

Q532. Which one of the following can be attributed as a loss as a result of
poor network performance:
A. Lost revenues
B. Lost productivity
C. Intangible losses
D. All of the above

Q533. A requirement that private or confidential information should not be
disclosed to unauthorized individuals is called:
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q534. A requirement that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system is called
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q535. A requirement intended to assure that systems work promptly and
service is not denied to authorized users is called:
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q536. Data entry screens should have:
A. A slow but consistent display rate.
B. A fast and consistent display rate.
C. A slow and varying display rate
D. A slow and varying display rate

Q537. Which technique is best described as a method of providing information
for error detection, usually calculated by summing a set of values
by both the sender of the information and the receiver of the
transmission?
A. Uuencode
B. Algorithm
C. Data Mining
D. Checksum

Q538. Identify the correct statement.
A. Fire suppression systems make smoke detectors redundant
B. Smoke detectors make fire suppression systems redundant
C. Smoke detector should supplement fire suppression systems
D. Neither smoke detector nor supplement fire suppression are
necessary

Q539. A principle that advocates for minimal user profile privileges on
computers, based on users’ job necessities is called:
A. Principle of maximum privilege.
B. Principle of zero privilege.
C. Principle of least privilege.
D. Mandatory access control.

Q540. If the product number A5723 is coded as A5753, this is an example of
a:
A. Truncation error
B. Double transposition error
C. Random error
D. Transcription error

Q541. A company’s labour distribution report requires extensive
corrections each month because of labour hours charged to inactive
jobs. Which of the following data processing input controls appears to
be missing?
A. Completeness test
B. Limit check
C. Validity test
D. Control total

Q542. Which of the following may be used to protect a laptop?
A. Wireless Proximity Readers
B. Switch controls
C. Port controls
D. Biometric mice

Q543. As a security precaution, visitors are escorted by a pre-designated
responsible employee or security staff. Which of the following would be
classified as visitors?
A. Vendors only
B. Vendors and maintenance personnel only
C. Vendors, maintenance personnel and contract workers only
D. Vendors, maintenance personnel, contract workers and auditors

Q544. The greatest risk of inadequate definition of policy relating to ownership
of data and systems is:
A. All users are authorised to originate, modify and delete data.
B. Accountability cannot be established.
C. Difficulty in coordinate change within large organisations.
D. Audit recommendations may not be established.

Q545. A firewall is a system for
A. Enforcing an access control policy
B. Preventing viruses
C. Preventing intruders
D. Assisting auditors.

Q546. A cookie gets data from
A. Whatever the user enters from the console on a web page
B. What the web server sends to the web browser
C. User application programs.
D. The operating system and the web browser used at the client end

Q547. A “Dry pipe”, which is an arrangement to extinguish fires, is:
A. A Sprinkler system where the water is in the pipe, but the outside
of the pipe is dry
B. A Halon gas system that contains a dry pipe
C. A carbon dioxide (CO2) gas system that has a dry chemical to
extinguish a fire
D. A sprinkler system where the water is not kept charged in pipes
but pipes remain dry and upon detection of heat rise by a sensor,
water is pumped into the pipes.

Q548. Which of the following is the most recommended water-based fire
suppression system for a computer facility?
A. Dry pipe system
B. Wet pipe system
C. Drip pipe system
D. Preaction system

Q549. In which of the following access control models is it necessary
for each resource to be classified and for each user to be assigned a
clearance level?
A. Supervisory access control
B. Mandatory access control
C. Discretionary access control
D. Reactionary access control

Q550. Which of the following would NOT protect a system from computer
viruses?
A. Write protect all diskettes once they have been virus checked
B. Scan any new software before it is installed
C. Do not allow vendors to run demonstration on company owned
machines
D. Boot only from diskettes that were initially checked for viruses

Q551. The purpose of a file retention date is to:
A. Enable files with the same generation number to be distinguished
B. Prevent the file from being overwritten before the expiry of the
retention date
C. Indicate when the file should be recovered from production
activities
D. Prevent the file from being read before expiry of the retention
date

Q552. Access time is quickest with which of the following devices?
A. Bolting door locks
B. Electronic Door Locks
C. Combination door locks
D. Wireless Proximity Readers

Q553. Programming language used exclusively for artificial intelligence
is ____________.
A. C++
B. Java
C. Prolog
D. VB

Q554. ____________ is a feature of cooperative architecture in distributed job
scheduling.
A. Dependence on central server
B. Less scalability
C. Performance degradation
D. Fault tolerance

Q555. In distributed computing all the jobs are processed in:
A. Serial order
B. Altered
C. Parallel order
D. Depends upon the application to be processed

Q556. Software licenses fall under which of the following categories of
Information Technology assets?
A. Hardware assets
B. Software assets
C. Network assets
D. Intangible assets

Q557. The conceptual model of a database is an output of which process?
A. Prior analysis
B. Logical design
C. Physical design
D. Testing

Q558. A successful project management practice involves training a project
team to achieve desired goals. Under which process does this fall?
A. Planning
B. Organising
C. Controlling
D. Leading

Q559. The resolution power of a printer measures its:
A. Speed
B. Quality
C. Type
D. Memory

Q560. The primary difference of a buffer from a cache is in terms of
___________
A. Memory space
B. Temporary storage
C. Process speed
D. Operational level

Q561. The size of registers in mainframes is generally:
A. 8 bit
B. 16 bit
C. 32 bit
D. 64 bit

Q562. Which of the following is not a preventive maintenance approach?
A. Complexity analysis
B. Functionality analysis
C. Forward engineering
D. Reverse engineering

Q563. A supercomputer created by networking many small computers is called
________
A. ASCI white
B. Grid
C. LAN
D. Network Super

Q564. Which of the following does not fall under the category of operational
controls?
A. Personnel security
B. Logical access control
C. Physical protection
D. Environmental protection

Q565. Which form of job scheduling uses triggers?
A. Manual scheduling
B. Distributed scheduling
C. Mainframe scheduling
D. Automated scheduling

Q566. Which of the following employs client-server computing?
A. Interactive multimedia
B. Networked multimedia
C. MPEG video
D. Virtual reality

Q567. Concept of charging an end-user on the number of times he/she has
used the software is called:
A. Shareware
B. Samplers
C. Meterware
D. None of the above

Q568. Which of the following network architectures is most reliable?
A. star network
B. mesh network
C. ring network
D. multidrop line network

Q569. Licensing an email software is an example of:
A. Node-locking
B. User-based licensing
C. Site licensing
D. Network licensing

Q570. Which of the following Embedded Operating Systems has a wide set of
features for networking?
A. Windows CE
B. Windows NT embedded
C. Embedded Linux
D. Palm OS

Q571. Which of the following is not computer software?
A. operating system
B. telephone modem
C. spreadsheet
D. language translator

Q572. All video conferencing systems employ ____________.
A. ISDN lines
B. Satellite based link
C. Point-to-point conference
D. CODEC

Q573. The application can be secured through
A. Implementing strong authentication and access controls
B. Error check controls
C. Risk assessment
D. Directory browsing

Q574. Which of the following image formats is for the Apple Macintosh range
of Computers?
A. GIF
B. JPEG
C. PICT
D. TIFF

Q575. In a mouse, there are three rollers that can rotate. How many rollers
are actually responsible for the movement of the cursor?
A. One
B. Two
C. Three
D. None

Q576. A brokerage firm is moving into new office premises already equipped
with extensive telephone wiring. The firm is planning to install a PBX to
connect computers and office devices such as photocopiers, printers,
and facsimile machines. A limitation of usi
A. the firm would be dependent on others for system maintenance
B. coaxial cabling would have to be installed throughout the building
C. the system cannot easily handle large volumes of data
D. relocating devices in the office is an expensive and difficult task

Q577. A company uses a wide area network (WAN) to allow salesmen in the
field to remotely log on to the office server using notebook computers
and dial-in modems. Which of the following methods would provide best
data security in such a situation?
A. end to end data encryption
B. dedicated phone lines
C. call-back features
D. enforcing regular password changes

Q578. In a two-tier client server architecture, the client is called:
A. Fat client
B. Thin client
C. Very thin client
D. None of the above

Q579. The Internet protocol (IP) address is
A. Always the same for any server.
B. More than 32 bits to provide high security
C. Can change even if the Domain Name remains the same
D. Not a part of the DNS

Q580. A company’s management wants to implement a computerised system
to facilitate communications among auditors, who are widely dispersed.
The company proposes to have a central electronic repository where
auditors can place messages and all other auditors ca
A. electronic bulletin board system
B. electronic data interchange
C. fax/modem software
D. private branch exchange

Q581. Which one of these Virtual Reality applications is used in developing
models for architectural landscapes and buildings?
A. Simulator training
B. Augmented reality
C. Telepresence
D. Virtual prototyping

Q582. Whichever language an application program may be written in, it can
be executed on a computer only if the primary memory contains
A. job scheduler
B. compiler
C. assembler
D. an operating system

Q583. While arguing the need for an IS auditor to be involved in a system
development, which of the following is LEAST important?
A. the total cost of ownership
B. the importance of the system to the organisation
C. the number of lines to be written
D. the desired benefits from the system

Q584. While conducting a detailed system design, the IS Auditor would be
LEAST concerned with:
A. adequacy of procedures to ensure that all transactions are input
B. adequacy of backups
C. handling of rejected transactions
D. adequacy of hardware to handle the system

Q585. While implementing an automated job scheduling system in a computer
center, the following concern needs to be addressed:
A. providing the majority of users with the ability to schedule their
own workload
B. implementing logical access security controls so that one user
does not violate the work plan of another
C. eliminating the need to submit proper documents to schedule
routine or ad hoc jobs
D. providing the facility to submit job control parameters directly into
jobs without assistance from computer center personnel

Q586. With respect to hard disk, seek time is described as:
A. Time taken by the arm assembly to reach the respective track
B. Time taken by the arm assembly to find the respective sector
after the heads have reached the track
C. Total time taken to access the data
D. None of the above

Q587. Which of the following statements is true with regard to Operating
Systems (OS)?
A. It may allow many users to operate simultaneously.
B. It can run on systems with different memory and storage space
after minor changes.
C. It takes control of the computer as soon as the power is turned on.
D. The user can customise RTOS (Real Time Operating System) by
making changes to the interface

Q588. Which of the following statements relating to packet switching networks
is true?
A. passwords cannot be included in the packet
B. packet lengths are variable and each packet contains the same
amount of information
C. Transmission cost is not charged by packet
D. packets travel through the network depending upon channel
availability

Q589. Which of the following terms is commonly used for the agreement about
packaging and interpreting both data and control information, when two
devices in a data communications system are communicating?
A. Asynchronous communication
B. Synchronous communication
C. Communication protocol
D. Communication channel

Q590. Which of the following is almost inevitable with respect to hardware
problems in Computers?
A. Power faults
B. Aging Failures
C. Viruses
D. Magnetic Effects

Q591. In which of the following types of Video on Demand are simulated
functions performed to realise forward and reverse transitions in
discrete time intervals?
A. Pay-per-view
B. Quasi-VoD
C. Near-VoD
D. Broad VoD

Q592. Which of the mail processing technologies given below affects message
storage at the client end?
A. POP (Post Office Protocol)
B. MAPI (Messaging Application Programming Interface)
C. IMAP (Internet Message Access Protocol)
D. SMTP (Simple Mail Transfer Protocol)

Q593. An Assembler is a translator program that converts _________________
into machine level language.
A. Assembly level language
B. High level language
C. Procedure oriented language
D. Object oriented language

Q594. An efficient asset management system contributes to the smooth
functioning of an organisation. Which of the following is false with
respect to an asset management practice?
A. It helps in providing quick support to the end-user.
B. It helps in tracking the movement of equipment within the
organisation.
C. It should be taken up at fixed time periods.
D. It helps in switching from one platform to another.

Q595. An organisation acquired a PC on lease and upgraded its memory.
At the end of the lease period, the management failed to take into
account the value addition it had made to the system. Which of these
statements aptly sums up the scenario?
A. Hardware asset mismanagement
B. Software asset mismanagement
C. Intangible asset mismanagement
D. None of the above

Q596. Artificial Intelligence is now being used in every sphere of life. Which of
the following options justifies the statement?
A. Ability to work in hazardous places
B. Ability to think like human beings
C. Ability to work in artificial environments
D. None of the above

Q597. For dynamic storage of messages in an email system, powerful search
engines are developed, based on ______________.
A. Random access
B. Non-volatility and low cost
C. Full text index and user-defined meta data
D. Record management

Q598. Given below are major types of storage devices: 1) Cache 2) Magnetic
disk 3) Flash 4) Main Memory 5) Tape Storage 6) Optical Storage. Rank
them in the increasing order of their reading/writing capability.
A. 1,2,3,4,5,6
B. 5,6,2,3,4,1
C. 6,5,4,3,2,1
D. 2,5,3,1,6,4

Q599. How can hackers get access to password files or configuration
information from a web server?
A. Poorly written active content such as CGI scripts
B. Poorly designed System Development Life Cycle
C. Non logging of web traffic
D. Poor physical control

Q600. Network Capacity Planning comprises the following three activities:
1) Predicting future utilisation 2) Gathering data over time 3) Establishing
baseline. Arrange the above in the order in which they are performed:
A. 1,2,3
B. 3,2,1
C. 1,3,2
D. 2,1,3

Q601. Network-based Intrusion Detection Systems cannot do which of the
following:
A. Filter and analyse packets over a network
B. Operate in Real-Time
C. Match against database of known attack signatures
D. Recognise new types of attacks

Q602. Single copy of a software product installed on the server and used by
all the connected clients is an example of:
A. End user piracy
B. Industrial Piracy
C. Corporate Piracy
D. Copyright Infringement

Q603. Steganography is the art of dealing with data by:
A. Hiding it to make it necessarily invisible and not easily detectable.
B. Hiding but not necessarily invisible and not easily detectable.
C. Detecting and destroying the hidden data.
D. Only encrypting it.

Q604. The Fibre Distributed Data Interface (FDDI) is a dual ring LAN that uses
a fibre optic cable. The ring is segmented when
A. One ring fails
B. One station fails
C. Two rings fail
D. Two rings fail

Q605. The process of mapping with respect to virtual memory involves:
A. Converting real address into virtual address
B. Converting virtual address into real address
C. Sending a page from the hard disk to the main memory
D. Sending a page from the main memory to the hard disk

Q606. Voice recognition software does/is not:
A. Convert user input of words or phrases into text
B. Convert text into voice
C. Used in automobiles to use hands free dialling.
D. Used in call centres to collect data

Q607. When planning a software audit, the management does not consider:
A. The timing of the audit
B. Persons who should conduct the audit
C. Keeping the audit objective secret
D. Providing access to the required facilities

Q608. Which is the function that the audit software does not perform?
A. Scan each machine separately
B. Decide on the sampling method to be used
C. Report the program that it does not recognise
D. Identify software that is loaded, completely or partially

Q609. Which of the following activities needs to be undertaken first to identify
those components of a telecommunications system that present the
greatest risk?
A. determine the business purpose of the network
B. review the open systems interconnect network model
C. identify the operating costs of the network
D. map the network software and hardware products into their
respective layers

Q610. Which of the following alerts an administrator to a threat to web server
security?
A. Software controls
B. Directory browsing by a hacker
C. Intrusion detection mechanism
D. User authentication controls

Q611. Which feature of a distributed database supports multi-user access?
A. Distribution design
B. Concurrency control
C. Replication
D. None of the above

Q612. Which of the following controls protects against message modification?
A. error propagation codes
B. stream ciphers
C. message authentication codes
D. all the above

Q613. Which of the following conditions leads to an increase in white noise?
A. faulty switching gear
B. temperature increases
C. thunder and lightning
D. poor contacts

Q614. Which of the following is not a benefit provided by a distributed
database?
A. Local autonomy
B. Improved performance
C. Shareability
D. Reduced costs

Q615. Embedded Systems make use of software called:
A. Middleware
B. Shareware
C. Firmware
D. None of the above

Q616. In object-oriented technology, hiding the complexity of characteristics is
called:
A. Abstraction
B. Encapsulation
C. Inheritance
D. Polymorphism

Q617. The smallest unit of information on a hard disk is called:
A. Track
B. Sector
C. Cluster
D. None of the above

Q618. Which of the following is not a desirable control feature in a modem:
A. attenuation amplification
B. dynamic equalisation
C. automatic dial-up capabilities
D. multiple transmission speeds

Q619. Which of the following do not come under the Workload Operational
Policy?
A. Backup and disaster recovery systems
B. Naming conventions
C. Job specification design
D. Training and support functions

Q620. Which of the following data items is most likely to appear in the
operations audit trail and not the accounting audit trail for the
communication subsystem?
A. image of message received at each node traversed in the
network
B. unique identifier of the source node
C. message transit time between nodes and at nodes
D. unique identifier of the person/process authorising dispatch of the
message

Q621. Which of the following functions of the database language SQL
contributes to maintaining the integrity of the database?
A. transactional management
B. schema definition
C. data retrieval
D. data definition

Q622. Which of the following is likely to be a benefit of electronic data
interchange (EDI)?
A. the transmission speed of actual documents increases
B. liability relating to protection of proprietary business data
decreases
C. decreased requirements for backup and contingency planning
D. improved business relationships with trading partners

Q623. Which of the following is not a true statement, with respect to the
implementation of an automated job scheduling system in the computer
center?
A. it ensures that all jobs are run
B. it ensures that jobs run in sequence
C. it prevents jobs from being delayed
D. it ensures the elimination of job definition and job set-up errors

Q624. Which of the following is not an advantage of distributed computing
vis-à-vis centralised computing?
A. Lower communication costs
B. availability of alternate processing sites, in case of a disaster
C. investment in hardware is smaller for each site than for a central
site
D. security measures are easier to provide

Q625. Which of the following is not an important control step of the input/output
control group?
A. verifying input authorisation
B. identifying questionable data
C. verifying control totals
D. establishing control over output

Q626. Which of the following is not an objective in the analysis and planning
of storage management?
A. To store and manage large amounts of data efficiently
B. To speed up data retrieval
C. To decide on software that has to be loaded on the server
D. To bring down the cost of data storage, while keeping risk under
manageable limits

Q627. Which of the following is true with regard to a good Intrusion Detection
System Software?
A. It can investigate intrusions without human intervention
B. It can compensate for exploits based on errors in network
protocols
C. It is able to resist unauthorised modifications to itself
D. It is able to analyse all of the traffic on a busy network

Q628. Which of the following is true with regard to a Hardware Inventory
Policy?
A. Automated Asset software management tools can scan all
hardware devices
B. Hardware devices that are not scanned by asset software
management tool need to be tagged manually
C. Hardware should be scanned during peak-hours when all systems
are running
D. In case an end user makes changes in hardware configuration, he
need not inform the IT department

Q629. Which of the following is true with regards to system and application
software?
A. System software uses application software to interact with
computer hardware
B. Application software uses system software to interact with
computer hardware
C. Both system and application software independently interact with
computer hardware
D. None of the above

Q630. Which of the following must be implemented for authorised users
outside the network to securely access the web server?
A. Remote access control
B. Web firewalls
C. Change controls
D. Physical security controls

Q631. Which of the following risks is not greater in an electronic funds transfer
(EFT) environment than in a manual system using paper transactions?
A. higher cost per transaction
B. unauthorised access and activity
C. duplicate transaction processing
D. inadequate backup and recovery capabilities

Q632. Which of the following statements is (are) correct regarding the Internet
as a commercially viable network?
A. companies must apply to the Internet to gain permission to create
a home page to engage in electronic commerce
B. organisations must use firewalls if they wish to maintain security
over internal data
C. companies that wish to engage in electronic commerce on the
Internet must meet required security standards established by the
coalition of Internet providers
D. all of the above

Q633. The class of control used to minimise the impact of a threat is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q634. In Vulnerability Assessment the tester has:
A. No knowledge of the network
B. Access to the network
C. To perform completely blind testing
D. All of above

Q635. A process by which a user provides a claimed identity to access a
system is:
A. User authorization
B. User registration
C. User identification
D. User logging

Q636. Which of the following is NOT a common method used to gain
unauthorized access to a computer system?
A. Password sharing
B. Password guessing
C. Password capturing
D. Password spoofing

Q637. The major advantage of a checksum program is that it:
A. Adds more bytes to programs
B. Verifies integrity of files
C. Increases boot-up time
D. Misleads a program recompilation

Q638. Preventing disclosure of information to unauthorized individuals or
systems is defined as:
A. Integrity.
B. Confidentiality.
C. Availability.
D. Utility.

Q639. Buffer overflow is:
A. A feature of every operating system
B. A feature of application software
C. A vulnerability
D. All of above

Q640. Which one of the following is not a component of Application Controls:
A. Boundary controls
B. Input controls
C. Processing controls
D. Communication controls

Q641. VPN does not provide:
A. Secure communication
B. Authentication of the user
C. Data storage
D. Encrypted connection

Q642. War-Dialing is a type of
A. Firewall
B. Denial of service
C. Penetration testing
D. Wire testing

Q643. Creation of an electronic signature:
A. Encrypts the message.
B. Verifies where the message came from.
C. Cannot be compromised when using a private key.
D. Cannot be used with e-mail systems.

Q644. While classifying controls on the basis of the operations involved, input
control can be classified as:
A. Organisation control
B. General control
C. Processing control
D. Application control

Q645. Which of the following logical access exposures involves changing data
before, or as it is entered into the computer?
A. Data diddling
B. Trojan horse
C. Worm
D. Salami technique

Q646. While reviewing firewall logs, the auditor does not attempt to keep track
of:
A. Unsuccessful logins
B. Successful logins
C. Unsuccessful logins
D. Unsuccessful logouts

Q647. Deadman doors are also called:
A. Biometric door locks.
B. Mantrap systems.
C. Bolting door locks.
D. None of these

Q648. The audit trails are useful to
A. Auditors
B. Management
C. Users
D. All of the above

Q649. A decrease in amplitude as a signal propagates along a transmission
medium is known as:
A. Noise.
B. Crosstalk.
C. Attenuation.
D. Delay distortion.

Q650. Intrusion detection/prevention systems (IDS/IPS) are network vulnerability
management systems implemented at the …………………. level.
A. Application
B. Data
C. Perimeter
D. Network

Q651. During a review of system access rules, an IS Auditor noted that the
System Administrator has unlimited access to all data and program files.
Such access authority is:
A. Appropriate, but all access should be logged.
B. Appropriate, because System Administrator has to back up all
data and program files.
C. Inappropriate, since access should be limited to a need-to-know
basis, regardless of position.
D. Inappropriate, because System Administrator has the capacity to
run the system.

Q652. Which of the following steps would be performed FIRST in a security
review of a proposed system?
A. Conducting a thorough walk-through of the described area
B. Determining the risks/threats to the data center site
C. Determining whether business continuity procedures have been
established
D. Testing for evidence of physical accesses at suspected locations

Q653. Programmers frequently create entry points into a program for
debugging purposes and/or insertion of new program codes at a later
date. These entry points are called
A. Logic bombs
B. Worms
C. Trap doors
D. Trojan horses

Q654. Access to the work area is restricted through a swipe card or through
another authorised process, and when visitors enter the work area they
are issued a pass and escorted in and out by a concerned employee.
These types of controls are called:
A. Organisational controls
B. Physical access controls
C. Logical access controls
D. Operational controls

Q655. Which of the following concerns associated with the World Wide Web
would be addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. Delay in Internet connectivity
D. Delay in downloading using file transfer protocol

Q656. In a telecommunications system, the MOST effective method for
reducing the data interception exposure is:
A. Use of callback models
B. Encryption of data
C. Use of leased lines
D. Authentication of messages

Q657. A good email policy should state that:
A. All mails sent and received should be monitored
B. All messages should be encrypted
C. Emails should be used only for official purpose
D. None of the above

Q658. Employees are compulsorily asked to proceed on a week long vacation
in many organisations to:
A. Remove possible disruption caused when going on leave for a
day at a time.
B. Cross train with another employee of another department.
C. Diminish chances of committing improper / illegal acts by the
employee.
D. Ensure a standard quality of life is led by the employee which
could enhance productivity.

Q659. For a high security installation the most effective physical access control
device is:
A. User ID and password
B. Magnetic Card reader
C. Bio-metric devices
D. Laser activated photo identification.

Q660. A firewall access control list may filter access based on each of the
following parameters EXCEPT:
A. Port.
B. Service type.
C. Network interface card (NIC).
D. Internet protocol (IP) address.

Q661. The auditor's checklist to check controls on network security requires
special consideration of
A. Management and change controls on network devices
B. Event logging and monitoring of logical access paths
C. Only A
D. Both A and B

Q662. During a fire in a data center, an automatic fire suppression system would FIRST:
A. Cut power to data processing equipment
B. Sound an alarm and begin a timed countdown
C. Discharge the fire suppression gas
D. Disengage the uninterruptible power supply

Q663. Authentication is a protection against fraudulent transactions. Which of
the following is NOT assured by the authentication process?
A. The validity of messages being sent
B. The validity of work stations that sent the message
C. The integrity of the message being transmitted
D. The validity of the message originator

Q664. ____ is defined as policies, procedures, practices and enterprise
structure that are designed to provide reasonable assurance that
business objectives will be achieved and undesirable events are either
prevented or detected and corrected.
A. Audit
B. Access
C. Prevention
D. Control

Q665. …………… is an attack that adds spurious entries to a table in the
server that deals with the conversion of www.icai.org into a network
address like 202.54.74.130.
A. Host Name Redirection
B. Traffic Name Server
C. Data Name Server Attacks
D. Domain Name Server Attacks

Q666. What is not true for firewall platforms:
A. Should be implemented on systems containing operating system
builds that have been stripped down and hardened for security
applications
B. Should never be placed on systems built with all possible
installation options
C. Should be based upon very wide feature sets
D. All appropriate operating system patches should be applied
before any installation of its components

Q667. Which of the following is most important when there is a lack of
adequate fire detection and control equipment in the computer areas?
A. Adequate fire insurance
B. Regular hardware maintenance
C. Offsite storage of transaction and master files
D. Fully tested backup processing facilities.

Q668. Which of the following environmental controls is appropriate to protect
computer equipment against short-term reductions in electrical power?
A. Power line conditioners
B. A surge protective device
C. An alternative power supply
D. An interruptible power supply

Q669. Naming conventions for system resources are an important prerequisite
for access control because they ensure that:
A. resource names are not ambiguous.
B. users’ access to resources is clearly and uniquely identified.
C. internationally recognized names are used to protect resources.
D. the number of rules required to adequately protect resources is
reduced.

Q670. The scope of a logical access controls review would include the
evaluation of:
A. effectiveness and efficiency of IT security and related controls.
B. confidentiality, integrity and availability of information to authorized
users.
C. access to systems software and application software to ensure
compliance with the access policy.
D. access to user authorization levels, parameters and operational
functions through application software.

Q671. Which of the following methods of suppressing a fire in a data center is
the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas

Q672. Which of the following exposures could be caused by a line-grabbing
technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexer control dysfunction

Q673. Which of the following techniques provides the BEST protection of
e-mail message authenticity and confidentiality?
A. Signing the message using the sender’s private key and
encrypting the message using the receiver’s public key.
B. Signing the message using the sender’s public key and
encrypting the message using the receiver’s private key.
C. Signing the message using the receiver’s private key and
encrypting the message using the sender’s public key.
D. Signing the message using the receiver’s public key and
encrypting the message using the sender’s private key.

Q674. An IS auditor is assigned to help design the data security, data integrity
and business continuity aspects of an application under development.
Which of the following provides the MOST reasonable assurance that
corporate assets are protected when the appl
A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the
certification review.
D. An independent review conducted by another equally experienced
IS auditor.

Q675. Which of the following is NOT a CMM key process area?
A. Asset classification and control
B. Requirement management
C. Subcontract management
D. Software configuration management

Q676. Tools used to identify risks include all of the following, except
A. Audit workflow software
B. Risk analysis questionnaire
C. Flowchart of operations
D. Insurance policy checklist

Q677. A new field offering opportunity and career growth is
A. Computer forensic analyst
B. Network administrator
C. Business systems analyst
D. Information system auditor

Q678. Which IT audit area involves formal statements that describe a course
of action that should be implemented to restore or provide accuracy,
efficiency, or adequate control of audit subject?
A. Recommendations of an audit report
B. Conclusion of an audit report
C. Audit tests
D. Findings of the audit reports

Q679. The advantage of tying the audit universe to organization objectives is
that it
A. Links the entire audit process to business objectives
B. Improves management’s understanding of the audit process
C. Develops the communication plan for the audit
D. Improves the quality of the audit report

Q680. Compliance with laws and regulations is a key business risk because
of
A. The sheer number of laws and regulations
B. The controls outlined in COBIT
C. The impact on security of an organization
D. The automation of financial processes

Q681. A technical review process helps ensure that
A. The right solution is selected that integrates with other technology
components
B. The project has included all the costs of the technology solution
C. The current infrastructure is sufficient to support the new
technology
D. The appropriate level of senior management approvals has been
received

Q682. Risk retention (self-insurance) methods should meet all the following
criteria, except
A. Develop an internal risk management group to monitor exposures
B. Risk should be spread physically to distribute exposure across
several locations
C. Determine whether a self-insurance reserve should be established
to cover a possible loss
D. Determine the maximum exposure to loss

Q683. Which of the following is false about ISO 9001 certification?
A. All organizations can establish ISO 9001 compliance
B. Accreditation is accomplished after being certified by a notified
body
C. The most important benefit from the registration is access to
markets such as the EC that require compliance
D. The NACCB approves an organization to operate an assessment
and registration of certification scheme

Q684. The special condition in which an auditor must be free of any bias or
influence is
A. Independence
B. IT skills
C. Good writing skills
D. Professional development

Q685. In the author’s opinion, an auditor must have
A. High ethical standards
B. Limited training
C. Poor communication skills
D. Poor time management skills

Q686. Cyberlaw is
A. Law governing use of the computer and the Internet
B. State law
C. Central law
D. International law

Q687. Which IT audit area involves formal statements that describe a course
of action that should be implemented to restore or provide accuracy,
efficiency, or adequate control of audit subject?
A. Recommendations of an audit report
B. Conclusion of an audit report
C. Audit tests
D. Findings of the audit reports

Q688. The advantage of tying the audit universe to organization objectives is
that it
A. Links the entire audit process to business objectives
B. Improves management’s understanding of the audit process
C. Develops the communication plan for the audit
D. Improves the quality of the audit report

Q689. The task of examining a spreadsheet for reasonableness checks and
comparison with known output is
A. Verification of logic
B. Documentation
C. Extent of training
D. Support commitment

Q690. A new field offering opportunity and career growth is
A. Computer forensic analyst
B. Network administrator
C. Business systems analyst
D. Information system auditor

Q691. Measuring IT performance is dependent on
A. The strategy and objectives of the organization
B. Delivering successful projects
C. Keeping operations running
D. Reducing operating costs

Q692. Compliance with laws and regulations is a key business risk because
of
A. The sheer number of laws and regulations
B. The controls outlined in COBIT
C. The impact on security of an organization
D. The automation of financial processes

Q693. A technical review process helps ensure that
A. The right solution is selected that integrates with other technology
components
B. The project has included all the costs of the technology solution
C. The current infrastructure is sufficient to support the new
technology
D. The appropriate level of senior management approvals has been
received

Q694. Risk retention (self-insurance) methods should meet all the following
criteria, except
A. Develop an internal risk management group to monitor exposures
B. Risk should be spread physically to distribute exposure across
several locations
C. Determine whether a self-insurance reserve should be established
to cover a possible loss
D. Determine the maximum exposure to loss

Q695. Which of the following is false about ISO 9001 certification?
A. All organizations can establish ISO 9001 compliance
B. Accreditation is accomplished after being certified by a notified
body
C. The most important benefit from the registration is access to
markets such as the EC that require compliance
D. The NACCB approves an organization to operate an assessment
and registration of certification scheme

Q696. Which of the following is NOT a CMM key process area?
A. Asset classification and control
B. Requirement management
C. Subcontract management
D. Software configuration management

Q697. The special condition in which an auditor must be free of any bias or
influence is
A. Independence
B. IT skills
C. Good writing skills
D. Professional development

Q698. In the author’s opinion, an auditor must have
A. High ethical standards
B. Limited training
C. Poor communication skills
D. Poor time management skills

Q699. Measuring IT performance is dependent on
A. The strategy and objectives of the organization
B. Delivering successful projects
C. Keeping operations running
D. Reducing operating costs

Q700. Tools used to identify risks include all of the following, except
A. Audit workflow software
B. Risk analysis questionnaire
C. Flowchart of operations
D. Insurance policy checklist

Q701. The task of examining a spreadsheet for reasonableness checks and
comparison with known output is
A. Verification of logic
B. Documentation
C. Extent of training
D. Support commitment

Q702. Cyberlaw is
A. Law governing use of the computer and the Internet
B. State law
C. Central law
D. International law

Answers for Module 2


Q470 Ans. c Q498 Ans. a Q526 Ans. d
Q471 Ans. d Q499 Ans. c Q527 Ans. d
Q472 Ans. d Q500 Ans. a Q528 Ans. c
Q473 Ans. a Q501 Ans. c Q529 Ans. a
Q474 Ans. d Q502 Ans. d Q530 Ans. c
Q475 Ans. a Q503 Ans. d Q531 Ans. c
Q476 Ans. b Q504 Ans. b Q532 Ans. d
Q477 Ans. a Q505 Ans. b Q533 Ans. a
Q478 Ans. c Q506 Ans. b Q534 Ans. c
Q479 Ans. a Q507 Ans. d Q535 Ans. b
Q480 Ans. a Q508 Ans. c Q536 Ans. b
Q481 Ans. b Q509 Ans. a Q537 Ans. d
Q482 Ans. a Q510 Ans. b Q538 Ans. c
Q483 Ans. a Q511 Ans. c Q539 Ans. c
Q484 Ans. c Q512 Ans. a Q540 Ans. d
Q485 Ans. a Q513 Ans. d Q541 Ans. c
Q486 Ans. c Q514 Ans. d Q542 Ans. d
Q487 Ans. c Q515 Ans. b Q543 Ans. d
Q488 Ans. c Q516 Ans. c Q544 Ans. b
Q489 Ans. a Q517 Ans. c Q545 Ans. a
Q490 Ans. b Q518 Ans. a Q546 Ans. b
Q491 Ans. d Q519 Ans. c Q547 Ans. d
Q492 Ans. b Q520 Ans. d Q548 Ans. d
Q493 Ans. c Q521 Ans. d Q549 Ans. b
Q494 Ans. d Q522 Ans. d Q550 Ans. d
Q495 Ans. a Q523 Ans. c Q551 Ans. b
Q496 Ans. b Q524 Ans. b Q552 Ans. d
Q497 Ans. d Q525 Ans. a Q553 Ans. c

Q554 Ans. d Q584 Ans. d Q614 Ans. d
Q555 Ans. c Q585 Ans. b Q615 Ans. c
Q556 Ans. d Q586 Ans. b Q616 Ans. a
Q557 Ans. b Q587 Ans. a Q617 Ans. c
Q558 Ans. b Q588 Ans. d Q618 Ans. a
Q559 Ans. b Q589 Ans. c Q619 Ans. d
Q560 Ans. c Q590 Ans. b Q620 Ans. c
Q561 Ans. d Q591 Ans. c Q621 Ans. a
Q562 Ans. c Q592 Ans. a Q622 Ans. d
Q563 Ans. b Q593 Ans. a Q623 Ans. d
Q564 Ans. b Q594 Ans. c Q624 Ans. d
Q565 Ans. c Q595 Ans. c Q625 Ans. b
Q566 Ans. b Q596 Ans. b Q626 Ans. c
Q567 Ans. c Q597 Ans. c Q627 Ans. c
Q568 Ans. b Q598 Ans. b Q628 Ans. b
Q569 Ans. b Q599 Ans. a Q629 Ans. b
Q570 Ans. b Q600 Ans. b Q630 Ans. a
Q571 Ans. b Q601 Ans. d Q631 Ans. a
Q572 Ans. d Q602 Ans. c Q632 Ans. b
Q573 Ans. a Q603 Ans. b Q633 Ans. C
Q574 Ans. c Q604 Ans. c Q634 Ans. B
Q575 Ans. b Q605 Ans. b Q635 Ans. C
Q576 Ans. c Q606 Ans. b Q636 Ans. A
Q577 Ans. a Q607 Ans. c Q637 Ans. B
Q578 Ans. a Q608 Ans. b Q638 Ans. B
Q579 Ans. c Q609 Ans. a Q639 Ans. C
Q580 Ans. a Q610 Ans. c Q640 Ans. D
Q581 Ans. d Q611 Ans. b Q641 Ans. C
Q582 Ans. d Q612 Ans. d Q642 Ans. C
Q583 Ans. c Q613 Ans. b Q643 Ans. B

Q644 Ans. D Q674 Ans. D
Q645 Ans. A Q675 Ans. A
Q646 Ans. D Q676 Ans. A
Q647 Ans. B Q677 Ans. A
Q648 Ans. D Q678 Ans. A
Q649 Ans. C Q679 Ans. A
Q650 Ans. D Q680 Ans. A
Q651 Ans. C Q681 Ans. A
Q652 Ans. B Q682 Ans. A
Q653 Ans. C Q683 Ans. A
Q654 Ans. B Q684 Ans. A
Q655 Ans. A Q685 Ans. A
Q656 Ans. B Q686 Ans. A
Q657 Ans. C Q687 Ans. A
Q658 Ans. C Q688 Ans. A
Q659 Ans. C Q689 Ans. A
Q660 Ans. C Q690 Ans. A
Q661 Ans. D Q691 Ans. A
Q662 Ans. B Q692 Ans. A
Q663 Ans. C Q693 Ans. A
Q664 Ans. D Q694 Ans. A
Q665 Ans. D Q695 Ans. A
Q666 Ans. C Q696 Ans. A
Q667 Ans. C Q697 Ans. A
Q668 Ans. A Q698 Ans. A
Q669 Ans. D Q699 Ans. A
Q670 Ans. C Q700 Ans. A
Q671 Ans. C Q701 Ans. A
Q672 Ans. A Q702 Ans. A
Q673 Ans. A

DISA Review Questions, Answers Manual – Module 3

Module 3 Questions
Q703. Which of these options is not a feature of VPN?
A. Uses Internet
B. Uses intranet
C. Uses extranet
D. Uses common standards

Q704. Path length, bandwidth, load are:
A. Routing metrics
B. Routing algorithms
C. Routing algorithms design type
D. Routing activities

Q705. What are the categories under which X.25 devices fall?
A. DCE only
B. DTE and PSEs
C. DTE and DCE only
D. DTE, DCE and PSEs

Q706. The PKI Architecture model in which latent trust is established on a
peer-to-peer basis is called the
A. Cross Certification Model
B. Hierarchical Model
C. Hybrid Model
D. Single Root Model.

Q707. Which of the following do not lend themselves to compression easily?
A. Text files
B. Files containing Programming language codes
C. Images
D. Dictionaries

Q708. Which of the following is NOT a Top-Level Domain (TLD)?
A. .com
B. .mil
C. .net
D. .co

Q709. Telecommuting can be effectively facilitated by which one of the
following?
A. Intelligent modems
B. Integrated services digital network (ISDN)
C. Voice-Mail System
D. PBX equipment

Q710. Which one of the following local area network devices functions as a
data regenerator?
A. Network interface card
B. Switch
C. Repeater
D. Modems

Q711. Which one of the following databases supports programming languages?
A. Hierarchical model
B. Network model

C. Relational model
D. Object-oriented models

Q712. Which one of the following is not part of a computer capacity
management function?
A. Service management
B. Performance management
C. Capacity planning
D. Chargeback system

Q713. A large number of system failures are occurring when corrections to
previously detected faults are resubmitted for acceptance testing. This
would indicate that the development team is probably not adequately
performing which of the following types of testi
A. Unit testing
B. Integration testing
C. Design walkthroughs
D. Configuration management

Q714. Unit testing is different from system testing because:
A. Unit testing is more comprehensive.
B. Programmers are not involved in system testing.
C. System testing relates to interfaces between programs.
D. System testing proves user requirements are adequate.

Q715. Which is the component not found in a data dictionary?
A. Table definition
B. ER model of data
C. Actual data
D. Data element definition

Q716. Which of the following is a primary purpose for conducting parallel
testing?
A. To determine if the system is more cost-effective.
B. To enable comprehensive unit and system testing.
C. To highlight errors in the program interfaces with files.
D. To ensure the new system meets all user requirements.

Q717. The geometric method that gives the location of a point, given its
distances from three other points, is:
A. GPS
B. Trilateration
C. Pseudo random code
D. Satellite Signals

Q718. Data normalization is typically found in which of the following database
management models?
A. Hierarchy data model
B. Network data model
C. Relational data model
D. File Inversion

Q719. Expansion of a network is easiest if the topology employed is:
A. Bus
B. Ring
C. Star
D. Mesh

Q720. Software quality assurance takes care of:
A. Error prediction
B. Error prevention

C. Error detection
D. Error correction

Q721. When auditing the requirements phase of a software system, an IS auditor
would:
A. Assess the adequacy of audit trails.
B. Identify and determine the criticality of the need.
C. Verify cost justifications and anticipated benefits.
D. Ensure the control specifications have been defined

Q722. The prototyping approach does not assume the existence of:
A. Reusable software
B. Formal specifications languages
C. Detail requirements document
D. Fourth-generation programming languages

Q723. Which of the following is NOT an advantage of an object-oriented
approach to data management systems?
A. A means to model complex relationships.
B. The ability to restrict the variety of data types.
C. The capacity to meet the demands of a changing environment.
D. The ability to access only the information that is needed.

Q724. Which one of the following components of the database language
Structured Query Language (SQL) holds the actual data in the database?
A. Schemas
B. Triggers
C. Reports
D. Tables

Q725. Which of the following is not a part of a digital certificate?
A. Digital signature of the issuer
B. Public key of the subject
C. Private key of the subject
D. Serial number

Q726. Which of the following concerns about the security of an electronic
message would be addressed by Digital Signatures?
A. Unauthorised reading
B. Theft
C. Unauthorised copying
D. Alteration
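Q673 asks who signs with which key, Q725 what a certificate may carry, Q726 what a signature protects against and Q753 which keys a public key cryptosystem uses. The Python example below is added here for illustration; it is not part of the manual and not ICAI code. It walks the exchange with textbook RSA: Alice signs the SHA-256 digest of the message with her own private key and encrypts the message with Bob's public key; Bob decrypts with his private key and verifies with Alice's public key, and an altered message fails verification. Key sizes, the party names and the message are assumptions made for the demonstration. Textbook RSA without OAEP/PSS padding is used only to make the key roles visible and must not be used in production; real systems use a vetted library.

```python
"""Added example: sign with the sender's private key, encrypt with the
receiver's public key (textbook RSA, demonstration only, NOT secure)."""
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness that n is composite
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has full size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as ((e, n), (d, n)). Toy key size (assumption)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (e, n), (pow(e, -1, phi), n)


def sign(private, message: bytes) -> int:
    """Sender signs the SHA-256 digest with her OWN private key (Q673 A)."""
    d, n = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")   # 256 bits < n
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key (e.g. from her certificate) checks it."""
    e, n = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def encrypt(public, message: bytes) -> int:
    """Sender encrypts with the RECEIVER's public key; only his private key opens it."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for textbook RSA with this modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Note: leading 0x00 bytes of the plaintext would be lost in this toy encoding."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def send(sender_priv, receiver_pub, message: bytes):
    """Sender side of Q673 option A: (ciphertext, signature over the plaintext)."""
    return encrypt(receiver_pub, message), sign(sender_priv, message)


def receive(receiver_priv, sender_pub, ciphertext: int, signature: int):
    """Receiver side: decrypt with own private key, verify with sender's public key."""
    plaintext = decrypt(receiver_priv, ciphertext)
    return plaintext, verify(sender_pub, plaintext, signature)


def demo():
    """Returns (plaintext recovered, signature valid, tampered message accepted)."""
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()   # bob_pub is what his certificate carries, never bob_priv (Q725)
    msg = b"Approve wire transfer of INR 4,50,000 to vendor 1138"  # constructed sample
    ct, sig = send(alice_priv, bob_pub, msg)
    pt, ok = receive(bob_priv, alice_pub, ct, sig)
    # Alteration in transit (Q726): the old signature no longer matches the new digest.
    forged = b"Approve wire transfer of INR 9,50,000 to vendor 1138"
    return pt == msg, ok, verify(alice_pub, forged, sig)


if __name__ == "__main__":
    print(demo())
```

Swapping the key roles as in options B to D either fails (only the owner holds a private key, so nobody else could "sign with the receiver's private key") or gives no protection (encrypting with a private key lets anyone holding the matching public key read the message).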

Q727. A decision table is used in program testing to check the branching of
distinct processes. It consists of:
A. A condition stub and result
B. A condition stub, condition entry, action stub and action entry
C. An action stub and condition entry
D. An action stub and result

Q728. A computerized information system frequently fails to meet the needs
of users because:
A. User needs are constantly changing.
B. The growth of user requirements was inaccurately forecast.
C. The hardware system limits the number of concurrent users.
D. User participation in defining the system’s requirements is
inadequate.

Q729. An organization is developing a new business system. Which of the
following will provide the MOST assurance that the system provides the
required functionality?
A. Unit testing
B. Regression testing
C. Acceptance testing
D. Integration testing

Q730. Which one of the following protocols is used by the Internet?
A. DNA
B. ISO/OSI
C. TCP/IP
D. X.12

Q731. The designer of a cryptosystem is called a:
A. cryptoanalyst
B. cryptographer
C. cryptologist
D. cryptogenist

Q732. Where are larger cell structures commonly used?
A. Densely populated areas
B. Mountainous areas
C. Rural areas
D. Lightly populated urban areas

Q733. Which of the following is not a desirable property of a cipher system:
A. simplicity
B. small key
C. high error propagation
D. high work factor

Q734. Which one of the following methodologies requires efficient system
requirement analysis?
A. Reverse engineering
B. The Delphi Design (JAD)
C. Joint application Design (JAD)
D. Traditional system development life cycle.

Q735. “_____________” is not exchanged immediately after a session between
two nodes is started.
A. DLSw Version number
B. NetBIOS support
C. Search frames support
D. MAC address of devices

Q736. The arrows and letters P through W in the diagram represent:
A. Events
B. Activities
C. Successor points
D. Predecessor points

Q737. Which of the following is performed first in a system development life
cycle project?
A. Developing program flow chart
B. Determining system inputs and outputs
C. Developing design documents.
D. Developing conversion plans

Q738. Which of the following estimates of time has the most important
relevance in the PERT evaluation technique?
A. Most likely time
B. Pessimistic time
C. Actual time
D. Optimistic time

Q739. Which of the following statements is false (with regard to structured
programming concepts and program modularity)?
A. Modules should perform only one principal function.
B. Interaction between modules should be minimal.
C. Modules should have only one entry and one exit point.
D. Modularity means program segmentation.

Q740. Data flow diagrams are used by IS auditors to:
A. Order data hierarchically
B. Highlight high-level data definitions
C. Graphically summarise data paths and storage
D. Portray step-by-step details of data generation

Q741. The function of an access gateway is to:
A. Connect components in the same network
B. Access information for an end user
C. Connect one network to another
D. All of the above

Q742. Which phase of SDLC uses Data Flow Diagrams?
A. Requirements
B. Design

C. Implementation
D. Maintenance

Q743. Which one of the following is not an essential feature of LAN?
A. Range
B. Transmission Technology
C. Topology
D. Routing

Q744. Electronic methods of data transfer are involved in all of the following
except:
A. remote batch processing
B. stand alone data processing
C. message switching
D. time sharing

Q745. An IS auditor who plans on testing the connection of two or more
system components that pass information from one area to another
would use:
A. Pilot testing.
B. Parallel testing.
C. Interface testing.
D. Regression testing.

Q746. A Bluetooth piconet can have a maximum of __________ slaves.
A. One
B. Three
C. Five
D. Seven

Q747. The DES is an example of a:
A. short key cipher system
B. 32 bit key system
C. long key cipher system
D. encryption system that can not be used more than once

Q748. Which among the following hacking techniques DOES NOT facilitate
impersonation?
A. Forging the signature
B. Packet replay
C. Interception
D. Relay
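Q748 lists packet replay among the techniques that let an attacker impersonate a legitimate user, and Q749 makes the point that cryptography gives authentication and integrity but not availability. The Python example below is added here for illustration and is not part of the manual: it shows why a message authentication code on its own does not stop replay (a captured request still carries a valid tag, so the server would act on it again) and how binding a nonce and timestamp into the tag, plus a short memory of recent nonces, rejects the replayed copy while still catching an altered one. The wire format, field names, pre-shared key and 30-second freshness window are assumptions made for the demonstration.

```python
"""Added example: HMAC-authenticated requests with replay detection.
Wire format, key and window are assumptions for illustration."""
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: pre-shared secret
FRESHNESS_WINDOW = 30                                # seconds a request stays acceptable


def make_packet(key: bytes, user: str, action: str, now: int) -> bytes:
    """Client side: body + fresh nonce + timestamp, all covered by the HMAC tag."""
    body = {"user": user, "action": action, "ts": now, "nonce": secrets.token_hex(8)}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return canonical + b"|" + tag.encode()


class Verifier:
    """Server side. Without the nonce cache, a replayed packet would pass every check."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}   # nonce -> timestamp, pruned once a packet is too old to replay

    def accept(self, packet: bytes, now: int) -> tuple:
        try:
            canonical, tag = packet.rsplit(b"|", 1)
            body = json.loads(canonical)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad MAC"      # altered in transit: integrity check fails
        if abs(now - body["ts"]) > FRESHNESS_WINDOW:
            return False, "stale"        # outside the window (old capture or clock skew)
        # Forget nonces that the freshness check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if body["nonce"] in self.seen:
            return False, "replay"       # identical packet presented a second time
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"


def demo():
    """Returns the verdicts for: original, replayed copy, altered copy, late copy."""
    server = Verifier(SHARED_KEY)
    t0 = 1_700_000_000                                   # constructed clock value
    pkt = make_packet(SHARED_KEY, "alice", "transfer:1000", t0)
    first = server.accept(pkt, t0 + 1)
    # Attacker captured pkt on the wire and resends it unchanged a few seconds later.
    replayed = server.accept(pkt, t0 + 5)
    # Attacker edits the amount instead; the tag no longer matches the body.
    altered = server.accept(pkt.replace(b'"transfer:1000"', b'"transfer:9000"'), t0 + 5)
    # The same capture resent after the window has elapsed.
    late = server.accept(pkt, t0 + 120)
    return first, replayed, altered, late


if __name__ == "__main__":
    print(demo())
```

The HMAC alone answers "was this message altered?" (integrity) and "was it built by someone holding the key?" (authentication); only the nonce memory answers "have I already acted on this exact message?", which is the question replay attacks exploit.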

Q749. The science of cryptography provides all of the following safeguards
except
A. system availability
B. data confidentiality
C. message authentication
D. message integrity

Q750. In which of the following SDLC (System Development Life Cycle)
phases is the IS auditor’s participation unnecessary?
A. Feasibility study
B. User requirements
C. Programming
D. Manual specifications

Q751. In a system development project, the formal change control mechanism
is begun after:
A. Completing the system planning document
B. Completing the system requirement document
C. Completing the system design document
D. Completing the program coding work

Q752. Which of the following groups/individuals assume ownership of
systems development life cycle projects and the resulting system?
A. User management
B. Senior management
C. Project Steering committee
D. Systems development management

Q753. A public key cryptosystem uses:
A. two private keys
B. two public keys
C. private key and a public key
D. a new key is generated for each transaction

Q754. Which of the following is not a function of operations management:
A. performance monitoring
B. file library
C. program source code modification
D. production work flow control

Q755. In an information processing system, specific measures were
introduced to improve quality. An auditor however will not be assured of
the effectiveness of these measures by:
A. A perceptible reduction in problems reported by users.
B. Increased satisfaction
C. An increase in the quality assurance budget.
D. A reduction in the maintenance cost of the application

Q756. Which of the following would NOT normally be part of a feasibility study?
A. Identifying the cost savings of a new system.
B. Defining the major requirements of the new system.
C. Determining the productivity gains of implementing a new system.
D. Estimating a pay-back schedule for cost incurred in implementing
the system.

Q757. The CSMA/CD Protocol is useful in
A. Correcting Collisions
B. Preventing Collisions
C. Eliminating Collisions
D. Detecting Collisions

Q758. The following is not a desirable property of a cipher system:
A. high work factor
B. low work factor
C. small key
D. low error propagation

Q759. The primary function of the steering committee is:
A. Reviewing user requirements and ensuring that all controls are
considered
B. Strategic planning for computer installation.
C. Evaluating specific project plans for systems
D. Conducting a major feasibility study, when it is required.

Q760. Design prototyping is more likely to be needed when:
A. The application system to be designed is a traditional accounting
system.
B. There is substantial uncertainty surrounding the system to be
designed.
C. The designer believes that there is no need to develop user
specification for the system to be implemented.
D. The SDLC approach to system development is adopted.

Q761. Access to the firewall should be limited to:
A. Firewall administrators
B. Top management
C. Security administrators
D. IT personnel

Q762. Which one of these features is specific to cross bar switches?
A. Direct control
B. Call supervision
C. Common control
D. Identification of path

Q763. Rapid Application Development is not appropriate when the development
cycle involves
A. Reusability
B. Short time cycle
C. High technical risks
D. Small-integrated teams

Q764. The least commonly used medium for local area network (LAN)
environment is:
A. Fiber optics cable
B. Twisted-pair (shielded) cable
C. Twisted-pair (unshielded) cable
D. Coaxial cable

Q765. Which of the following is not an aspect of data mining?
A. Data collection
B. Powerful multiprocessor computers
C. Data mining algorithms
D. Decision trees

Q766. After the system is developed, the auditor’s objective in
conducting a general review is to
A. Determine whether a critical application system needs
modification due to recent change in the status.
B. Conduct a test of controls to ensure that no necessary
control is omitted in the design.
C. Make an evaluation of the whole process to quantify
the substantive test required for the specialization audit of the
process.
D. Conduct a substantive test of the application system.

Q767. Which of the following issues requires more attention from an
Information Systems (IS) auditor participating in a system development
life cycle project?
A. Technical issues
B. Organisational issues
C. Behavioural issues
D. Contractual issues

Q768. Which of the following represents a typical prototype of an interactive
application?
A. Screens and process programs
B. Screens, interactive edits and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports

Q769. Which one of the following techniques is represented by structured
analysis and design?
A. Function-oriented techniques
B. Data-oriented techniques
C. Control-oriented techniques
D. Information-oriented techniques

Q770. Which of the following tasks would NOT be performed by an IS
auditor when reviewing systems development controls in a specific
application?
A. Attend project progress meetings.
B. Review milestone documents for appropriate sign-off.
C. Compare development budgets with actual time and amount
spent.
D. Design and execute testing procedures for use during
acceptance testing.

Q771. Which of the following is false with regard to expert systems?
A. Expert system knowledge is represented declaratively
B. Expert system computations are performed through symbolic
reasoning
C. Expert systems knowledge is incorporated in the program control
D. Expert systems control their own actions

Q772. Use of asymmetric encryption over an Internet e-commerce site, where
there is one private key for the hosting server and the public key is
widely distributed to the customers, is MOST likely to provide comfort
to the:
A. Customer over the authenticity of the hosting organization.
B. Hosting organization over the authenticity of the customer
C. Customer over the confidentiality of messages from the hosting
organization
D. Hosting organization over the confidentiality of message passed
to the customer.

Q773. PC-based analysis and design tools are used along with mainframe
computer-based tools. Identify the CASE tool that is required in this
situation.
A. Diagramming tools
B. Simulation tools
C. Export / import tools
D. Diagram checking tools

Q774. “----------” is a component of a virtual office.
A. Internet access
B. Cellular communications
C. Groupware
D. All of the above

Q775. The use of coding standards is encouraged by IS auditors because
they:
A. Define access control tables.
B. Detail program documentation.
C. Standardize dataflow diagram methodology.
D. Ensure compliance with field naming conventions.

Q776. The primary role of an IS auditor in the system design phase of an
application development project is to:
A. Advise on specific and detailed control procedures.
B. Ensure the design accurately reflects the requirement.
C. Ensure all necessary controls are included in the initial design.
D. Advise the development manager on adherence to the schedule.

Q777. Which of the following statements is incorrect?
A. Expert systems are aimed at solving problems using an
algorithmic approach
B. Expert systems are aimed at solving problems that have irregular
structure
C. Expert systems are aimed at solving problems which have
incomplete information
D. Expert systems are aimed at solving problems of considerable
complexity

Q778. Which of the following is not a subsystem of the decision support
system?
A. Language system
B. Knowledge system
C. Transaction processing system
D. Problem processing system

Q779. An auditor evaluating a software package purchase contract will NOT
expect the contract to include:
A. License cost
B. Maintenance cost
C. Operational costs
D. Outage costs

Q780. Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended
system.

Q781. Many IT projects experience problems because the development
time and/or resource requirements are underestimated. Which of
the following techniques would improve the estimation of the resources
required in system construction after the development of t
A. PERT chart
B. Recalibration
C. Cost-benefit analysis
D. Function point estimation

Q782. The critical path in a Program Evaluation Review Technique (PERT)
chart is identified by:
A. The project management team after identifying the criticality of
the function.
B. The path that has maximum slack time.
C. The path that has zero slack time.
D. Project development team after discussing with the users.

Q783. Objectives of risk assessment include:
A. Sensitizing business processes
B. Prioritizing business processes
C. Criticising business processes
D. Evaluating business processes

Q784. Introduction of CASE tools in a mainframe environment provides which
of the following benefits?
A. Easy conversion of huge data
B. Adequate technical knowledge
C. Proper training personnel
D. Acts as supportive tools

Q785. Which of the following is a management technique that enables
organizations to develop strategically important systems faster while
reducing development costs and maintaining quality?
A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation review technique

Q786. SET transaction is initiated by the:
A. E-wallet
B. Merchant Server
C. Acquirer
D. Certificate Authority

Q787. Which of the following project completion paths represents the critical
path?
A. PUW
B. PTVW
C. RVW
D. QSVW

Q788. A (B2C) E-commerce web site, as part of its information security
program, wants to monitor, detect and prevent hacking activities and
alert the system administrator when suspicious activities occur. Which
of the following infrastructure components could b
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Asymmetric encryption

Q789. Structured programming is BEST described as a technique that:
A. Provides knowledge of program functions to other programmers
via peer reviews.
B. Reduces the maintenance time of programs by the use of small-scale
programs.
C. Makes the readable coding reflect as closely as possible the
dynamic execution of the program.
D. Controls the coding and testing of the high-level functions of the
program in the development process.

Q790. Which of the following computer aided software engineering (CASE)
products is used for developing detailed designs, such as screen and
report layouts?
A. Super CASE
B. Upper CASE
C. Middle CASE
D. Lower CASE

Q791. _______ ensures an undisturbed connection between two nodes during
data exchange
A. Application layer
B. Data link layer
C. Session layer
D. Presentation layer

Q792. The biggest benefit of prototyping is:
A. Better version control
B. Better communication between developers and users
C. Increased productivity
D. Quicker delivery

Q793. For which of the following does the IS auditor NOT take part in the
development team deliberations?
A. Ensuring adequacy of data integrity controls.
B. Ensuring adequacy of data security controls.
C. Ensuring that there are no cost and time overruns
D. Ensuring that documentation is accurate

Q794. An IS auditor involved as a team member in the detailed system design phase of a system under development would be MOST concerned with:
A. Internal control procedures.
B. user acceptance test schedules.
C. Adequacy of the user training program.
D. Clerical progress for resubmission of rejected items.

Q795. Fuzzy logic is most effective when:
A. Used to develop decision support system
B. Combined with neural network technologies
C. Used to build hard disc controllers
D. Used to design memory caches

Q796. ____________ do not have an address table when they are first installed.
A. Simple bridges
B. Multiport bridges
C. Transparent bridges
D. None of the above


Q797. Which of the following is a management technique that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality?
A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation and review technique (PERT)

Q798. E-cash is a form of electronic money that:
A. Can be used over any computer network.
B. Utilizes reusable e-cash coins to make payments.
C. Does not require the use of an Internet digital bank.
D. Contains unique serial numbering to track the identity of the
buyer.

Q799. Removing sequences of extraneous zeros or spaces in a file is an application of:
A. Disk striping
B. Data streaming
C. Data editing
D. Data compression

Q800. Which of the following would be considered to be the MOST serious disadvantage of prototyping systems development?
A. The prototyping software is expensive.
B. Prototyping demands excessive computer usage.
C. Users may perceive that the development is complete.
D. The users' needs may not have been correctly assessed.


Q801. An IS auditor, while conducting a post-implementation review, would look for:
A. The documentation of the test objectives
B. The extent of issues pointed out in the user acceptance test and
the unresolved issues.
C. The documentation of the test results.
D. The log containing the problems reported by the users.

Q802. How is DNS implemented on the client side?
A. Through “Binding”
B. Through “Resolver” programs
C. Through Virtual hosting
D. By registering with a registrar company

Q803. Which of the following techniques/features does ATM not integrate?
A. Multiplexing
B. Switching
C. Data/voice/video transmission
D. Encryption

Q804. The most important process in an SSL session is:
A. Client authentication
B. Server authentication
C. Encryption of data
D. Symmetric key creation.

Q805. Which one of the following risks is unique to wireless communication?
A. Lack of physical security
B. Denial of service
C. Spoofing attack
D. Disabling of network.

Q806. ISDN's Basic Rate Interface (BRI) is also known as:
A. 23B+D
B. 23D+B
C. 2B+D
D. 2D+B

Q807. An IS auditor who has participated in the development of an application system might have their independence impaired if they:
A. Perform an application development review.
B. Recommend control and other system enhancements.
C. Perform an independent evaluation of the application after its implementation.
D. Are actively involved in the design and implementation of the application system.

Q808. Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problems.
B. DSS combines the use of models with non-traditional data access
and retrieval functions.
C. DSS emphasizes flexibility in the decision-making approach of users.
D. DSS supports only structured decision-making tasks.

Q809. Which of the spread spectrum technologies is widely employed?
A. Frequency hopping
B. Direct Sequence
C. Time Hopping
D. Multipath Code Division Multiple Access


Q810. For ensuring adequate security of a LAN, the auditor must exercise control over:
A. Password
B. Policies
C. Firewall
D. Applets

Q811. An electronic device that combines data from several low-speed communication lines into a single high-speed line is a:
A. modem
B. multiplexer
C. channel
D. Link editor

Q812. Which type of cipher has the highest work factor?
A. substitution cipher
B. product cipher
C. bit cipher
D. transmission cipher

Q813. A significant problem in planning and controlling a software development project is determining:
A. Project slack times.
B. A project’s critical path.
C. Time and resource requirements for individual tasks.
D. Precedent relationships which preclude the start of certain
activities until others are complete.


Q814. Which of the following statements pertaining to data warehouses is FALSE?
A. A data warehouse is designed specifically for decision support.
B. The quality of the data in a data warehouse must be very high.
C. Data warehouses are made up of existing databases, files and external information.
D. A data warehouse is used by senior management only because of the sensitivity of the data.

Q815. While auditing logical access control, the auditor need not review:
A. Authorisation of dial in access
B. Audit trail
C. Bugs in the firewall
D. Password management

Q816. In an Internet environment, a firewall acts as a:
A. modem
B. brouter
C. router
D. bridge

Q817. Which of these benefits is unique to cdmaOne?
A. Capacity gain
B. Improved call quality
C. Enhanced privacy
D. Soft handoffs


Q818. Internet Message Access Protocol (IMAP) allows __________ mode of email access.
A. Online
B. Offline
C. Disconnected
D. None of the above

Q819. Which RAID (Redundant Array of Independent Disks) type makes use
of embedded operating systems?
A. RAID-3
B. RAID-6
C. RAID-53
D. RAID-7

Q820. Which of these is not a benefit of data warehousing?
A. Data creation
B. Immediate information delivery
C. Data integration
D. Business analysis

Q821. Network masquerading is countered effectively by:
A. Dial-forward technique
B. Dial-back technique
C. Dial-back combined with data encryption
D. Data encryption alone

Q822. SONET is a standard for which of the following networks?
A. Twisted-pair cable
B. Fiber-optic cable
C. Coaxial cable
D. Ethernet

Q823. Which of the following is not a PKI component?
A. Certificate Authority
B. Merchant Server
C. Time Server
D. Signing Server

Q824. Passwords belong to the following class of authentication information:
A. physical attributes
B. personal details
C. possessed objects
D. remembered information

Q825. What is the similarity between a multiplexer and a hub?
A. Both of them use TDM
B. Both use FDM and STDM
C. Both are hardware
D. Both route multiple connections

Q826. A class-B GPRS terminal can support _________ service at a time.
A. GSM and GPRS
B. GSM or GPRS
C. TDMA
D. TDMA and GSM

Q827. A peer-to-peer network works under ____________
A. A centralised environment
B. A decentralised environment
C. Server control
D. All of the above

Q828. A security management system should undertake _____________.
A. Local data reduction
B. Event correlation
C. Low resource utilisation
D. All of the above

Q829. In WAP, the actual transfer of data is done by the ___________
A. Bearers
B. Session Layer
C. Transport Layer
D. Transaction Layer

Q830. Proxy servers act as a mediator between:
A. Two Local Area Networks (LANs)
B. Local network and Internet
C. Two networks using different protocols
D. Router and Internet

Q831. While reviewing firewall logs, the auditor does not attempt to keep track
of:
A. Unsuccessful logins
B. Successful logins
C. Unsuccessful logins
D. Unsuccessful logouts


Q832. A normal Post Office Protocol (POP) session has three different states: 1) Transaction state 2) Update state 3) Authorisation state. The correct sequence is:
A. 1,2,3
B. 3,2,1
C. 3,1,2
D. 2,3,1
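Q832 asks only for the order of the POP3 states; the security point behind the order is that a server must refuse mailbox commands until the client has passed the authorisation state, and must apply deletions only when the session reaches the update state. The Python below is an added example, not code from the manual: a minimal server-side state machine following RFC 1939 that enforces AUTHORIZATION, then TRANSACTION, then UPDATE, rejects commands issued in the wrong state, and applies DELE marks only on entering UPDATE. The user name, password and mailbox contents are constructed for the illustration.

```python
"""Added example: a minimal POP3 server-side state machine (RFC 1939 states).
Not from the DISA manual. Credentials and mailbox contents are constructed."""
from typing import Dict, List, Optional


class Pop3Session:
    def __init__(self, credentials: Dict[str, str], mailbox: List[str]):
        self.credentials = credentials   # {user: password}; an assumed credential store
        self.mailbox = mailbox           # messages of the single demo user
        self.state = "AUTHORIZATION"     # every session starts here
        self.pending_user: Optional[str] = None
        self.marked = set()              # message numbers marked by DELE, not yet removed

    def handle(self, line: str) -> str:
        """Process one client command line and return the server's reply."""
        parts = line.strip().split()
        if not parts:
            return "-ERR empty command"
        verb, args = parts[0].upper(), parts[1:]
        if self.state == "AUTHORIZATION":
            return self._authorization(verb, args)
        if self.state == "TRANSACTION":
            return self._transaction(verb, args)
        return "-ERR connection closed"   # UPDATE state: nothing further is accepted

    def _authorization(self, verb: str, args: List[str]) -> str:
        if verb == "USER" and args:
            self.pending_user = args[0]
            return "+OK"
        if verb == "PASS" and args and self.pending_user:
            if self.credentials.get(self.pending_user) == args[0]:
                self.state = "TRANSACTION"          # only a correct PASS advances the state
                return f"+OK {len(self.mailbox)} messages"
            self.pending_user = None                # force USER to be repeated after a failure
            return "-ERR invalid credentials"
        if verb == "QUIT":
            self.state = "UPDATE"                   # nothing was marked, so nothing is deleted
            return "+OK bye"
        return "-ERR command not valid in AUTHORIZATION state"

    @staticmethod
    def _msgno(args: List[str]) -> Optional[int]:
        """Parse a message-number argument; None if absent or not an integer."""
        try:
            return int(args[0]) if args else None
        except ValueError:
            return None

    def _transaction(self, verb: str, args: List[str]) -> str:
        if verb == "STAT":
            live = [m for i, m in enumerate(self.mailbox, 1) if i not in self.marked]
            return f"+OK {len(live)} {sum(len(m) for m in live)}"
        if verb in ("RETR", "DELE"):
            n = self._msgno(args)
            if n is None or not 1 <= n <= len(self.mailbox) or n in self.marked:
                return "-ERR no such message"
            if verb == "DELE":
                self.marked.add(n)                  # marked only; removal is deferred to UPDATE
                return f"+OK message {n} deleted"
            return f"+OK\r\n{self.mailbox[n - 1]}\r\n."
        if verb == "RSET":
            self.marked.clear()
            return "+OK"
        if verb == "QUIT":
            self.state = "UPDATE"                   # entering UPDATE: apply the DELE marks now
            self.mailbox[:] = [m for i, m in enumerate(self.mailbox, 1) if i not in self.marked]
            return "+OK bye"
        return "-ERR command not valid in TRANSACTION state"


if __name__ == "__main__":
    session = Pop3Session({"alice": "s3cret"}, ["hello", "world!"])   # constructed data
    for cmd in ["STAT", "USER alice", "PASS wrong", "USER alice", "PASS s3cret",
                "DELE 1", "STAT", "QUIT", "STAT"]:
        print(f"C: {cmd:12} S: {session.handle(cmd)}   [{session.state}]")
```

The transcript printed by the main block shows the ordering the question is after: STAT is refused before authentication, DELE in the transaction state only marks a message (STAT still reports the remaining size), and the mailbox actually shrinks at QUIT, when the session enters the update state and stops accepting commands.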

Q833. Which of the following features is least likely to be found in a real-time application?
A. User manuals
B. Preformatted screens
C. Automatic error correction
D. Turnaround documents

Q834. Voice data is transformed from analog to digital mode, or vice versa, by:
A. Internet Service Provider
B. Gateway Server
C. VoIP Service Provider
D. PSTN Station

Q835. The modifications done in an image can be determined by:
A. Patch work
B. Tamper proofing
C. Feature tagging
D. Embedded captions

Q836. Security problem(s) that a PC can create in a Local Area Network are:
A. Multiplication Factor
B. Channel Factor
C. Both A and B
D. Division Factor

Q837. Which of the following is used to append a digital signature?
A. Public Key
B. Private key
C. Trusted Key or Third party key
D. Any digital Key

Q838. Which of the following elements is unique to a smart card?
A. Magnetic stripe
B. Microchip
C. Signature
D. Photograph

Q839. Which of these services offered by GSM provides a personal security code to subscribers?
A. Short message service
B. Cell broadcasting
C. Advice of charge
D. Voice mail

Q840. Which SAN (Storage Area Network) architecture is most widely used?
A. Optical fibers
B. Fiber loop
C. Mainframes
D. Network attached storage


Q841. Under normal conditions, which of the following offers the fastest
connection to the Internet?
A. Analog connections
B. ISDN
C. DSL
D. Cable

Q842. Security assessment of capability levels does not involve:
A. Firewall rule set
B. Application server Configuration
C. Manual inspection
D. Eliminating the incorporation of security architecture

Q843. Which one of these options allows multicasting and broadcasting in an ATM LAN?
A. Ethernet
B. Token ring
C. LES
D. BUS

Q844. Which of the following is not a characteristic of a modem?
A. Transmission Speed
B. Data Accuracy
C. Error Detection and Correction
D. Data Compression

Q845. The size of a cell does not depend upon __________
A. The subscriber density
B. Demand in an area
C. The landscape
D. The subscriber’s conversation time

Q846. ____________ is not exchanged immediately after a session between two nodes is started.
A. DLSw (Data Link Switching) version number
B. NetBIOS (Network Basic Input/Output System) support
C. Search frames support
D. MAC (Media Access Control) address of devices

Q847. #NAME?
A. PGP (Pretty Good Privacy)
B. S/MIME (Secure/Multipurpose Internet Mail Extensions)
C. PEM (Privacy Enhanced Mail)
D. MIME Object Security Services

Q848. A WAN helps in:
A. Transferring data among resources in the same building
B. connecting different branches of an organisation within a city or in different cities
C. determining the number of connections in a network
D. routing the data to various networks

Q849. Biometric authentication is a technique for secure data transfer. This authentication is based on:
A. Design features
B. Logical features
C. Physical features
D. Depends upon the application to be authenticated


Q850. ________ are self-replicating malicious code that bring down the speed of the processor on entering a network, and are not dependent on the action of the user.
A. Viruses
B. Worms
C. Trojan Horse
D. Spoofing

Q851. __________ are wireless LAN devices that act like the "hubs" in traditional LANs and provide connectivity to the user irrespective of his location.
A. Data carriers
B. Transmitters
C. Receivers
D. Access Points

Q852. A computer can call into primary storage only that portion of a program
and data needed immediately while storing the remaining portions in an
auxiliary storage device. This feature is commonly known as:
A. compiling
B. multiplexor channeling
C. virtual storage
D. on-line processing

Q853. A firewall cannot do one of the following:
A. Protect against unauthorised logins from external networks
B. Protect the network against users connecting to the Internet using
the office telephone and a modem
C. Appear transparent to the users
D. Log traffic to and from the local network


Q854. A major problem in networking is the slow rate of data transfer. Which of the following would help counter this problem?
A. Data formatting
B. Decentralised control
C. Allocating adequate bandwidth
D. All of the above

Q855. A major way in which modern quality systems used to support the information systems function differ from traditional quality systems is:
A. modern quality systems focus on customer satisfaction as the
primary goal
B. modern quality systems focus on the production of zero-defect
software as the primary goal
C. traditional quality systems fail to recognise the inherent conflict
that can exist among some goals established for an information
systems project
D. traditional quality systems do not take into account the need for
an independent QA group and independent testing

Q856. Which of the following is an application-level firewall?
A. Packet filtering routers
B. Proxy systems
C. Stateful inspection
D. Circuit layer gateways

Q857. A multitasking capability in a client/server computing environment is supported by which one of the following?
A. A “shell” program in the workstation
B. A database application program
C. An application program interface
D. A network operating system


Q858. A packet filter firewall ruleset ideally should:
A. Forward any packet with a source address of the local network
to the external network
B. Allow all access from the external network to the firewall system
itself
C. Expressly allow everything unless specifically prohibited
D. Expressly prohibit everything unless specifically allowed
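Q858 turns on two points that are easy to state and easy to get wrong in a live ruleset: what happens to a packet that matches no rule, and whether a packet is trusted merely because its source address looks internal. The Python below is an added example, not code from the manual; the network prefixes, interface names, addresses and the rule list are assumed for the illustration. It evaluates an ordered, first-match ruleset under a deny-by-default policy and, for contrast, under the allow-by-default policy that option C describes.

```python
"""Added example (not from the DISA manual): a minimal ordered packet filter
showing default deny and anti-spoofing. All addresses and rules are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network
FIREWALL_EXT_ADDR = "203.0.113.1"                 # assumed firewall outside address
WEB_SERVER = "203.0.113.10"                       # assumed DMZ web server


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: str = "*"
    src: str = "*"               # CIDR prefix, or "*" for any
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.iface != "*" and self.iface != p.iface:
            return False
        if self.src != "*" and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "*" and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "*" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Ordered rules; the first match wins. Note what is deliberately absent: no rule
# forwards packets with an internal source that arrive from outside (option A),
# and no rule opens the firewall host itself to the Internet (option B).
RULES: List[Rule] = [
    # Anti-spoofing: a packet claiming an inside source must not arrive on the outside interface.
    Rule("deny", iface="ext", src=str(LOCAL_NET)),
    # Nothing from the Internet may address the firewall itself.
    Rule("deny", iface="ext", dst=FIREWALL_EXT_ADDR + "/32"),
    # The only inbound service: HTTPS to the DMZ web server.
    Rule("allow", iface="ext", dst=WEB_SERVER + "/32", proto="tcp", dport=443),
    # Internal users may browse out over HTTP and HTTPS.
    Rule("allow", iface="int", src=str(LOCAL_NET), proto="tcp", dport=80),
    Rule("allow", iface="int", src=str(LOCAL_NET), proto="tcp", dport=443),
]


def evaluate(p: Packet, rules: List[Rule] = RULES, default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default policy (option D: deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    samples = [
        Packet("ext", "10.1.2.3", WEB_SERVER, "tcp", 443),            # spoofed internal source
        Packet("ext", "198.51.100.7", FIREWALL_EXT_ADDR, "tcp", 22),  # SSH to the firewall itself
        Packet("ext", "198.51.100.7", WEB_SERVER, "tcp", 443),        # legitimate HTTPS
        Packet("ext", "198.51.100.7", WEB_SERVER, "tcp", 3389),       # unlisted service (RDP)
        Packet("int", "10.1.2.3", "93.184.216.34", "tcp", 443),       # outbound browsing
    ]
    for pkt in samples:
        print(f"{pkt.iface:3} {pkt.src:>14} -> {pkt.dst:>14} {pkt.proto}/{pkt.dport}: "
              f"deny-default={evaluate(pkt)}  allow-default={evaluate(pkt, default='allow')}")
```

Under the deny-by-default policy the spoofed packet, the connection to the firewall host and the unlisted RDP port are all dropped; with the default switched to allow, the RDP packet passes even though nobody ever wrote a rule for it, which is exactly why option C is the wrong design.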

Q859. A packet sniffer is a software application which:
A. Identifies the packet that is required by the user.
B. Captures a packet moving across a network with help of a
Network Interface Card.
C. Identifies packets which have leaked while travelling through the
network.
D. Identifies packets, which are not safe to travel without encryption.

Q860. A PIN, if stored for reference purposes, must be stored in:
A. plain text form, in the eventuality that it has to be reissued at a later stage if the customer forgets their PIN
B. ciphertext form produced only from a reversible encryption algorithm
C. ciphertext form produced only from an irreversible encryption
algorithm
D. ciphertext form that is a function of the account number
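Q860 asks how a PIN that must be kept "for reference" should be stored. The Python below is an added example, not code from the manual: it stores only a salted, deliberately slow PBKDF2 digest bound to the account number, verifies a candidate in constant time, handles the forgotten-PIN case of option A by reissue rather than recovery, and places a toy reversible scheme beside it to show why option B fails. Account numbers, PINs and the iteration count are assumed values.

```python
"""Added example (not from the DISA manual): irreversible PIN storage versus a
reversible store. Account numbers, PINs and the work factor are assumed."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumed work factor; raise it as hardware allows


def store_pin(account_no: str, pin: str, salt: bytes = None) -> dict:
    """Return the record to persist. It holds a salt and a digest, never the PIN."""
    if salt is None:
        salt = os.urandom(16)
    # The account number is mixed into the salt, so the digest is a function of the
    # account as well (option D): the same PIN on two accounts gives two different records.
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                 salt + account_no.encode(), PBKDF2_ROUNDS)
    return {"account": account_no, "salt": salt.hex(), "digest": digest.hex()}


def verify_pin(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 salt + record["account"].encode(), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def reissue_pin(record: dict, new_pin: str) -> dict:
    """A forgotten PIN is handled by issuing a new one; the old one is never recovered."""
    return store_pin(record["account"], new_pin)


# What not to do (option B): a reversible store. XOR with a fixed key stands in for
# any reversible encryption here; it is a toy used only to make the failure visible.
def reversible_store(pin: str, key: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(pin.encode(), key))


def reversible_recover(stored: bytes, key: bytes) -> str:
    # Whoever holds the key (an insider, or an attacker who dumps it) gets every PIN back.
    return bytes(s ^ k for s, k in zip(stored, key)).decode()


if __name__ == "__main__":
    rec = store_pin("4000123412341234", "4821")            # constructed account and PIN
    print("stored record:", rec)
    print("verify 4821:", verify_pin(rec, "4821"), " verify 4822:", verify_pin(rec, "4822"))
    key = os.urandom(4)
    blob = reversible_store("4821", key)
    print("reversible store hands the PIN to any key holder:", reversible_recover(blob, key))
```

The stored record contains nothing from which the PIN can be computed without guessing it, and each guess costs a full PBKDF2 run; the reversible variant is a single XOR away from every customer's PIN the moment the key leaks.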

Q861. Access to a computer system is conditional upon success of the authentication process. The best methodology of authentication means:
A. identifying who the user is
B. identifying what the user possesses
C. identifying what the user knows or remembers
D. identifying what the user is and what she/he knows/remembers


Q862. Which one of the following transmission media is unsuitable for handling
intrabuilding data or voice communications?
A. Unshielded Twisted pair
B. Microwave transmission
C. Shielded Twisted pair
D. Optical fiber

Q863. Which one of the following uses modem technology as a common means of communicating between computers?
A. Packet-switched networks
B. Frame relay
C. Wireless Local Area Network
D. Public switched telephone network

Q864. Which one of these options is incorrect? IPSec is an extension of IP and:
A. Requires no encryption
B. Ensures message integrity
C. Implements WAN and LAN security measures
D. Ensures data confidentiality

Q865. While downsizing a material inventory system, data center personnel considered a redundant array of inexpensive disks (RAID) for the inventory database. One reason to use RAID is to ensure that:
A. all data can still be reconstructed even if one drive fails
B. all data are split evenly across pairs of drives
C. snap shots of all transactions are taken
D. write time is minimised to avoid concurrency conflicts


Q866. While planning for the security of the organisation:
A. Old policies should never be followed
B. The statements in the documentation should be abstract for quick
understanding
C. Information classification and access control should be of more
importance than password management
D. The security policy could be treated as optional to be provided to
the employees

Q867. Which of the following statements is true:
A. A Proxy server is the best option for caching heavy network
loads.
B. Network caching facilitates the storage of user data in the
network.
C. Stand alones are costly and require large scale deployments.
D. The capacity for storing content on the user’s hard disk is
decided by the local network cache

Q868. LDAP (Lightweight Directory Access Protocol) has an edge over X.500 in Directory Enabled Networks (DEN), because it supports:
A. Static routing
B. Dynamic routing
C. Both
D. None

Q869. Which of the following statements regarding security concerns for laptop computers is NOT false?
A. Decentralised controls over the selection and acquisition of
hardware and software is a major concern
B. The primary method of control usually involves general controls
C. Segregation of duties becomes increasingly important
D. With the increase in use, the degree of concern regarding
physical security decreases

Q870. Which of the following tools allots a specific amount of space to packets to handle traffic effectively?
A. Priority Queuing
B. Custom Queuing
C. Weighted Fair Queuing
D. FIFO, Basic store and forward capability

Q871. Which of the following would not be considered a characteristic of a private key cryptosystem?
A. the encryption key can be transmitted through the system over
the normal communication path
B. two different keys are used for the encryption and decryption
C. Data Encryption Standard (DES) is a typical type of private key cryptosystem
D. For the decryption, the decryption key should be equivalent to the
encryption key

Q872. Which of the following would not normally be considered a typical file
structure for a database management system:
A. Hierarchical structure
B. Batched sequential structure
C. Network structure
D. Relational structure

Q873. Which of these Internet protocols are used by a Unified Messaging framework:
A. Simple Mail Transfer Protocol (SMTP)
B. Post Office Protocol (POP)
C. Internet Message Access Protocol (IMAP)
D. All of the above

Q874. Which of these statements is true?
A. There can be only one internal perimeter router in a network
B. There can be more than one internal perimeter router in a
network
C. An internal perimeter router distinguishes between a network
under control & not under control
D. An internal perimeter distinguishes between the network and the
ISP

Q875. Which of these wireless technologies deploys Radio Frequency (RF) for
a WLL (Wireless Local Loop)?
A. Analog Cellular
B. Digital Cellular
C. Personal Communication system (PCS)
D. Proprietary systems

Q876. Which one of the following client/server implementation approaches requires greater programming skills?
A. Image server configuration
B. Peer-to-peer communications
C. Applications programming interface
D. GUI-based operating system

Q877. Which one of the following computer systems is best to provide parallel
processing of documents in a business environment?
A. Network Management systems
B. Database Management systems
C. Workflow systems
D. Imaging and Mirroring systems

Q878. Which one of the following is a feature of Bluetooth security provisions?
A. Device authentication
B. Compulsory pairing and bonding between two devices
C. Constant authentication of device and user
D. Use of a single key for device authentication and link encryption

Q879. Which one of the following is not an operating control:
A. Library security and use of proper file labels
B. Halt and error controls
C. Batch controls
D. Duplicate files and backup procedures

Q880. Which one of the following is NOT an essential component of a distributed computing environment?
A. Unix platform
B. Distributed computing infrastructure
C. Systems management
D. Distributed applications or services

Q881. The IEEE 802.4 token bus LAN:
A. Has no specific topology
B. Physically and logically linear or tree-shaped
C. Physically a ring and logically a bus
D. Physically linear and logically a ring


Q882. Which one of the following is NOT false:
A. Conversion to a database system is inexpensive
B. Data redundancy can be reduced
C. Multiple occurrences of data items are useful for consistency
checking
D. Backup and recovery procedures are minimised

Q883. Which one of the following is NOT true relating to the use of fiber optics:
A. Data is transmitted rapidly
B. Fiber optic cable is small and flexible
C. They are unaffected by electrical interference
D. It has high risk of wire tapping

Q884. Which one of the following is the most essential activity for effective
computer capacity planning:
A. Scheduling of documents
B. Planning of adequate security and controls in the computer center
C. Estimating electrical load
D. Workload forecasting

Q885. Which one of the following network architectures is designed to provide data services using physical networks that are more reliable and offer greater bandwidth?
A. Transmission control protocol/Internet Protocol (TCP/IP)
B. File transfer protocol
C. Permanent Virtual Circuit (PVC)
D. Integrated services digital network (ISDN)


Q886. Which one of the following network types will play an important role in
implementing E-commerce?
A. Local area network
B. Wireless Local area network
C. Value-added network
D. Internet Servers Providers’ network

Q887. Which one of the following pairs of items is a primary cause of signal distortion in data communications?
A. Sudden change in weather and temperature
B. Attenuation and propagation delay
C. Phase hits and amplitude jitter
D. Number of concurrent users

Q888. Which one of the following pairs of protocols greatly conflict with each other? (TCP/IP is Transmission Control Protocol/Internet Protocol, ISO/OSI is International Standards Organization/Open Systems Interconnection, SNA is
A. ISO/OSI and GOSIP
B. TCP/IP and ISO/OSI
C. ISO/OSI and SNA.
D. SNA and TCP/IP

Q889. Which one of the following statement is true with respect to VSAT?
A. Usage is restricted to geographical boundaries
B. Very high cost due to the usage of fibre optic cables
C. Though quality of data is high, it doesn't support high bandwidth
D. It operates in two frequency bands namely Ku and C


Q890. Which one of the following statements concerning microcomputer systems is NOT true?
A. Database management systems are available for microcomputer
systems
B. Integrated packages are examples of operating systems for
microcomputers
C. An operating system program is a critical software package for
microcomputers
D. Electronic spreadsheet packages are types of application software
for microcomputers

Q891. Which feature makes an intranet similar to the Internet?
A. Corporate network
B. TCP/IP
C. LAN technology
D. Token ring

Q892. Which one of the following statements is False?
A. With a concentrator, the total bandwidth entering the device is
normally different from the bandwidth leaving it
B. Demodulation is the process of converting an analog
telecommunications signal into a digital computer signal
C. With a multiplexer, the total bandwidth entering the device is
normally different from the bandwidth leaving it
D. A communications terminal controller is a hardware unit that controls a number of computer terminals.

Q893. Which of the following uses RTP (Real-time Transport Protocol)?
A. Fiber Distributed Data Interface (FDDI)
B. Ethernet
C. Mbone
D. Backbone

Q894. Which part of the Universal Mobile Telecommunication System (UMTS) network houses the ATM (Asynchronous Transfer Mode) standard?
A. Core Network
B. Radio Access
C. User Equipment
D. Mobile Station

Q895. All computers have a central processing unit (CPU) that works in conjunction with peripheral devices. The functions of the CPU are:
A. Input, Output and arithmetic-logic
B. Control and Output
C. Control and arithmetic-logic
D. Input and Control

Q896. An agreement between two computer systems on the ways in which the
data to be transmitted between them shall be packed and interpreted is
called
A. Communication channel
B. Communication protocol
C. Synchronous mode of transmission
D. Asynchronous mode of transmission

Q897. An electronic bulletin board system cannot do which one of the following?
A. Sending and receiving messages
B. Transferring files with all major protocols
C. Searching textual database
D. Real time user-to-user chat facilities


Q898. Analyzing data protection requirements for installing a local area network
(LAN) does not include:
A. Uninterruptible power source
B. Fault tolerance
C. Operating systems
D. Destruction of the logging and auditing data

Q899. Asynchronous transfer mode (ATM) is an example of a fast packet switching network. Which one of the following statements about ATM is FALSE?
A. ATM is a high bandwidth low delay switching and multiplexing
technology
B. ATM networks can carry video communications
C. ATM allows very high speed data transfer rates at up to 155 Mbit/s
D. ATM networks use long packets with varying sizes

Q900. Circuit switching technology is used for:
A. Sending data in small packets as in emails.
B. Sending data continuously in an order as in voice or video
messages.
C. Switching on and off circuits in the telecommunications network.
D. Storing messages and then transmitting them to the next node
depending on the address.

Q901. Client/server architecture has an edge over other systems in:
A. providing a strong change control management procedures
B. controlling access to confidential and sensitive data
C. distributing the processing thus not tying up the mainframe
resources
D. avoiding obsolescence of components


Q902. Computer manufacturers generally install software programs permanently inside the computer as part of its main memory to provide protection against loss in case of a power supply interruption. This concept is known as:
A. File integrity
B. Read Only Memory (ROM)
C. Firmware
D. Random Access Memory (RAM)

Q903. Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
A. Physical layer
B. Data Link layer
C. Presentation layer
D. Application layer

Q904. Connection establishment and termination in Transmission Control Protocol (TCP) do not require:
A. connect and disconnect request
B. Confirmation of request
C. Acknowledgement of confirmation
D. Encryption of connection established message

Q905. Control over data preparation is important because:
A. it is often a major cost area taking about 50% of the data
processing budget
B. unauthorised changes to data and program can take place
C. the work is boring so high turnover always occurs
D. it can be a major bottleneck in the work flow in a data processing
installation


Q906. Which of the following statements is not a benefit of using Voice over Internet Protocol?
A. High quality voice
B. Security
C. Use of vocoder
D. Use of TDMA

Q907. The IP address 135.0.0.2 (in decimal octet notation) belongs to which
IP addressing class?
A. Class A
B. Class B
C. Class C
D. Class E
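Q907 can be answered from the first octet alone, and the rule behind the familiar octet ranges is the pattern of leading bits: 0 for class A, 10 for B, 110 for C, 1110 for D and 1111 for E. The Python below is an added example, not code from the manual; it derives the class from those bits for any IPv4 address, so it generalises beyond the single address in the question, and reports the classful network and default mask that the class implies.

```python
"""Added example (not from the DISA manual): classful IPv4 addressing derived
from the leading bits of the first octet, with the network the class implies."""
import ipaddress
from typing import Optional

# (class, number of leading bits that identify it, the value of those bits)
_CLASS_PREFIXES = (
    ("A", 1, 0b0),
    ("B", 2, 0b10),
    ("C", 3, 0b110),
    ("D", 4, 0b1110),   # multicast
    ("E", 4, 0b1111),   # reserved
)
# Default (natural) prefix length per class; D and E carry no host/network split.
_DEFAULT_PREFIXLEN = {"A": 8, "B": 16, "C": 24}


def ipv4_class(addr: str) -> str:
    """Return 'A'..'E' for a dotted-decimal IPv4 address; raises on malformed input."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, nbits, pattern in _CLASS_PREFIXES:
        if first_octet >> (8 - nbits) == pattern:
            return name
    raise AssertionError("unreachable: every first octet matches one pattern")


def default_mask(addr: str) -> Optional[str]:
    """Natural mask implied by the class, e.g. 255.255.0.0 for class B; None for D and E."""
    prefixlen = _DEFAULT_PREFIXLEN.get(ipv4_class(addr))
    if prefixlen is None:
        return None
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)


def classful_network(addr: str) -> Optional[str]:
    """Network implied by the class, e.g. 135.0.0.2 -> 135.0.0.0/16; None for D and E."""
    prefixlen = _DEFAULT_PREFIXLEN.get(ipv4_class(addr))
    if prefixlen is None:
        return None
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


if __name__ == "__main__":
    for a in ("135.0.0.2", "10.1.2.3", "192.0.2.1", "224.0.0.1", "240.0.0.1"):
        print(f"{a:>12}: class {ipv4_class(a)}, mask {default_mask(a)}, network {classful_network(a)}")
```

For the address in the question, 135 is 10000111 in binary; its two leading bits are 10, so it is class B and the classful network is 135.0.0.0/16. Classful addressing was replaced by CIDR, so this is the rule the question tests rather than how routers allocate today.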

Q908. Data is an important asset in an organisation. To prevent the interception of data the auditor should determine:
A. Whether the redundant network cabling schemes and
communication resources are being used
B. Whether access controls exist at the source and destination of
data transfers
C. Whether the audit trails and transaction monitoring exist for
sensitive applications
D. Whether the system automatically gets disconnected after
substantial inactivity

Q909. Determining what components to include in the network configuration is called:
A. Configuration control
B. Configuration management
C. Configuration status accounting
D. Configuration identification


Q910. Different controls are required in software depending on whether it is purchased, customised or developed. The auditor, while auditing the LAN, determines that:
A. There exists a license agreement for purchased software
B. All the users have contact number of the vendor
C. Users can ask the vendor to customize the software as required
by them
D. All the software used by the company is accessible by everybody
on the LAN

Q911. A digital subscriber line access multiplexer (DSLAM) is used for:
A. High-speed data transfer
B. Developing efficient digital network over network
C. Accessing remote computer
D. Synchronising protocols of different network

Q912. Dynamic Synchronous Transfer Mode (DTM) supports implementation of Virtual Private Networks (VPNs) because of:
A. PDH (Plesiochronous Data Hierarchy)
B. IP (Internet Protocol) over DTM
C. SDH (Synchronous Digital Hierarchy) tunnelling
D. DTM Local Area Network (LAN) Emulation (DLE)

Q913. Environmental controls include protection from water, temperature, dust and related matters. While auditing the environmental controls in a LAN environment the auditor should confirm that:
A. LAN file server facility has dust, smoke and other particulate
matters
B. Consumption of food, beverage and tobacco is allowed
C. Air conditioning, humidity control system are followed as desired
by the users of the LAN
D. Fire protection equipment are adequate and appropriate

Q914. Extensible Business Reporting Language (XBRL) is an XML-based application that is used for financial processing. Which of the following statements is false?
A. Data in an XBRL document can be accessed with any office tool
such as a spreadsheet etc.
B. It is a freely available electronic language for financial reporting.
C. It is compatible with virtually any software product that manages
financial information.
D. Organisation has to disclose additional information than required
in normal accounting standards

Q915. Extensible Markup Language or XML differs from HTML in the sense
that
A. It has predefined tags and semantics
B. It allows the applications to define its own tags and semantics
C. It has a larger set of predefined tags and semantics
D. None of the above

Q916. Hardware controls usually are those built into the equipment by the manufacturer. One such control, an echo check, is best described as:
A. a component that signals the control unit that an operation has
been performed
B. two units that provide read-after-write and dual-read capabilities
C. double wiring of the CPU and peripheral equipment to prevent
malfunctioning
D. validation logic applied to fields and records based on their interrelationships, with controls established for the batch.


Q917. How can OFDM (Orthogonal Frequency Division Multiplexing) be implemented efficiently?
A. By using oscillators
B. Through Quadrature Amplitude Modulation (QAM) only
C. Through Fast Fourier Transform (FFT) only
D. Using FFT and QAM

Q918. If a web site using the Internet Information Server from Microsoft does
not run dynamic scripts, which of the following tools can harden the
Web Server?
A. IIS Lockdown
B. CGI
C. URLScan
D. Microsoft Management Console

Q919. If possible, the quality goals for specific information systems project
should be formulated by:
A. the sponsor of the project
B. the project’s quality control group
C. QA personnel
D. the project leader

Q920. Implementing a large distributed system involves a number of unique
risks arising from both technical and management issues. Which one
of the following risks is common to both risk categories?
A. Error detection and correction
B. System response time and system uptime
C. Distributed databases and application programs
D. Security mechanisms

Q921. In 802.5 Token Ring LAN, when a data frame is in circulation, where is
the token?
A. At the receiving station
B. At the sending station
C. With a special station called Monitor station
D. Both the sending and receiving stations have a copy of the token

Q922. In a DeMilitarized Zone (DMZ) network
A. There are no firewalls and hence the network is called
DeMilitarized
B. A firewall before the boundary router and one firewall after it, but
before the external WebServer
C. Both the firewalls lie between the external Web Server and the
internal (local) Server
D. A firewall between the router and the WebServer and another
between this Server and the local Server

Q923. In a thin client networking model
A. Database is available in server and application and the user
interface is available on the client.
B. Database is available on the client; application is available on the
server
C. Database and application are available on the server and user
interface on client.
D. Database, application and user interface are available on server

Q924. In an Internet URL, “http://www.themanagementor.com”, what is the use
of “.com”?
A. Identifies the protocol being used
B. Identifies that the site is on the Internet
C. It is an additional information and is not needed
D. Identifies the purpose of the site. It stands for commercial.

Q925. In order to trace data through several application programs, an auditor
needs to know what programs use the data, which files contain the
data, and which printed records display the data. If a database system is
in use, the auditor could probably find all of these in the:
A. Database schema
B. Data dictionary
C. Data encryptor
D. Decision table

Q926. In switching over to an Electronic Fund Transfer (EFT) environment,
which of the following risks DOES NOT occur?
A. Increased access violations
B. Increased cost per transaction
C. Inadequate backup and recovery procedures
D. Duplicate transaction processing

Q927. In Telecommunication Management Network (TMN) logical model, which
layer supports decision-making process at high level?
A. Network-Management Layer (NML)
B. Network-Element Layer (NEL)
C. Business-Management layer (BML)
D. Service-Management Layer (SML)

Q928. In the audit of LAN, inventory control helps the auditor in determining
the effectiveness of IS operations. Which of the following is not correct
with respect to inventory control?
A. Identify the person responsible for disposing obsolete or badly
damaged LAN equipment
B. Inventory control is maintained of all LAN software
C. Hardware components are marked with identification number
which cannot be erased or removed
D. Virus checking software is in use

Q929. In today’s business environment one can hardly find a company without
a computer, but an Information Processing Facility (IPF) is typically a
large expense. In planning the physical location of the computer, the
primary consideration for selecting a site is to:
A. minimise the distance that data control personnel must travel to
deliver data and reports
B. provide security
C. be easily accessible by a majority of company personnel
D. be in the top floor

Q930. In utilizing the Internet for extracting certain information, the BIGGEST
hurdle is
A. Finding out the best location of the required information
B. Establishing a connection to the location of the information
C. Access privileges required at the remote computer system
D. Purchasing and establishing the required equipment

Q931. In which of the following services is Public Key Infrastructure (PKI) and
digital certification not a useful feature?
A. Virtual Private Networks
B. Web Authentication
C. File Encryption
D. Circuit Switching

Q932. Integration of asset management system, network performance data,
customer information, and call details results in improved help desk
customer satisfaction. Which one of the following is the most important
benefit that can be realized by integrating help
A. Number of errors are substantially reduced
B. The desired level of data and program security is met
C. Redundant data is not present
D. Service level agreements are met

Q933. It is essential to monitor telecommunication processes and ensure that
data transmission is complete and accurate. Which of the following
automated processes/reports measure this?
A. Turn around time reports
B. Help Desk response monitoring reports
C. Breakdowns/Downtime reports
D. On-line monitoring tools

Q934. LAN configuration if altered without proper controls may lead to
disrupted operations. Which of the following is the control objective over
configuration change control for the continuous satisfactory operation of
LAN?
A. Log book is maintained for LAN downtime
B. LAN server is adequately protected
C. There exists a procedure for changing configuration
D. Access to LAN is on need basis

Q935. Logical access control consists of usage of proper access control
mechanism and related security. In the audit of logical security in a LAN
environment the auditor ensures that
A. Virus checking software is in use
B. LAN audit trails for login ID are maintained for a reasonable
period of time
C. The inventory reports of the hardware are maintained
D. All the control files are identified

Q936. MIME essentially acts as:
A. A transport agent for e-mail
B. An interface between the mail client and the web server
C. A compressor that packages different formats into SMTP
compatible type
D. None of the above

Q937. Most computer systems have hardware controls that are built in by the
computer manufacturer. Common hardware controls are :
A. duplicate circuitry, echo checks, tape file protection and internal
header labels
B. duplicate circuitry, echo check and internal header labels
C. tape file protection, cryptographic protection and limit checks
D. duplicate circuitry, echo checks and dual reading

Q938. Multi-layer IPsec is different from original IPsec because in ML-IPsec:
A. Data is transmitted over different layers
B. Datagrams can be divided into different zones
C. Multiple datagrams can be sent simultaneously
D. All of the above

Q939. To which of the following resource types are the most complex action
privileges assigned?
A. hardware
B. software
C. commodity
D. data

Q940. Network designers must be able to predict network performance if they
are to optimise a network. The probability of a lost call is referred to as:
A. Interactivity
B. Availability
C. Reliability
D. Grade of Service

Q941. Network downtime is very costly and should be kept to minimum as
much as possible. Which one of the following network monitoring
devices is best suited in a multivendor data center?
A. Line monitor
B. Circular routing
C. Protocol analyzer
D. Database replication

Q942. Network growth is inevitable and on the increase. Which one of the
following components of such growth is most difficult to predict?
A. Modifications to physical facilities
B. Network utilization by the existing users
C. Increased business activity and revenue
D. Extension of the network to new users

Q943. Of the following, which is NOT an advantage of distributed over
centralized processing?
A. If a disaster occurs at one site, processing can be continued at
another site
B. It is easier to implement security controls than in a centralized
environment
C. The investment is not huge and is not made at one time; the system
can be allowed to grow gradually
D. The cost of the communication subsystem is lower than in a
centralized system

Q944. One of the basic objectives of LAN audit is to ensure that
A. Effective controls exist for the security of organisational data files
and program libraries
B. Logs are maintained for recording of all security related
incidents
C. Passwords are chosen carefully
D. Administrator accounts are renamed to deter intruder hacking

Q945. One of the main objectives of e-commerce is to attract as many
customers as possible and reach out to them irrespective of where
they are. Extensible Markup Language (XML) makes this possible by
_____________________ feature.
A. Standardisation
B. Internationalisation
C. Accessibility
D. Manageability

Q946. Operations in a LAN environment are day to day operation, processes,
activities etc. The auditor while auditing the controls over operation in a
LAN confirms that
A. There is segregation of duties
B. Operation staff can change the controls over operation as desired
by them
C. Roles are identified but the personnel performing the role define
the responsibility
D. LAN response time is not to be considered for the operation

Q947. Organizations which are unable to create and maintain their own private
networks are more likely to use
A. a wide area network
B. vendor delivered electronic mail system
C. fast-packet switching
D. public switched network

Q948. Out of the following pairs of services, which provides access control
over a network of computers?
A. Identification and authentication
B. Certification and accreditation
C. Access control lists and access control privileges
D. Accreditation and assurance

Q949. Personal Computers and Laptops have both a floppy disk drive and a
hard disk drive. The major difference between the two types of storage
is that a hard disk :
A. Has much larger storage capacity than a floppy disk and can also
access information much more quickly
B. is a direct access storage medium whereas a floppy disk is a
sequential access storage medium
C. provides an automatic audit trail, whereas a floppy disk does not
D. is suitable for an online system whereas a floppy disk is not

Q950. The integrity of system cannot be lost due to
A. Trojan Horse
B. Packet Sniffers
C. Brute force attack
D. Firewalls

Q951. Which of the following is not a key feature of distributed firewalls?
A. Dependence on network topology
B. Using IPSec
C. Using Policy language
D. Efficiency in detecting internal attacks

Q952. Remote workstations can be used effectively with client/server
applications. In addition to a modem, which one of the following devices
is required to operate a remote workstation?
A. Remote bridge
B. Remote controller
C. Remote router
D. Remote repeater

Q953. Replication management in a distributed system environment provides
data consistency between multiple copies of data. Which one of the
following replication process components would help achieve that
consistency?
A. Replica currency
B. Replica definition
C. Replica scalability
D. Replication operations management

Q954. Ring topology envisages
A. connecting all communication channels to form a loop and each
connection passing the communication to its neighbour to the
appropriate destination
B. grouping common messages and transmits them along one
common line
C. hierarchically organizing the communication through a central
computer
D. connecting each node to a central host computer like a hub

Q955. Satellite communications cannot be used in which of the following
cases?
A. Unencrypted Confidential data is to be sent
B. Mobile Communications
C. In case of natural calamities
D. Communication in rocky areas

Q956. Short Message Service (SMS) cannot be used to provide which of the
following services?
A. Notify a user if new email comes to user’s email account
B. Inform a user about news headlines or weather
C. Provide transmission of short messages between two users
D. Display a graphic-rich web page

Q957. Simple Software has just purchased a minicomputer. The make and
model selected will allow the company to attach additional units as
its needs expand. The company has taken advantage of a concept in
hardware design known as:
A. Emulation
B. Networking
C. Modularity
D. Standardisation

Q958. Staffing the QA function is often difficult because:
A. high levels of interpersonal conflict often arise among QA
personnel
B. incumbents have little opportunity to exercise high-level
information systems skills
C. QA personnel require a high level of interpersonal skills because
the potential for conflict between QA personnel and information
systems personnel is high
D. information systems personnel tend to prefer a development role
to a monitoring role

Q959. The auditor while reviewing the local area network (LAN) takes into
consideration the purpose and processing environment. In the pre-audit
phase the auditor
A. Considers the LAN utilities which are used by the company and takes
training on the same
B. Ensures whether the hardware inventory contains a unique
identification number
C. Ensures whether a procedure exists for operation staff to
manage change control
D. Reviews the problem resolution log to determine if the problems
are recurring

Q960. The best control to ensure that a customer uses a debit/credit card
carefully is:
A. to make the customer liable if the careless use of a card leads to
a fraud
B. blocking a card if it is not used for a period of 3 months
C. to educate the customer about the importance of card security
D. enforced periodic change of the PINs

Q961. The database administrator is not responsible for which one of the
following functions?
A. Physical design of a database
B. Security of a database
C. Coordinate and resolve conflicting needs and desires of users in
their diverse application areas
D. Logical design of a database

Q962. The following device is used to connect one type of IEEE 802.x LAN to
another
A. Router
B. Repeater
C. Bridge
D. No device is necessary as they are all compatible and are hence
grouped under 802 series

Q963. Which of the following methods of obtaining customer-selected PINs does
not require the cryptographic generation of a reference number to initially
associate the PIN with the customer’s account number?
A. entry via phone
B. PIN entry at the issuer’s premises
C. PIN entry via a secure terminal
D. PIN entry at acquirer’s premises

Q964. Which of the following methods of PIN validation seems to result in the
fewest control problems?
A. allow the customer to make a small number of PIN entry
attempts, close the account after the limit has been reached, and
retain the card
B. allow the customer to make a small number of PIN entry
attempts, do not close the account after the limit has been
reached, but retain the card
C. allow a reasonable number of PIN entry attempts, close the
account after the limit has been reached, but do not retain the
card
D. allow a reasonable number of PIN entry attempts, close the
account after the limit has been reached, and retain the card
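The four options above differ on three knobs: how many wrong entries are tolerated, whether the account is closed when the limit is hit, and whether the card is retained. The following is an added example in Python, not part of the manual, that makes those knobs explicit so the trade-off can be exercised. It assumes a constructed account whose PIN is held as a salted PBKDF2 hash (a real issuer verifies inside an HSM; the hash merely stands in for that so the policy logic runs stand-alone); account numbers, PINs and the iteration count are made up.

```python
"""PIN verification with an attempt limit (added example, not from the manual)."""
import hashlib
import hmac
import os
from typing import Optional

MAX_ATTEMPTS = 3          # the "small number of attempts" the question refers to
PBKDF2_ROUNDS = 20_000    # assumption: slow enough to hinder offline guessing, quick to demo


class CardAccount:
    """One card-linked account with a PIN attempt counter and policy flags."""

    def __init__(self, pin: str, salt: Optional[bytes] = None):
        self.salt = salt if salt is not None else os.urandom(16)
        self.pin_hash = self._hash(pin)          # the PIN itself is never stored
        self.failed_attempts = 0
        self.closed = False
        self.card_retained = False

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def verify_pin(self, pin: str, *, close_on_limit: bool, retain_card: bool) -> str:
        """Return 'ok', 'retry', 'limit' or 'blocked'.

        close_on_limit and retain_card are the two policy choices the
        question contrasts; the attempt ceiling is MAX_ATTEMPTS.
        """
        if self.closed or self.card_retained:
            return "blocked"                      # nothing further is accepted
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failed_attempts = 0              # a correct PIN resets the counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.card_retained = retain_card      # ends the guessing at the terminal
            self.closed = close_on_limit          # also shuts out the legitimate customer
            return "limit"
        return "retry"


def guess_success_probability(attempts: int, pin_digits: int = 4) -> float:
    """Chance that someone holding the card but not the PIN succeeds by
    guessing uniformly, given `attempts` tries before the limit bites."""
    return attempts / 10 ** pin_digits


if __name__ == "__main__":
    acct = CardAccount("4821")
    for guess in ("0000", "1111", "2222"):
        print(guess, acct.verify_pin(guess, close_on_limit=False, retain_card=True))
    print("card retained:", acct.card_retained, "account closed:", acct.closed)
    print("p(success) with 3 guesses of a 4-digit PIN:", guess_success_probability(3))
```

Every extra tolerated attempt raises a guesser's odds linearly (three tries against a four-digit PIN is 0.03 %), retaining the card stops the attack at the terminal without any back-office action, and closing the account converts a stolen card into a denial of service for the genuine customer; those are the considerations behind the "fewest control problems" in the question.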

Q965. Which of the following statements applies to a capability-based approach
to authorisation?
A. a list of users who can access the resource is associated with
each resource together with each user’s action privileges with
respect to the resource
B. the mechanism associates with each user the resources they can
access together with the action privileges they have with respect
to each resource
C. a user is assigned capabilities as a function of the class into
which user’s password falls
D. the users are assigned privileges only if they know the password
for each resource

Q966. Which of the following statements is true about a mandatory access control
policy?
A. it is not possible for users to change their classification level,
though they can change their clearance levels
B. it must be enforced by a more complex access control
mechanism compared with a discretionary access control policy
C. it is less likely to be used in a business systems environment
than a discretionary access control policy
D. an audit trail is not required with a mandatory access control
policy

Q967. The internal auditor’s first job while trying to identify the components of
a telecommunication system posing the GREATEST threat, shall be
A. Identify the business objectives of the network
B. Review the network with reference to the ISO/OSI model of seven
layers
C. Identify the various layers of ISO/OSI model to which each
component belongs
D. Estimate the operating costs of the communication subsystem

Q968. The main DISADVANTAGE of using a PBX-based communication
network for establishing a local area network is
A. rewiring is to be done using coaxial cabling
B. large volumes of data cannot be handled
C. system maintenance will have to be entrusted to outsiders
D. any relocation of the devices at a later stage is almost impossible

Q969. The major reason why quality metrics need to be chosen for a specific
information systems project is:
A. to alleviate conflict between stakeholders
B. to reduce the amount of monitoring of compliance with standards
that QA personnel will have to undertake
C. to clarify the basis on which QA personnel will evaluate whether
quality goals have been met
D. to alleviate conflict between the Statutory Auditors and Information
Systems Auditors

Q970. Which feature of the Interior Gateway Routing Protocol (IGRP) prevents
large loops of routers?
A. Poison-reverse updates
B. Split-horizon updates
C. Hold down
D. Composite metric

Q971. The manager of the information systems QA function should report to
the:
A. managing director of the organisation
B. project leader
C. manager in charge of the information systems function
D. manager responsible for the internal audit function

Q972. The MOST secured access control mechanism is
A. encryption
B. user identification with a password of not less than 6 characters
C. plastic cards with magnetic stripe and a PIN
D. call-back telephone facility

Q973. The presence of a Quality Assurance (QA) function has an effect on
the auditors’ function. Which of the following statements about the
relationship between quality assurance and auditing is most likely to be
not true?
A. the extent of substantive testing to be carried out by the auditors
can be decreased substantially when QA function is working
reliably
B. QA personnel are likely to check information systems controls
more comprehensively than auditors
C. the inherent risk associated with an organisation decreases
considerably when an organisation has an information systems
QA function
D. It is more likely that the external auditors will focus on the
reliability of the QA function rather than undertaking direct tests
of information systems controls

Q974. The presence of an arbitrator in a digital signature system will prevent:
A. the senders from reneging on the contract by making their private
key public and claiming that the message was forged
B. the sender from forging a message using the receiver’s private
key
C. an unauthorised person from reading the message
D. the receiver forging a message using the sender’s private key

Q975. The primary advantage of the list-oriented approach to authorisation is:
A. it introduces run-time efficiency
B. it allows efficient administration of capabilities
C. access control lists are stored on a fast memory device to
facilitate easy access to the list
D. smaller protection domains are permitted

Q976. The primary purpose of Quality of Services is to
A. Provide efficient services of all applications in the network
B. Provide preference to large flows
C. Improved services to specified flows
D. Give equal preference to all resource

Q977. The principle of least privilege is an important concept in access
controls of a network. Among the four enumerated here, which does NOT
support this concept?
A. Privilege based on the time and day
B. Privilege based on an application
C. Either allow access to all resources or none
D. Privileges of the group inherited by the user

Q978. The purpose of electronic signature is
A. to establish the authenticity of the message
B. to encrypt the message for confidentiality
C. to prevent compromises when using a private key
D. to prevent misuse of email facilities

Q979. The relationship with vendors is important from the view of maintenance
of the systems and servicing. The auditor in his review of LAN ensures
that software meets the demand of the company and
A. The vendor reliability is not important
B. The license agreement exists
C. The vendor support for installation and training need not exist
D. The software is purchased without approval of the senior officials

Q980. The significance of hardware controls to auditors is that they:
A. Ensure correct programming of operating system functions
B. Assure that the vendors support current versions of the software.
C. Assure the correct execution of machine instructions
D. Ensure that run-to-run totals in application systems are consistent

Q981. The use of multiple disks in a Redundant Array of Independent Disks
(RAID) results in _______
A. Increased MTBDL (Mean Time Between Data Loss)
B. Decreased Fault tolerance
C. Increased MTBF (Mean Time Between Failure)
D. Striping

Q982. The use of programming aids, data and instructions that are prepared
for one computer and can be used on another computer without
conversion or program modifications are examples of :
A. Modularity
B. Interfacing
C. Sequencing
D. Portability

Q983. To connect to an FTP site without being a registered user, one needs
to enter:
A. login name=anonymous : password=email address
B. login name=email address ; password=anonymous
C. login name=anonymous ; password=anonymous
D. cannot log on without being a registered user

Q984. To effectively implement the principle of least privilege, it is necessary
to have:
A. a ticket oriented approach to authorisation
B. a list oriented approach to authorisation
C. small protection domains
D. an open environment

Q985. Unified Messaging is a common way of receiving all kinds of messages
like email, fax, etc. through a single interface. Fax messages are
received as:
A. Simple mail that can be viewed in the editor window
B. Attachments that can be printed out
C. Messages notifying receipt of a fax that can be collected
D. None of the above

Q986. Uninterruptible Power Supplies (UPS) are used in computer centers to
reduce the likelihood of :
A. failing to control concurrent access to data
B. losing data stored in main memory
C. dropping bits in data transmission
D. crashing disk drives read-write heads

Q987. Use of a local area network has its own restrictions when compared to
a wide area network. Which one of the following is not a restriction?
A. The number of workstations that can be connected to a network
B. The length of cable to connect a workstation to the network
C. A single link failure, a repeater failure, or a break in the cable
could disable a large part or all of the network.
D. The ability of a personal computer to act as a data terminal

Q988. Value added networks (VAN) DO NOT
A. convert transactions of a client to a standard protocol to enable
the recipient to face fewer problems connected with non-standard
protocols
B. store orders of the exporter in one country to be accessed by
importers in various countries
C. maintain a transaction log of the import orders of an organization
from its trading partner
D. eliminate the need for trading partners to establish direct
connection for EDI

Q989. What does a firewall do when a security incident occurs?
A. Sound an audible alarm
B. Block all further traffic, irrespective of whether it is authorised
access or not
C. Correlate events, as the firewall is the gatekeeper to the entire
network
D. Reroute all traffic through a back up firewall

Q990. What does NAT mean in the context of Firewalls and Security?
A. NAT (Network Attack Terminator) is a program used to hunt
and destroy malicious packets.
B. NAT, Network Administration Terminal, is an application-proxy
firewall and inspects incoming packets
C. NAT, Network Address Translation, hides the internal addressing
scheme in the network
D. NAT, Network Authentication Tool, identifies authorised users and
allows them remote access

Q991. What function does Address Resolution Protocol (ARP) perform?
A. It relates IP addresses to Ethernet addresses
B. Prevents two computers from using the same IP address
C. Enables a diskless workstation to know its IP address by
broadcasting its Ethernet address
D. Resolves a name like www.themanagementor.com to the IP
address of the computer hosting the web site

Q992. What happens when the Session Manager opts for a persistent session?
A. Session data is stored permanently in the database
B. Session data for each transaction is stored in the database
C. Session data is stored in the memory for a limited time
D. Session data is not related to a persistent session

Q993. What is a MAJOR benefit of switching over to the electronic data
interchange (EDI) system?
A. Improving of business relationship with trading partners
B. Increasing of the transmission speed of documents
C. Decreasing of contingency and backup planning efforts
D. Decreasing of the legal liabilities over proprietary data

Q994. What is Telecommunication Management Network (TMN) ?
A. A set of standards for all networks
B. A set of international standards for telecommunication network
C. A programming language
D. A type of software

Q995. What is the similarity between a GSM (Global System for Mobile
Communication) network and EDGE (Enhanced Data for GSM
Environment)?
A. Both use the TDMA frame structure
B. Both deliver a data rate of 384 Kbps
C. Both use the same transceiver unit
D. Both use phase shift modulation

Q996. When three or more nodes are linked together through a single
communication medium it is termed as,
A. Ring Logical Topology
B. Point-to-Point Topology
C. Multipoint Topology
D. Bus Logical Topology

Q997. When a compliance failure occurs, QA personnel should:
A. notify external auditors because it may affect the audit plan
B. implement corrective actions as and when compliance failure
occurs
C. take action to mitigate the effects of the compliance failure on
shareholders
D. consider appropriate corrective actions so they can make
recommendations to management

Q998. When constructing the communications infrastructure for moving data
over a local area network, the major implementation choices involve
decisions about all of the following except:
decisions about all of the following except:
A. Repeaters
B. File servers
C. Routers
D. Terminal controllers

Q999. When data is accessed through both sequential and direct access
methods the process is called:
A. Sequential storage and retrieval
B. Direct access and retrieval
C. Indexed sequential storage and retrieval
D. None of the above

Q1000. When emails are exchanged over the Internet, one server handles
incoming mails and the other outgoing. With respect to this, which of
the following options is true?
A. SMTP handles incoming mails and POP3 handles outgoing.
B. POP3 handles incoming mails and SMTP handles outgoing.
C. Microsoft Outlook handles incoming mails and Outlook Express
handles outgoing.
D. Outlook Express handles incoming mails and Microsoft Outlook
handles outgoing.

Q1001. When sending a signed message under a public key infrastructure, the
message is encrypted using the:
A. receiver’s private key
B. sender’s private key
C. receiver’s public key
D. sender’s public key and receiver’s private key

Q1002. When the exchange of information is the primary purpose for installing a
computer system, with an information repository accessible to its users,
the BEST system is:
A. Electronic Bulletin Board System
B. Electronic Mail System
C. Private Branch Exchange (PBX)
D. Fax/modem software

Q1003. Where is the service logic located in an Advance Intelligent Network
(AIN)?
A. Service Control Point (SCP)
B. Service Switching Point (SSP)
C. Intelligent Peripheral (IP)
D. Location Routing Number (LRN)

Q1004. When users of an information system are dispersed over a wide area
and are authorized to use dial-up lines for getting access to confidential
data, the BEST form of control for data security and confidentiality is
A. forced change of password after every day
B. end-to-end encryption
C. dial-disconnect-callback features
D. dedicated telephone lines

Q1005. Where access control mechanism is implemented in an open
environment, the users are allowed to access a resource:
A. only if authorisation information specifies users can access the
resource
B. unless authorisation information specifies users cannot access
the resource
C. have to authenticate themselves only once, and not after that
D. with full access to read, write and execute
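The two authorisation structures contrasted in Q965 and Q975 (a list of users per resource versus a list of resources per user), the closed and open environments of Q1005 (deny unless granted versus allow unless denied) and the small protection domains that Q977 and Q984 tie to least privilege can all be exercised in one piece of code. The following is an added example in Python, not part of the manual; the users, resources and actions are made up.

```python
"""List-oriented vs ticket-oriented authorisation, closed vs open environments,
and a least-privilege protection domain (added example, not from the manual)."""
from collections import defaultdict


class AccessControlList:
    """List-oriented: each resource carries its own list of users and privileges.

    Review ("who can touch payroll.db?") and revocation are one lookup on the
    resource, which is the administrative advantage of this structure.
    """

    def __init__(self, mode="closed"):
        if mode not in ("closed", "open"):
            raise ValueError("mode must be 'closed' or 'open'")
        self.mode = mode
        self._entries = defaultdict(lambda: defaultdict(set))  # resource -> user -> actions

    def grant(self, resource, user, *actions):
        """Closed environment: record what the user MAY do."""
        self._entries[resource][user].update(actions)

    def deny(self, resource, user, *actions):
        """Open environment: record what the user may NOT do."""
        self._entries[resource][user].update(actions)

    def check(self, user, resource, action):
        listed = self._entries[resource][user]
        if self.mode == "closed":
            return action in listed        # no entry => denied
        return action not in listed        # no entry => allowed

    def who_is_listed(self, resource):
        """Users with an explicit entry for this resource (in closed mode, the
        complete set of users who can access it)."""
        return {u for u, acts in self._entries[resource].items() if acts}

    def revoke_all(self, resource):
        self._entries.pop(resource, None)


class CapabilityList:
    """Ticket-oriented: each user carries tickets naming resources and privileges.

    A check consults only the requesting user's own tickets (the run-time
    advantage); the price is that "who holds a ticket for X" and revoking X
    need a scan over every user.
    """

    def __init__(self):
        self._tickets = defaultdict(lambda: defaultdict(set))  # user -> resource -> actions

    def grant(self, user, resource, *actions):
        self._tickets[user][resource].update(actions)

    def check(self, user, resource, action):
        return action in self._tickets[user][resource]

    def holders(self, resource):
        return {u for u, res in self._tickets.items() if res.get(resource)}

    def revoke_all(self, resource):
        for res in self._tickets.values():
            res.pop(resource, None)

    def least_privilege_domain(self, user, needed):
        """Protection domain for one task: only the (resource, action) pairs the
        task needs, and only if the user actually holds each of them. This is
        the opposite of the all-or-nothing grant that Q977 lists as a violation."""
        missing = {(r, a) for r, a in needed if not self.check(user, r, a)}
        if missing:
            raise PermissionError(f"{user} lacks {sorted(missing)}")
        return frozenset(needed)


if __name__ == "__main__":
    acl = AccessControlList("closed")
    acl.grant("payroll.db", "alice", "read")
    print("closed, alice write payroll:", acl.check("alice", "payroll.db", "write"))   # False
    open_acl = AccessControlList("open")
    open_acl.deny("payroll.db", "bob", "write")
    print("open, carol write payroll:", open_acl.check("carol", "payroll.db", "write"))  # True
    caps = CapabilityList()
    caps.grant("alice", "payroll.db", "read", "write")
    print("task domain:", caps.least_privilege_domain("alice", {("payroll.db", "read")}))
```

The open-environment policy in the second object is the one the question describes: nothing is denied until authorisation information says so, which is why an unknown user such as "carol" gets write access. The closed object and the capability list both default to deny.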

Q1006. Which among the following is a distinct benefit of installing a Local Area
Network (LAN)?
A. LANs enable sharing of resources like hardware, software and
data
B. LANs prevent virus attack
C. LANs provide better change management control
D. LANs provide greater confidentiality of data than other systems

Q1007. Which area of the ISO Network management Model is responsible for
identifying problems, logging reports and notifying the users, so that the
network runs effectively?
A. Performance Management
B. Accounting Management
C. Fault Management
D. Configuration Management

Q1008. Which component of the Local Multipoint Distribution Service (LMDS) is
vendor specific?
A. Central Office (CO) equipment
B. Customer Premises Equipment (CPE)
C. Network Operations Centre (NOC)
D. Fibre -based infrastructure

Q1009. Which feature gives Time Division Multiple Access the edge over other
spread spectrum technologies?
A. Hierarchical cell structures
B. Extended TDMA
C. Elimination of interference
D. Reduced infrastructure costs

Q1010. Which feature in UMTS (Universal Mobile Telecommunication system)
security is not derived from GSM standards?
A. Subscriber identity module
B. Radio interface encryption
C. Security against false base stations through mutual authentication
D. Subscriber identity confidentiality

Q1011. Which of the following actions should be undertaken when a file
retention date expires?
A. the storage medium on which the file resides should be retired
from use
B. the file should be purged
C. the file retention date should be extended
D. the file should be retrieved from back up storage

Q1012. Which of the following activities should not be permitted when operators
use a communications network control terminal:
A. Monitoring network activity levels
B. down line loading a program
C. transmitting system warning and status messages
D. altering the audit trail to correct an error

Q1013. Which of the following activities would not be performed by control
section personnel when they collect the output of a batch application
system from the computer room:
A. checking basic control totals
B. Checking to see whether any programs terminated abnormally
C. Scanning the output for obvious errors
D. checking the transaction log

Q1014. Which of the following requires two different keys for encryption and
decryption:
A. Symmetric Cryptography
B. Asymmetric Cryptography
C. Cryptanalysis
D. Cryptology

Q1015. Which of the following AIN (Advanced Intelligent Network) components
functions as an intelligent router?
A. Intelligent peripheral
B. Service Control Point
C. Service Switching Point
D. Signalling Transfer Point

Q1016. Which of the following best describes the role of QA management with
respect to the information systems function?
A. Carrying out a post implementation audit/review of the application
systems of an information systems function
B. monitoring IS activities for compliance with IS standards
C. advising information systems development staff on the quality of
the requirements specification and design specification that they
have prepared
D. working with internal auditors to devise a program of compliance
testing and substantive testing activities for the information
systems function

Q1017. Which of the following characteristics is not associated with a public key
cryptosystem?
A. the encryption key can be known to all communication users
B. the processing time required in private key cryptosystem is faster
than that of public key cryptosystem
C. the decryption key should be kept a secret
D. the decryption key is the same as the encryption key

Q1018. Which of the following controls applies to PIN transmission?
A. the PIN must always be encrypted under the issuer’s key
B. the PIN must always be encrypted under the acquirer’s key
C. a unique cipher must be generated for each transmission of the
PIN
D. the PIN check digit should not be stripped off before the PIN is
encrypted for transmission

Q1019. Which of the following decisions most likely cannot be made on the
basis of performance monitoring statistics that are calculated:
A. whether new hardware/system software resources are needed
B. whether unauthorised use is being made of hardware/system
software resources
C. whether the system being monitored has provided users with a
strategic advantage over their competitors
D. whether there is any abnormal work load during a particular shift
which may be because of private use of resources by some staff

Q1020. Which of the following decisions most likely could not be made on the
basis of reports prepared from the maintenance log:
A. whether to move files from one storage medium to another to
reduce read/write errors
B. whether only valid and authorised transactions were processed
C. whether a storage medium should be retired
D. whether a master file should be stored on a particular storage
medium

Q1021. Which of the following does not reflect good control over use of
removable storage media?
A. Personnel at off-site locations should receive and issue backup
files only in accordance with an authorised schedule or a signed
requisition
B. project managers should maintain records of media use
associated with the application systems over which they have
responsibility
C. sensitive files and non sensitive files should be stored on the
same removable storage medium
D. backup for all media except diskettes should be kept off site and
access to them must be restricted

Q1022. Which of the following events is recorded on a public audit trail in a
digital signature system?
A. registration of public keys
B. terminal identifier
C. resources provided/denied
D. modifications to private keys

Q1023. Which of the following features is attributed to UDP?
A. Data reliability
B. Stable connection
C. Maximum protocol mechanisms
D. Uses checksum to check whether the data transferred has
reached destination without being corrupted.

Q1024. Which of the following features in Internet Information Server (IIS) 5.0
from Microsoft logs the CPU resources consumed by Web Services?
A. Application Protection feature
B. Centralised Administration
C. Kerberos
D. Process Accounting

Q1025. Which of the following features is not a part of DSL but of ADSL?
A. Use of Plain Old Telephone Service (POTS)
B. Use of copper wire as transmission medium
C. Facilitates more downstream rather than upstream transfer
D. Provides more bandwidth for voice

Q1026. Which of the following functions cannot be performed using a
communications network control terminal:
A. resetting message queue lengths
B. starting and terminating lines and processes
C. generating a control total for a point-of-sale device
D. correcting a hardware error in a modem

Q1027. Which of the following incidents can seriously damage a digital signature
system?
A. compromise of a key server’s private key
B. compromise of a receiver’s private key
C. compromise of a sender’s private key
D. use of a fake public key

Q1028. Which of the following information technologies or software products do
not mesh well with the information sharing concept?
A. Groupware products
B. Workgroup products
C. Stovepipe systems
D. Workflow software

Q1029. Which of the following is a component of Internet?
A. Routers to strengthen the attenuated signals
B. Repeaters to establish physical connection between various LANs
C. Gateways to allow a network to use the resources of another
mainframe
D. Bridges to optimize the transmission path of messages

Q1030. Which of the following is considered the greatest threat to the corporate
network, as far as cyber theft is concerned:
A. Business partners who have authorised access to the network
B. External parties not having authorised access to the network
C. Suppliers and customers who have authorised access to the
network
D. Employees who are connected to the corporate network

Q1031. Which of the following is false with regard to watermarking?
A. It embeds copyright information in the object
B. It is sufficient to prove the ownership of the article
C. It should be invisible
D. It identifies the user with the help of a serial number

Q1032. Which of the following is incorrect with regard to IP multicasting?
A. It distributes large amounts of data
B. It reduces the choking of bandwidth, due to high data traffic.
C. It requires additional resources for efficient delivery of data.
D. It is a group concept.

Q1033. Which of the following is least likely to be a motivation to establish a
QA role within IS function?
A. Of all stakeholders, QA personnel are likely to be perceived
as the most independent if they assume responsibility for the
development, promulgation and maintenance of information
system standards
B. A QA role facilitates organisations successfully undertaking more
ambitious information systems projects
C. An organisation may not be able to sell some of its IS products
unless it can show its customers that it has a viable QA function
D. A QA role will substantially decrease the costs of review work and
testing work associated with the development and implementation
of an Information system

Q1034. Which of the following is least likely to be a reason for making QA
personnel responsible for identifying areas where quality improvement
can be made?
A. QA personnel should have the knowledge and experience to
make the best recommendations for improvements to information
systems standards
B. QA personnel are charged with being knowledgeable about and
remaining up-to-date with best practice in information systems
C. QA personnel should have the greatest incentives to effect
improvements to information systems standards
D. QA personnel are in the best position to decide whether quality
improvement will result in better achievement of the organisation’s
overall corporate strategy

Q1035. Which of the following is most unlikely to be a reason for having QA
personnel responsible for formulating, promulgating, and maintaining
standards for the information systems function?
A. QA personnel should have the most knowledge about the
impact of national and international quality standards on their
organisations
B. QA personnel will be best placed to recommend corrective actions
when they formulate, promulgate, and maintain standards
C. QA personnel should have most experience of information
systems development, implementation, operations, and
maintenance activities
D. QA personnel should have incentives to ensure their organisation
adopts the best set of quality assurance standards possible

Q1036. Which of the following is NOT a characteristic of optical fibre cables?
A. Transmission rates are very high
B. Transmission is free of distortion due to noise/cross talk
C. The cables are small and flexible
D. The signal gets attenuated

Q1037. Which of the following is not a function of the control section:
A. dispatching input to the computer room
B. altering source data to correct input errors
C. batch containing errors would be rejected for correction prior to
processing
D. follow-up on unpaid accounts if a transfer pricing scheme is being
used

Q1038. Which of the following is not a part of the Global System for Mobile
Communication (GSM) network?
A. Telecommunication standard Institute (ETSI)
B. Switching System (SS)
C. Base Station System (BSS)
D. Operation and Support System (OSS)

Q1039. Which of the following is not a problem that undermines the
establishment of quality goals for an IS project?
A. There are no widely accepted quality goals for Information
Systems
B. Quality can have different meanings for different stakeholders in
Information System
C. Top management may evaluate quality in terms of whether an
information system allows their organisation to compete better in
a market place
D. Quality goals can vary, depending on the nature of Information
System to be developed, implemented, and maintained

Q1040. Which of the following is not a responsibility of the production control
section with respect to acquisition of consumables that the information
systems function uses?
A. ensuring that consumables are stored securely
B. monitoring the price and quality of consumables used
C. performing credit control checks on vendors who provide
consumables
D. control over the use of consumables

Q1041. Which of the following is NOT a security option of Internet Information
Server 4.0?
A. All scripts and programs must be thoroughly tested for wrong
input given with malicious intent
B. Enable Secure Sockets Layer (SSL)
C. Use NT File System (NTFS) instead of the File Allocation Table
(FAT) file system
D. If multiple sites are being hosted, they have to be appropriately
segregated

Q1042. Which of the following is not an audit objective in the review of hardware
acquisition?
A. ensuring that adequate information for sound management
decision making is available prior to contracting for the purchase,
rent or lease of new equipment
B. ensuring that the vendors are provided with appropriate and
uniform data for submission of bids according to management
approved specifications and guidelines
C. Ensuring that provisions are made to minimise damage or abuse
to hardware and to maintain the hardware in good operational
condition
D. Ensure that management’s hardware acquisition plan has taken
into consideration technological obsolescence.

Q1043. Which of the following is NOT an input control objective?
A. Maintenance of accurate batch registers
B. Completeness of batch processing
C. Authorisation of file updates
D. Appropriate accounting for rejections and exceptions

Q1044. Which of the following is NOT true as a mode of network reliability
enhancement:
A. Redundant switching equipment
B. Parallel physical circuits
C. Licensed software
D. Standby power supplies

Q1045. Which of the following is NOT true about a database management
system application environment?
A. Multiple users use data concurrently
B. Data are shared by passing files between programs or systems
C. The physical structure of the data is independent of user needs
D. Each request for data made by an application program must be
analysed by DBMS.

Q1046. Which of the following is not true with regard to SNMP?
A. It is a connectionless protocol
B. It guarantees data transmission
C. It can accommodate devices from different vendors
D. It reduces the resources required, and makes network
management simple

Q1047. Which of the following is true in relation to the “Frame Relay”?
A. A physical frame relay port will have a single virtual circuit
B. It is used to send analog information such as voice and data
C. It uses two OSI protocol layers as against three used in X.25
D. Using frame relay limits the type of resources that can be
connected to a network

Q1048. Which of the following is true regarding Remote Authentication Dial-In
User Service (RADIUS):
A. It can authenticate a single client at a time through a centralised
database
B. It can authenticate multiple clients at a time through a
decentralised database
C. It can authenticate multiple clients at a time through a centralised
database
D. It can authenticate a single client at a time through a
decentralised database.

Q1049. Which of the following provides mobile user network access over an air
interface in Wireless IP?
A. Core network
B. End-user Services Network
C. Radio Access Network
D. GSM

Q1050. Which of the following is true with regard to fibre optics?
A. It consists of inner cladding and an outer core.
B. It consists of an inner core and outer cladding.
C. Even though thinner and lighter than metal wires, they are more
susceptible to interference.
D. Less susceptible to interference than metal wires but carry analog
signals that slow down data.

Q1051. Which of the following is unlikely to be a capability of an automated
library system for removable storage media?
A. recording the names of the persons who are authorised to access
each storage medium
B. recording the dates when the contents of storage media can be
deleted
C. recording and maintaining the history of difficulties experienced
with the medium (read/write errors)
D. preparing reports indicating times when the temperature and
dust levels in the room where storage media are stored reached
unacceptable levels

Q1052. Which of the following modulation schemes does Orthogonal Frequency
Division Multiplexing (OFDM) deploy?
A. Multicarrier modulation
B. Phase shift keying
C. Amplitude /Phase keying
D. Digital amplitude modulation

Q1053. Which of the following options is true (with regard to SLIP)?
A. It includes a protocol identifier.
B. It allows communication with multi protocol computers.
C. It has no addressing scheme for routing purposes.
D. It is never used in a dial up connection.

Q1054. Which of the following pairs of items perform similar functions?
A. The Web server and the Web browser
B. Assembler and compiler
C. Bypass Label Processing and Central Processing Unit
D. Routers and gateways

Q1055. Which of the following principles should guide the ways in which QA
personnel monitor compliance with information systems standards?
A. QA personnel should use automated tools to ensure compliance
with information systems standards
B. QA personnel should seek to understand the reasons for a
compliance failure so that they can advise management
C. QA personnel should alert management on a timely basis when
they suspect a compliance deviation has occurred
D. QA personnel should avoid making comments to management
about the consequences of compliance failures

Q1056. Which of the following principles should not guide the way in which QA
personnel report to management?
A. the recommendation that QA personnel make should be backed
up by concrete facts
B. stakeholders should be informed of the contents of reports before
they are released to management
C. the recipients of project based reports should be agreed upon at
the start of a project
D. QA report must degenerate into a long list of defects that have
been identified

Q1057. Which of the following security practices are supported by most remote
control program products when accessing a host workstation on a local
area network?
A. Matching user ID and name with password
B. Principle of highest privilege should be implemented to perform
the file backup function
C. Limiting access to local drives and directories
D. Controlling file-transfer rights

Q1058. Which of the following statements about computers is correct?
A. Laptops usually cost more than Personal Computers but less
than mainframes
B. Because of the increase in use of distributed system, the need
for mainframes will increase in the near future
C. PCs and Laptops must be programmed directly in machine
language while mainframes use higher level language
D. The cost per transaction to process on each type of computer has
decreased in recent years

Q1059. Which of the following statements about national and international
information systems standards is true?
A. the adoption of national and international information systems
standards will increase the cost of the QA function
B. QA personnel will perform better when their organisation adopts
national and international information systems standards
C. widespread acceptance of national and international information
systems standards can undermine an organisation’s competitive
position
D. the adoption of national and international information systems
standards reduces conflict within the management

Q1060. Which of the following statements about personnel training in QA
standards and procedures is false?
A. a personal development plan with respect to QA training should
exist for each employee in the information systems function
B. training in general QA standards should be provided by QA
personnel whereas training in specific QA standards should be
provided by project managers
C. the quality of QA training is an important indicator of top
management’s commitment to the attainment of quality assurance
within the information systems function
D. QA training should be an ongoing process and all new QA
employees must be inducted in the QA goals, standards and
procedures that have been adopted by the information system
function

Q1061. Requirement specification errors lead to:
A. Function-related bugs
B. System bugs
C. Design bugs
D. Data bugs

Q1062. OCR stands for:
A. Original Character Recognition
B. Optical Character Recognition
C. Optical Character Record
D. Original Character Record

Q1063. Which one of the following is not a maintenance type?
A. Corrective maintenance.
B. Adaptive maintenance.
C. Perfective maintenance.
D. Detective maintenance.

Q1064. In monitoring and controlling a system development life cycle project
what is NOT formal and documented?
A. Change management forms
B. Logs
C. Checklists
D. Face-to-face communications

Q1065. A successful project management practice involves training a project
team to achieve desired goals. Under which process does this fall?
A. Planning
B. Organising
C. Controlling
D. Leading

Q1066. Which of the following is not a software implementation strategy?
A. Parallel Implementation.
B. Preventive Implementation.
C. Phased Implementation.
D. Abrupt change over.

Q1067. Data captured about real life events happening day to day is
contained in:
A. Master file
B. Parameter file
C. Transaction file
D. All of these

Q1068. All of the following should be in place prior to programming except:
A. User manual
B. Coding standards
C. Detail design documents
D. Unit test cases

Q1069. Identify the one that is NOT a key concept of object-oriented technology.
A. Encapsulation
B. Idempotence
C. Polymorphism
D. Inheritance

Q1070. Identify the EARLIEST software development model
A. The Waterfall model
B. Spiral model
C. Prototyping model
D. Incremental model

Q1071. Object Oriented languages are:
A. Data Oriented
B. Process Oriented
C. Data and Process Oriented
D. Task oriented

Q1072. Interactive voice response is an application of:
A. Fuzzy Logic
B. Expert System
C. Natural Language
D. Robotics

Q1073. _________ tests individual programs.
A. Unit testing
B. System testing
C. Acceptance testing
D. Parallel testing

Q1074. XBRL stands for
A. Extreme Business Related Language
B. Extreme Business Reporting Language
C. Extensible Business Reporting Language
D. Exhaustive Business Reporting Language

Q1075. Feasibility study may not cover the ___________ aspects of a project:
A. Economic
B. Technical
C. Legal
D. Personal

Q1076. Risk analysis is MOST useful when applied during which phase of the
system development process?
A. Project initiation
B. System Construction
C. Acceptance Testing
D. Implementation Planning

Q1077. The attributes of a Web Based Application are:
A. Network Intensive
B. Content Driven
C. Continuous Evolution
D. All of the above

Q1078. CASE tools are:
A. Costly
B. Require extensive training
C. Both (a) and (b)
D. None of the above

Q1079. An upper CASE tool is used in:
A. Design
B. Code
C. Implementation
D. Maintenance

Q1080. A type of SDLC model where a time box can be used to limit the time
available for producing a working system.
A. Prototype
B. Spiral
C. RAD
D. Waterfall

Q1081. A good program will not have
A. Accuracy
B. Reliability
C. Robustness
D. Hardcoding

Q1082. Person responsible for overall cost and timelines of a project is:
A. Project Manager
B. Network Engineer
C. Team Leader
D. Systems Analysts

Q1083. Coding standards would provide which of the following?
A. Field naming conventions
B. Data flow diagrams
C. Access control tables
D. Program documentation

Q1084. Accuracy of data is most likely to be important to a
A. Decision Support System (DSS)
B. Strategic Planning System
C. Expert system
D. Management control system

Q1085. Which of the following is true with regard to White Box Testing?
A. Output of the program code is not required before the beginning
of the code.
B. It is not very expensive.
C. It may involve testing every line of code.
D. It shows errors caused by omission.

Q1086. Artificial Intelligence is now being used in every sphere of life. Which of
the following options justifies the statement?
A. Ability to work in hazardous places
B. Ability to think like human beings
C. Ability to work in artificial environments
D. None of the above

Q1087. Which one of the following is performed FIRST in a system development
life cycle project?
A. Developing program flow chart
B. Determining system inputs and outputs
C. Developing design documents
D. Developing conversion plans

Q1088. During the detailed design phase of SDLC, which one of the following
tasks is performed?
A. Defining control, security, and audit requirements
B. Developing screen flows with specifications
C. Identifying major purpose(s) of the system
D. Developing system justification

Q1089. Fuzzy logic is most effective when:
A. Used to develop decision support systems
B. Combined with neural network technologies
C. Used to build hard disk controllers
D. Used to design memory caches

Q1090. A normally expected outcome of a business process re-engineering is
that:
A. Information technologies will remain unaltered.
B. It improves the product, service and profitability.
C. Information from clients and customers will not be required.
D. Business priorities will not be modified.

Q1091. A reasonably controlled practice for distributed executable programs
that run in the background of a web browser client, such as Java applets
and ActiveX controls, is:
A. installation of a firewall
B. usage of a secure web connection
C. acceptance of executable only from the established and trusted
source
D. hosting the website as part of your organisation

Q1092. In which type of testing is the same test data used in the new and old
system, and the output results compared?
A. Unit Testing
B. Parallel Testing
C. Penetration Testing
D. All of the above

Q1093. Which of the following procedures would an IS Auditor not perform
during the design phase of a system project?
A. Assist in developing a functional design for embedded audit
routines
B. Assess the adequacy of the system
C. Advise the analyst regarding control routine
D. Review the design for adherence to corporate policies

Q1094. With respect to various phases in the SDLC which of the following is
least likely to vary?
A. Conduct of each phase
B. Sequence in which phases are performed
C. Presence of each phase
D. Resources needed to perform each phase

Q1095. Which of the following statements regarding the function of a System
Development Life Cycle Steering Committee is FALSE?
A. Review projects progress regularly
B. Report only to senior management on project status
C. Serve as a Coordinator and Advisor to answer questions about
system and program design
D. Take corrective actions regarding personnel changes on the project
team

Q1096. ___________ involves overseeing the effectiveness of risk responses,
monitoring residual risks, identifying and documenting new risks, and
assuring that risk management processes are followed.
A. Risk Identification
B. Risk Monitoring & Control
C. Risk Response Planning
D. Risk Management Planning

Q1097. A project manager has asked that you advise him of the potential risk
associated with the use of timebox development techniques in a system
development project. Which of the following would NOT be good
advice?
A. That the timebox technique should only be applied to projects that
can be completed within a reasonable timeframe.
B. For the timebox approach to be effective, end-users and
management should have agreed to core functionality to be
developed in the timebox.
C. That delivery of all functionality within the timebox is more
important than quality.
D. That the timebox approach will require the use of evolutionary
prototype techniques

Q1098. Many IT projects experience problems because the development
time and/or resource requirements are underestimated. Which of
the following techniques would provide the GREATEST assistance in
developing an estimate of project duration?
A. Function point analysis
B. PERT chart
C. Rapid application development
D. Object-oriented system development

Q1099. A subject-oriented, integrated, time-variant, non-volatile collection of
data in support of management’s decision-making process is
A. Data Warehouse
B. Data Mining
C. Both (a) and (b)
D. None of the above

Q1100. Which one of the following is not true about emergency changes?
A. They are required to resolve system problems and enable critical
processing to continue
B. It involves the use of special logon-IDs that grant temporary
access to production environment during emergency situation.
C. Emergency IDs used for making emergency changes have
special privileges hence their usage should be logged & carefully
monitored
D. Passwords of emergency IDs used for making emergency
changes should never expire.

Q1101. The governance framework determines
A. Whom the organization is there to serve and how the purposes
and priorities of the organization should be decided
B. Whom the organization is there to serve
C. The legal framework for the administration of the organisation
D. The regulatory framework in which the organization operates

Q1102. The main purpose of corporate governance is:
A. To separate ownership and management control of organizations
and to make organizations more visibly accountable to a wider
range of stakeholders.
B. To separate ownership and management control of organisations
C. To maximize shareholder value
D. To ensure that regulatory frameworks are adhered to

Q1103. The two-tier board of an organization is particularly useful:
A. In ensuring that there is a counterbalance to the power of
managers
B. For managers to assert their power
C. In improving operational efficiency
D. In ensuring that employees can determine strategies for the
organisation

Q1104. The desire for more accountability of public sector organizations has
resulted in:
A. An increased proportion of independent members on governing
bodies
B. Pressure on all public sector organizations to be operated on a
profit making basis
C. Public sector managers to become more professional
D. Public sector organizations to develop plans for their strategic
development

Q1105. Stakeholders are the individuals or groups who:
A. Depend on the organization to fulfil their own goals and on whom
the organization depends
B. Are shareholders in key competitors
C. Dominate the strategy development process in an organization
D. Determine operational issues

Q1106. The purpose of stakeholder mapping is to:
A. Identify stakeholder interest and power
B. Outline policies on stakeholder relationships
C. Geographically locate different stakeholders
D. Identify stakeholder power

Q1107. Where a stakeholder has a high level of interest in the development
of an organization, but a low level of power, strategists or managers
should:
A. Keep these stakeholders informed
B. Keep these stakeholders informed and satisfied
C. Expend minimal effort on these stakeholders
D. Treat these stakeholders as key players

Q1108. Power is:
A. The ability of individuals or groups to persuade others into
following certain courses of action.
B. The ability of individuals to persuade, induce or coerce others into
following certain courses of action.
C. The ability of groups to persuade, induce or coerce others into
following certain courses of action.
D. The ability of individuals or groups to persuade, induce or coerce
others into following certain courses of action.

Q1109. An indicator of power held by external stakeholders is:
A. The organisational perception of the status of an external party.
B. Negotiating skills.
C. Personal relationship with a key decision-maker.
D. Mutual resource dependency.

Q1110. Ethical issues concerning business and public sector organizations exist
at three levels:
A. Macro; Corporate; Individual
B. Corporate; Business; Functional
C. Corporate; Functional; Individual
D. Business; Family; Individual

Q1111. An ethical stance is the extent to which:
A. An organisation will exceed its minimum obligations to
stakeholders and society at large.
B. An organisation meets the expectations of its stakeholders.
C. An organisation meets regulatory requirements.
D. An organisation respects the dominant religious beliefs of the
country in which it operates.

Q1112. Corporate social responsibility concerns:
A. The ways in which an organisation exceeds its minimum required
obligations to stakeholders.
B. How an organisation meets the expectations of its stakeholders.
C. The behaviour of individual managers.
D. External stakeholder relationships.


Q1113. The cultural frames of reference include (this is not a comprehensive
list):
A. National; organisational; organisational field and functional/
divisional.
B. National; organisational field; competitors.
C. Unions; organisational; industrial.
D. Organisational; colleagues; organisational field.

Q1114. The culture of an organisation can be conceived as consisting of the
following layers:
A. Values; beliefs; behaviours; and taken-for-granted assumptions.
B. Values; beliefs; tasks.
C. Beliefs; tasks; personalities.
D. Individual; functional; organisational.

Q1115. Which of the following is NOT an influence on organizational purposes?
A. The organizational mission
B. Minor stakeholders
C. Business ethics
D. Corporate governance

Q1116. The governance framework determines:
A. Whom the organization is there to serve and how the purposes
and priorities of the organization should be decided
B. Whom the organization is there to serve
C. The legal framework for the administration of the organisation
D. The regulatory framework in which the organization operates


Q1117. The main purpose of corporate governance is:
A. To separate ownership and management control of organizations
and to make organizations more visibly accountable to a wider
range of stakeholders.
B. To separate ownership and management control of organisations
C. To maximize shareholder value
D. To ensure that regulatory frameworks are adhered to

Q1118. The two-tier board of an organization is particularly useful:
A. In ensuring that there is a counterbalance to the power of
managers
B. For managers to assert their power
C. In improving operational efficiency
D. In ensuring that employees can determine strategies for the
organisation

Q1119. The desire for more accountability of public sector organizations has
resulted in:
A. An increased proportion of independent members on governing
bodies
B. Pressure on all public sector organizations to be operated on a
profit making basis
C. Public sector managers to become more professional
D. Public sector organizations to develop plans for their strategic
development

Q1120. Stakeholders are the individuals or groups who:
A. Depend on the organization to fulfil their own goals and on whom
the organization depend
B. Are shareholders in key competitors
C. Dominate the strategy development process in an organization
D. Determine operational issues


Q1121. The purpose of stakeholder mapping is to:
A. Identify stakeholder interest and power
B. Outline policies on stakeholder relationships
C. Geographically locate different stakeholders
D. Identify stakeholder power

Q1122. Where a stakeholder has a high level of interest in the development
of an organization, but a low level of power, strategists or managers
should:
A. Keep these stakeholders informed
B. Keep these stakeholders informed and satisfied
C. Expend minimal effort on these stakeholders
D. Treat these stakeholders as key players

Q1123. Power is:
A. The ability of individuals or groups to persuade others into
following certain courses of action.
B. The ability of individuals to persuade, induce or coerce others into
following certain courses of action.
C. The ability of groups to persuade, induce or coerce others into
following certain courses of action.
D. The ability of individuals or groups to persuade, induce or coerce
others into following certain courses of action.

Q1124. An indicator of power held by external stakeholders is:
A. The organisational perception of the status of an external party.
B. Negotiating skills.
C. Personal relationship with a key decision-maker.
D. Mutual resource dependency.


Q1125. Ethical issues concerning business and public sector organizations exist
at three levels:
A. Macro; Corporate; Individual
B. Corporate; Business; Functional
C. Corporate; Functional; Individual
D. Business; Family; Individual

Q1126. An ethical stance is the extent to which:
A. An organisation will exceed its minimum obligations to
stakeholders and society at large.
B. An organisation meets the expectations of its stakeholders.
C. An organisation meets regulatory requirements.
D. An organisation respects the dominant religious beliefs of the
country in which it operates.

Q1127. Corporate social responsibility concerns:
A. The ways in which an organisation exceeds its minimum required
obligations to stakeholders.
B. How an organisation meets the expectations of its stakeholders.
C. The behaviour of individual managers.
D. External stakeholder relationships.

Q1128. The cultural frames of reference include (this is not a comprehensive
list):
A. National; organisational; organisational field and functional/
divisional.
B. National; organisational field; competitors.
C. Unions; organisational; industrial.
D. Organisational; colleagues; organisational field.


Q1129. The culture of an organisation can be conceived as consisting of the
following layers:
A. Values; beliefs; behaviours; and taken-for-granted assumptions.
B. Values; beliefs; tasks.
C. Beliefs; tasks; personalities.
D. Individual; functional; organisational.

Q1130. Which of the following is NOT an influence on organizational purposes?
A. The organizational mission
B. Minor stakeholders
C. Business ethics
D. Corporate governance


Answers for Module 3

Q703 Ans. d Q731 Ans. b Q759 Ans. B
Q704 Ans. a Q732 Ans. c Q760 Ans. B
Q705 Ans. d Q733 Ans. c Q761 Ans. a
Q706 Ans. a Q734 Ans. D Q762 Ans. c
Q707 Ans. c Q735 Ans. d Q763 Ans. c
Q708 Ans. d Q736 Ans. B Q764 Ans. d
Q709 Ans. b Q737 Ans. B Q765 Ans. a
Q710 Ans. c Q738 Ans. A Q766 Ans. C
Q711 Ans. d Q739 Ans. D Q767 Ans. C
Q712 Ans. d Q740 Ans. C Q768 Ans. D
Q713 Ans. B Q741 Ans. c Q769 Ans. A
Q714 Ans. C Q742 Ans. B Q770 Ans. C
Q715 Ans. c Q743 Ans. d Q771 Ans. C
Q716 Ans. D Q744 Ans. b Q772 Ans. A
Q717 Ans. a Q745 Ans. C Q773 Ans. C
Q718 Ans. c Q746 Ans. d Q774 Ans. d
Q719 Ans. c Q747 Ans. a Q775 Ans. D
Q720 Ans. C Q748 Ans. b Q776 Ans. C
Q721 Ans. D Q749 Ans. a Q777 Ans. A
Q722 Ans. C Q750 Ans. C Q778 Ans. C
Q723 Ans. B Q751 Ans. B Q779 Ans. D
Q724 Ans. d Q752 Ans. A Q780 Ans. B
Q725 Ans. c Q753 Ans. c Q781 Ans. D
Q726 Ans. D Q754 Ans. c Q782 Ans. C
Q727 Ans. B Q755 Ans. C Q783 Ans. B
Q728 Ans. D Q756 Ans. B Q784 Ans. A
Q729 Ans. C Q757 Ans. d Q785 Ans. C
Q730 Ans. c Q758 Ans. b Q786 Ans. a


Q787 Ans. D Q817 Ans. d Q847 Ans. b
Q788 Ans. A Q818 Ans. a Q848 Ans. b
Q789 Ans. B Q819 Ans. d Q849 Ans. c
Q790 Ans. C Q820 Ans. a Q850 Ans. b
Q791 Ans. c Q821 Ans. c Q851 Ans. d
Q792 Ans. B Q822 Ans. b Q852 Ans. c
Q793 Ans. C Q823 Ans. b Q853 Ans. b
Q794 Ans. A Q824 Ans. d Q854 Ans. c
Q795 Ans. C Q825 Ans. c Q855 Ans. a
Q796 Ans. c Q826 Ans. b Q856 Ans. b
Q797 Ans. C Q827 Ans. b Q857 Ans. d
Q798 Ans. D Q828 Ans. d Q858 Ans. d
Q799 Ans. d Q829 Ans. a Q859 Ans. b
Q800 Ans. C Q830 Ans. b Q860 Ans. d
Q801 Ans. B Q831 Ans. d Q861 Ans. d
Q802 Ans. b Q832 Ans. c Q862 Ans. b
Q803 Ans. d Q833 Ans. d Q863 Ans. d
Q804 Ans. b Q834 Ans. b Q864 Ans. a
Q805 Ans. a Q835 Ans. b Q865 Ans. a
Q806 Ans. c Q836 Ans. c Q866 Ans. c
Q807 Ans. D Q837 Ans. b Q867 Ans. c
Q808 Ans. C Q838 Ans. b Q868 Ans. b
Q809 Ans. b Q839 Ans. d Q869 Ans. b
Q810 Ans. a Q840 Ans. b Q870 Ans. b
Q811 Ans. b Q841 Ans. d Q871 Ans. b
Q812 Ans. b Q842 Ans. d Q872 Ans. b
Q813 Ans. C Q843 Ans. d Q873 Ans. d
Q814 Ans. C Q844 Ans. b Q874 Ans. b
Q815 Ans. c Q845 Ans. d Q875 Ans. c
Q816 Ans. c Q846 Ans. d Q876 Ans. b


Q877 Ans. c Q907 Ans. b Q937 Ans. d
Q878 Ans. a Q908 Ans. b Q938 Ans. b
Q879 Ans. c Q909 Ans. d Q939 Ans. d
Q880 Ans. a Q910 Ans. a Q940 Ans. d
Q881 Ans. d Q911 Ans. a Q941 Ans. c
Q882 Ans. b Q912 Ans. d Q942 Ans. d
Q883 Ans. d Q913 Ans. d Q943 Ans. b
Q884 Ans. d Q914 Ans. d Q944 Ans. a
Q885 Ans. d Q915 Ans. b Q945 Ans. c
Q886 Ans. c Q916 Ans. a Q946 Ans. a
Q887 Ans. b Q917 Ans. d Q947 Ans. d
Q888 Ans. d Q918 Ans. a Q948 Ans. a
Q889 Ans. d Q919 Ans. b Q949 Ans. a
Q890 Ans. b Q920 Ans. d Q950 Ans. d
Q891 Ans. b Q921 Ans. b Q951 Ans. a
Q892 Ans. c Q922 Ans. d Q952 Ans. c
Q893 Ans. c Q923 Ans. c Q953 Ans. a
Q894 Ans. a Q924 Ans. d Q954 Ans. a
Q895 Ans. c Q925 Ans. b Q955 Ans. a
Q896 Ans. b Q926 Ans. b Q956 Ans. d
Q897 Ans. c Q927 Ans. c Q957 Ans. c
Q898 Ans. c Q928 Ans. d Q958 Ans. d
Q899 Ans. d Q929 Ans. b Q959 Ans. a
Q900 Ans. b Q930 Ans. a Q960 Ans. c
Q901 Ans. c Q931 Ans. d Q961 Ans. d
Q902 Ans. c Q932 Ans. d Q962 Ans. c
Q903 Ans. d Q933 Ans. d Q963 Ans. c
Q904 Ans. d Q934 Ans. c Q964 Ans. c
Q905 Ans. d Q935 Ans. b Q965 Ans. b
Q906 Ans. c Q936 Ans. c Q966 Ans. c


Q967 Ans. a Q997 Ans. d Q1027 Ans. a
Q968 Ans. b Q998 Ans. d Q1028 Ans. c
Q969 Ans. b Q999 Ans. c Q1029 Ans. c
Q970 Ans. a Q1000 Ans. b Q1030 Ans. d
Q971 Ans. c Q1001 Ans. b Q1031 Ans. d
Q972 Ans. a Q1002 Ans. a Q1032 Ans. c
Q973 Ans. c Q1003 Ans. a Q1033 Ans. d
Q974 Ans. a Q1004 Ans. b Q1034 Ans. d
Q975 Ans. b Q1005 Ans. b Q1035 Ans. c
Q976 Ans. c Q1006 Ans. a Q1036 Ans. d
Q977 Ans. c Q1007 Ans. c Q1037 Ans. b
Q978 Ans. a Q1008 Ans. b Q1038 Ans. b
Q979 Ans. b Q1009 Ans. c Q1039 Ans. a
Q980 Ans. c Q1010 Ans. c Q1040 Ans. c
Q981 Ans. c Q1011 Ans. b Q1041 Ans. c
Q982 Ans. d Q1012 Ans. d Q1042 Ans. c
Q983 Ans. a Q1013 Ans. d Q1043 Ans. d
Q984 Ans. c Q1014 Ans. b Q1044 Ans. c
Q985 Ans. b Q1015 Ans. d Q1045 Ans. b
Q986 Ans. b Q1016 Ans. b Q1046 Ans. c
Q987 Ans. d Q1017 Ans. d Q1047 Ans. c
Q988 Ans. a Q1018 Ans. c Q1048 Ans. c
Q989 Ans. c Q1019 Ans. c Q1049 Ans. c
Q990 Ans. c Q1020 Ans. d Q1050 Ans. b
Q991 Ans. a Q1021 Ans. c Q1051 Ans. d
Q992 Ans. b Q1022 Ans. a Q1052 Ans. a
Q993 Ans. a Q1023 Ans. d Q1053 Ans. c
Q994 Ans. b Q1024 Ans. d Q1054 Ans. b
Q995 Ans. a Q1025 Ans. c Q1055 Ans. b
Q996 Ans. c Q1026 Ans. d Q1056 Ans. d


Q1057 Ans. a Q1082 Ans. A Q1107 Ans. A
Q1058 Ans. d Q1083 Ans. A Q1108 Ans. A
Q1059 Ans. c Q1084 Ans. D Q1109 Ans. A
Q1060 Ans. b Q1085 Ans. C Q1110 Ans. A
Q1061 Ans. A Q1086 Ans. B Q1111 Ans. A
Q1062 Ans. B Q1087 Ans. B Q1112 Ans. A
Q1063 Ans. D Q1088 Ans. B Q1113 Ans. A
Q1064 Ans. D Q1089 Ans. B Q1114 Ans. A
Q1065 Ans. B Q1090 Ans. B Q1115 Ans. A
Q1066 Ans. B Q1091 Ans. C Q1116 Ans. A
Q1067 Ans. C Q1092 Ans. B Q1117 Ans. A
Q1068 Ans. A Q1093 Ans. B Q1118 Ans. A
Q1069 Ans. B Q1094 Ans. B Q1119 Ans. A
Q1070 Ans. A Q1095 Ans. B Q1120 Ans. A
Q1071 Ans. C Q1096 Ans. B Q1121 Ans. A
Q1072 Ans. C Q1097 Ans. C Q1122 Ans. A
Q1073 Ans. A Q1098 Ans. A Q1123 Ans. A
Q1074 Ans. C Q1099 Ans. A Q1124 Ans. A
Q1075 Ans. D Q1100 Ans. D Q1125 Ans. A
Q1076 Ans. A Q1101 Ans. A Q1126 Ans. A
Q1077 Ans. D Q1102 Ans. A Q1127 Ans. A
Q1078 Ans. C Q1103 Ans. A Q1128 Ans. A
Q1079 Ans. A Q1104 Ans. A Q1129 Ans. A
Q1080 Ans. C Q1105 Ans. A Q1130 Ans. A
Q1081 Ans. D Q1106 Ans. A

290
DISA Review Questions, Answers Manual – Module 4

Module 4 Questions
Q1131. Insurance cover that reimburses a company for expenses incurred to
avoid or minimize the suspension of business is called:
A. Business Interruption Insurance
B. Equipment and Facility Insurance
C. Data Reconstruction
D. Extra expense insurance

Q1132. The IS auditor should ensure that insurance coverage is adequate and
reflects the actual cost of recovery. It is important that the organisation
not only covers the loss of property but also:
A. Covers the health of the employees
B. Covers the cost of data reconstruction.
C. Covers employee fidelity
D. Covers the loss of revenue stream arising from that property

Q1133. Insurance that protects the company in the case of a claim against
the company for negligence, errors, omissions, or wrongful acts in the
performance of the company's duties is called:
A. Business Interruption Insurance
B. Equipment and Facility Insurance
C. Professional Liability Insurance
D. Extra expense insurance

Q1134. Which of the following terms best defines a computer program looking
“normal” but containing harmful code?
A. Trojan horse
B. Trapdoor


C. Worm
D. Time bomb

Q1135. At which stage of the data process flow, from source to warehouse, are
detective controls implemented?
A. Data migration
B. Transformation
C. Loading
D. Reconciliation

Q1136. Which transmission impairment is dependent on propagation velocity as
a function of frequency?
A. Attenuation
B. Noise
C. Delay distortion
D. Cross talk

Q1137. A macro virus infection in a computer will __________.
A. Erase the hard disk
B. Clear the ROM
C. Destroy document files
D. Slow down processes on the server

Q1138. A restriction control that merges cells containing sensitive statistics is
described as:
A. Partitioning
B. Order control
C. Rolling up
D. Relative table size control


Q1139. Which one of the following is not an application control to assure data
accuracy?
A. Crossfooting
B. Control total
C. Limit and reasonableness test
D. Echo checking

Q1140. Auditor should ensure that the BCP's priorities:
A. Support objectives of the organisation.
B. Meet regulatory requirements.
C. Conform to contractual requirements.
D. All of the above.

Q1141. Which application of Biometrics employs speech recognition systems?
A. Employee records
B. Telecommunications
C. Banking
D. Forensics

Q1142. Which of the following is the least important basis for access control?
A. What the user knows
B. What the user wants
C. What the user is
D. What the user has

Q1143. Which of the following is not a part of external access control?
A. Port protection devices
B. Secure gateways
C. Security labels
D. Host-based authentication


Q1144. Which of these is not an internal access control mechanism?
A. Passwords
B. Host-based authentication
C. Roles
D. Permission bits

Q1145. Parity checking and Access logging can be broadly classified as –
A. Preventive control
B. Detective control
C. Compensating control
D. Operations control

Q1146. The BEST transmission control that can be employed to protect data
during data transfer is –
A. Applying parity check
B. Data encryption
C. File header encryption
D. Use of standard protocol

Q1147. Which one of the following types of passwords is not user-friendly?
A. User selected passwords
B. System-generated passwords
C. One-time passwords
D. Time-based passwords.

Q1148. Which of the following worms does the friendly “Cheese worm”
counteract?
A. Adore worm
B. Sadmind/ IIS worm


C. Ramen worm
D. 1i0n worm

Q1149. Social Engineering is:
A. Creating a team for software development
B. Referred to as people hacking
C. A technique to motivate teams
D. A training method for software development teams

Q1150. All of the following control procedures can be used to ensure
completeness of data, EXCEPT –
A. Completeness check
B. File trailer records
C. Run to run control totals
D. Validity routines

Q1151. The feature of Linux that allows changing password without altering or
recompiling any utility is:
A. Shadow password
B. Pluggable Authentication Module (PAM)
C. LILO
D. Dual booting

Q1152. The BEST method to verify the data values through the various stages
of processing is:
A. Check digits
B. Hash totals
C. Run-to-run totals
D. Automated controls


Q1153. Which of the following media has the least backup capacity?
A. Removable Cartridges
B. Floppy Diskettes
C. Compact Disk
D. Tape Drives

Q1154. Enhanced risk awareness and more emphasis on the importance
of good risk measurement and management and properly ensured
appropriate capital reserve requirements is a requirement of:
A. Basel Committee’s principles for electronic banking
B. Basel II Capital Accord
C. COBIT
D. ISO/IEC 17799:2000

Q1155. A common backup method for portable computers is:
A. Electronic Vaulting
B. Tape Drives
C. Remote Mirroring
D. Synchronization

Q1156. The correct order of steps for developing a BCP is:
A. Initiate, Risk assessment, Choose a recovery strategy, Testing
and validation, Develop and implement.
B. Initiate, Choose a recovery strategy, Risk assessment, Develop
and implement, Testing and validation.
C. Initiate, Risk assessment, Choose a recovery strategy, Develop
and implement, Testing and validation.
D. Risk assessment, Initiate, Choose a recovery strategy, Develop
and implement, Testing and validation.


Q1157. During exposure assessment the effects of a disruption may be
tracked:
A. Over time
B. Across related resources and dependent systems
C. On the basis of historical costs
D. Over time and across related resources and dependent systems

Q1158. Data or documentation that must be retained for legal reasons, for use
in key business processes, or for restoration of minimum acceptable
work levels in the event of a disaster is classified as:
A. Desirable
B. Vital
C. Essential
D. Critical

Q1159. The response procedures for occupants of a facility in the event of a
situation posing a potential threat to the health and safety of personnel,
the environment, or property is contained in a/an:
A. Business Resumption Plan
B. Cyber Incident Response Plan
C. Business Resumption Plan
D. Occupant Emergency Plan

Q1160. With respect to a BCP, the auditor should test check contact information
(of vendors, employees) to ensure:
A. They will honour their contractual agreements.
B. That they are current.
C. They are physically close by.
D. They are registered with tax authorities.


Q1161. Single points of failure are:
A. Recommended
B. To be eliminated
C. Desirable.
D. To be encouraged

Q1162. Which of the following RAID levels is NOT recommended as a data
recovery solution?
A. RAID-1
B. RAID-0
C. RAID-10
D. RAID-100

Q1163. Identify the correct statement:
A. Both differential and incremental backups take the same amount
of time.
B. Incremental backups take longer to complete than differential
backups.
C. Differential backups take longer to complete than incremental
backups.
D. Incremental backups take longer when using tape drives.

Q1164. Which of the following is NOT a type of system backup?
A. Incremental
B. Sequential
C. Differential
D. Full


Q1165. A comprehensive statement of consistent actions to be taken
before, during, and after a disruptive event that causes a significant loss
is called a:
A. Business continuity plan (BCP)
B. Disaster recovery plan (DRP)
C. Disaster continuity plan (DCP)
D. Business recovery plan (BRP)

Q1166. Any force or phenomenon that could degrade the availability, integrity
or confidentiality of an Information Systems resource, system or network
is called a:
A. Threat
B. Risk
C. Vulnerability
D. Threat-source

Q1167. With respect to BCP testing, which of the following types of test will
involve considerable expenditure of time, effort and resources?
A. Checklist
B. Structured walk-through
C. Full-interruption
D. Simulation

Q1168. The potential for a threat-source to exercise (accidentally trigger or
intentionally exploit) a specific vulnerability is called a/an:
A. Threat
B. Risk
C. Exposure
D. Hazard


Q1169. Business functions that cannot be done manually under any
circumstances are classified as:
A. Vital
B. Essential
C. Critical
D. Non-critical

Q1170. Elimination of all risks is usually:
A. Impractical or impossible
B. Easy to achieve
C. Vital to the survival of the company
D. Recommended by law

Q1171. Which of the following is NOT a data redundancy technique used by
RAID technology?
A. Mirroring
B. Parity
C. Blocking
D. Striping

Q1172. A disruption of business operations that stops an organization from
providing its critical services caused by the absence of critical resources
is called a:
A. Disaster
B. Vulnerability
C. Catastrophe
D. Calamity


Q1173. Which of the following is the MOST reliable strategy for centralized
systems?
A. Cold site
B. Reciprocal Agreement
C. Hot Site
D. Mirror site/Active Recovery Site

Q1174. Which of the following is the LEAST reliable strategy for centralized
systems?
A. Mobile Site
B. Hot Site
C. Reciprocal Agreement
D. Mirror site/Active Recovery Site

Q1175. Data that can be reconstructed fairly readily but at some cost is
classified as:
A. Critical
B. Essential
C. Sensitive
D. Essential

Q1176. Disaster recovery plan and insurance are:
A. Controls of first resort.
B. Unreliable controls.
C. Preventive controls.
D. Controls of last resort


Q1177. Among strategies for telecommunications systems, the strategy that
involves the use of different networks, circuits or end points when the
primary telecommunication facility is unavailable is called:
A. Distributed Routing
B. Associative Routing
C. Diverse Routing
D. Alternative Routing

Q1178. The auditor should evaluate the security of an offsite facility to ensure
that it has logical, physical and environmental controls. Ideally, these
controls should be:
A. On par with that provided at the primary facility.
B. Less than that provided at the primary facility.
C. More than that provided at the primary facility.
D. Different from that provided at the primary facility.

Q1179. With respect to BCP testing, which is the most rigorous way to test a
business continuity plan?
A. Full-interruption
B. Parallel
C. Simulation
D. Structured walk-through

Q1180. Business functions that can be performed manually but only for a brief
period of time are usually classified as:
A. Vital
B. Essential
C. Desirable
D. Critical


Q1181. Banks must demonstrate that they have an overall data architecture
that integrates the various business functions from operations to finance
to risk management if they are to achieve compliance with:
A. ISO/IEC 17799:2000
B. SAS 70
C. Basel Committee’s principles for electronic banking
D. Basel II Capital Accord

Q1182. Risk assessment consists of:
A. Data collection
B. Data analysis
C. Data collection and data analysis
D. Data collation

Q1183. With respect to BCP testing, in which type of test is processing done
at both the primary and alternate location?
A. Full-interruption
B. Parallel
C. Simulation
D. Structured walk-through

Q1184. Which of the following technical methods for Backup does not require
restoration?
A. Electronic Vaulting
B. Networked Disk
C. Tape Drives
D. Remote Mirroring


Q1185. Which of the following types of system backup would require the
maximum storage?
A. Incremental
B. Sequential
C. Full
D. Differential

Q1186. Auditor should verify that the recovery strategies adopted by the
company are:
A. In line with audit objectives
B. In line with costs
C. In line with the priorities
D. In line with that of major competitors

Q1187. Backup media should be stored:
A. On-site in a secure, environmentally controlled location
B. Off-site in an insecure, environmentally controlled location
C. On-site in an insecure, environmentally controlled location
D. Off-site in a secure, environmentally controlled location

Q1188. Which of the following techniques used by RAID technology increases
performance?
A. Mirroring
B. Parity
C. Striping
D. Hashing

Q1189. A file-oriented environment that offers a common storage area for
multiple servers and which allows any application residing on or any
client using virtually any operating system to send data to or receive
data is called:
A. Network-Attached Storage (NAS)
B. Remote Access Storage (RAS)
C. Redundant Array of Inexpensive Disks (RAID)
D. Storage Area Network (SAN)

Q1190. A list of persons or organisations to be notified in the event of a
disaster and often included in a business continuity plan is called a:
A. Crisis Communication Directory
B. Crisis Communication Plan
C. Call Directory
D. Notification Directory

Q1191. The Generally Accepted System Security Principles (GASSP) is
intended to provide an authoritative point of reference and legal reference
for information security principles, practices, and opinions. These
principles were modelled after:
A. Basel II Capital Accord
B. SAS 70
C. The Generally Accepted Accounting Principles (GAAP).
D. ISO/IEC 17799:2000

Q1192. Within any complex system, there are usually components or processes
that, if not replicated or otherwise backed up by redundant capabilities,
represent points of failure for the entire system. These are called:
A. Multiple points of failure
B. Cascading points of failure
C. Linear points of failure
D. Single points of failure


Q1193. When backups of data and system files are taken together, they are
often called:
A. Systems backup
B. Data backup
C. Incremental backup
D. Differential backup

Q1194. The process of combining multiple physical storage devices into a
logical, virtual storage device that can be centrally managed and is
presented to the network applications, operating systems, and users as
a single storage pool is called:
A. RAID
B. Storage virtualization
C. WAN
D. SAN

Q1195. Which of the following is not a visual programming language?
A. Control flow languages
B. Visual C++ language
C. Concurrent languages
D. Form based languages

Q1196. A high-speed, high-performance network that enables different servers
with different operating systems to communicate with one storage
device is called:
A. Network-Attached Storage (NAS)
B. Remote Access Storage (RAS)
C. Redundant Array of Inexpensive Disks (RAID)
D. Storage Area Network (SAN)


Q1197. The plan that addresses the restoration of business processes after an
emergency, but which lacks procedures to ensure continuity of critical
processes throughout an emergency or disruption is called a:
A. Business Continuity Plan
B. Crisis Communication Plan
C. Business Resumption Plan
D. Continuity of Operations Plan

Q1198. Procedures that are designed to enable security personnel to
identify, mitigate, and recover from malicious computer incidents, such
as unauthorized access to a system or data, denial of service, or
unauthorized changes to system hardware, software, or data.
A. Continuity of Operations Plan
B. Cyber Incident Response Plan
C. Crisis Communication Plan
D. Business Resumption Plan

Q1199. An IT-focused plan designed to restore operability of the target system,
application, or computer facility at an alternate site after an emergency
is called a:
A. Disaster Recovery Plan
B. Business Resumption Plan
C. Continuity of Operations Plan
D. Cyber Incident Response Plan

Q1200. A malicious user can change an application to get the full database. This
is a pitfall in which type of database security measure?
A. Passwords
B. User Accounts
C. Isolation
D. Backup


Q1201. The overriding principle behind most continuity plans is:
A. The protection of profits.
B. The protection of assets.
C. The protection of human life.
D. The protection of customers.

Q1202. The order of steps in the process of risk assessment for the purpose
of BCP is:
A. Asset identification and prioritization, Threat identification,
Exposure assessment, Objective formulation.
B. Objective formulation, Threat identification, Exposure
assessment, Asset identification and prioritization.
C. Asset identification and prioritization, Exposure assessment,
Threat identification, Objective formulation.
D. Objective formulation, Asset identification and prioritization,
Threat identification, Exposure assessment.

Q1203. The maximum amount of time allowed for the recovery of the
business function is called the:
A. Maximum Recovery Time Period
B. Critical Recovery Time Period
C. Minimum Recovery Time Period
D. Vital Recovery Time Period

Q1204. The technique that allows traffic to be distributed dynamically across
groups of servers running a common application so that no one server
is overwhelmed is called:
A. Server Load Balancing
B. Alternative Routing
C. Diverse Routing
D. Storage Area Network


Q1205. Computer viruses continue to pose a threat to the following
characteristics of information systems except:
A. Integrity
B. Availability
C. Reliability
D. Confidentiality

Q1206. Which of the following data items is MOST LIKELY to have its integrity
protected by controls over standing data?
A. Pay rate
B. Raw material receipts
C. Customer’s address
D. Quantity sold

Q1207. Object control is widely used in:
A. Single user systems
B. Multi-user systems only
C. Multi-user and distributed systems
D. Distributed systems only

Q1208. Run-to-run totals are part of which of the following controls?
A. Input control
B. Process control
C. Manual control
D. Output control

Q1209. All the following application system controls are considered preventive
in nature except:
A. Batch control totals
B. Authorization


C. Preprinted forms
D. Passwords

Q1210. Hacking by making use of information on waste/discarded paper is
termed -
A. Finger protocol
B. Ping
C. Dumpster diving
D. Social engineering

Q1211. Searching for weaknesses in the Windows NT and Unix Operating
Systems is an example of:
A. Active attack
B. Security control bypassing attack
C. Passive attack
D. Tear-drop attack

Q1212. Direct Manipulation Interfaces (DMI) cannot help reduce which of the following?
A. Error-rates
B. Learning time
C. Easy remembering of operations
D. System resources

Q1213. Which feature of RBAC specifies event-triggered conditions?
A. Role perspective
B. Role activation
C. Role hierarchy
D. Role based management


Q1214. Which access control mechanism does security label fit into?
A. Logical access control
B. Discretionary access control
C. Physical access control
D. Mandatory access control

Q1215. A data unit 01000101 sent from the source was received as 01111101.
What is the type of error?
A. Single-bit error
B. Byte error
C. Burst error
D. Spike error

Q1216. Which of these biometric tools uses thermal sensors along with infrared
rays for identification?
A. Key stroke dynamics
B. Iris/Retinal scan
C. Speech recognition
D. Fingerprint scanning

Q1217. In an automated processing system of records, processing control total
reconciliation is a type of -
A. File management control
B. Output control
C. Input control
D. Access control

Q1218. Hackers cover their tracks by masking their IP address. This is done
through:
A. Proxy Chaining
B. Denial of Service

C. Secure Sockets Layer hacking
D. IP spoofing

Q1219. The control procedure of installing the anti-virus software in the system
is called -
A. Preventive control
B. Compensating control
C. Detective control
D. Corrective control

Q1220. Which one of the following properties of information systems would be
compromised by the denial of service attacks?
A. Maintainability
B. Confidentiality
C. Reliability
D. Availability

Q1221. The logical access exposure involving data changing before and/or while
being entered into the computer is called -
A. Virus
B. Logical bombs
C. Trojan Horse
D. Data Diddling

Q1222. The general control that concerns the proper segregation of duties and
responsibilities is called -
A. An output control
B. An access control
C. Organisation control
D. A Processing control

Q1223. In network protection techniques for e-commerce, which one of the
following uses Secure Socket Layer (SSL):
A. DMZ
B. “Firewalls”
C. Network segregation
D. Data encryption

Q1224. Which type of constrained user interface does an ATM have?
A. Menus
B. Physically constrained user interface
C. Database views
D. Access control lists

Q1225. The following are the checks used to determine if a field contains data
and not zeros and blanks, EXCEPT -
A. Parity bits
B. Check digits
C. Batch headers
D. Trailer records

Q1226. Physical access control does not depend upon which of these factors?
A. Working environment
B. Hiring procedure
C. Public key infrastructure
D. Access privileges

Q1227. In a manufacturing company, which of the following computer files is
MOST critical?
A. Debtor’s file
B. Invoices paid file
C. Materials ordered file
D. Contingent liabilities file

Q1228. Viruses that can change their appearance and use encryption are known
as:
A. Boot sector virus
B. Polymorphic virus
C. Stealth virus
D. Multipartite virus

Q1229. Components of an ACL include _______
A. Roles
B. “Roles and rights”
C. Roles, rights and resources
D. Roles, rights, resources and filters

Q1230. Which aspect of command language differentiates it from menu-driven
languages?
A. Compatibility
B. Precision
C. Users type notation and initiate action
D. Speed in learning

Q1231. Which of the following would be considered a programmed input control
in an application program?
A. Read-after-write
B. Header-label checks
C. Embedded audit module
D. Reasonableness check

Q1232. Dual protection/mirroring provides protection against which of the
following?
A. Procedural error
B. Power loss
C. System software error
D. Application program error

Q1233. Which of the following is NOT a security concern while using Java?
A. Intrusion of Privacy
B. Message digests
C. Denial of Service
D. Irritations

Q1234. What is the methodology used in the Novell Netware Operating System
to implement the concept of Access Control Lists?
A. File Rights
B. Trusteeship
C. Authentication
D. Property Rights

Q1235. The unauthorised use of data files can be best prevented by using -
A. hardware lock
B. library control software
C. tape librarian
D. access control software & procedures

Q1236. Which of the following primarily assists in detecting real memory errors?
A. Valid character checks
B. Parity-based Hamming code check
C. Boundary register checks
D. Read-after-write checks

Q1237. The basic control requirement in a real time application system is:
A. Logging of all transactions
B. Logging of all terminals
C. Logging of console transaction
D. Audit log

Q1238. The best way to delete a highly confidential file from a microcomputer
would be by using which of the following:
A. Security card
B. Encryption routine
C. Disk utility
D. Multiplexor

Q1239. To make a password difficult to detect, it should be constructed according
to which of the following conventions shown below:
A. RAMA
B. TN37D2640
C. BHAGWAN SRIGANESH
D. XW7_TU

Q1240. Dial back modem uses which of the following features for external access
control?
A. SLIP protocol
B. “Port protection”
C. Point-to-Point Protocol
D. Blue boxes

Q1241. Computer forensics inspection has limitations due to:
A. Legal restrictions in the form of limited search warrants
B. CMOS information
C. Password Protection
D. Write-Protect capability

Q1242. For maintaining the integrity of data:
A. Security policy should not be integrated with general policy
B. Staff should be trained in validation and incident response
procedures
C. Backup should be done only of data and not codes
D. Auditing is required only of operating system

Q1243. Which is the most important step that can save a company from social
engineering attacks?
A. Creation of helpdesk rules
B. Making people accountable for jobs
C. Including social engineering in the social policy
D. Using Id cards

Q1244. A “dry pipe”, which is an arrangement to extinguish fires, is:
A. A sprinkler system where the water is in the pipe, but the outside
of the pipe is dry
B. A Halon gas system that contains a dry pipe
C. A carbon dioxide (CO2) gas system that has a dry chemical to
extinguish a fire
D. A sprinkler system where the water does not enter the pipes until
the automatic sensor indicates that there is a fire in the area

Q1245. A company has a policy to purchase microcomputer software only
from recognized vendors and prohibits employees from installing non-authorized
software on their microcomputers. To minimize the likelihood
of computer viruses infecting any of its systems, the
A. Restore infected systems with authorized versions.
B. Recompile infected programs from source code backups.
C. Institute program change control procedures.
D. Test all new software on a stand-alone microcomputer.

Q1246. A company’s labour costing report has to be corrected extensively due
to labour hours charged to inactive jobs. Which of the following controls
would prevent this from happening?
A. Reasonableness test
B. Validity test
C. Limit test
D. Control total

Q1247. A compensating control for the weakness in access controls is the
daily review of log files. The IS Auditor reviewing the adequacy of this
compensating control would be least concerned with -
A. the contents of the log file
B. the controls available and implemented for the protection of the
log file
C. list of persons authorised to alter the log file contents and the
software controlling the log file updating.
D. The period up to which the log file is retained

Q1248. A competitor would gain by accessing sensitive operating information
stored on computer files. Which of the following controls would best
prevent such losses?
A. Controlled disposal of documents
B. Encryption of data files and safe keeping of encryption keys
C. Access control at application system level
D. Access control at data base management system level

Q1249. A computer virus is a malicious code that can “infect” a computer
system. Which of the following statements is true about computer
viruses?
A. It can attach to a data field
B. It can attach to an executable program
C. It can attach to a data file
D. It can attach to a data record

Q1250. A computerized system should contain an audit trail of information to
facilitate detection of certain events. In an audit trail log of unauthorized
system access attempts, which of the following would not be included?
A. The terminal used to make the attempt
B. The date and time of access attempt.
C. The user-id used to make the attempt
D. The password used to make the attempt.

Q1251. A control procedure that checks that data was entered and does not
contain blank or zeros is called -
A. A mathematically calculated check digit
B. Control check to verify the data existence agrees to a
predetermined criteria
C. Completeness check
D. Reasonableness check

Q1252. A Data Base Management System locks out a record used by one user,
when it is simultaneously accessed by another user for updating. This
control is primarily intended to prevent:
A. Duplicate processing of transactions
B. LAN Server Overload
C. Transaction processing delay
D. Concurrent transaction processing

Q1253. A detective control designed to establish the validity and appropriateness
of numeric data elements, and to guard against errors made in
transcribing or keying data is -
A. Sequence check
B. Record check
C. Check digit
D. Field-size check

Q1254. A fraud involving accessing data by using other’s password and altering
the same for gain, was detected and investigated. The IS Auditor, during
investigation will be in a position to provide information about all the
following except –
A. details of access control procedures in use
B. administration of password security
C. the hurdles crossed by the perpetrator of the fraud
D. preventive methods to avoid similar attempts

Q1255. A hacker changes data stored in hidden form fields to reduce the price
in online shopping. This type of attack is called:
A. Denial of Service
B. Dynamic Scripting
C. Data Manipulation
D. Identity Spoofing

Q1256. A main advantage of standard access control software implemented
properly is -
A. use of security guards can be dispensed with
B. physical access to back up storage devices can be restricted
effectively
C. authorized files are logically allowed access to authorized users
D. data entry by the user department is made easy

Q1257. A major advantage of associating passwords with users in the access
control mechanism, over associating the passwords with the resources
is -
A. Processing time saved is substantial.
B. Control can be exercised to a very fine level of authorisation
C. Users need to remember only a single password rather than multiple
passwords
D. Security administration is made simple

Q1258. A major drawback of a remote dial up network communication system
is
A. absence of logging of attempted sign-on
B. inability to disconnect after invalid access attempts
C. existence of call forwarding devices
D. required display of user codes and passwords

Q1259. A manually calculated figure of Rs. 12,50,000 was entered before
running a batch program for preparing vendor cheques in an accounts
payable system. The computer is programmed to display an error
message if the total amount of cheques prepared does not eq
A. A parity total
B. Check digit
C. A hash total
D. A control total

Q1260. A newly released virus was introduced into the LAN from a floppy drive in one
of the workstations connected to the LAN. The existence of such virus
in the LAN will be revealed effectively by which of the following?
A. ensuring compulsory scanning of all floppy disks before use
B. formatting of the network file server
C. regular scanning of all network drives as per the established
routines
D. installing anti-virus software on all nodes

Q1261. Access control list of a firewall can have the following parameters, on
the basis of which it may filter access, EXCEPT one.
A. IP address
B. Activity/service type
C. Port
D. Network interface card

Q1262. A reasonably controlled practice in the distributed executable programs
that execute in the background of a web browser client, like Java applets
and ActiveX controls, is -
A. installation of a firewall
B. usage of a secure web connection
C. acceptance of executables only from an established and trusted
source
D. hosting the website as part of your organisation

Q1263. A receipt control is LEAST LIKELY to cover which of the following
exposures associated with online output?
A. User’s failure to read a message because they are absent
B. Improper forwarding of a message to another party
C. Acceptance of a letter bomb from an anonymous source
D. Downloading of a program file containing a virus

Q1264. A remote dial up order entry system using portable computers for
salesmen to place orders should have the following control system to prevent
it from misuse.
A. Modem equalisation
B. A call back procedure
C. An error-correcting code
D. Frequent access code revalidation

Q1265. A risk associated with the use of laptop computers is their loss or theft
and consequent disclosure of confidential information stored on them.
Which one of the following control measures is most effective and
inexpensive to protect the information stored
A. Briefings of users
B. Removable data storage media
C. Screen saver passwords
D. Encryption of data files on stored media

Q1266. A verification process by adding one or more redundant digits at
the end of a word or number, derived in relation to the other
digits in the word or number, is called -
A. Hash total verification
B. Parity check verification
C. Check digit verification
D. Input edit check verification

Q1267. Abuse of information system (IS) is BEST described as:
A. Unauthorized modification of pay roll cheque printing program to
inflate the amount for the perpetrator.
B. Any incident involving the IS whereby a perpetrator is able to
inflict a loss to a would-be victim for his/her personal gain
C. Breaching the security of the IS resulting in destruction of
hardware or software
D. Willful damage to IS hardware or software.

Q1268. Access Control is implemented using __________ in Windows NT and
__________ in Unix?
A. Access control List and file system
B. Security Reference Manager and Syslog
C. File system and Access control List
D. Syslog and Security Reference Manager

Q1269. Access control procedure provides for access rights administration by
the Security administrator. However, the access to production data
should be authorised by –
A. Data owner
B. Data custodian
C. System analyst
D. Application programmer

Q1270. Access to an online system running an application program requires
users to validate themselves with a user ID and password. This helps
in providing -
A. context-dependent security
B. write protect security
C. data security
D. physical security

Q1271. All of the following are environmental controls employed in an IS
department EXCEPT –
A. External file header label on storage device
B. Fire extinguishers
C. Good housekeeping procedures
D. UPS

Q1272. Which one of the following threats would cause the greatest concern to
an auditor auditing the data centre of a client organization?
A. Gun powder is stored in the basement of the building where the
data centre is also located
B. The data centre is located near an airport.
C. The data centre is in close proximity (i.e., between one and
two miles) to one engaged in the refinement of highly explosive
chemicals or combustible and volatile products
D. The data centre is five to ten miles away from a nuclear power
plant

Q1273. The controls and procedures used in a program before data is
processed are called -
A. Edit controls
B. Detective controls
C. Corrective controls
D. Compensating controls

Q1274. While classifying controls on the basis of the operations involved, input
control can be classified as -
A. Organisation control
B. General control
C. Processing control
D. Application control

Q1275. While attempting to discover a valid password, with which of the following
factors is a perpetrator least concerned?
A. The character set from which the password is composed
B. The password length
C. The power of the computer used to break the password code
D. The number of failed login attempts allowed before disconnect

Q1276. While carrying out an IS security review, the IS auditor observed the
following controls present in the client’s IS security system. Which of
these controls may detect that an IS security violation has occurred?
A. Terminals are disabled after three failed login attempts
B. Passwords are changed periodically
C. Log books are reviewed by security personnel
D. Employee ID cards are in use

Q1277. While carrying out IS Audit, you have discovered a Trojan Horse
program in the computer system. Which of the following actions would you
take FIRST?
A. Start an investigation to find its author
B. Immediately remove the code containing the portion of “TROJAN
HORSE”
C. Investigate the underlying threat if any
D. Install a compensating control

Q1278. While designing logical access controls it is often required to balance
some of the often-competing interests. Which one of the following
should receive the highest priority while making a tradeoff when
designing such controls?
A. Security principles
B. Operational requirements
C. User-friendliness
D. Technical constraints

Q1279. While establishing an information security program, which of the following
steps comes first?
A. Adoption of a corporate information security policies
B. Preparation, adoption and implementation of an information
security standards manual
C. Acquisition of access control security software
D. A comprehensive security controls review by the IS auditor

Q1280. While implementing an application control system the management
wants to ensure that the critical fields in the master record are
properly posted. Which of the following controls may best address their
intention?
A. Reasonableness checks
B. Before and after maintenance report
C. Field checks
D. Control totals

Q1281. While reviewing an organisation that has a mainframe and a client/
server environment where all production data reside, the IS auditor
discovered several weaknesses. The most serious weakness of the
following is -
A. The database administrator also serves as the Security Officer.
B. Business continuity plan for the mainframe systems non-critical
applications is not proper
C. Regular back ups by many of the LAN nodes are not taken in the
file server.
D. Password controls are not administered over the client/server
environment

Q1282. While reviewing the file identification standards in a client, the IS auditor
may not be concerned with which of the following:
A. Retention period standards
B. Periodic file inventory
C. External labeling standards
D. High-level qualifier standards

Q1283. While reviewing the telecommunication access control, the primary
concern of the IS Auditor will be on the -
A. access logs on usage of various system resources
B. protection of stored data in the server by encryption or otherwise
C. ensuring accountability and identifying terminals accessing system
resources
D. proper procedure for verification of User ID and passwords,
ensuring authorisation and authentication before granting access
to resources

Q1284. Within an EDI system, which of the following is used to determine
non-repudiation? Only digital signatures can ensure non-repudiation of
messages, since the messages are signed by the private key of the
sender, which is known only to the sender.
A. Private key cryptosystem.
B. Digital Signatures.
C. Spoofing.
D. Terminal ID and password.

Q1285. Which of the following statements regarding computer viruses is correct?
A. Using precompiled programs prevents the invasion of computer
viruses.
B. A “Trojan horse” is the same as a computer virus.
C. Scanning incoming e-mail would prevent all virus infection.
D. Computer security techniques can reduce the threat of computer
viruses.

Q1286. Which of the following terms best describes the purpose of control
practice over the input -
A. Authorisation of access to data files
B. Authorisation of access to program files
C. Completeness, accuracy and validity of update
D. Completeness, accuracy and validity of input

Q1287. Which of the following tests the compliance of internal accounting
control procedure?
A. getting confirmation letters from each of the Creditors and debtors
B. preparation and analysis of significant accounting ratios
C. reconciliation of balance of accounts and finding control totals
D. document inspection for verification of performance by employees

Q1288. Which of the following would be of great concern to an auditor reviewing
a policy about selling a company’s used microcomputers which have
been used to process sensitive information?
A. Whether deleted files on the hard disk have been completely
erased.
B. Whether the computer has viruses.
C. Whether all the software on the computer is properly licensed.
D. Whether the computer has terminal emulation software on it.

Q1289. Which of the following would not be appropriate to consider in the
physical design of a data centre?
A. Evaluation of potential risks from air flight paths
B. Proximity to earthquake zone.
C. Design of authorization tables for operating system access.
D. Inclusion of an uninterruptible power supply system and surge
protection.

Q1290. Which of the following is the BEST procedure to find out whether
program documentation access is restricted only to authorized persons?
A. Back up and recovery procedure evaluation
B. Interview the programmers about the procedures currently
followed and if possible conduct a physical inspection of actual
access procedures
C. Programme library utilisation record verification
D. Review the detective control logs

Q1291. Which of these access control mechanisms is not based on multi-level
security?
A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Role Based Access Control (RBAC)
D. Internal Access Control

Q1292. Which of these transaction types occupies the highest level of
significance for application control?
A. Error correction transactions
B. Master file change transactions
C. Normal transactions
D. Batch control transactions

Q1293. Which one of the following application controls is considered to be
detective in nature?
A. Maintaining transaction logs of terminal activity
B. Storing backup copies of application files in remote locations
C. Range check in an on-line data-entry system
D. Assigning passwords to users

Q1294. Which one of the following authentication mechanisms would be difficult
to implement when a mobile user is accessing a host computer?
A. Static password exchange mechanism
B. One-time password mechanism
C. Challenge response mechanism
D. Address-based mechanism

Q1295. Which one of the following computer fraud methods relates to obtaining
information that may be left in or around a computer system after the
execution of a job?
A. Scavenging
B. Data diddling
C. Salami technique
D. Piggybacking

Q1296. Which one of the following password construction procedures would be
the most difficult to remember?
A. Use a random number generation algorithm
B. Reverse or rearrange the characters in the user’s birthday
C. Reverse or rearrange the characters in the user’s native place.
D. Reverse or rearrange the characters in the user’s spouse’s name

Q1297. Which one of the following statements is not true with regard to physical
security?
A. Examining the age of the cabling is not significant
B. Lack of proper cooling facility may cause hardware failure
C. Locked gates, entrances, parking places are properly lit
D. Employees have to undergo training in physical security

Q1298. Which one of the following user identification and authentication
techniques is least expensive and least secure?
A. Memory tokens
B. Retina scanner
C. User Ids and passwords
D. Smart tokens

Q1299. Which one of the following statements is not true about audit trails?
A. If a user is impersonated, the audit trail will establish events and
the identity of the impersonator.
B. There is an interdependency between audit trails and security
policy.
C. Audit trails may assist in recovery in case of certain types of
processing failure.
D. Audit trails can be used to identify breakdowns in logical access
controls.

Q1300. Which of the following instruments is used to measure atmospheric
humidity in Data Centres?
A. Hydrometer
B. Hygrometer
C. Barometer
D. Voltmeter

Q1301. Which one of the following user identification and authentication
techniques uses reference profiles or templates?
A. Fingerprint recognition
B. Memory tokens
C. Smart tokens
D. Cryptography

Q1302. Access to the work area is restricted through a swipe card or only
through an otherwise authorised process, and when visitors enter the work
area they are issued a pass and escorted in and out by a concerned
employee. This type of control is called -
A. Organisational controls
B. Physical access controls
C. Logical access controls
D. Operational controls

Q1303. Accounts Receivable Section personnel for a manufacturer frequently
access computer data on customer and product sales. Logical access
control for these users would be
A. Inappropriate
B. Use of an Accounts Receivable Section password
C. Use of individual passwords
D. Use of individual passwords plus separate access passwords for
customer data and product data

Q1304. After an action has been performed successfully in a database, the
changes are permanent, and must be present, even after a subsequent
failure. This is a principle of:
A. Durability
B. Atomicity
C. Consistency
D. Isolation

Q1305. After you enter a purchase order in an on-line system, you get the
message, “The request could not be processed due to lack of funds in
your budget”. This is an example of error
A. Detection
B. Correction
C. Prevention
D. Recovery

Q1306. Which of these devices can be used to evade the firewall?
A. Routers
B. Modems
C. Switches
D. CPU

Q1307. All the following features help discover a valid password, EXCEPT -
A. the nature and character of the password content
B. the number of letters in a password
C. the number of times attempts are allowed before disconnection due
to incorrect password.
D. The complexity of construction and special characters used for
construction.

Q1308. All the following statements are true regarding a water-based fire
extinguishing system except:
A. Water cools the equipment relatively quickly
B. The release of water can be localized to where it is needed
C. Water and Halon gas systems cannot co-exist
D. Jet sprayers can be an alternative to water sprinklers

Q1309. An access control policy for a Customer Service Representative in a
banking application is an example of the implementation of a:
A. User-directed policy
B. Role-based policy
C. Identity-based policy
D. Rule-based policy

Q1310. An access control review conducted by an IS auditor highlighted the
following control weaknesses in the system. Which of these weaknesses will
not result in an exposure?
A. Audit trails are not enabled
B. Programmers have access to the live environment
C. Group logons are being used for critical functions
D. The same user can initiate transactions and also change related
parameters

Q1311. An auditor suspected that a program calculating interest on advances
gave erroneous results for certain conditions. In an earlier audit, the
auditor found no evidence of erroneous processing. The best audit
technique for investigating possible errors in t
A. Mapping
B. Use of a test deck
C. Integrated test facility
D. Snapshot

Q1312. An auditor using an integrated test facility (ITF) should:
A. Reverse ITF data from production data at appropriate cutoff times
B. Analyze ITF data to determine the reasonableness,
completeness, and consistency of data files
C. Embed ITF routines in production programs to sample specified
transactions
D. Code a test routine to process production data

Q1313. An auditor wishes to detect duplicate payments of an invoice in an
automated accounts payable system. Which of the following sorting
orders of the accounts payable file would contribute to this objective?
A. Payment number and date of payment
B. Payment number and amount of payment
C. Invoice number and amount of payment
D. Invoice number and date of payment

Q1314. An incorrect end-of-file protocol in an application update program tends
to result in which of the following?
A. Program getting into loops
B. Transaction file records not being processed
C. Standing data getting corrupted
D. The incorrect internal label being inserted into the header record
on a file

Q1315. An interest calculation program of a Bank has several schemes and
several interest rates. The MOST APPROPRIATE control to verify the
correctness of the interest rates entered into the program is :
A. Interviewing all data entry operators about the method of input
entry adopted
B. Physical verification of actual data entry operations
C. Usage of CAATs to verify the interest rates
D. Reviewing independently the transaction listing

Q1316. An IS auditor carrying out review of logical access control, shall have
the PRIMARY OBJECTIVE of
A. ensuring that access is given in accordance with the
organisation’s authorities
B. reviewing the software based access controls
C. carrying out personal examination of the existing physical access
environment
D. using CAAT techniques to know the access provided in the
software

Q1317. The most common concern regarding physical access to a data centre
is:
A. Piggybacking
B. Locks and keys
C. Fire suppression system
D. Electronic access control system

Q1318. An IS Auditor carrying out security review for verification of the
implementation of certain security measures, will be LEAST concerned
about -
A. the timely and efficient delivery of information by the EDP
department
B. existence of adequate controls to minimize the potential for loss
due to computer fraud or embezzlement
C. installation of proper physical security cover over the data
processing installation
D. preparations and plans for the accidental damage or loss in the
IPF

Q1319. An IS Auditor verifying the Physical and environmental control of an
IS facility has found that there are no adequate fire detection and fire
control facility available in the premises. Which of the following will help
alleviate a disaster BEST in the eve
A. Sufficient fire insurance cover
B. Proper Annual maintenance contract
C. Properly updated off-site storage of master and transaction files
D. Availability of back up processing facilities

Q1320. An IS Auditor, concerned that application controls are not adequate
to prevent duplicate payment of invoices, decided to review the data
processing files for possible duplicate payments. Which of the following
techniques/tools would be useful to the IS Au
A. An integrated test facility.
B. Statistical sampling.
C. Generalized audit software.
D. The audit review file.

Q1321. An online banking system permitted withdrawals from inactive customer
accounts. Which of the following controls would prevent this weakness:
A. Check-digit verification
B. Master file lookup
C. Duplicate record check
D. Range check

Q1322. An on-line data entry program is used for original entry of vendor
invoices. Subsequently a batch cheque-writing program is used to
prepare cheques; occasionally it is found that a cheque for a vendor
not yet included in the vendor file is prepared with n
A. A record lookup for vendors during data entry of vendor invoices
B. A batch control total check on vendor payments
C. A completeness test on fields in the cheque-writing program
D. A verification of vendors in the cheque-writing program

Q1323. An on-line teller application abruptly shuts down while some transactions
are in process. The best control to ensure that each unfinished
transaction is completed successfully when the system resumes
operation is:
A. Automatic restart that prompts tellers to complete in-process
B. Manual reconstruction of in-process transactions by tellers
C. Computer reconciliation of accepted-item totals
D. Manual reconciliation of accepted-item totals


Q1324. Application access control will be seriously jeopardised if -
A. Passwords are allowed to be shared
B. Password files are not encrypted
C. Redundant log-on IDs are removed
D. Allocation of log-on IDs is controlled

Q1325. Arithmetically, business risk is defined as business value x threat x
vulnerability. Thus if there are no threats it means that the business risk
A. Does not exist
B. Exists
C. Will exist in future
D. None of the above

Q1326. Because of the sensitivity of its data, a database system for business
forecasting was implemented with access control at different levels.
Users’ initial log-in would be controlled by
A. Integrated Test Facility
B. Database authorizations
C. Application software
D. Operating System

Q1327. Before disposing of a PC used for storing confidential data, the most
important precautionary measure to be taken is -
A. mid-level formatting of hard disk
B. deleting all the files in the hard disk
C. deleting all the data on the hard disk
D. demagnetising the hard disk


Q1328. Changes made online to important master records will not be noticed
by which of the following controls?
A. proper authorisation of updates before the actual entry of the
update in the system
B. the complete listing of all updates made are daily taken and
verified by independent supervisor
C. data entry operators are not authorised to operate the update
command, which shall be executed by an independent supervisor
after verification
D. access to master records denied to data entry operators, but
given only to independent supervisor

Q1329. Confidentiality of sensitive data transmitted over public communication
lines could best be protected by
A. Cable Modems
B. Authentication Techniques
C. Call-back techniques
D. Cryptographic devices

Q1330. Complete and accurate transmission of data can be ensured by which
of the following measures?
A. protecting all program files with password
B. implementing reconciliation procedures at the microcomputer and
mainframe levels
C. implementation of proper back up and review procedures
D. regular review of transmission equipment problems and proper
procedure for logging of all maintenance activities of transmission
equipments

Q1331. Computer viruses could be detected by which one of the following
actions?
A. Maintain backups of program and data.
B. Monitor usage of the device.
C. Use write-protect tabs on disks.
D. Examine the creation date and file size.

Q1332. Data once input into the computer system cannot be changed in an
unauthorised manner. The controls established to achieve the above
objective is called –
A. data security controls
B. detective controls
C. compensating controls
D. operations controls

Q1333. Data security function review examines the following areas EXCEPT –
A. Security policy and responsibility for implementation
B. Application controls
C. Access controls
D. Password administration controls

Q1334. Which of the following resources is not controlled by application
controls?
A. User
B. Data processing environment
C. Automated application system
D. Data used for the application

Q1335. Duplication of submitting corrections to errors could be prevented by:
A. After errors have been corrected, the error reports should be
discarded
B. Data input validation programs should highlight the situation by
showing input controls do not balance
C. Corrected errors should be initialed by the person correcting the
error
D. Only one person should be responsible for correcting errors in
any application system

Q1336. During a fire in a data centre, an automatic fire suppression system
would first:
A. Cut power to data processing equipment.
B. Disengage the uninterruptible power supply.
C. Sound an alarm and begin a timed countdown.
D. Activate the fire extinguishing system.

Q1337. During a review of system access rules, an IS Auditor noted that the
System Administrator has unlimited access to all data and program files.
Such access authority is:
A. Appropriate, but all access should be logged.
B. Appropriate, because System Administrator has to back up all
data and program files.
C. Inappropriate, since access should be limited to a need-to-know
basis, regardless of position.
D. Inappropriate, because System Administrator has the capacity to
run the system.

Q1338. Which is the right combination with respect to pointing devices?
A. Light pen and tablet.
B. Mouse and digitizer.
C. Digitizer and tablet.
D. None of the above.


Q1339. Which of the following is a special signal sent by the different hardware
devices to the Operating System (OS)?
A. Process
B. Threads
C. Interrupts
D. Applications

Q1340. During the review of logical access controls over a company’s
various application systems, an auditor found that access controls are
programmed into each application. The best recommendation in this
situation is to:
A. Consider the use of access control software.
B. Consider the use of utility software
C. Consider the use of Data Base Management System
D. Expand the use of the built-in access controls to new
applications.

Q1341. An electronic card access system is used to control access to a data
centre. The documentation for this system should be up-to-date and
should include:
A. Procedures for annual review of the security reports.
B. Identification of the cardkeys documenting the data centre areas
to which they grant access.
C. A list of all cards issued and the individuals to whom they were
issued.
D. Identification on the cardkeys documenting the name and address
of the data centre.

Q1342. Errors in a computer-based information system are less tolerable
than in a manual system primarily because:
A. Users have almost a blind faith that any output generated by a
computer has to be correct
B. Computer systems commit errors sporadically and not in a
pattern
C. If a program is erroneously coded, it commits errors at a very
high speed resulting in wastage of resources for locating and
correcting it besides the loss
D. Computer systems handle large volumes of data

Q1343. Establishing effective access control through the use of a sign-on
procedure involves -
A. entering of log-on ID by the user
B. entering of password by the user
C. identification of terminal being used by the user
D. authorisation procedure involving authentication through the entry
of user log-on ID and password and the terminal ID.

Q1344. The exposure that could be caused by the line-grabbing technique
is -
A. excessive usage of the hard disk space
B. blocking of CPU functions
C. transmission delay
D. unauthorised access to data

Q1345. Expected losses associated with rounding errors in a calculation are
MOST LIKELY to be mitigated by which of the following application program
controls?
A. Calling two or more subroutines that perform the same calculation
using different algorithms
B. Printing run-to-run control totals to allow the accuracy and
completeness of computations to be checked
C. Avoidance of closed routines when arithmetic instructions are
executed
D. Minimisation of human intervention in providing parameter values


Q1346. Which of these components of NFS uses authentication?
A. Cache file system
B. Virtual file system
C. Mount protocol
D. Remote procedure call

Q1347. For a high security installation the most effective physical access control
device is
A. User ID and password
B. Magnetic Card reader
C. Bio-metric devices
D. Laser activated photo identification.

Q1348. For a stand alone system, the best security control is to have -
A. User ID and passwords
B. Detailed logical access control procedures
C. Restricted physical access
D. Regular back ups taken at periodical intervals

Q1349. For eCommerce deals through web based transactions involving
acceptance of payment through credit cards, installation of a firewall with
strict parameters is required, having impact on the transaction itself.
State the parameter having the LEAST impact over
A. Encryption of all transactions
B. Authentication of all transaction in time
C. Architecture of the firewall hiding the internal network
D. Exchange of traffic through the firewall at the application layer
only


Q1350. The malicious program which puts a constraint on a server’s activities over
the network is:
A. Virus
B. Trojan horses
C. Logic bombs
D. Worms

Q1351. For reviewing the physical security of the IPF facility, the necessity of
the following document is the LEAST -
A. Complete details of the IPF floor plans
B. SDLC procedure statement
C. List of all authorised users of IPF
D. Detailed organisation chart

Q1352. For secure exchange of data, database has to ensure ACID properties.
A property of database that avoids conflict between two or more
transactions running simultaneously is:
A. Atomicity
B. Consistency
C. Integrity
D. Durability

Q1353. For successful implementation of preventive security it is necessary
that
A. Preventive security should be implemented based on activities of
the company
B. Preventive security should always remain the same
C. Preventive security should not be related to the cost
D. Preventive security need not be based on any policy


Q1354. For which of the following audit tests, parallel simulation would be an
appropriate approach:
A. Testing for the presence of authorized signatures on documents
B. Summarizing the results of accounts receivable confirmation work
C. Scanning the general ledger file for unusual transactions
D. Re-calculating amounts for declining balance depreciation charges

Q1355. For which of the following options does the Demilitarised Zone (DMZ)
Security in e-commerce work as a protection technique?
A. Network protection
B. Application-level protection
C. Platform protection
D. Database protection

Q1356. Hackers avoid detection of attacks by changing the URL such that it is
difficult to write programs to detect the attacks. This is done through:
A. Spoofing
B. Physical attacks
C. Smurfing
D. Hexadecimal encoding of URLs

Q1357. Host 1 wants to prove its identity to Host 2. Host 2 is also authenticating
Host 3, but by mistake uses Host 1’s credentials. This is possible in
which type of authentication?
A. Zero Knowledge Proofs
B. Message Digests
C. Kerberos
D. Token Authentication


Q1358. How would the control in a loan processing edit program which ensures a
logical relationship between the amount advanced, the number of
repayments and the installments be classified:
A. A format check
B. An existence check
C. A dependency check
D. A sequence check

Q1359. In mainframe operating system software all of the following controls
can be incorporated EXCEPT –
A. header-label checks
B. address reference checks
C. parity checks
D. record length checks

Q1360. Implementation of control totals should begin at which point to prevent
the loss of data during processing?
A. in the error report given for verification to the user department
B. in the computer itself at the time of processing
C. at the time of process changeover
D. at the time of data preparation & at input stage

Q1361. Implementing a firewall is not the best solution for Virtual Private
Networks because:
A. Firewalls cannot detect spoofing attacks.
B. Firewalls cannot be installed on VPNs
C. Firewalls cannot alter data over a network
D. All of the above


Q1362. In a Bank, the updating programme for bank account balances
calculates a check digit for account numbers. This procedure is called -
A. File management control
B. Output control
C. Input control
D. Access control

Q1363. In a central computer system users specify where their output is printed,
but some users give the wrong destination code and tie up other
departments’ printers. The best approach to ensure that printing occurs
on an appropriate device is to:
A. Centrally monitor the print queues for correct destinations
B. Create destination defaults for printing based on each employee’s
departmental affiliation.
C. Centrally print and distribute the outputs.
D. Train current users in how to specify the right destination codes
for their printing.

Q1364. In a client server environment, if all printing options are commonly
accessed by all users, it may result in the following exposure -
A. unauthorised users may receive information
B. any one can print any report at any time thereby improving
operating efficiency
C. information is easily available
D. flexibility and user friendliness is facilitated

Q1365. In a data processing environment, where the data is centrally stored at
a database and data entry is carried out from remote terminals, it would
be more effective to perform editing/validation of data at the:
A. Remote processing site after transmission to the central
processing site.
B. Central processing site after application program processing.
C. Central processing site during application program processing.
D. Remote processing site prior to transmission to the central
processing site.

Q1366. In a Denial of Service attack, a TCP SYN flood attack is an example of:
A. Network Resource exhaustion
B. Memory consumption
C. Exploiting of the target’s own resources
D. Configuration information alteration

Q1367. In a microcomputer small business environment, which of the following will be
the BEST security control procedure that can be employed effectively?
A. day to day review by the management of the trouble log
B. storage of computer back up media in a security area
C. application system design to be reviewed independently
D. regular and daily supervision and monitoring of computer usage

Q1368. In a network using Novell Netware, a user has full rights to a directory.
The user, however, must not access one file in that directory. What
feature of Netware can be used to achieve this?
A. Inheritance
B. Inherited Restriction Filter
C. Attributes
D. Security Equal To

Q1369. In a stand-alone small business computer environment which control
procedure for security will be the most effective?
A. Review of the trouble log by the management everyday
B. Closely supervising the usage of computers
C. Using a locked cabinet for storage of all computer media
D. An independent quality assurance review of all applications
developed


Q1370. In an accounting audit trail for online output, which of the following
information is LEAST LIKELY to be stored?
A. The time at which the output was received
B. The contents of the output
C. The persons who received the output
D. The resources consumed to produce the output

Q1371. In an accounting audit trail for the processing subsystem, which of the
following events is MOST LIKELY to be included?
A. Hardware malfunctioning
B. Attempted integrity violation
C. A triggered transaction
D. Program start time

Q1372. In an accounts payable system, clerks who enter invoices for payment
also maintain the file containing valid vendor codes. This practice
increases the risk that:
A. The vendor table will not contain current information.
B. Clerks will enter an incorrect but valid code for payment.
C. Vendors not in the table file will be paid.
D. Unauthorized vendors’ invoices will be pai

Q1373. In an inventory maintenance application, the batch processing to update
the inventory master file could not detect several inventory transaction
records that were missing. Identify the pair of controls that would help
to ensure that missing records are de
A. Record counts and hash totals
B. Limit tests and record counts
C. Hash totals and reasonableness tests
D. Check digits and missing data tests


Q1374. Which of the following is NOT a condition for deadlock to arise?
A. Lockout
B. Pre-emption
C. Circular wait
D. Additional request

Q1375. In an IS environment, routing all links to external systems via a firewall,
scanning all diskettes and CDs brought in from outside the company
before use and use of anti-virus software to update users’ anti-virus
configuration files every time they log in,
A. Corrective controls
B. Preventive controls
C. Detective controls
D. Programming controls

Q1376. In an online processing system, to reconstruct correctly the interrupted
transactions on a failure, the system should have a control procedure
called -
A. Reconciliation of batch control totals
B. Anticipation and hash total
C. Concurrency and sequence number
D. Logging and restart verification

Q1377. In auditing an on-line perpetual inventory system, an auditor selected
certain transactions for detailed testing. The audit technique which will
provide a computer trail of all relevant processing steps applied to a
specific transaction is described as:
A. Simulation
B. Snapshot
C. Integrated Test Facility
D. Tagging and tracing


Q1378. In deciding about “need to know” basis access for the following,
data classification plays an important role:
A. Test programs and data
B. Production programs and data
C. Test and production programs
D. Production and test data and programs

Q1379. In general, mainframe computer production programs and data are
adequately protected against unauthorized access. Certain utility
software may, however, have privileged access to software and data.
The risk of unauthorized use of privileged software could
A. Preventing privileged software from being installed on the
mainframe
B. Restricting privileged access to test versions of applications.
C. Limiting and monitoring the use of privileged software.
D. Keeping sensitive programs and data on an isolated machine.

Q1380. In general, output controls over reports of batch systems would be more
compared with that of online systems because:
A. Batch output is more detailed than online output.
B. There are more intermediaries involved in producing and
distributing batch output.
C. Only managers typically receive online reports so less misuse is
likely.
D. The only way to breach the privacy of online reports is to wiretap
the communications line

Q1381. In implementing a covert storage channel whereby one process can
communicate sensitive information to another unauthorised process,
which of the following techniques is UNLIKELY to be used?
A. Changing the number of files deleted from a directory
B. Changing the name of a file in the directory
C. Changing the workload demands placed upon the central
processor
D. Changing the date on which a file was last modified

Q1382. In preventing unauthorised access to a computer file from a remote
terminal, which of the following controls can be used with best results?
A. User ID and passwords
B. Biometric checks
C. Frequently changed access controls
D. Call back procedures

Q1383. In relation to an output recovery process, which of the following factors
makes the recovery process EASIER?
A. In-place update rather than batch update is used
B. Avoidance of use of checkpoint facilities
C. Transaction data to be recovered instead of status data
D. Lack of use of spooling or printer files

Q1384. In relation to database access controls, which of the following types of
access control is the most difficult to enforce?
A. Content-dependent access control
B. Name-dependent access control
C. History-dependent access control
D. Context-dependent access control

Q1385. In relation to online output production and distribution which of the
following exposures is LEAST LIKELY to be covered by source
controls?
A. Lack of authenticity in relation to files that can be accessed
publicly through Internet
B. Unauthorised modification of an online output distribution list kept
on a list server
C. Unauthorised placement of copyrighted information in Web pages
D. Inappropriate use of information obtained from a bulletin board

Q1386. In the case of generalised software that is available to interrogate the
operations audit trail in the processing subsystem, which of the following
would NOT be a report that could be typically generated?
A. Account implosion report
B. Program run time report
C. Hardware utilisation report
D. Report on programs abnormally terminated

Q1387. In the case of online output, which of the following is LEAST LIKELY to
be an exposure covered by disposition controls?
A. Unauthorised copying of online output to diskettes
B. Unauthorised viewing of confidential data displayed on a screen
by a passerby
C. Failure to forward e-mail received in a general mailbox to persons
responsible for addressing the matters mentioned in the e-mail
D. Forwarding of confidential e-mail to unauthorised parties

Q1388. In Windows XP, which component controls access to the credentials of
users who are permitted to log onto the system?
A. Certification Authority
B. Credentials Prompting User Interface
C. Group Policy Settings
D. Local Security Authority

Q1389. Inaccurate data input can NOT be detected by the employment of which
of the following controls?
A. Reasonableness checks
B. Validity checks
C. Completeness checks
D. Hash totals and run-to-run totals

Q1390. Information system crimes and abuses in comparison to those of the
general category are likely to be
A. Of less serious nature
B. Unaffected by stringent legal and/or organizational controls
C. Of higher volume and of bigger size
D. Punishable by law relatively easily

Q1391. An IS Auditor performing a security review will perform all the following
steps. However, he will begin with -
A. Test of evidence of physical access at suspected locations
B. An overview understanding of the functions being audited and
evaluation of the audit and business risk
C. Determining the risks/threats to the data centre site
D. Interviewing people at the site for the specific tasks performed by
them.

Q1392. IS security policy of an organisation will not contain details about the
following:
A. the overall security philosophy of the organisation
B. the authorisation procedure for accessing data
C. security awareness programme
D. highlights and identity of the sensitive security features

Q1393. It would not be possible to use the Checkpoint/restart facilities when:
A. A power loss occurred
B. The hardware temporarily malfunctioned.
C. A wrong tape reel is loaded in a multireel file
D. The program contained a serious logic error


Q1394. Kerberos is a user authentication mechanism. Which of the following
methods does it not use to establish a secure connection between the
client and the target server?
A. Tickets
B. Secret key
C. Password
D. Encryption

Q1395. A lock-and-key mechanism is MOST likely to be used in which of the
following types of real memory access control system?
A. Single user, contiguous storage allocation system
B. Multiple user, contiguous storage allocation system
C. Single user, non-contiguous storage allocation system
D. Multiple user, non-contiguous storage allocation system

Q1396. Logging of authorised and unauthorised attempts to access the
computer systems and disconnection of a terminal after it has been
inactive for a period of time are classified as
A. Physical access controls
B. Terminal access controls
C. Processing controls
D. Operations controls

Q1397. Logical access controls are built into ___________
A. Software and operating system
B. Operating system, hardware and communication devices
C. Software, hardware, operating system and communication devices
D. Communication devices and operating system


Q1398. Logical access security could be compromised by various elements
of a computer system. Which one of the following could contribute to
compromise of security?
A. Smart cards with PIN
B. Non-reusable passwords
C. Last login messages
D. Network cabling

Q1399. Many users on a network want to use a single Operating System (OS)
to perform their tasks. Which of the following operating systems can be
used in this situation?
A. Real-time Operating System (RTOS)
B. Single-User Operating System
C. Multi-tasking Operating System
D. Multi-user Operating System

Q1400. Mr. R sends a signed message to Mr. S. If a public key cryptosystem
is used for sending the messages, then Mr. R encrypts the message
under -
A. Mr. R’s private key
B. Mr. S’s public key
C. Mr. R’s public key
D. Mr. S’s private key

Q1401. On-Line Analytical Processing (OLAP) is a much better solution than
data warehousing as OLAP supports:
A. On-line access
B. Decision making
C. Relational databases
D. Large amounts of data storage


Q1402. Networked microcomputers can be protected from viruses by practising
the following EXCEPT –
A. Unchecked bulletin board software should not be allowed to be
used
B. Installing a latest anti-virus software
C. Implementing the corporate security policy for the IS environment
D. Using untested software on system and testing new software
before use.

Q1403. Notebook computers are portable and used to access the company’s
database while the executives are on travel. Which of the following
would provide the least security for sensitive data stored on a notebook
computer?
A. Encryption of data files on the notebook computer.
B. Setting up a password for the screensaver program on the
notebook computer.
C. Installing an access control software.
D. Using a locking device that can secure the notebook computer to
an immovable object.

Q1404. On a computer, the Random Access Memory is limited to 32 MB. The
operating system allocates memory for an application that needs
more memory to run by using:
A. Main Memory
B. Cache Memory
C. Virtual Memory
D. Read Only Memory (ROM)

Q1405. On June 23, 2000, an accounting clerk prepared an invoice dated June
33, 2000 and sent it to data entry as part of a batch of invoices. The
input control most likely to detect this error is:
A. Completeness (field) test
B. Size check
C. Hash total
D. Range check

Q1406. One of the advantages of using naming convention for access control
is that -
A. ambiguity in the resource name is avoided
B. rules for protecting resources can be minimised
C. naming convention gives a unique identity to the resources
D. fancy and international names can be used

Q1407. One of the disadvantages of residual dumping is:
A. It cannot take place as a background operation
B. There is less flexibility in levelling system workloads
C. There is more duplicate backup
D. Recovery is more complex than with physical dump

Q1408. One of the main advantages of employing biometric devices is that -
A. it provides effective physical access control
B. it helps check virus attack
C. it monitors air pollution
D. it helps detect electromagnetic fields in the area

Q1409. One of the main tasks performed by a Security Administrator is -
A. formulating the data classification methodology
B. supervision of data entry
C. error correction in the data entry
D. distribution of output


Q1410. One of the production supervisors who has got access to the corporate
database sold sensitive product pricing information to a competitor.
Which of the following controls would best prevent such a situation?
A. Software configuration management is established and enforced
B. User access to the corporate database is controlled by passwords
C. Data ownership resides with the most appropriate users
D. Access privileges are established on a need-to-know basis

Q1411. Output control is best described by which of the following?
A. the controls that are designed to provide reasonable assurance
that data received for processing have been properly authorised
and are in a suitable form
B. the controls that provide reasonable assurance that all
transactions are processed as authorised
C. the controls that prevent unauthorised and improper use of data
and programs
D. the control that reconciles input with processing control totals to
ensure that all transactions have been processed and gives a
reasonable assurance of the accuracy of processing results and
that only authorized personnel receive the results.

Q1412. Overall responsibility to protect and control the database and monitor
and improve the efficiency of the database are the job of -
A. Security administrator
B. Data owner
C. Data custodian
D. Database administrator

Q1413. Password control procedures incorporate all the following features
EXCEPT -
A. Forcing frequent changes of password by the user
B. Ensuring that the passwords are not distributed indiscriminately
C. Disabling all the redundant passwords
D. Helping the user by reminding the user of his password through the
screen

Q1414. Passwords are the commonly used technique to identify and
authenticate a user to a computer system. Which of the following
password-related factors cannot be tested by an auditor?
A. Password secrecy
B. Password storage
C. Password length
D. Password lifetime

Q1415. Processing control procedures include
A. Authorisation and authentication of users
B. Access control for on line data
C. Reporting of before and after images
D. Reasonableness checks and Hash totals

Q1416. Protection of a system from viruses can be ensured by complying with
which of the following activities?
A. all diskettes, once they are checked for viruses, should be made
write protected
B. all new software should be installed only after scanning for
viruses
C. check the diskettes for viruses daily before booting, then
boot the system using the checked diskettes only
D. no vendor should be allowed to give a demonstration on the
company’s systems

Q1417. The retention date on magnetic tape files would:
A. Enable files with the same generation number to be distinguished
B. Indicate when the file should be backed up again


C. Prevent the file from being overwritten before the expiry of the
retention date
D. Prevent the file from being read before expiry of the retention
date

Q1418. Select the BEST control to mitigate the risk of creation of duplicate user
name and password during sign on procedures, if encountered during
an audit of an IS configuration.
A. security policy should be modified
B. users should be educated about weak password
C. proper validation procedures to be built in during user creation
and password change
D. require a periodic review of matching of user ID and passwords
for detection and correction

Q1419. Session-hijacking refers to
A. A type of attack where the web pages are defaced
B. A type of attack where the session ids of other users are guessed
C. A type of attack leading to increased privileges for the attacker
D. Using sessions to track the state of users

Q1420. Specify the IS application control in the following, while the others are
general controls -
A. the security policy of the company and the organisation and
control of security activity
B. all the physical access control routines
C. control over the systems installed
D. Hash totals and batch totals

Q1421. Spooling software can be subject to which one of the following control
problems:
A. It is error-prone because the software is highly complex.
B. The output could be redirected to another printer.
C. It can be used to obtain an unauthorized copy of a report.
D. The output could be cancelled before printing.

Q1422. The access control program in a Database Management System can control
access to which of the following?
A. Data storage locations
B. Subroutines
C. Data elements, files and records
D. Programs

Q1423. The answer sheets in most examinations require the candidates to answer by
marking the correct choice. This kind of data is converted into computer
readable form through:
A. Optical Character Reader (OCR)
B. Optical Mark Reader (OMR)
C. Magnetic Ink Character Reader (MICR)
D. None of the above

Q1424. The auditor, before commencing audit of access controls, should obtain
the following information by interviewing the organisation's staff:
A. IT organisation structure
B. Key business activities
C. Significant changes to network
D. Method of authorising access

Q1425. The best information about unauthorized input from a terminal can be
derived from which of the following?
A. Printout of the console log
B. Transaction journal
C. Error report
D. Listing of all suspense files generated automatically

Q1426. Which of the following is a passive measure for securing the Linux
Operating System?
A. Restricting administrator access
B. Logging
C. Running only necessary services
D. Application auditing

Q1427. The control practice of installing and using anti-virus software is
classified as -
A. detective control practices
B. preventive control practices
C. corrective control practices
D. compensating control practices

Q1428. The control procedure of totalling specified fields in a series of
transactions or records, to check whether transactions or records are
either lost, entered or transmitted incorrectly, or duplicated, is called -
A. limit checks on calculated amounts
B. programmed controls
C. existence check
D. hash totals

Q1429. The control procedure to be followed in the administration of passwords
should incorporate the following feature:
A. Password can be displayed on terminal screen for correct
entering by the user
B. Password may be shared by the user for easy and fast access
C. Password should be changed by the user frequently
D. Password should not be changed by the user frequently

Q1430. The control to provide security against accidental destruction of records
and to ensure continuous operations is called -
A. A processing control
B. An operations control
C. A development control
D. A documentation control

Q1431. The default authentication mechanism in a Solaris system is Kerberos. If a
third-party mechanism is to be implemented instead of the default, which of
the following can be used for this purpose?
A. Access Control Lists
B. Secure NFS Distributed File Service
C. Solstice SunScreen
D. Pluggable Authentication Module

Q1432. The Digital Signature system uses the services of an Arbitrator to
prevent
A. the complaint of non-receipt of message by the receiver
B. the sender from disowning the message
C. forging of messages by the receiver
D. defrauding by the receiver by colluding with the sender.

Q1433. The first step in the installation of an information security program is
the -
A. Installation of a security control software
B. A detailed review by the IS Auditor of the security controls
C. Preparation of the information security standards manual
D. Formulation of a corporate information security policy and its
adoption by the top management

Q1434. The following are examples of some of the preventive controls in practice,
EXCEPT -
A. shutting down of the terminal after a pre-determined number of
unauthorized attempts
B. forcing the change of employee password periodically
C. the log book review by security personnel
D. scanning of all floppies before being loaded into the system

Q1435. The following control procedure helps us verify data values through
various stages of application processing, ensuring that data read into
the computer was accepted and then applied to the updating process
A. Edit checks
B. Run-to- run totals
C. Completeness checks
D. Reasonableness checks

Q1436. The following is NOT a pre-requisite for installing new anti-virus
software:
A. the machine should have a compatible operating system
B. the security policy should be clear about administration of the
anti-virus policy
C. the installation of the anti-virus software should be properly
authorised
D. the earlier anti-virus software should be uninstalled.

Q1437. The following measures will protect the computer systems from virus
attack EXCEPT:
A. once the diskettes are checked for virus and cleaned, write
protect them
B. all new software before loaded should be scanned for viruses and
cleaned
C. no demonstration packages should be allowed to be run on the
company owned machines
D. always boot from the diskettes

Q1438. The following resources are protected by logical access controls:
A. All the nodes in a LAN
B. The entire storage devices in all the servers
C. All the back up storage devices and the backed up floppies &
disks
D. Data ownership and classification

Q1439. The IS Manager of a small company senses that unrestricted access to the
production library results in the risk of untested programs being installed.
Which one of the following controls would protect the production libraries
without compromising efficiency?
A. Restrict updating and read access to one position
B. Permit updating and read access for everyone in IS
C. Permit updating for everyone in IS but restrict read access to
source code to one position
D. Restrict updating to one position but permit read access to
source code for everyone in IS

Q1440. The IS security policy of a company usually incorporates all of the
following features EXCEPT -
A. complete details about the computer hardware and software used
B. commitment of the management for the implementation of the
policy

C. procedure for authorising access to computer resources
D. details of complete authentication steps and security procedures
to allow access

Q1441. The main activity of the input/output control function is -
A. Loading and returning of master data tape files
B. Loading and returning of transaction data tape files
C. Verifying the key data
D. Keeping a log of all batches and hash total reconciliation

Q1442. The management must take various security measures to mitigate the
risk. Which of the following measures aims to minimise the damage and
prevent the recurrence of an incident?
A. Reductive measure
B. Detective measure
C. Repressive measure
D. Corrective measure

Q1443. The most appropriate audit strategy for a large organisation which relies
on comprehensive user controls over the micro computer usage is -
A. Tests of user controls
B. Edit checks of data entered
C. Tests of general controls
D. Substantive tests of executed program logic

Q1444. The most serious exposure in a Digital Signature system is caused by
which of the following?
A. Receiver's private key becoming public
B. Sender's private key becoming public
C. Key server's private key becoming public
D. Forgery of public keys

Q1445. The password administration procedure should follow the following
principle in implementing the access control:
A. Passwords may be changed by users at their discretion, and users
need not even change the initial password allotted to them
B. Initial password assignment shall be done by the user department
in-charge
C. The system should display the password to enable the user to
enter it correctly
D. Password files are encrypted and the system should force
the user to change the initial password allotted and also at
subsequent intervals.

Q1446. The person responsible for providing access rights to each user and
an access profile for each data element stored in the computer system
is -
A. Data Custodian
B. Security administrator
C. Data owner
D. The database administrator

Q1447. The primary objective of security software is to:
A. Control access to information system resources.
B. Restrict access to prevent installation of unauthorized utility
software.
C. Detect the presence of viruses.
D. Log attempts of unauthorized access.

Q1448. The process of creating sample transactions for processing through a
system to generate results for comparison with predetermined results
is:
A. Desk checking

B. Random sampling
C. Use of a test deck
D. Parallel simulation

Q1449. The public audit trail of a Digital Signature system will not contain which
of the following?
A. Public Key registrations
B. Signature registrations
C. Key compromise notifications
D. Private key modifications

Q1450. The salient features of the data file access control shall address the
following EXCEPT –
A. Access by computer data entry operators
B. Access through terminals
C. Access by production programs
D. Access to physical resources

Q1451. The technical support personnel should have unlimited access to all
data and program files to do their job. Which of the following is the right
prescription for proper devolution of access authority?
A. Such access authority is appropriate, if the accesses are logged
completely.
B. Such access authority is appropriate because they have full
knowledge and understanding of the entire system.
C. Such access authority is inappropriate because it violates the
principle of “access on a need-to-know basis, irrespective of
position”
D. Such access authority is inappropriate because they have full
knowledge and understanding of the system

Q1452. The test of access control, over a distributed database, can be carried
out by -
A. Reconciliation of batch control totals
B. Examination of logged activity
C. Prohibition of random access
D. Analysis of system generated core dumps

Q1453. The validity of a program recalculation could be audited by the following
techniques except:
A. Use of Generalized Audit software
B. Source code review
C. Source code comparison
D. Manual recalculation of sample items

Q1454. To determine the authorized sign-on in an EDI transaction, the EDI
system uses the following method:
A. User ID and Password
B. Anti-virus and anti-piracy software
C. DES Cryptosystem
D. Digital signature.

Q1455. To effectively prevent intrusion, the following controls are usually
established. Of these, which control BEST detects intrusion attempts
effectively?
A. only through authorized procedures, user creation and privileges
are granted
B. procedure to ensure that the workstation is logged off
automatically when not in use for a particular period of time
C. unsuccessful attempts after a specified number of times, should
result in the automatic log off of the workstation
D. log of unsuccessful log on attempts are reviewed online and the
active monitoring of the same by the security administrator

Q1456. To ensure that only authorised transactions have been posted to
accounting records, which of the following controls can be relied upon?
A. Proper physical access control procedures
B. Proper password security administration procedure
C. Proper authorisation procedure for the input documents
D. Periodic closing balance total calculation from the opening
balance and the authorised input transaction and comparing the
same with the system closing balance output.

Q1457. To prevent virus attack effectively in an IS environment, the first and the
foremost step to be taken is -
A. formulating and adopting a detailed anti-virus policy for the
organisation as a whole and appraising all users about the same
and implementing it.
B. Installing the latest anti-virus software regularly
C. Prohibiting the usage of disk drives in workstations
D. Have a proper and highly secured physical access control
environment

Q1458. To properly control access to accounting data held in a Database
Management System, the database administrator should ensure that
database system features are in place to permit:
A. Read-only access to the database files.
B. Updating from privileged utilities.
C. Access only to authorized logical views.
D. User updates of their access profiles.

Q1459. To protect computer systems from short term power fluctuations, the
best environmental control is -
A. an alternative source of power
B. a dedicated power generator

C. a UPS and spike buster
D. a continuous voltage stabilizer

Q1460. Under certain conditions, an inventory batch-update program ignores
transactions with invalid transaction code types. Which of the following
controls would detect the presence of such errors in processing:
A. Check digit
B. Limit test
C. Hash total
D. Reasonableness test

Q1461. Uninterruptible power supply (UPS) systems are an environmental control
to address electric power failures. Which one of the following factors
would be of least concern in selecting a UPS system?
A. The quantity of the electric load it can support
B. The time duration when it can support the load in case of mains
power failure
C. Size of the gas fuel supply
D. The speed with which it assumes the load when the primary
source fails

Q1462. Updating of a master record's critical field can be monitored by which of
the following?
A. check digit fields to ensure that it contains the correct type of
characters
B. a key field to detect transposition or other data entry errors
C. verification before updating and after updating of the master
report
D. run to run control totals

Q1463. What feature of Windows 2000 allows for delegation of security
responsibilities in terms of group policies?
A. Kerberos
B. Centralised Management
C. Encrypted File System (EFS)
D. NTLM Authentication

Q1464. User authentication determines who is making a system request or
access. There are various ways by which users can identify themselves
to a computer system. Which of the following identification techniques
provides the best means of user authentication?
A. What the user knows
B. What the user has and what the user knows
C. What the user is
D. What the user has

Q1465. Validation of a transaction is carried out by the following control function -
A. Authentication of data entry by a supervisor of another
department
B. Authentication of data entry by a supervisor of the same user
department
C. Reasonableness check & completeness check carried out on the
data entry
D. Comparison of the transaction against predefined criteria, by a
separate program

Q1466. What does the Automated Security Access Tool (ASET) (provided by
Solaris) in Medium setting, do?
A. Checks for file permissions and makes sure standard permissions
are set
B. It modifies permissions of certain system files (such as ttytab, etc.)
and restricts access

375
DISA Review Questions, Answers Manual – Module 4

C. Makes the OS highly secure by severely restricting access
D. Denies login attempts and checks for passwords

Q1467. What feature of Linux allows a secure connection between client and
server for generally insecure services such as Telnet?
A. Password Protection
B. Logging
C. Secure Sockets Layer (SSL)
D. Secure Shell (SSH)

Q1468. What feature of the Microsoft Windows XP Professional Operating System
protects the data of a user, even if the computer is shared between
users?
A. Passwords
B. Network Access controls
C. Firewall
D. Encrypting File System

Q1469. What feature of the Windows 2000 Operating System provides a single,
centralised security administration capability?
A. Active Directory Integration
B. Flexibility in Authentication
C. Consistently enforcing Authorisation
D. Public Key Infrastructure

Q1470. When the account number is entered into an online banking system, the
computer responds with a message that reads: “Account number that
you entered is not assigned to an active number. Please re-enter”. What
technique is the computer using?
A. Existence check
B. Dependency check

C. Format check
D. Check digit

Q1471. When the results of production data files processing with a generalized
audit software do not agree with the total balance according to the
inventory application reports, what should the IS Auditor do first?
A. Tell data processing that the inventory application has a bug in it.
B. Review the data field definitions and logic in the audit software.
C. Rerun the audit software against a backup of the inventory
master file.
D. Process the data using a different generalized audit software.

Q1472. When the user department complains of an input error to the EDP
department, the best method to verify whether the particular input with
the error was processed, and if so to what extent, is the control procedure
used to track the distribution of data, which is:
A. check digit verification
B. input edit check verification
C. error log
D. verification of the transmittal document

Q1473. When transmitting online output through Internet, which of the following
controls is likely to offer MOST protection?
A. Symmetric cryptography
B. Asymmetric cryptography
C. File compression algorithms
D. Message routing protocols

Q1474. Where a transaction processing application is very complex, involving
many sources of data capture and many routes for output, the
following control is used to ensure that transactions are not lost during
processing.
A. controls for validating data
B. checking of internal credibility
C. manual control procedures
D. balancing procedures through the system itself automatically

Q1475. Which component in the Java Virtual Machine checks the compiled
code to see if it matches all the rules and specifications of the Java
language?
A. Class Loader
B. Security Manager
C. Byte code Verifier
D. Garbage collector

Q1476. Which of the following access rights, if allotted to a computer operator,
will violate standard access control rules:
A. Right only to read data
B. Right to read and execute program
C. Access to Job control languages/script files
D. Authority to access and delete transaction data files

Q1477. Which of the following allows the most granular access control
mechanism for database security ?
A. System and Object Privileges
B. Database Integrity mechanisms
C. Data Encryption
D. Row-Level Security

Q1478. Which of the following cannot prevent a Denial of Service attack?
A. Implementing good password policies
B. Router filtering, firewalls and patching the OS
C. Using centralised logging
D. Applying patches when required

Q1479. Which of the following combinations of authentication mechanisms is
arranged in decreasing sequence of effectiveness against intrusion
into computer systems?
A. Password only, password and PIN, challenge response, one-time
password
B. Password and PIN, challenge response, one-time password, and
password only
C. Challenge response, one-time password, password and PIN,
password only
D. Challenge-response, password and PIN, one-time password,
password only

Q1480. Which of the following control objectives is violated when proprietary
software or corporate data is stolen:
A. preserving data integrity
B. ensuring system efficiency
C. achieving system effectiveness
D. safeguarding the assets

Q1481. Which of the following controls is the most basic and simple login
control?
A. Logging unsuccessful login attempts
B. Validating user-name and password
C. Sending alerts to the Security Administrator
D. Disabling accounts when a break-in occurs

Q1482. Which of the following controls would address the concern that data
uploaded from a microcomputer to the company's mainframe system in
batch processing may be erroneous?
A. The mainframe computer should be backed-up on a regular basis.
B. Two persons should be present at the microcomputer when it is
uploading data.
C. The mainframe computer should subject the data to the same
edits and validation routines that on-line data entry would require.
D. The users should be required to review a random sample of
processed data.

Q1483. Which of the following controls would prevent unauthorized access to
specific data elements in a database management system?
A. Sign-on verification security at the physical terminals.
B. Sign-on verification security when logging on to the database
management system
C. Authorized user access privileges for each data file or element
D. Sign-on verification security at the operating system level

Q1484. Which of the following data base environment controls enforces access
rules in addition to maintaining standardized definitions?
A. Active data dictionary system
B. Passive data dictionary system
C. Deadlock resolution
D. Record locking

Q1485. Which of the following faults is MOST LIKELY to be detected by a parity
check?
A. An instruction that is not within the valid set of instructions
B. Incorrect execution of an instruction because of a design error in
the logic unit

C. Corruption of data in a register by electromagnetic interference
D. Failure of a computational process in the arithmetic unit through
component fatigue

Q1486. Which of the following features may seriously affect or nullify the utility
of audit trails for an application system?
A. User ids are not recorded in the audit trail
B. Security administrator can amend the details in the audit trail
C. Date and time stamps are not recorded automatically but only
with manual intervention
D. Audit trail records can be amended by the users.

Q1487. Which of the following is a feature of ActiveX controls that can both be
used as well as misused?
A. ActiveX controls can be reused
B. ActiveX controls can access system resources
C. Many pre-developed controls for performing many tasks are
available
D. Execution of ActiveX controls can be controlled using Internet
Explorer security settings

Q1488. Which of the following is a major problem associated with
terminal-dependent access controls?
A. Terminals can be allowed to access specific transactions
B. Terminals can be allowed to access specific resources
C. A specific access control procedure can be associated with the
definition for a terminal
D. The security specified for the terminal can override any security
allocated to the user of the terminal

Q1489. Which of the following is an advantage of hardware-based keystroke
logging over surveillance cameras for observing data input?
A. Physical access to the equipment
B. Electrical interference does not affect the functioning
C. Technical skill is not required
D. Independent of the Operating System

Q1490. Which of the following is an operating system penetration technique
which takes advantage of the time during which a legitimate user is still
connected to the system but is inactive?
A. Masquerading
B. Piggybacking
C. Between lines entry
D. Spoofing

Q1491. Which of the following is LEAST likely to be an objective of file handling
controls?
A. To prevent inefficient access by programs to data
B. To ensure the correct file has been loaded for a program
C. To ensure data is retained for a certain period
D. To prevent data items from being accidentally overwritten

Q1492. Which of the following is NOT a feature of software keystroke loggers?
A. They are difficult to detect
B. No physical device is needed to be installed
C. They can transmit the keystrokes externally via the network
D. They cannot record BIOS passwords

Q1493. Which of the following is the control information that prevents
undetected removal of the last page of a batch report?
A. End-of-job marker
B. Page title
C. Security classification
D. Page number

Q1494. Which of the following is the most common type of input validation to
verify the length of a number entered by a user in a numeric field?
A. Form-Level
B. Validation lists
C. Field-Level
D. Filtering Keyboard Input

Q1495. Which of the following is the most objective and relevant evidence in a
computer system related fraud investigation?
A. Physical examination
B. Computer logs
C. Physical observation
D. Inquiries of people

Q1496. Which of the following is TRUE about perturbation controls, compared
with restriction controls?
A. Allow fewer statistics to be calculated on the data contained in
the database
B. Result in an information loss associated with the variance of the
perturbed statistic around the true value
C. Are not subject to averaging attacks
D. Eliminate biases or inconsistencies that arise as a result of
implementing interface controls

Q1497. Which of the following is true regarding ActiveX controls?
A. ActiveX is a completely unsafe technology
B. ActiveX controls are nothing but exe files run inside Web
Browsers
C. A digitally-signed control is completely safe
D. Even a digitally-signed control may be dangerous

Q1498. Which of the following may be the least important factor for
implementing a password control system?
A. Encrypting the password file
B. Purchasing computers with boot level password facilities
C. Limiting the distribution of passwords
D. Not writing down the password

Q1499. Which of the following methods can detect burst errors only if the
number of errors in each data unit is odd?
A. Vertical Redundancy check (VRC) - even parity
B. Vertical Redundancy check (VRC) - odd parity
C. Longitudinal Redundancy Check (LRC)
D. Checksum

Q1500. Which of the following pairs of items are related to each other?
A. The segregation of duties principle, the “least privilege” principle
B. The parity check, the reasonableness check
C. The single-key system, the Rivest-Shamir-Adleman (RSA) algorithm
D. The two-key system, the Data Encryption Standard (DES)
algorithm

Q1501. Which of the following physical access control devices would be most
effective for a high security installation?
A. Proximity sensing card reader
B. Retina scanner
C. Photo identification card
D. Magnetic card reader

Q1502. Which of the following risks is not associated with utility programs?
A. Unauthorized manipulation of data
B. Incorrect batch totals
C. Override of password checking
D. Bypassing of system controls

Q1503. Which of the following security procedures is least useful in preventing
unauthorized access to on-line systems?
A. Terminal time-out from inactivity
B. Callback on dialup lines
C. Data encryption
D. Screen saver passwords

Q1504. Which of the following should be the least important criterion for selecting
a security software package?
A. The memory and hard disk space used by the package
B. Compatibility with the in-house database management system
C. The financial stability of the software supplier
D. The number of personnel on the software supplier’s staff

Q1505. Which of the following statements is true about a “Trojan horse”?
A. It is a useful computer program
B. It is a malicious computer program

C. It is an anti-virus package
D. It is a powerful supercomputer

Q1506. Which one of the following recovery strategies has the GREATEST
chance of failure due to systems and personnel changes?
A. Hot site
B. Cold site
C. Reciprocal agreement
D. Redundant site

Q1507. The business impact analysis should critically examine the business
processes looking MOST at their:
A. Composition
B. Priorities
C. Dependencies
D. Service levels

Q1508. ------------------- act on behalf of the whole network to completely separate
packets from internal hosts and external hosts.
A. Proxies
B. Honeypots
C. IDSs
D. IPSs

Q1509. With respect to BCP, critical activities can be segregated into –
A. Essential activities, recommended activities, non-essential
activities
B. Essential activities and non-essential activities
C. Recommended activities and non-essential activities
D. There is no segregation

Q1510. The purpose of establishing an Information System Security Evaluation
Team is to
A. Guide the management and help them in protecting information
assets
B. Help in recruitment of the staff
C. Assist in appointing auditors
D. Frame the security and other policies of the company

Q1511. Which of the following is the business continuity planning and
reconstruction team that is responsible for updating the application
database, working from terminals at the user recovery site during a
reconstruction?
A. Application team
B. Network recovery team
C. Emergency operation team
D. Data preparation and records team

Q1512. The MOST significant level of business continuity planning program
development effort is generally required during the:
A. Testing stage
B. Evaluation stage
C. Maintenance stage
D. Early stages of planning

Q1513. A company performs full backup of data and programs on a regular
basis. The primary purpose of this practice is to:
A. Maintain data integrity in the applications
B. Restore application processing after a disruption
C. Prevent unauthorized changes to programs and data
D. Ensure recovery of data processing in case of a disaster

Q1514. An IS auditor reviewing an organization's information systems disaster
recovery plan should verify that it is:
A. Tested every 6 months
B. Regularly reviewed and updated
C. Approved by CEO
D. Communicated to every departmental head in the organization

Q1515. During an audit of a reciprocal disaster recovery agreement between
two companies, the IS auditor would be PRIMARILY concerned about:
A. The soundness of impact analysis
B. Hardware and software compatibility
C. Differences in IS policies and procedures
D. Frequency of system testing

Q1516. Which of the following methods would best ensure the adequacy of a
disaster recovery plan?
A. Regular reviews of timeliness of information detailed in the plan
B. Unannounced shut down of the primary installation during quiet
periods
C. Regular recovery exercises using expert personnel
D. Unannounced recovery exercises at regular intervals

Q1517. Classification of information systems is essential in business continuity
planning. Which of the following systems cannot be replaced by manual
methods?
A. Critical systems
B. Vital systems
C. Sensitive systems
D. Non-critical systems

Q1518. The window of time for recovery of information processing capabilities
is based on the:
A. Criticality of the processes affected
B. Quality of data to be processed.
C. Nature of the disaster.
D. Applications that are mainframe based

Q1519. Which of the following would best describe a cold backup site?
A. A computer facility with electrical power and HVAC, all needed
applications installed and configured on the file/print servers, and
enough workstations present to begin processing
B. A computer facility with electrical power and HVAC but with
no workstations or servers on site prior to the event and no
applications installed.
C. A computer facility with no electrical power or HVAC
D. A computer facility with electrical power and HVAC and some
file/print servers, although the applications are not installed or
configured and all of the workstations may not be on site or ready
to begin processing

Q1520. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software
incompatibility.
B. Resources may not be available when needed
C. The recovery plan cannot be tested
D. The security infrastructure in each of the companies may be different

Q1521. Losses can be minimized MOST effectively by using outside storage facilities to do which of the following?
A. Include current, critical information in backup files
B. Ensure that current documentation is maintained at the backup
facility
C. Test backup hardware
D. Train personnel in backup procedures.

Q1522. Which of the following pairs of phrases is the BEST example of operating watchwords to remember in developing disaster recovery plans?
A. No policy, No procedure
B. No ring, No write
C. No backup, No recovery
D. No security, No protection

Q1523. Determining the criticality of each computer-based application system in the production environment is important so that scarce resources can be allocated to highly critical systems. The BEST way to accomplish this objective is to:
A. Ask the application programmer who is developing and/or maintaining the system
B. Ask the computer operators who are running day-to-day production jobs
C. Ask the internal and external auditors during their routine audit
work
D. Ask the end users how they would continue their operations if the
system were unavailable for a specified period of time

Q1524. At the end of a simulation of an operational contingency test, the IS auditor performed a review of the recovery process. The IS auditor concluded that the recovery took more than the critical time frame that was necessary. Which of the following actions w
A. Widen the physical capacity to accomplish better mobility in a
shorter time.
B. Shorten the distance to reach the hot site.
C. Perform an integral review of the recovery tasks
D. Increase the number of human resources involved in the recovery
process

Q1525. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization’s data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response

Q1526. There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is:
A. Alternative routing
B. Diverse routing
C. Long haul network diversity
D. Last mile circuit protection

Q1527. Which of the following is a continuity plan test that uses actual
resources to simulate a system crash to cost effectively obtain evidence
about the plan’s effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough

Q1528. Responsibility for business continuity rests with management and IT operations. To ensure this, management need not ensure which of the following:
A. The plan is tested
B. Plan is maintained
C. Plan is distributed to authorised people
D. Plan is static

Q1529. What is it called when the firewall ignores an attack?
A. Shunning
B. Logging
C. Notification
D. False negative

Q1530. Secured waste, audit checks, and applicant screening all act:
A. Data security
B. Software protection
C. Privacy detection
D. License protection

Q1531. One form of built-in software protection for data is:
A. User profiles
B. Secured waste
C. Applicant screening
D. Audit checks

Q1532. Which device can limit traffic on a network and allow access onto
specific TCP/IP port numbers when security is a concern?
A. Firewall
B. Hub
C. DNS
D. Modem

Q1533. Authorisation to make multiple software copies is called:
A. Site licensing
B. Copy protection
C. Copy control
D. Controlled privacy

Q1534. To reduce the possibility of security break-ins from unauthorised users, which should be implemented?
A. Firewall
B. Packet sniffers
C. Port scanners
D. Intrusion detection system

Q1535. What is the purpose of a port scanner?
A. Search the network host for open ports
B. Scan UDP for closed ports
C. Scan TCP for closed ports
D. Scan IP for closed ports

Q1536. Both data integrity and system security are required to:
A. Protect a person’s right to privacy
B. Increase the speed of processing
C. Reduce the cost of processing
D. Eliminate the need for data backup

Q1537. Internal controls are the rules and procedures that are followed to
maintain the integrity and security of:
A. The data, records and financial assets of an organization
B. The hardware and networks in an organization
C. Policies
D. The Internet

Q1538. You have a remote user who can connect to the internet but not to the
office via their VPN client. After determining the problem, which should
be your next step?
A. Make sure the user has the correct VPN address and password
B. Have the client reboot their host
C. Have the client reinstall their VPN software
D. Reboot the router at the corporate office.

Q1539. If you have a device in a telecommunications closet owned and installed by the telecommunications company (telco) and it’s your responsibility
to cable from this box to the CPE, which term should you use to refer
to the device?
A. Demarcation point
B. Customer premises equipment
C. Toll network
D. Central office

Q1540. Authorisation to make multiple software copies is called:
A. Site licensing
B. Copy protection
C. Copy control
D. Controlled privacy

Q1541. Which of the following govern how the network is configured and
operated as well as how people are expected to behave on the
network?
A. Policies
B. Baselines
C. Laws
D. Procedure

Q1542. The “what you are” criteria for computer system access involve:
A. Biometrics
B. A badge
C. A swipe card
D. A password

Q1543. Secured waste, audit checks, and applicant screening all act:
A. Data security
B. Software protection
C. Privacy detection
D. License protection

Q1544. One form of built-in software protection for data is:
A. User profiles
B. Secured waste
C. Applicant screening
D. Audit checks

Q1545. Both data integrity and system security are required to:
A. Protect a person’s right to privacy
B. Increase the speed of processing
C. Reduce the cost of processing
D. Eliminate the need for data backup

Q1546. Internal controls are the rules and procedures that are followed to
maintain the integrity and security of:
A. The data, records and financial assets of an organization
B. The hardware and networks in an organization
C. Policies
D. The Internet

Q1547. To reduce the possibility of security break-ins from unauthorised users, which should be implemented?
A. Firewall
B. Packet sniffers
C. Port scanners
D. Intrusion detection system

Q1548. You have a remote user who can connect to the internet but not to the
office via their VPN client. After determining the problem, which should
be your next step?
A. Make sure the user has the correct VPN address and password
B. Have the client reboot their host
C. Have the client reinstall their VPN software
D. Reboot the router at the corporate office.

Q1549. Which device can limit traffic on a network and allow access onto
specific TCP/IP port numbers when security is a concern?
A. Firewall
B. Hub
C. DNS
D. Modem

Q1550. Which is not a type of access control list (ACL)?
A. Standard
B. Referred
C. Extended
D. Outbound

Q1551. What is it called when the firewall ignores an attack?
A. Shunning
B. Logging
C. Notification
D. False negative

Q1552. ------------------- act on behalf of the whole network to completely separate packets from internal hosts and external hosts.
A. Proxies
B. Honeypots
C. IDSs
D. IPSs

Q1553. If you have a device in a telecommunications closet owned and installed by the telecommunications company (telco) and it’s your responsibility
to cable from this box to the CPE, which term should you use to refer
to the device?
A. Demarcation point
B. Customer premises equipment
C. Toll network
D. Central office

Q1554. What is the purpose of a port scanner?
A. Search the network host for open ports
B. Scan UDP for closed ports
C. Scan TCP for closed ports
D. Scan IP for closed ports

Q1555. The “what you are” criteria for computer system access involve:
A. Biometrics
B. A badge
C. A swipe card
D. A password

Q1556. Which is not a type of access control list (ACL)?
A. Standard
B. Referred
C. Extended
D. Outbound

Q1557. Which of the following govern how the network is configured and
operated as well as how people are expected to behave on the
network?
A. Policies
B. Baselines
C. Laws
D. Procedure

Answers for Module 4

Q1131 Ans. D Q1159 Ans. D Q1187 Ans. D
Q1132 Ans. D Q1160 Ans. B Q1188 Ans. C
Q1133 Ans. C Q1161 Ans. B Q1189 Ans. A
Q1134 Ans. a Q1162 Ans. B Q1190 Ans. D
Q1135 Ans. d Q1163 Ans. C Q1191 Ans. C
Q1136 Ans. c Q1164 Ans. B Q1192 Ans. D
Q1137 Ans. c Q1165 Ans. B Q1193 Ans. A
Q1138 Ans. c Q1166 Ans. D Q1194 Ans. B
Q1139 Ans. d Q1167 Ans. C Q1195 Ans. b
Q1140 Ans. D Q1168 Ans. A Q1196 Ans. D
Q1141 Ans. b Q1169 Ans. C Q1197 Ans. C
Q1142 Ans. b Q1170 Ans. A Q1198 Ans. B
Q1143 Ans. c Q1171 Ans. C Q1199 Ans. A
Q1144 Ans. b Q1172 Ans. A Q1200 Ans. b
Q1145 Ans. b Q1173 Ans. D Q1201 Ans. C
Q1146 Ans. b Q1174 Ans. C Q1202 Ans. A
Q1147 Ans. b Q1175 Ans. C Q1203 Ans. B
Q1148 Ans. d Q1176 Ans. D Q1204 Ans. A
Q1149 Ans. b Q1177 Ans. D Q1205 Ans. d
Q1150 Ans. d Q1178 Ans. A Q1206 Ans. a
Q1151 Ans. b Q1179 Ans. A Q1207 Ans. c
Q1152 Ans. c Q1180 Ans. A Q1208 Ans. b
Q1153 Ans. B Q1181 Ans. D Q1209 Ans. a
Q1154 Ans. B Q1182 Ans. C Q1210 Ans. c
Q1155 Ans. D Q1183 Ans. B Q1211 Ans. c
Q1156 Ans. C Q1184 Ans. D Q1212 Ans. d
Q1157 Ans. D Q1185 Ans. C Q1213 Ans. b
Q1158 Ans. D Q1186 Ans. C Q1214 Ans. d


Q1215 Ans. c Q1245 Ans. d Q1275 Ans. c
Q1216 Ans. b Q1246 Ans. b Q1276 Ans. c
Q1217 Ans. b Q1247 Ans. d Q1277 Ans. b
Q1218 Ans. a Q1248 Ans. b Q1278 Ans. c
Q1219 Ans. a Q1249 Ans. b Q1279 Ans. b
Q1220 Ans. d Q1250 Ans. d Q1280 Ans. b
Q1221 Ans. d Q1251 Ans. c Q1281 Ans. d
Q1222 Ans. c Q1252 Ans. d Q1282 Ans. a
Q1223 Ans. d Q1253 Ans. c Q1283 Ans. d
Q1224 Ans. b Q1254 Ans. d Q1284 Ans. b
Q1225 Ans. b Q1255 Ans. c Q1285 Ans. d
Q1226 Ans. c Q1256 Ans. c Q1286 Ans. d
Q1227 Ans. a Q1257 Ans. c Q1287 Ans. d
Q1228 Ans. b Q1258 Ans. c Q1288 Ans. a
Q1229 Ans. c Q1259 Ans. d Q1289 Ans. c
Q1230 Ans. c Q1260 Ans. c Q1290 Ans. b
Q1231 Ans. d Q1261 Ans. d Q1291 Ans. c
Q1232 Ans. b Q1262 Ans. c Q1292 Ans. b
Q1233 Ans. b Q1263 Ans. b Q1293 Ans. a
Q1234 Ans. b Q1264 Ans. d Q1294 Ans. d
Q1235 Ans. d Q1265 Ans. b Q1295 Ans. a
Q1236 Ans. b Q1266 Ans. c Q1296 Ans. a
Q1237 Ans. a Q1267 Ans. b Q1297 Ans. a
Q1238 Ans. c Q1268 Ans. a Q1298 Ans. c
Q1239 Ans. d Q1269 Ans. a Q1299 Ans. a
Q1240 Ans. b Q1270 Ans. c Q1300 Ans. b
Q1241 Ans. a Q1271 Ans. a Q1301 Ans. a
Q1242 Ans. b Q1272 Ans. a Q1302 Ans. b
Q1243 Ans. c Q1273 Ans. a Q1303 Ans. c
Q1244 Ans. d Q1274 Ans. d Q1304 Ans. a


Q1305 Ans. c Q1335 Ans. c Q1365 Ans. d
Q1306 Ans. b Q1336 Ans. c Q1366 Ans. a
Q1307 Ans. d Q1337 Ans. c Q1367 Ans. d
Q1308 Ans. c Q1338 Ans. c Q1368 Ans. b
Q1309 Ans. b Q1339 Ans. c Q1369 Ans. b
Q1310 Ans. a Q1340 Ans. a Q1370 Ans. d
Q1311 Ans. d Q1341 Ans. c Q1371 Ans. c
Q1312 Ans. a Q1342 Ans. c Q1372 Ans. d
Q1313 Ans. c Q1343 Ans. d Q1373 Ans. a
Q1314 Ans. b Q1344 Ans. d Q1374 Ans. b
Q1315 Ans. d Q1345 Ans. a Q1375 Ans. b
Q1316 Ans. a Q1346 Ans. d Q1376 Ans. d
Q1317 Ans. a Q1347 Ans. c Q1377 Ans. d
Q1318 Ans. a Q1348 Ans. c Q1378 Ans. d
Q1319 Ans. c Q1349 Ans. c Q1379 Ans. c
Q1320 Ans. c Q1350 Ans. d Q1380 Ans. b
Q1321 Ans. b Q1351 Ans. b Q1381 Ans. c
Q1322 Ans. a Q1352 Ans. c Q1382 Ans. d
Q1323 Ans. a Q1353 Ans. a Q1383 Ans. b
Q1324 Ans. b Q1354 Ans. d Q1384 Ans. c
Q1325 Ans. a Q1355 Ans. c Q1385 Ans. b
Q1326 Ans. d Q1356 Ans. d Q1386 Ans. a
Q1327 Ans. d Q1357 Ans. a Q1387 Ans. b
Q1328 Ans. a Q1358 Ans. c Q1388 Ans. d
Q1329 Ans. d Q1359 Ans. c Q1389 Ans. d
Q1330 Ans. b Q1360 Ans. d Q1390 Ans. c
Q1331 Ans. d Q1361 Ans. a Q1391 Ans. b
Q1332 Ans. a Q1362 Ans. c Q1392 Ans. d
Q1333 Ans. b Q1363 Ans. b Q1393 Ans. d
Q1334 Ans. b Q1364 Ans. a Q1394 Ans. c


Q1395 Ans. d Q1425 Ans. b Q1455 Ans. d
Q1396 Ans. b Q1426 Ans. b Q1456 Ans. d
Q1397 Ans. c Q1427 Ans. b Q1457 Ans. a
Q1398 Ans. d Q1428 Ans. d Q1458 Ans. c
Q1399 Ans. d Q1429 Ans. c Q1459 Ans. c
Q1400 Ans. a Q1430 Ans. b Q1460 Ans. c
Q1401 Ans. b Q1431 Ans. d Q1461 Ans. c
Q1402 Ans. d Q1432 Ans. b Q1462 Ans. c
Q1403 Ans. d Q1433 Ans. d Q1463 Ans. b
Q1404 Ans. c Q1434 Ans. c Q1464 Ans. b
Q1405 Ans. d Q1435 Ans. b Q1465 Ans. d
Q1406 Ans. b Q1436 Ans. d Q1466 Ans. b
Q1407 Ans. d Q1437 Ans. d Q1467 Ans. d
Q1408 Ans. a Q1438 Ans. d Q1468 Ans. d
Q1409 Ans. a Q1439 Ans. d Q1469 Ans. a
Q1410 Ans. d Q1440 Ans. d Q1470 Ans. a
Q1411 Ans. b Q1441 Ans. d Q1471 Ans. b
Q1412 Ans. d Q1442 Ans. c Q1472 Ans. d
Q1413 Ans. d Q1443 Ans. a Q1473 Ans. b
Q1414 Ans. a Q1444 Ans. c Q1474 Ans. d
Q1415 Ans. d Q1445 Ans. d Q1475 Ans. c
Q1416 Ans. c Q1446 Ans. c Q1476 Ans. d
Q1417 Ans. c Q1447 Ans. a Q1477 Ans. d
Q1418 Ans. c Q1448 Ans. c Q1478 Ans. c
Q1419 Ans. b Q1449 Ans. d Q1479 Ans. c
Q1420 Ans. d Q1450 Ans. d Q1480 Ans. d
Q1421 Ans. c Q1451 Ans. c Q1481 Ans. b
Q1422 Ans. c Q1452 Ans. b Q1482 Ans. c
Q1423 Ans. b Q1453 Ans. c Q1483 Ans. c
Q1424 Ans. d Q1454 Ans. d Q1484 Ans. a


Q1485 Ans. c Q1510 Ans. A Q1535 Ans. A
Q1486 Ans. d Q1511 Ans. D Q1536 Ans. A
Q1487 Ans. b Q1512 Ans. D Q1537 Ans. A
Q1488 Ans. d Q1513 Ans. B Q1538 Ans. A
Q1489 Ans. b Q1514 Ans. B Q1539 Ans. A
Q1490 Ans. c Q1515 Ans. B Q1540 Ans. A
Q1491 Ans. a Q1516 Ans. A Q1541 Ans. A
Q1492 Ans. d Q1517 Ans. A Q1542 Ans. A
Q1493 Ans. a Q1518 Ans. A Q1543 Ans. A
Q1494 Ans. a Q1519 Ans. A Q1544 Ans. A
Q1495 Ans. b Q1520 Ans. A Q1545 Ans. A
Q1496 Ans. b Q1521 Ans. A Q1546 Ans. A
Q1497 Ans. d Q1522 Ans. C Q1547 Ans. A
Q1498 Ans. b Q1523 Ans. D Q1548 Ans. A
Q1499 Ans. a Q1524 Ans. C Q1549 Ans. A
Q1500 Ans. a Q1525 Ans. B Q1550 Ans. A
Q1501 Ans. b Q1526 Ans. B Q1551 Ans. A
Q1502 Ans. b Q1527 Ans. C Q1552 Ans. A
Q1503 Ans. c Q1528 Ans. D Q1553 Ans. A
Q1504 Ans. a Q1529 Ans. A Q1554 Ans. A
Q1505 Ans. b Q1530 Ans. A Q1555 Ans. A
Q1506 Ans. C Q1531 Ans. A Q1556 Ans. A
Q1507 Ans. C Q1532 Ans. A Q1557 Ans. A
Q1508 Ans. A Q1533 Ans. A
Q1509 Ans. A Q1534 Ans. A

404
DISA Review Questions, Answers Manual – Module 5

Module 5 Questions
Q1558. The primary objective for auditing IT change management is to ensure that:
A. Only approved changes were made
B. All changes are documented
C. Change control procedure variances are recorded and accounted.
D. Latest version of software is used

Q1559. In an organization providing outsourcing services, the PRIMARY objective of a Business Continuity Plan (BCP) is to ensure:
A. Safeguard assets from a disaster
B. Redundancy of IT resources
C. Continuity of critical business processes as per SLA
D. Identify single points of failure relating to Technology.

Q1560. The MOST critical consideration for an IS Auditor in reviewing access authorizations is to understand the:
A. Security policy
B. IT Resources
C. Functionalities
D. Organization structure

Q1561. The most important resource for successful deployment of Information technology in an enterprise is:
A. Effective Business processes
B. Trained Human Resources
C. Well-defined Organization structure
D. Implementing Latest technology

Q1562. In addition to defining the policy objective, which of the following is MOST critical to ensure implementation of policy?
A. Provide adequate allocation of resources
B. Establish clear-cut responsibilities.
C. Commitment from senior management
D. Monitor changes required on a regular basis.

Q1563. In a review of job descriptions, the IS Auditor’s concern from a control perspective is whether they:
A. Are current, documented and readily available to the employee.
B. Establish instructions on how to do the job and policies define
authority of staff.
C. Establish responsibility and the accountability of the employee’s
actions.
D. Communicate management’s specific expectations for job
performance.

Q1564. Which of the following is not a function of the IT steering committee?
A. Establish size and scope of IT function
B. Set priorities for the IT projects
C. Formulate IT procedures and practices
D. Review and approve standards, policies and procedures

Q1565. The primary purpose in management implementing IT controls and the IS auditor reviewing these controls is to:
A. Maintain Data integrity
B. Safeguard computers are
C. Provide assurance that business objectives are achieved
D. Provide proper segregation of duties

Q1566. The MOST critical consideration in preparing a security policy is the:
A. Analysis of the assets.
B. Analysis of the perceived risks.
C. Review of intellectual property to be safeguarded.
D. Availability of tools to monitor security.

Q1567. Which of the following is the basis for providing authorization and access to employees in an enterprise?
A. Organization Structure
B. Nature of Business process
C. Type of technology
D. Style of management

Q1568. The most critical consideration in IT strategy planning from the perspective of IT governance is:
A. Senior management should develop and implement long- and short-range plans
B. IT issues as well as opportunities are adequately assessed and reflected
C. IT is aligned with the mission and business strategies of the enterprise.
D. Strategic plan must address and help determine priorities to meet business needs

Q1569. In reviewing segregation of duties, the IS Auditor, as a measure of BEST control, would review whether the Security Administrator (SA) is:
A. Performing functions as defined
B. Well trained in business processes
C. Technically competent
D. Aware of the security policy

Q1570. Which of the following is MOST likely to be the result of inadequate IT policies and standards?
A. Absence of guidelines and benchmark
B. Security and controls may be compromised
C. Audit opinion on quality of control and security will be open to
question.
D. Time required for audit is higher

Q1571. Which of the following is not a component of Electronic Data Interchange?
A. Standards
B. Management Involvement
C. Software
D. Communication

Q1572. Which of the following is a preventive as well as a recovery control measure?
A. Business Continuity Plan
B. Password controls
C. Backups
D. Encryption

Q1573. The communication of signals is subjected to noise MOST LIKELY because of:
A. Defective switching equipment
B. Poor contact points in the wiring
C. Humidity increase
D. Temperature increase

Q1574. Which of the following is used to determine an authorised sign-on in an EDI transaction?
A. Spoofing
B. Masking
C. Digital signature
D. Private key cryptosystem

Q1575. Which of the following is not related to an electronic-mail system?
A. X.500
B. X.400
C. Pretty good privacy (PGP)
D. Digital signature standard (DSS)

Q1576. Which of the following is TRUE about an electronic-mail (E-mail) network?
A. Co-operative processing system
B. Distributed system
C. Centralised system
D. Decentralised system

Q1577. Which one of the following forms a part of transmission control in EDI
control layers?
A. Interchange
B. Functional group
C. Transaction set
D. None of the above

Q1578. The two overall primary goals of IT Governance are:
A. Consider critical success factors that leverage IT resources and measure them
B. Ensure delivery of information to business and measure using Key Goal Indicators
C. Create and maintain a system of process/control excellence and monitor business value delivery of IT
D. Add value to business and balance risk versus return

Q1579. The GREATEST risk on account of inadequate IT policies and standards is:
A. Lack of benchmarks for evaluating the operations
B. Security and controls may be compromised.
C. Audit opinion on quality of control and security will be open to
question.
D. Time required for audit is higher.

Q1580. Which of the following additional duties performed by the information security manager poses the GREATEST risk to the organization?
A. Maintaining custody of documents
B. Operating computer hardware
C. Entering data for processing
D. Programming

Q1581. Which of the following combinations of roles results in the maximum risk?
A. Data entry and Operations
B. Librarian and Help Desk
C. Systems Analysis and Quality Assurance
D. Database Administration and Data entry

Q1582. In auditing outsourcing, which of the following is the IS Auditor most likely to consider for formulating the audit scope and objectives:
A. Benefits of outsourcing
B. Technical skills of service provider
C. Service level agreement
D. Quality of services provided

Q1583. The MOST critical factor to be considered in segregation of duties in an IT environment is:
A. Business operations
B. Security policy
C. Organization structure
D. IT resources

Q1584. Which of the following is the most critical consideration in providing access to information in an enterprise?
A. Job descriptions
B. Technical skills
C. Work Experience
D. Security policy

Q1585. A security policy, to be MOST effective, has to be defined based on:
A. Technology deployed
B. Risk analysis
C. User requirements
D. Security standards

Q1586. Which of the following statements relating to policies is incorrect?
A. Provide management guidance and direction for overall effective deployment of Information and its activities.
B. Provide details of actions to be taken for preventing, detecting,
correcting and reporting security lapses.
C. Refers to specific security rules for particular systems.
D. State the high-level enterprise position and scope

Q1587. Which of the following statements relating to practices is correct?
A. Refer to implementation aspects for various Information systems
and related activities
B. Outline set of steps to be performed to ensure that a policy
guideline is met
C. Provide management guidance and direction overall effective
deployment of information and its activities
D. Formulated by senior management and represents strategic
philosophy

Q1588. The primary objective of segregation of duties is:
A. Distribution of work responsibilities as per experience
B. Prevention/Monitoring of accidental or purposeful errors/
omissions.
C. Distribution of work as per technical skills
D. Provide better service to customers

Q1589. Which of the following is the MOST critical consideration in segregation of duties?
A. The possibility for a single individual to subvert a critical process
is prevented
B. Senior management ensures implementation of division of roles
and responsibilities.
C. Staff is performing only those duties stipulated for their respective
jobs and positions.
D. Experienced staff review all critical functions performed by junior
staff.

Q1590. At the preliminary review stage of an IT strategic plan, the most critical audit procedure involves verification of:
A. Short-range plan, which has been prepared outlining the specific project.
B. Specific task activities delegated to section manager that support completion of short-range plan.
C. Methodology for progress reporting and monitoring relating to
adequacy of long range and short-range plan
D. Documented long-range plan for facilities, hardware, system
software and application software.

Q1591. Which of the following is most critical for effective implementation of security?
A. Defining and communicating individual roles, responsibilities, and
authority
B. Having regular external audit of security implementation
C. User training covering all aspects of security
D. Senior management is well versed with technical aspects of
security

Q1592. For an IT steering committee to be effective, its members must necessarily include:
A. Users
B. IT head
C. Director
D. Functional Heads

Q1593. The MOST critical consideration for an IS Auditor in reviewing access authorizations is to understand the:
A. IT Resources
B. Organization structure
C. Functionalities
D. Nature of business

Q1594. During the preliminary stage of a review of an IT strategic plan, the MOST critical audit procedure is to verify the existence of:
A. Documented long-range plan for facilities, hardware and system and application software.
B. Short-range plans, which have been prepared outlining specific projects.
C. Specific assignments for each IT manager that support completion of short-range plans.
D. Methodology for progress reporting and monitoring relating to adequacy of long/short-range plans

Q1595. Dual protection or mirroring of servers mitigates the exposures from:
A. power loss
B. an operating system error
C. an application program error
D. a procedural lapse

Q1596. Conditioning of the transmission lines is LEAST effective against:
A. Attenuation
B. Wiretapping
C. Delay distortion
D. White noise

Q1597. Rapid recovery is MOST crucial in the case of which of the following
applications?
A. Departmental chargeback
B. Corporate planning
C. Point-of-sale
D. Regulatory reporting

Q1598. Which image processing display technique is also known as point operations?
A. Pre-processing
B. Image coding
C. Local operations
D. Contrast enhancement

Q1599. Maximum reliability is available in:
A. Bus topology network
B. Ring topology network
C. Star topology network
D. Mesh topology network

Q1600. Internal controls of EDI should address which of the following risks?
A. Storage errors
B. Transmission errors
C. File errors
D. Accounting errors

Q1601. An active attack on a communication network DOES NOT include:
A. Flooding the network with spurious messages
B. Changing the order of the message
C. Traffic analysis
D. Modification of the message

Q1602. Which of the following is not part of an emergency plan?
A. Disaster notification to personnel
B. Equipment shutdown procedures
C. Evacuation procedures
D. Restart procedures

Q1603. Generally, which of the following is considered a major threat to a computer installation?
A. Tornadoes
B. Fire
C. Structural damage
D. Floods

Q1604. Wiretapping CANNOT easily be done without detection in:
A. optical fibre transmission
B. satellite transmission
C. twisted pair wire transmission
D. thin ethernet cable transmission

Q1605. Which step comes just before the final approval of the BCP?
A. Collecting data
B. Organising and documenting the plan
C. Testing the plan
D. Writing policies and procedures

Q1606. As against link encryption, end-to-end encryption cannot protect against:
A. insertion of a spurious message
B. spurious associations
C. changing the order of the message
D. traffic analysis

Q1607. Which of the following alternate facilities has the GREATEST chance of
failure due to change in systems and personnel?
A. Reciprocal agreement
B. Hot site
C. Warm site
D. Cold site

Q1608. Which of the following is not a measurement criterion for the Personal
Software Process?
A. Defects
B. Time
C. Task
D. Lines of codes

Q1609. The responsibility for business continuity does not rest with:
A. Management
B. IT operation
C. Auditor
D. None of the above

Q1610. For getting high-speed access in telecommuting, which of the following connections is used?
A. Internet Connection
B. Ethernet Connection
C. Modem connection
D. None of the above

Q1611. Interference is resisted MOST by:
A. transmission by radio frequency
B. transmission over coaxial cable
C. transmission on terrestrial microwave
D. transmission on satellite microwave

Q1612. Which of the following plans specifies the actions to be taken immediately on the occurrence of a disaster?
A. Emergency plan
B. Recovery plan
C. Restart plan
D. Backup plan

Q1613. In the case of a bank teller the access control policy is an example of:
A. User directed policy
B. Role based policy
C. Rule based policy
D. Identity based policy

Q1614. An electronic-mail security program is not effective in the case of which of the following attacks?
A. Playback attacks
B. Key management attacks
C. Bogus traffic
D. Cryptanalytic attacks

Q1615. The technique employed in packet switching mode of transmission is:
A. modulation technique
B. multiplexing technique
C. line conditioning technique
D. concentration technique

Q1616. Which of the following systems are MOST important for business
resumption following a disaster?
A. Vital systems
B. Sensitive systems
C. Critical systems
D. Non-critical systems

Q1617. Which one of the following is TRUE about Pretty Good Privacy (PGP), an electronic mail security program?
A. PGP is a protocol
B. PGP is a standard
C. PGP is a product
D. PGP is not portable

Q1618. ___________ is a clause in a trading partner agreement which means that no party shall be liable for any failure to perform their obligation if such failure is due to reasons beyond their control.
A. Accountability
B. Error correction
C. Force majeure
D. Security

Q1619. A bank performs a backup of its online deposit files each day after all processing is over and retains it for 7 days. The bank does not retain copies of each day’s transactions. This approach is:
A. Valid, since it minimises the complexity of backup/recovery procedures if the online file has to be restored
B. Valid, since having a week’s worth of backups permits recovery even if one backup could not be restored.
C. Risky, since restoring from the most recent backup file would omit
subsequent transactions
D. Risky, since no checkpoint/restart information is kept with the
backup files

Q1620. A Data Replication Architecture that updates the secondary site by capturing changes using an asynchronous process is:
A. Shadowing
B. Mirroring
C. Transaction Aware Replication
D. Hosting on a warm site

Q1621. A disaster recovery plan for a company’s computer system usually focuses on which of the following?
A. The probability that a disaster will occur
B. Operations turnover procedures
C. Alternative procedures to process transactions
D. Strategic long range planning

Q1622. A modem is NOT intended to
A. reduce the noise level in the transmission
B. encrypt the messages transmitted and decrypt them on reception
C. convert digital signals to analog signals
D. convert analog signals to digital signals

Q1623. A primary objective of BCP is:
A. To provide a sense of security
B. To make systems reliable by providing back ups
C. To ensure continuity and survival
D. To minimise decisions to be made during times of disaster

Q1624. A recovery plan for restoring computer operations after a processing
outage should ensure that:
A. Planned changes in equipment capabilities are compatible with
estimated workloads
B. Backup/restart procedures have been built into job streams and
programs
C. Documented service level agreements with owners of applications
are available
D. Operating personnel cannot bypass change control procedures

Q1625. Access to the Electronic Funds Transfer (EFT) terminal should be
restricted to authorised persons. The auditor need not
A. Check the security of the place in which the terminal is located
B. Check whether or not the terminal is kept locked when not in use
C. Check the level of management supervision over the terminal
D. Check if there is a proper segregation of duties

Q1626. While conducting a business continuity audit, which of the following
would an IS auditor consider to be MOST important to review?
A. A business continuity manual is available and current
B. Backups are performed on a timely basis and stored offsite
C. Insurance premiums are current and coverage is adequate
D. Availability of hot site

Q1627. While preparing a cost benefit analysis of a security objective for an
electronic data interchange (EDI) transaction, which one of the following
costs should be part of a detection method?
A. Cost of preventive action
B. Cost of implementation of management directives
C. Cost of recovery action
D. Cost of technical action

Q1628. With respect to BCP, critical activities can be segregated into:
A. Essential activities, recommended activities, non-essential
activities

B. Essential activities and non-essential activities
C. Recommended activities and non-essential activities
D. There is no segregation

Q1629. Which of the following would BEST ensure continuity of a Wide Area
Network (WAN)?
A. A maintenance contract with a service provider
B. Full system back-up taken on a daily basis
C. A duplicate machine alongside each server
D. Built-in alternative routing

Q1630. Which one of the following is NOT a true statement about encryption used
in an electronic data interchange (EDI) transaction?
A. Encryption ensures data integrity
B. Encryption ensures data availability
C. Encryption ensures data confidentiality
D. Encryption prevents unauthorised viewing of data

Q1631. Which one of the following is a control weakness in the treatment of
user messages in an electronic mail system?
A. Retransmission of the corrupted messages
B. Restoration of corrupted message from backups
C. Editing of corrupted message by the network staff
D. Introduction of automated checks to detect corruption of
messages

Q1632. Which one of the following is NOT true about an electronic data
interchange (EDI) system?
A. Direct or dedicated transmission channels with trading partners
B. Elimination of paper records

C. Possibility of human oversight is minimal
D. Error propagation is eliminated

Q1633. Which one of the following network configurations used by electronic
data interchange (EDI) trading partners does not have a storage
capability and does not provide any message status information?
A. Use of dedicated network
B. Use of a single value-added network
C. Use of two VANs
D. Point-to-point network

Q1634. Which one of the following statements is correct with regard to a
reciprocal processing agreement?
A. It should be documented in writing and signed by both parties.
B. It provides for parallel processing capability at a hot site and in
the production environment.
C. It requires the hardware vendor to provide compatible computer
equipment.
D. It provides for full processing capability in the event of a disaster.

Q1635. An IS auditor reviewing an organisation’s Business Continuity Plan
discovered that the plan provides for an alternate site which can
accommodate about 50% of the processing requirements of the
organisation. Which of the following steps should the IS Audit
A. Ensure that the alternate site could process all the critical
applications.
B. Recommend that the processing capacity of the alternate site
should be increased.
C. Under normal circumstances only about 25% of the processing
is critical to an organisation. Hence, there is no need to take any
action.
D. Identify applications that could be processed at the alternate site
and develop manual procedures for other applications.

Q1636. An IS auditor reviewing an organisation’s Business Continuity Plan
discovered that the plan was prepared many years ago and has never
been updated, tested or approved by the senior management. In this
situation the IS auditor should recommend that:
A. The existing plan should be approved by the Board of Directors
B. The plan be tested once in a year
C. The plan be circulated to all key management personnel
D. A senior management personnel co-ordinate creation of a new
plan or revised plan within a defined timeframe.

Q1637. An IS auditor reviewing an organisation’s Business Continuity Plan
discovered that the software backups are not stored in an offsite
location and the management is not aware of where backups are being
kept. In this situation which of the following recomme
A. Software backup should be kept in an offsite location in a
fireproof safe.
B. An inventory of backup tapes at the offsite storage location
should be maintained.
C. IS security measures including controls over access to data
should be strengthened.
D. Offsite storage location should be secured and should not be
easily identified from the outside.

Q1638. An organisation has an application level gateway and allows only
electronic mail to pass between the organisation's network and the
outside world. In such a situation the organisation's electronic mail system
is used to do which of the following?
A. Remote access
B. File transfer
C. The firewalls that refuse to forward anything unless it is from the
gateway
D. The firewalls that refuse to forward anything unless it is to the
gateway

Q1639. Audit of a LAN disaster backup and recovery plan ensures that business
is restored after a system failure or disaster. Which of the following is
FALSE with respect to such plans?
A. Plan identifies the critical hardware and equipment
B. Confidential information is not disclosed in the plan
C. Plan is reviewed and accepted by the management
D. Plan is communicated to the employees

Q1640. Companies are exposed to various kinds of e-mail threats. E-mails
containing racist or sexual content are typical of:
A. Spam
B. Information leakage
C. Interception and tampering
D. Offensive contents

Q1641. BCP (Business Continuity Plan) should focus on:
A. Departments that are greatly affected by a disaster
B. Departments that are least affected
C. Departments that have at least 50% IS related assets
D. The entire enterprise

Q1642. Business continuity plan of an organisation should address early
recovery of which of the following?
A. All applications designed by the IS Manager
B. All information system processes
C. Processes in priority order, as defined by the business manager
D. All financial processing applications

Q1643. Checks should exist in an Electronic Funds Transfer (EFT) system to ensure
that messages transmitted are delivered completely and are fully
accounted for. The auditor should ensure that
A. A permanent record of all transmitted messages is maintained
B. Messages are encrypted
C. All changes to a user function are properly authenticated
D. The system prevents unauthorised transmission

Q1644. Concentration technique in a communication network DOES NOT
A. route the message over alternate path if the normal path fails
B. reduce the wiretapper’s capabilities to tap more data
C. send different packets of the same message over different
available lines
D. free channel utilization to make more capacity available for the
user

Q1645. During exposure analysis, which of the following is NOT done?
A. Evaluating the possibility of the threat to be successful given the
controls that are in place
B. Identifying the source of threats to assets
C. Assessing the reliability of the controls that are in place
D. Assessing the losses that will result, if a threat circumvents the
controls in place

Q1646. Electronic Data Interchange
A. Is another name for e-mail
B. Is not of much use in data transfer between two computers
C. Provides strategic, operational and opportunity benefits
D. Is a tool that can even transmit information in an unstructured
format

Q1647. Electronic mail message authenticity and confidentiality are BEST
protected through which of the following techniques?
A. Signing the message using the receiver's private key and
encrypting the message using the sender's public key
B. Signing the message using the receiver's public key and
encrypting the message using the sender's private key
C. Signing the message using the sender's private key and
encrypting the message using the receiver's public key
D. Signing the message using the sender's public key and encrypting
the message using the receiver's private key

Q1648. Every organisation should have a contingency plan regardless of its
size. The contingency plan should be detailed enough for the management and
staff to actually act in the event of a disaster. The contingency plan need
not address:
A. Event declaration and escalation
B. Audit of the plan
C. Employee responsibility
D. Recovery operation

Q1649. Factors such as Distribution channel and Target Segment are
considered in which of the following profiles:
A. Cultural Profile
B. Relationships Profile
C. Technology environment profile
D. Existing security profile

Q1650. Generation of PIN in EFT/PoS involves: 1. Acquirer validates
information; 2. Acquirer sends response to the acceptor; 3. Authorisation
request is sent to the acquirer; 4. PIN entered is encrypted. Which
option indicates the correct order of events?
A. 1,2,3,4
B. 1,3,4,2

C. 4,3,1,2
D. 4,3,2,1

Q1651. Hot site is:
A. Equipped with facilities such as air-conditioning, power, cables,
but no computer systems
B. A remote facility that provides hardware and operations facilities
C. Data storage space in other corporate systems
D. An internal reciprocal arrangement

Q1652. If outsourcing a hot site is a feasible solution, then which of the following
should be considered while interacting with the vendor?
A. Hardware, software and networking requirements
B. Location and testing requirements
C. Staff expertise
D. All the above

Q1653. In an electronic data interchange (EDI) system, assessment of risks
would help to determine which one of the following loss categories?
A. Actual loss, catastrophic loss
B. Single occurrence loss, actual loss
C. Expected loss, single occurrence loss
D. Expected loss, catastrophic loss

Q1654. In an electronic data interchange (EDI) trading partner agreement, which
one of the following requires a clear and precise definition?
A. Resolution of disputes
B. Elimination of disputes
C. Co-ordination between partners
D. Message format

Q1655. In determining new controls that might be implemented to reduce
exposures to an acceptable level, which of the following is not used as
a basis?
A. Analyse the scenarios developed during the exposures analysis
phase
B. Choose controls that emphasise design secrecy
C. Examine the control profiles used in similar installations
D. Review the answers to questions on the internal control
questionnaires completed during the exposure analysis phase

Q1656. In residual dumping technique for backup, the records that are backed
up are those that have not undergone any change since
A. the last full dump
B. the last residual dump
C. the second-last full dump
D. the second-last residual dump

Q1657. In the case of a large database with on-line communication network
environment where the critical business continuity period is 7 days,
which of the following alternative business recovery strategies would
be LEAST appropriate?
A. Dual information processing facilities
B. Warm site
C. Hot site
D. Reciprocal agreement

Q1658. In the case of electronic funds transfer (EFT), which one of the
following is MOST vulnerable to fraud and physical attacks?
A. Point-of-sale system
B. Home banking system
C. Automated teller machine system
D. Telephone bill paying system

Q1659. In the event of a disaster, the crisis management team should first:
A. Inform the stakeholders
B. Assess the impact of disaster on the company
C. Take care of personnel and their dear ones
D. Form an emergency response team

Q1660. Internet was established NOT for
A. minimizing the high risk protocol conversion functions that the
gateways perform
B. controlling all the networks connected in a better way
C. improving the overall reliability of the networks
D. restricting access to sensitive messages by restricting them to
specific parts of the network

Q1661. It is widely accepted that every company should have a disaster
recovery plan. Importing of data (a component of LAN disaster recovery
plan) does not help in keeping track of
A. Equipment inventories
B. Policy inventory
C. Software inventories
D. Data that is necessary for the recovery process

Q1662. It was observed that there is no fire detection and control equipment in
an organisation's computer processing area. Which of the following is
MOST important in such circumstances?
A. Offsite storage of transaction and master backup files
B. Adequate fire insurance
C. Fully tested backup processing facility
D. Regular hardware maintenance

Q1663. Link encryption in communication of signals
A. controls the exposures from traffic analysis
B. ensures that even if compromise of encryption key takes
place, the loss is restricted to a single user associated with the
compromised key
C. does not require each node through which the message passes
to be protected against hacking
D. renders charge back system easier and effective

Q1664. Logging of transactions is an important means of backup. Which purpose
among the following is not served by logging the transactions in a
financial institution?
A. Both rollforward and rollbackward of transactions after a disaster
is rendered easier
B. After a disaster, the transactions can be reentered easily, if
needed
C. The transactions shall be recorded chronologically as they are put
through
D. There will be no need for taking a data dump

Q1665. MAC or message authentication code prevents
A. messages getting changed by hackers
B. traffic analysis by sniffing
C. violating the confidentiality of the message
D. the exposures associated with transmitting credit card PINs as
clear text

Q1666. Modems do enhance the quality of transmission. Which among the
following is NOT a control feature that enhances the quality?
A. multiple transmission speeds
B. auto-dial features
C. dynamic equalization
D. attenuation amplification

Q1667. Most important risk to be addressed in an electronic data interchange
(EDI) transaction is:
A. Delay in transmission of the data
B. Duplicated transactions
C. Invalid transactions
D. Repudiated transactions

Q1668. Operations audit trail rather than the accounting audit trail is likely to
show
A. message sequence number
B. queue length at each network node the message traverses before
reaching the destination
C. time and date of dispatch of the message
D. the unique identifier of the sender’s node from which it was sent

Q1669. OSI model of ISO presents a model of seven layers through which data
communication across computers passes. Encryption is NOT done in
any form in
A. Presentation
B. Physical
C. Data Link
D. Transport

Q1670. Reciprocal Agreements are normally entered between two or more
organisations:
A. Within same geographical location
B. With different business activities
C. With compatible equipment and applications
D. With similar business activities

Q1671. Responsibility of business continuity rests with the management and IT
operations. To ensure this the management need not ensure which of
the following:
A. The plan is tested
B. Plan is maintained
C. Plan is distributed to authorised people
D. Plan is static

Q1672. Ring topologies have an edge over bus topologies. Which of the
following statements is FALSE?
A. In ring topology, nodes are connected on a point to point basis
whereas it is a multipoint connection in a bus network
B. The connectors in a bus topology attenuate the signals and
distort them, whereas repeaters in a ring topology are relatively
harmless
C. If a connector in bus topology is malfunctioning, the whole
network will not be brought down, whereas malfunctioning
repeaters will bring the network down
D. Encryption is resorted to as a control technique more in bus
topology than ring topology

Q1673. Rollback is an effective means of recovering data. In which of the
following situations after an error has occurred but many processes
have updated the corrupt database before it is detected?
A. Rollback may not be too useful if many users have updated the
corrupt database before the discovery of the corruption
B. To set right the situation, all the elements that have been
updated after the corruption must be traced and efforts started
for correcting them
C. If afterimages have been corrupted, rollback is not achievable
D. It is not always possible to determine how much damage has
been done for undoing it

Q1674. Rollback is easily accomplished with differential file backup technique
for which of the following reasons?
A. Beforeimages of the modified records have been kept in the
differential file
B. Beforeimages of the modified records have been kept in the
primary file
C. It facilitates identification of the users that have effected changes
to the database
D. The technique provides for taking the backup on a high speed
medium like CDROM

Q1675. Rollforward and rollback are two important techniques for backup. Which
among the following should be logged for facilitating rollforward?
A. Afterimages
B. Beforeimages
C. All valid transactions
D. All input transactions

Q1676. Software change management
A. Is all about managing alterations, irrespective of the stage of
lifecycle of a product
B. Is done only in the development stage
C. Is done only in the maintenance stage
D. Activities decrease after the product release.

Q1677. Team software process, a software configuration management tool:
A. Identifies the roles of a team and assigns respective jobs to team
members
B. Focuses on managing tasks of individual developers
C. Focuses only on the role of developers
D. Does not require a customer interface

Q1678. The residual dump technique in backup has the disadvantage of
A. complexity of recovery more than a physical dump
B. the inability of the backup operation to run in the background
while operations are being carried out
C. duplicity of backup operations more than other techniques
D. lesser flexibility in leveling system workloads

Q1679. The Security Profile Model helps a company to prioritise security
management. Which of the following features is not a part of the asset
profile?
A. A company needs to classify its assets
B. It needs to identify interdependencies between assets
C. Its employees should be able to identify and evaluate security
matters
D. It should identify assets that contain sensitive information

Q1680. The time required for recovery of information processing facility in the
case of a disaster is based on which of following?
A. Nature of disaster
B. Criticality of the operations affected
C. Mainframe based applications
D. Quality of the data to be processed

Q1681. Transaction logs generally consist of successful transactions. Rejected
transactions are printed to a separate log. This segregation facilitates
A. both rollforward and rollback to be effected in case of a disaster
B. recording the time sequence of the successful transactions alone
C. avoiding the reappearing of rejection messages when the
transactions are resubmitted after a disaster and a restoration of
the backup
D. elimination of control total problems when the transactions are
resubmitted after a disaster and a restoration of the backup

Q1682. Transmission of electronic signals is not free of impairments. Which of
the following statements is true?
A. Satellite signals are not easily affected by other electronic
transmissions.
B. Attenuation is the delay in transmission of signals due to
difference in frequency
C. Inductive wiretaps can pick up the free space emissions
emanating from amplifiers
D. Analog signals are less attenuated than digital signals

Q1683. Which among the following is NOT a serious problem in a ring topology
based LAN?
A. Corruption of tokens during transmission may occur
B. Collision of tokens during transmission may occur
C. Tokens may be captured by a node and before releasing it the
node may fail
D. The receiver might not have captured the token but it might have
passed the addressee node

Q1684. Which among the following is NOT true of star topologies?
A. Ring topologies are more reliable than star topologies
B. Star networks are more easily maintained than a bus network
C. Malfunctioning in one node will not bring a star network down
D. Malfunctioning of the hub will bring the star network down

Q1685. Which of the following activities is a task during scenario analysis?
A. Determine the assets to be protected
B. Identifying controls and their associated level of reliability
C. Assessing the probability of threat occurrence
D. Identifying how threats can circumvent controls

Q1686. Which of the following approaches is ideal in order to test the electronic
data interchange (EDI) system for a value added network (VAN) user?
A. Test mailbox
B. System programmer mailbox
C. Production mailbox
D. Application programmer mailbox

Q1687. Which of the following is NOT true about electronic data interchange
(EDI)?
A. EDI data is processed by computer application systems without
human intervention
B. Standardisation is not key to EDI transaction
C. EDI concept is different from electronic commerce
D. EDI promotes a paperless environment

Q1688. Which of the following BEST describes “reducing exposure to an
acceptable level”?
A. Residual threats have been eliminated
B. All controls implemented are totally reliable
C. The cost of implementing and operating further controls exceed
the reduction in expected losses that will occur
D. Threats for which no control exists and have a low probability of
occurrence

Q1689. Which of the following BEST describes a residual risk?
A. Risk that must be treated as a cost of doing normal operations
B. Risk that cannot be handled by the installation and will not be
covered in the insurance policy for data processing assets
C. Risk remaining after risks have been controlled by system design,
installation of security measures, and regular security audits
D. Risk that will not be handled by an insurance company

Q1690. Which of the following BEST describes a warm site?
A. Partially equipped site where the computer environment consists
of few equipment without the main computer.
B. Fully equipped computer centre in a ready state for continuing
operations within hours.
C. A site where the computer environment is maintained without any
equipment.
D. Dedicated, self developed recovery site that can backup critical
applications

Q1691. Which of the following BEST describes an exposure?
A. The expected loss that will occur, given the reliability of the
existing controls
B. Any threat that may eventuate
C. The expected loss that will occur prior to implementation of any
controls
D. Any threat for which no controls have been implemented

Q1692. Which of the following controls should be introduced in the case of EDI
transaction with a trading partner for efficient data mapping?
A. Manual recalculations
B. Functional acknowledgements
C. Key verification
D. One-for-one checking

Q1693. Which of the following controls would be useful in reducing losses
from some types of threats that would result in structural damage to a
computer installation?
A. Housing the computer on the upper floor of a building
B. Fail-safe doors
C. Voltage regulator
D. None of the above

Q1694. Which of the following cryptographic algorithms does both encryption and
digital signature?
A. International data encryption algorithm (IDEA)
B. Digital signature standard (DSS)
C. Rivest, Shamir, Adleman (RSA)
D. Data encryption standard (DES)

Q1695. Which of the following encryption algorithms or schemes is MOST
difficult to break?
A. International data encryption algorithm (IDEA)
B. RC2 and RC4
C. One-time pad
D. Data encryption standard (DES)

Q1696. Which of the following electronic commerce systems handles non-monetary
documents?
A. Society for Worldwide Interbank Financial Telecommunication
(SWIFT)
B. Electronic funds transfer system (EFTS)
C. Electronic data interchange (EDI)
D. Electronic benefits transfer system (EBTS)

Q1697. Which of the following electronic document management areas is
of the MOST concern for an IS auditor reviewing an electronic data
interchange (EDI) system?
A. Data storage
B. Data classification
C. Data retention
D. Data indexing

Q1698. Which of the following involves routing of traffic through split or duplicate
cable facilities in providing telecommunication continuity?
A. Long haul network diversity
B. Diverse routing
C. Redundancy
D. Alternate routing

Q1699. Which of the following is an advantage of the use of hot sites as a
backup alternative?
A. Hot sites can be used for an extended amount of time.
B. Hot sites can be made ready for operation within a short period
of time.
C. Costs associated with the hot sites are low.
D. Hot sites do not require equipment and systems software to
be compatible with the primary installation being backed up.

Q1700. Which of the following is covered in a business interruption insurance?
A. Costs involved in reconstructing the computer facility
B. Additional costs incurred because the organisation is not
operating from its normal facilities
C. Loss in business income because the organisation is unable to
trade
D. Claims against the organisation by the customers because the
organisation cannot service its customers

Q1701. Which of the following is not an EDI risk?
A. Segregation of duties is not possible
B. Audit trail may not be available for transactions which are in
electronic format
C. Data that is transmitted is always error free
D. Dependency of trading partners on each other increases

Q1702. Which of the following is NOT considered in a backup plan?
A. Priorities to be assigned to recover the various systems
B. Site where resources can be assembled and operations restarted
C. Personnel who are responsible for backup resources
D. Procedures for periodically testing to ensure that recovery can be
effected

Q1703. Which of the following is NOT relevant in the case of a Business
Continuity Plan Testing?
A. Involvement of key business continuity team members
B. Test should address all critical components
C. Test should simulate actual prime time processing conditions
D. Advance information about the test to non-business continuity
team members.

Q1704. Which of the following is NOT true about a reciprocal agreement for an
alternative processing facility?
A. The reciprocal data centre may not be available during normal
business hours
B. They are expensive to maintain
C. The reciprocal data centre may not have adequate capacity
D. Incompatibilities in the operating software may occur

Q1705. The objective of compliance testing is to determine whether:
A. Procedures are valid
B. Controls function as intended
C. Assets are properly valued
D. Programs operate consistently

Q1706. Which of the following is NOT true about Pretty good privacy (PGP) and
privacy enhanced mail (PEM)?
A. They are both based on public-key cryptography
B. They both have same uses
C. They both encrypt messages
D. They both sign messages

Q1707. Which of the following is not true of a Disaster Management Team:
A. To decide on locations from where remote access is possible, in
the event of disaster
B. To make a list of employees, who should be called to remote
sites for work
C. To provide remote access to the network to all employees
D. To continuously check whether security and intrusion systems are
functioning effectively

Q1708. Which of the following is the MOST effective and environment friendly
method of suppressing fire in a data centre?
A. Carbon dioxide gas
B. Wet-pipe sprinklers
C. Halon gas
D. Dry-pipe sprinklers

Q1709. Which of the following is the BEST disaster recovery plan for the
communication processor for a large chain of shops which has a central
communication processor for connecting with the banking network with
electronic fund transfer (EFT at point-of-sale de
A. Alternate standby processor at another network node
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Offsite storage of daily backup

Q1710. Which of the following is the LEAST important in the case of backup
and recovery plan?
A. Frequency of the backup
B. Usage of backup tapes
C. Frequency of offsite backup
D. Frequency of restoration of backups to test the backup tapes

Q1711. Which of the following is the MOST effective test of a Business
Continuity Plan?
A. Structured walkthrough of the plan by all key personnel
B. Conduct mock disaster and carry out disaster recovery
procedures
C. Review the plan in detail by external auditor
D. Detailed review of the plan by IS auditor

Q1712. Which of the following is the primary objective of a recovery plan?
A. Specify how backup can be assembled for recovery purpose
B. Identify a recovery committee that will be responsible for working
out the specifics of the recovery to be undertaken
C. Specify precisely how recovery will be effected
D. Identify which applications are to be recovered immediately

Q1713. Which of the following is TRUE about Automated Teller Machines
(ATMs)?
A. Uses protected telecommunication lines for data transmissions
B. Must provide high levels of logical and physical security
C. Are usually located in populous areas to prevent theft or
vandalism
D. Allow for cash withdrawal and cash deposits only

Q1714. Which of the following is TRUE about Electronic Data Interchange (EDI)
application system?
A. Transmits transactions using sophisticated formats and file
definitions
B. Applications, transactions and trading partners supported remain
static over time
C. System that performs based on business needs and activities
D. Provides utility programs for a limited number of application
systems

Q1715. Which of the following is TRUE about most of the business continuity
tests?
A. Address all system components
B. Conducted at the same time as normal business operations
C. Monitored by the IS auditor
D. Evaluate the performance of personnel

Q1716. Which of the following is TRUE in relation to the input controls of EDI?
A. The data that is entered into the system should have sequence
numbers
B. Data that is entered into the system need not be translated to
EDI standard
C. Parity and redundancy checks should be used
D. Any changes to EDI should be tested before implementation


Q1717. Which of the following offsite alternatives for business recovery would
require the least amount of funds?
A. Cold site facility
B. Reciprocal agreement
C. Warm site facility
D. Hot site facility

Q1718. Which of the following network risks applies to EDI transactions irrespective
of the type of network involved?
A. Failure to detect the recipient
B. Data being transmitted to the wrong recipient
C. Delay in transmission of the data
D. The data being intercepted and disclosed to others without
authorisation

Q1719. Which of the following project scheduling techniques does not provide
information about predecessor and successor relationships?
A. Gantt Charts
B. Critical Path Method
C. Program Evaluation and Review Technique
D. Critical Chain Path Method

Q1720. Which of the following security controls is MOST effective to prevent
fraud and abuse in the case of electronic fund transfers?
A. Encryption
B. Unique password
C. Unique user ID and password
D. Unique user ID, password and personal identification number
(PIN)


Q1721. Which of the following should be verified by an IS auditor reviewing a
Business Continuity Plan?
A. Approval of the plan by Board of Directors.
B. Plan is tested once in a year.
C. Plan is reviewed and updated regularly.
D. Plan is circulated to all the Head of Departments

Q1722. Which of the following should find a place in a disaster recovery plan?
A. Program coding standards for the organization
B. History of updates to the operating system
C. List of applications under development
D. Responsibilities of each organizational unit

Q1723. Which of the following statements is TRUE about an offsite information
processing facility?
A. Should be located near to the originating site so that it can
quickly be made operational
B. Should have the same amount of physical access restrictions as
the primary processing site
C. Need not have the same level of environmental monitoring as the
originating site since this would be cost prohibitive
D. Should be easily identified from outside so that in the event of an
emergency it can be easily found

Q1724. Which of the following statements is true with respect to an Electronic Fund
Transfer/Point of Sale transaction?
A. To verify the identity of the cardholder, using signature is more
secure than using the PIN
B. All cards are not checked with hot card numbers
C. A central authority verifies the signature of the person holding the
card
D. Before payment, the cardholder and the merchant agree upon the
amount


Q1725. Which of the following statements about digital signatures is NOT true?
A. It prevents non-repudiation by the receiver
B. It provides sender authenticity
C. It facilitates repudiation by the sender
D. It prevents repudiation by the sender

Q1726. Which of the following statements about encryption is NOT correct?
A. Encryption protects data in transit from unauthorised interception
and manipulation
B. Verify authenticity of a transaction or document
C. Encryption will solve all problems of industrial espionage
D. Some countries will not allow transborder encryption of
information

Q1727. The IT strategy committee works at:
A. Board level only
B. Executive level only
C. Board and Executive levels
D. None of the above

Q1728. IS auditors must have a thorough understanding of the risk assessment
process. Risk assessment is a(n):
A. Subjective process
B. Objective process
C. Mathematical process
D. Statistical process

Q1729. Which of the following is a detective control?
A. Physical access controls
B. Segregation of duties
C. Back-up procedures
D. Audit trails

Q1730. While appointing an auditor to conduct the IS audit, the company need
not look into the ________ of the auditor.
A. Legal capability
B. Experience
C. Proficiency in different computer languages
D. Secrecy bond, if penetration test is to be done

Q1731. When planning a software audit, the management does not consider:
A. The timing of the audit
B. Persons who should conduct the audit
C. Keeping the audit objective secret
D. Providing access to the required facilities

Q1732. A procedure for an overall environmental review which is NOT
performed by an IS auditor during pre-audit planning is:
A. Understanding of business risks by interviewing management’s
key personnel.
B. Determining adherence of regulatory requirements by conducting
compliance tests.
C. Reviewing audit reports of the previous years.
D. Touring key activities of the organisation.

Q1733. A sampling technique used to estimate the average or total value of a
population based on a sample is termed as:
A. Variable Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling


Q1734. A Systems Analyst’s duties and roles comprise:
A. Scheduling of computer resources.
B. Testing and evaluating programmer and optimisation tools.
C. Ascertaining user needs for application programming.
D. Corporate database definition.

Q1735. An audit technique used to select items from a population for audit
testing purposes based on their characteristics is termed as:
A. Continuous Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling

Q1736. Which of the following are considered to be the best practices in
enterprise governance:
A. Strategic Oversight and enterprise risk management
B. Enterprise risk management and the acquisition process
C. The acquisition process and board performance
D. All the above.

Q1737. While developing a risk-based audit program, which of the following
would the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies


Q1738. Which of the following is the MOST appropriate audit evaluation
technique to provide assurance that adequate data backups exist to
allow timely recovery of system operations following service disruptions?
A. Stop-or-go sampling
B. Interview personnel and review information system organization
structure
C. Review applicable documented procedures and observe the
process
D. Use any automated tool

Q1739. When an IS auditor obtains a listing of current users with access to the
selected WAN/LAN and verifies that those listed are active associates,
the auditor is performing a:
A. Compliance test.
B. Substantive test
C. Statistical sample
D. Risk assessment

Q1740. A long-term IS employee with a strong technical background and broad
managerial experience has applied for a vacant position in the IS audit
department. Determining whether to hire this individual for this position
should be based on the individual’s vas
A. The length of service since this will help ensure technical
competence.
B. The individual’s age as training in audit techniques may be
impractical
C. IS knowledge since this will bring enhanced credibility to the audit
function
D. Existing IS relationships where the ability to retain audit
independence may be difficult


Q1741. Which of the following statements pertaining to the determination of
sample size is TRUE?
A. The larger the confidence level, the smaller the sample size
B. The larger the standard deviation, the larger the sample size
C. The smaller the precision amount, the smaller the sample size
D. Sample size is not affected by the expected error rate in the
population

Q1742. In a risk-based audit approach, an IS auditor is not only influenced by
risk but also by:
A. The availability of CAATs
B. Management’s representations
C. Organizational structure and job responsibilities
D. The existence of internal and operational controls.

Q1743. Which of the following is a substantive audit test?
A. Verifying that a management check has been regularly performed
B. Observing that user IDs and password are required to sign on to
the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable.

Q1744. Which of the following is NOT an advantage of a continuous auditing
approach?
A. It tests cumulative effects for the year
B. Findings are generally more material to organization
C. Audit resources are more effectively directed
D. Current decisions can be based on audited information


Q1745. In planning attribute sampling of data, which one of the following factors
would be LEAST important?
A. Review and evaluation of internal controls
B. Age of the system being examined
C. Past audit experience and previous test results
D. Expected error rate

Q1746. The people who have contact with the system, such as employees and
customers, are:
A. Users
B. Systems analysis
C. Programmers
D. Clients/Customers

Q1747. A plan to trace data to its source is called:
A. An audit trace
B. A vector
C. Rollback
D. Two way hashing

Q1748. The person who fills the role of the change agent is the
A. System analyst
B. Administration
C. Programmer
D. User

Q1749. The kind of interview where all questions are planned in advance is
called:
A. Structured
B. Unstructured
C. Audit program
D. Checklist

Q1750. When the entire new system is used by a portion of the users it is called
A. Pilot conversion
B. Direct conversion
C. Parallel conversion
D. Phased conversion

Q1751. A set of choices on the screen is called a(n):
A. Menu
B. Editor
C. Template
D. cursor

Q1752. A well-controlled implementation minimizes the following risks except:
A. Attrition turnover
B. System bugs
C. Misaligned staff
D. Performance issues

Q1753. A program written when the programmer is employed by the
organization is owned by:
A. The organization
B. The programmer
C. The IT/IS department
D. The user


Q1754. If a program fails to pass a test, the programmer can call for a
………………… program run to check on the status of the registers after
each program operation.
A. Trace
B. Mapping
C. Linker
D. Loader

Q1755. A project management package can help managers identify the
………………. path so that they can direct their attention to the
sequence of tasks in that path.
A. Critical
B. Shortest
C. Most expensive
D. Least expensive

Q1756. Integrating software shells allow users to exchange data between:
A. Separate programs produced by different vendors
B. Separate programs produced by the same vendor
C. Suite of programs produced by the same vendor
D. Hardware using different character codes

Q1757. The screen displays produced by a prototyping software package:
A. May closely model the outputs that may be produced by the
completed programs
B. Are the outputs produced by the completed programs
C. Hinder communication between system users and model builders
D. Discourage users from becoming involved in defining system
needs


Q1758. The ratio of correct information to the total amount of information
produced over a period is termed:
A. Accuracy
B. Reliability
C. Consistency
D. Dependability

Q1759. Which of the following is false in relation to documentation in a system
implementation?
A. IS strategy
B. The sequence of programs and steps to be taken in case of
processing failure
C. Code with comments embedded
D. Pseudocode and flowcharts

Q1760. A set of choices on the screen is called a(n):
A. Menu
B. Editor
C. Template
D. cursor

Q1761. The kind of interview where all questions are planned in advance is
called:
A. Structured
B. Unstructured
C. Audit program
D. Checklist


Q1762. The ratio of correct information to the total amount of information
produced over a period is termed:
A. Accuracy
B. Reliability
C. Consistency
D. Dependability

Q1763. The people who have contact with the system, such as employees and
customers, are:
A. Users
B. Systems analysis
C. Programmers
D. Clients/Customers

Q1764. The person who fills the role of the change agent is the
A. System analyst
B. Administration
C. Programmer
D. User

Q1765. When the entire new system is used by a portion of the users it is called
A. Pilot conversion
B. Direct conversion
C. Parallel conversion
D. Phased conversion

Q1766. The data gathering vehicle that permits high-volume anonymous
answers is:
A. Questionnaire
B. Unstructured interview
C. Structured interview
D. Observations

Q1767. A plan to trace data to its source is called:
A. An audit trace
B. A vector
C. Rollback
D. Two way hashing

Q1768. A program written when the programmer is employed by the
organization is owned by:
A. The organization
B. The programmer
C. The IT/IS department
D. The user

Q1769. If a program fails to pass a test, the programmer can call for a
………………… program run to check on the status of the registers after
each program operation.
A. Trace
B. Mapping
C. Linker
D. Loader

Q1770. A project management package can help managers identify the
………………. path so that they can direct their attention to the
sequence of tasks in that path.
A. Critical
B. Shortest
C. Most expensive
D. Least expensive


Q1771. Integrating software shells allow users to exchange data between:
A. Separate programs produced by different vendors
B. Separate programs produced by the same vendor
C. Suite of programs produced by the same vendor
D. Hardware using different character codes

Q1772. A well-controlled implementation minimizes the following risks except:
A. Attrition turnover
B. System bugs
C. Misaligned staff
D. Performance issues

Q1773. The screen displays produced by a prototyping software package:
A. May closely model the outputs that may be produced by the
completed programs
B. Are the outputs produced by the completed programs
C. Hinder communication between system users and model builders
D. Discourage users from becoming involved in defining system
needs

Q1774. Which of the following is false in relation to documentation in a system
implementation?
A. IS strategy
B. The sequence of programs and steps to be taken in case of
processing failure
C. Code with comments embedded
D. Pseudocode and flowcharts


Q1775. The data gathering vehicle that permits high-volume anonymous
answers is:
A. Questionnaire
B. Unstructured interview
C. Structured interview
D. Observations

Answers for Module 4

Q1558 Ans. A    Q1578 Ans. D    Q1598 Ans. D
Q1559 Ans. C    Q1579 Ans. A    Q1599 Ans. D
Q1560 Ans. D    Q1580 Ans. C    Q1600 Ans. B
Q1561 Ans. B    Q1581 Ans. D    Q1601 Ans. C
Q1562 Ans. B    Q1582 Ans. C    Q1602 Ans. D
Q1563 Ans. C    Q1583 Ans. C    Q1603 Ans. B
Q1564 Ans. C    Q1584 Ans. A    Q1604 Ans. A
Q1565 Ans. C    Q1585 Ans. B    Q1605 Ans. C
Q1566 Ans. B    Q1586 Ans. C    Q1606 Ans. D
Q1567 Ans. A    Q1587 Ans. A    Q1607 Ans. A
Q1568 Ans. C    Q1588 Ans. B    Q1608 Ans. C
Q1569 Ans. A    Q1589 Ans. A    Q1609 Ans. C
Q1570 Ans. B    Q1590 Ans. D    Q1610 Ans. B
Q1571 Ans. B    Q1591 Ans. A    Q1611 Ans. B
Q1572 Ans. A    Q1592 Ans. B    Q1612 Ans. A
Q1573 Ans. D    Q1593 Ans. B    Q1613 Ans. B
Q1574 Ans. C    Q1594 Ans. A    Q1614 Ans. C
Q1575 Ans. A    Q1595 Ans. A    Q1615 Ans. D
Q1576 Ans. D    Q1596 Ans. B    Q1616 Ans. C
Q1577 Ans. A    Q1597 Ans. C    Q1617 Ans. C
Q1618 Ans. C    Q1648 Ans. B    Q1678 Ans. A
Q1619 Ans. C    Q1649 Ans. B    Q1679 Ans. C
Q1620 Ans. A    Q1650 Ans. C    Q1680 Ans. B
Q1621 Ans. C    Q1651 Ans. B    Q1681 Ans. C
Q1622 Ans. B    Q1652 Ans. D    Q1682 Ans. C
Q1623 Ans. C    Q1653 Ans. C    Q1683 Ans. B
Q1624 Ans. B    Q1654 Ans. D    Q1684 Ans. A
Q1625 Ans. D    Q1655 Ans. B    Q1685 Ans. D
Q1626 Ans. B    Q1656 Ans. B    Q1686 Ans. A
Q1627 Ans. C    Q1657 Ans. D    Q1687 Ans. B
Q1628 Ans. A    Q1658 Ans. C    Q1688 Ans. C
Q1629 Ans. D    Q1659 Ans. C    Q1689 Ans. C
Q1630 Ans. B    Q1660 Ans. A    Q1690 Ans. A
Q1631 Ans. C    Q1661 Ans. B    Q1691 Ans. A
Q1632 Ans. D    Q1662 Ans. A    Q1692 Ans. B
Q1633 Ans. D    Q1663 Ans. B    Q1693 Ans. A
Q1634 Ans. A    Q1664 Ans. D    Q1694 Ans. C
Q1635 Ans. A    Q1665 Ans. A    Q1695 Ans. C
Q1636 Ans. D    Q1666 Ans. D    Q1696 Ans. C
Q1637 Ans. C    Q1667 Ans. B    Q1697 Ans. C
Q1638 Ans. B    Q1668 Ans. B    Q1698 Ans. B
Q1639 Ans. B    Q1669 Ans. B    Q1699 Ans. B
Q1640 Ans. D    Q1670 Ans. C    Q1700 Ans. C
Q1641 Ans. D    Q1671 Ans. D    Q1701 Ans. C
Q1642 Ans. C    Q1672 Ans. D    Q1702 Ans. D
Q1643 Ans. A    Q1673 Ans. C    Q1703 Ans. D
Q1644 Ans. B    Q1674 Ans. A    Q1704 Ans. B
Q1645 Ans. B    Q1675 Ans. A    Q1705 Ans. D
Q1646 Ans. C    Q1676 Ans. A    Q1706 Ans. B
Q1647 Ans. C    Q1677 Ans. A    Q1707 Ans. C
Q1708 Ans. D    Q1731 Ans. C    Q1754 Ans. A
Q1709 Ans. A    Q1732 Ans. B    Q1755 Ans. A
Q1710 Ans. B    Q1733 Ans. A    Q1756 Ans. A
Q1711 Ans. B    Q1734 Ans. C    Q1757 Ans. A
Q1712 Ans. B    Q1735 Ans. C    Q1758 Ans. A
Q1713 Ans. D    Q1736 Ans. D    Q1759 Ans. A
Q1714 Ans. C    Q1737 Ans. A    Q1760 Ans. A
Q1715 Ans. D    Q1738 Ans. C    Q1761 Ans. A
Q1716 Ans. A    Q1739 Ans. A    Q1762 Ans. A
Q1717 Ans. B    Q1740 Ans. D    Q1763 Ans. A
Q1718 Ans. D    Q1741 Ans. B    Q1764 Ans. A
Q1719 Ans. A    Q1742 Ans. D    Q1765 Ans. A
Q1720 Ans. A    Q1743 Ans. D    Q1766 Ans. A
Q1721 Ans. C    Q1744 Ans. B    Q1767 Ans. A
Q1722 Ans. D    Q1745 Ans. B    Q1768 Ans. A
Q1723 Ans. B    Q1746 Ans. A    Q1769 Ans. A
Q1724 Ans. D    Q1747 Ans. A    Q1770 Ans. A
Q1725 Ans. C    Q1748 Ans. A    Q1771 Ans. A
Q1726 Ans. C    Q1749 Ans. A    Q1772 Ans. A
Q1727 Ans. A    Q1750 Ans. A    Q1773 Ans. A
Q1728 Ans. A    Q1751 Ans. A    Q1774 Ans. A
Q1729 Ans. D    Q1752 Ans. A    Q1775 Ans. A
Q1730 Ans. C    Q1753 Ans. A

461
DISA Review Questions, Answers Manual – Module 6

Module 6 Questions
Q1776. An IS auditor conducting a review of software usage and
licensing discovers that numerous PCs contain unauthorized software.
Which of the following actions should the IS auditor perform FIRST?
A. Personally delete all copies of the unauthorized software.
B. Inform auditee of the unauthorized software and follow-up to
confirm deletion.
C. Report the use of the unauthorized software to auditee
management and the need to prevent recurrence.
D. Take no action, as it is a commonly accepted practice and
operations management is responsible for monitoring such use.

Q1777. The audit procedure which could be common to auditing Information
Security as well as for a financial audit and for IS audit is:
A. Review technical documentation
B. Inspection
C. Use CAATs for finding open ports
D. Review of Information Security Policy

Q1778. IS audit standards:
A. Specify the manner in which an IS audit should be carried out
B. Provide recommendations on improvement of audit performance
C. Provide auditors with a clear idea of the minimum level of
acceptable performance
D. Provide guidance to professionals on audit on performing IS audit
in specified environments.


Q1779. Which of the following is a detective control?
A. Physical access controls
B. Segregation of duties
C. Back-up procedures
D. Audit trails

Q1780. An important distinction an IS auditor should make when evaluating
and classifying controls as preventive, detective or corrective is:
A. The point when controls are exercised as data flows through the
system.
B. Only preventive and detective controls are relevant.
C. Corrective controls can only be regarded as compensating.
D. Classification allows an IS auditor to determine which controls are
missing.

Q1781. During a review of the controls over the process of defining IT service
levels an IS auditor would MOST likely interview the:
A. Business unit manager.
B. Legal staff.
C. Systems programmer.
D. Programmer.

Q1782. The risk of using an integrated test facility is:
A. The controls in application may not be tested
B. The processing of data may not be tested
C. The effects of testing using test data may adversely impact the
integrity of the production database
D. The modifications for audit testing made to application in live
environment may not be removed entirely.


Q1783. Sarbanes-Oxley Act 2002 seeks to regulate:
A. Control requirements relating to Information Technology
governance and controls, especially those relating to financial
disclosure controls
B. To enhance requirements as regards quality and transparency
of financial reporting and disclosure and related internal controls
and corporate responsibility thereof
C. To empower audit committees
D. To check the rate of growing computer crime

Q1784. Exposures refer to:
A. Quantification of potential impact of problem
B. Causes of risk
C. Audit objectives
D. Alignment of functions

Q1785. The document least likely to be considered in an Application Controls
audit is:
A. User manual
B. Business process rules
C. Work flow procedures
D. Coding standards

Q1786. Which of the following is an anti-virus detective control?
A. Route all links to external systems via a firewall.
B. Scan all diskettes and CDs brought in from outside the company
before use.
C. Scan all files on all file server hard disks daily, moving suspect
files to a safe area.
D. Use anti-virus software to update users’ anti-virus configuration
files every time they log in


Q1787. Which of the following is not an offence under the Information
Technology Act, 2000:
A. Introducing a virus into the network of an organisation
B. Providing assistance to any person to facilitate unauthorized
access to any computer system.
C. Creating a software to cause denial of service attack
D. Damaging the computer system by changing an operating system
parameter with a view to cause disruption to business

Q1788. Which of the following would qualify to be a requirement under the IT
Act, 2000:
A. Requiring signatures on all documents generated
B. Controls over time and date stamping of data messages
C. Controls over physical security of computer equipment
D. Use of standard software for firewalls

Q1789. The key objective of control is to:
A. Implement appropriate policy, procedures and practices
B. Establish appropriate organisation structure
C. Provide reasonable assurance that business objectives are
achieved.
D. Facilitate management of information systems

Q1790. CIS under AAS 29 of ICAI refers to:
A. Continuous and systematic information
B. Continuous and Intermittent Simulation
C. Computerised Information Systems
D. Computerised Information Sources


Q1791. Entrusted with the objective of identifying errors or deviations in the
controls relating to inventory application software, which of the following
would the auditor find most appropriate for the purpose?
A. Black box approach
B. Snapshot technique
C. Integrated test facility
D. Waterfall model

Q1792. The Information Technology Act does not apply to all of the following,
except:
A. e-banking mechanism used instead of a cheque
B. A will
C. Electronic contract for sale of building through electronic means.
D. Notification of documents in the Government Gazette

Q1793. Identify the one that is NOT a key concept of object-oriented technology.
A. Encapsulation
B. Reusability
C. Messaging
D. Inheritance

Q1794. COBIT is:
A. A standard to be followed by IS auditors while conducting IS
Audit
B. A comprehensive standard for IT Governance
C. A multi-purpose audit tool for testing application controls
D. A standard for Corporate Governance


Q1795. IT Infrastructure Library (ITIL) deals with:
A. Information Technology controls for organisations requiring
secure implementation
B. Best practices for quality of IT services and its management
C. A governance model for management of IT
D. Internal controls in Information Technology for integrity of financial
reporting.

Q1796. The scope and objective of an IS audit assignment is:
A. Always specified by regulation
B. Determined by the IS auditor
C. Specified by the user management
D. Agreed in discussion with the senior management

Q1797. IS auditors, auditing through computers, are not expected to:
A. Be aware of the fundamental concepts of Information Technology
B. Know the key components of IT and how they function
C. Be experts in technology behind development of CAATs
D. Understand business process controls

Q1798. The most important factor to be considered in case of an IT
environment is:
A. Inherent risks
B. Physical access control impact IT
C. Environmental controls impact IT
D. CAATs are used for audit


Q1799. Internal testing is a part of __________
A. Stress testing
B. Penetration testing
C. Beta testing
D. Acceptance testing

Q1800. Identify the factor that is not part of an expert system architecture.
A. Knowledge base
B. Computing environment
C. Inference engine
D. End user interface

Q1801. An IS Auditor has been assigned the task of reviewing the Information
Systems Security of a Sales Database. This refers to evaluation of
Information based on the following criteria:
A. Effectiveness, Efficiency and Authenticity
B. Confidentiality, Integrity and Availability
C. Availability, Integrity and Reliability
D. Confidentiality, Compliance and Reliability

Q1802. The risk that an IS auditor uses an inadequate test procedure and
concludes that material errors do not exist when, in fact, they do, is an
example of:
A. Inherent risk.
B. Control risk.
C. Detection risk.
D. Audit risk.


Q1803. The most critical impact on an internal control system on account of
computerization is:
A. High volume of processing of transactions
B. Extent of substantive procedures could be reduced
C. Internal control systems get in-built into the applications
D. Inherent risks of information technology as deployed

Q1804. The most effective option of using computer programs for testing client
data is:
A. Use the client’s program
B. Write a program specifically for the purposes of the audit
C. Use a generalized audit software
D. Use a walk-through approach to understanding the process

Q1805. An auditor plans to use CAATs extensively for conducting an internal
audit of manufacturing operations of an enterprise. CAATs are least
likely to be used for:
A. Drawing out appropriate samples
B. Interface with production databases to query
C. Report the audit findings with evidence
D. Uncover fraudulent transactions

Q1806. With regard to an external audit agency entrusted with review of
controls in sales and inventory processes in a computerized information
systems environment, the audit approach will significantly differ with
regard to:
A. The method of fixation of audit objectives and scope
B. The procedures followed by the auditor in obtaining a sufficient
understanding of the accounting and internal control system.
C. The methods for rating of risks based on his findings
D. The degree of performance of compliance and substantive test
procedures in a computerized environment as compared to a
non-computerised environment

Q1807. Using Generalised Audit Software to test an application for whether correct
rates are applied to sales invoices involves:
A. Testing the logic and sales data of the auditee
B. Testing the actual sales data from the database of the client
organisation.
C. Testing the auditee’s sales application software
D. Testing the access controls

Q1808. As a basis of determining the size of the project, COCOMO model uses:
A. Function Points
B. Object Points
C. Lines of Code
D. None of the above

Q1809. Method used for identification of risk is called:
A. Risk chart
B. Risk graph
C. Risk item checklist
D. None of the above

Q1810. Requirement specification errors lead to:
A. Function-related bugs
B. System bugs
C. Design bugs
D. Data bugs


Q1811. Processes in a Transaction Processing System are: 1) Data Validation
2) Data Preparation 3) Data Entry. The order in which they are
performed is:
A. 2,3,1
B. 1,2,3
C. 2,1,3
D. 3,1,2

Q1812. Compliance testing could be most effectively used for testing the:
A. Completeness of transactions
B. Accuracy of transactions
C. Implementation of controls as per policy
D. Processing of transactions

Q1813. An auditor would use the black box approach:
A. To test for suspected transactions or suspected practices
B. In case the audit does not involve testing controls in a
computerized information systems environment.
C. To evaluate the controls in computerized systems by analyzing
the outputs from a computerised system against calculated
results for a given set of inputs
D. To map the logic path and controls in the application software.

Q1814. An organisation seeks to get its Information Security
Management Systems certified by an independent certifying agency;
which of the following standards would be useful in this regard:
A. COBIT
B. SAS 70
C. BS7799
D. ITIL


Q1815. The most critical risk in embedded audit facility is:
A. Specially designed modules are not appropriately embedded in
the application
B. Selected data is stored on the auditee’s computer
C. Selected data can be modified by the auditee’s management
D. Data collection modules are inserted in the application at points
determined by the auditee management.

Q1816. The Information Technology Act:
A. Defines the method of authentication of an electronic record
B. Provides for authentication of all electronic records using digital
signature.
C. Encourages the use of digital signatures for all government
transactions
D. Requires the use of electronic signatures using symmetric
cryptography

Q1817. An upper CASE tool is used in:
A. Design
B. Code
C. Implementation
D. Maintenance

Q1818. IS audit refers to any audit that encompasses review and evaluation
of:
A. Efficiency of computing resources and networking technologies
B. Controls in Computerised information systems
C. Risks and controls as regards use of IT for business
D. Automated information processing systems and its interfaces


Q1819. An audit firm is offered the engagement to conduct a Network security
audit of the ATM systems of a large national bank. In such a situation,
the audit firm should:
A. Accept the audit even though internal competencies may not be
available
B. Not accept the assignment since it does not possess the
competencies
C. First evaluate the audit risk of conducting the audit with available
internal competencies and explore the options of relying on the
services of an expert
D. Accept the audit first and take immediate steps to gain the
knowledge and competence through intensive training.

Q1820. Companies use Enterprise Resource Planning (ERP) packages to:


A. Plan future requirements
B. Integrate the work of various departments
C. Utilise minimum resources
D. Find errors in a database

Q1821. In SDLC, in which phase would you perform Boundary value analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1822. A lower cost software product metric that is used for data collection :
A. Requirements tracing
B. Defect counts
C. Function points
D. Test coverage

Q1823. For effective implementation of a software quality program the MOST
important prerequisite is:
A. Quality metrics
B. Process improvement
C. Software reengineering
D. Commitment

Q1824. Risk mitigation deals with:
A. Avoiding risk
B. Transferring risk
C. Accepting risks
D. All of the above

Q1825. Which of the following is an upper CASE tool?
A. Debugging tool
B. Source code generation tool
C. Flow-charting tool
D. Project management tool

Q1826. The most common reason for IS exposures is:
A. Errors, negligence and low-tech manipulations by insiders
B. Hacking
C. Computer equipment breakdown
D. Natural disasters such as fire, earthquake and floods.

Q1827. The first step in using audit software is to:
A. Collect the test data
B. Understand the test objectives
C. Evaluate the test results
D. Identify IT resources required for the testing

Q1828. The most critical control consideration in designing the audit procedures
in a computerized environment is:
A. Lack of segregation of duties
B. Lack of management control
C. Lack of IT knowledge by IT staff operating the system
D. The online and real-time nature of the system

Q1829. The objective of an audit charter is to:
A. Serve as a control framework for outsourced audit engagements
B. Outline the responsibility, authority and responsibility of the IS
Audit function
C. Prescribe the audit program and procedures
D. A top-level document that defines the rights, authority and
responsibilities of the management towards the audit function

Q1830. An IS Auditor appointed to conduct an IS audit of networking controls
is expected to perform all of the following except:
A. Identify and evaluate control weaknesses
B. Provide report on the findings and recommendations
C. Follow up implementation of recommendations
D. Ensure that controls are effectively installed by participating in
implementing the controls

Q1831. An IS auditor is expected to use due professional care when
performing audits, which requires that the individual exercise skill or
judgment:
A. Commonly possessed by practitioners of that specialty.
B. Which includes programming skills in the software under review.
C. Relating to the selection of audit tests and evaluation of test
results
D. Where an incorrect conclusion based on available facts will not
be drawn.

Q1832. The objective of IS security is least likely to include:
A. Strategy for risk management
B. Procedures and practices to assure that computer facilities are
available at all required times
C. Complete and efficient processing of data occurs
D. Restriction of data access to authorized users

Q1833. The objective of the audit mission statement is to:
A. Outline the purpose and value addition of the audit function
B. Lay down the priority for the areas of audit
C. Outline the responsibility, authority and responsibility of the IS
Audit function
D. Assess the competency and skill requirements of the IS Audit
function.

Q1834. IS security is not concerned with:
A. Possibilities of fraud and error
B. Ability to manage IT resources effectively
C. Attempt of company to keep its information intact
D. Ability to recover from disasters like data loss with minimum
damage.

Q1835. Changes in traditional controls in a computerized environment are least
likely to impact:
A. Transfer of responsibilities
B. Decline in accountability
C. Audit objectives
D. Alignment of functions

Q1836. The risk assessment approach should ensure formal agreement
on residual risk. The most critical factor on which this depends is:
A. Risk identification and measurement
B. Corporate policy
C. Adopting the risk assessment approach of a competitor
D. Cost effectiveness of implementing safeguards and controls

Q1837. The risk assessment process involves all of the following except:
A. Take steps to reduce risk to an acceptable level
B. Assess probability of occurrence of threats
C. Identify the IT resources
D. Ascertain the risk profile

Q1838. Which of the following forms of evidence would be considered to be
the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source

Q1839. Skills and competence requirements of an IS Auditor must include:
A. Proficient programming skills
B. Sound knowledge of business operations, practices and
compliance requirements and related IT risks and controls
C. A general understanding of systems design and project
management concepts
D. In-depth knowledge of risks and controls relating to various
information technologies

Q1840. At which stage of the Software Development Life Cycle (SDLC) is the
program development work completed?
A. Design specifications
B. Program specifications
C. System testing
D. Unit testing

Q1841. Ability to operate on multiple computer types from different vendors is
envisaged by:
A. Integrity
B. Reliability
C. Maintainability
D. Portability

Q1842. The longest phase in SDLC is:
A. Requirements and analysis
B. Design
C. Implementation
D. Maintenance

Q1843. Which of the following tests would be used to ensure whether a
software product fails or not?
A. Quality assurance test
B. Interface test
C. Integration test
D. Volume test

Q1844. Which of the following phases involves gathering of cost data?
A. The pre-delivery phase
B. The early operational phase
C. The mature operational phase
D. The evolution/replacement phase

Q1845. Error seeding should be done in which of the following phases of a
system development life cycle?
A. Analysis
B. Design
C. Implementation
D. Maintenance

Q1846. With regard to systems development, hardware and software studies
are performed in:
A. System analysis phase
B. System design phase
C. System implementation phase
D. None of the above

Q1847. With respect to expert systems, a heuristic is not a:
A. Rule of thumb
B. Known fact
C. Known procedure
D. Guaranteed procedure

Q1848. Which phase of SDLC uses Data Flow Diagrams?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1849. Which one of the following is a Fourth Generation Language (4GL)?
A. C
B. PHP
C. Oracle
D. Visual Basic

Q1850. The main objective of a system test is to:
A. Make the system fail.
B. Test the control totals
C. Determine the program
D. Determine that manuals are complete and adequate

Q1851. Which would ensure that IS organizations do not take more resources
for less output?
A. Full-scale projects
B. Pilot projects
C. Grand design projects
D. Conversion projects

Q1852. In Reverse Engineering, ______________ deals with the restructuring
of existing source code.
A. Abstraction
B. Completeness
C. Interactivity
D. Directionality

Q1853. What does predictive validity specify?
A. Quantitative score
B. Assessment model
C. Quality assurance
D. Relationship between process capability and performance

Q1854. A document-driven approach is used in:
A. The prototyping model
B. The waterfall model
C. The spiral model
D. The iterative model

Q1855. What is the maximum number of critical paths in a Program Evaluation
Review Technique (PERT) chart?
A. Only one
B. Less than 3
C. Less than 10
D. As many paths as there are in the chart

Q1856. Identify the non-cost factor while analysing feasible system alternatives
for an organisation.
A. Conversion
B. Supplies
C. Maintenance
D. Obsolescence

Q1857. If a program cannot be executed, then it requires:
A. Adaptive maintenance
B. Preventive maintenance
C. Perfective maintenance
D. Corrective maintenance

Q1858. The prototyping approach does not assume the existence of:
A. Reusable software
B. Formal specification languages
C. Detailed requirements document
D. Fourth-generation programming languages

Q1859. In the Software Capability Maturity Model, the Productivity and Quality
of a software project is measured in:
A. Level 1
B. Level 2
C. Level 3
D. Level 4

Q1860. A catastrophic failure in a memory chip is due to:
A. A short or open circuited wire
B. Improper chip insertion
C. Unconnected wires
D. Physical or electrical damage

Q1861. An auditor evaluating a software package purchase contract will NOT
expect the contract to include:
A. Licence cost
B. Maintenance cost
C. Operational costs
D. Outage costs

Q1862. Identify the element that is not connected with structured design.
A. Coupling
B. Cohesion
C. Objects
D. Structure charts

Q1863. In which phase of SDLC would you use software sneak circuit analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1864. The boundary conditions incorporated in a program are tested in:
A. Regression test
B. Conversion test
C. Stress test
D. Integration test

Q1865. The most efficient stress testing tool used for both front end and
backend applications is:
A. Open STA
B. Microsoft web application stress tool
C. Compuware’s QA load
D. Pureload

Q1866. Which of the following can be construed as a COMPREHENSIVE
preventive method in locating a bug?
A. Formal inspections
B. Programming languages
C. Software compilers
D. Software testing

Q1867. Which file format requires Acrobat Reader to view the file?
A. .zip
B. .pdf
C. .html
D. .arc

Q1868. Which of the following is done at various testing points in the production
process?
A. Regression Testing
B. Vee Testing
C. Black Box Testing
D. Integration Testing

Q1869. Which one of the following is NOT a part of software quality metrics?
A. Completeness
B. Ergonomics
C. Correctness
D. Reliability

Q1870. Which of the following would greatly affect the project estimate if any
changes made to it while developing a project?
A. Time
B. Scope
C. Quality
D. Resources

Q1871. Software metric that deals with measurement of lines of code is:
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics

Q1872. Software Acquisition Innovation Management and Continuous Process
Improvement belong to which level of SA-CMM?
A. Level 5
B. Level 4
C. Level 3
D. Level 2

Q1873. Where would you handle finite state machines in SDLC?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1874. Identify the item that is not a part of performance guarantees in software
contract negotiations.
A. Terms of payment
B. Warranty provisions
C. Package fixes
D. Penalty provisions

Q1875. Which one of the following errors will occur because of overflow
conditions?
A. Requirement errors
B. Design errors
C. Process errors
D. Data errors

Q1876. The testing process conducted during the “live” application of software
is a ___________
A. Functional test
B. Performance test
C. Beta test
D. Acceptance test

Q1877. What makes the rapid prototyping technique portable?
A. User friendliness
B. Quality
C. Software independence
D. Productivity

Q1878. Which of the following is the most difficult to manage in an SDLC project?
A. Personnel turnover
B. Changes in hardware
C. Creeping functions
D. Changes in project scheduling

Q1879. In software maintenance, the NON-technical tool is:
A. Cross referencer
B. Change control
C. Comparator
D. Diagnostic routines

Q1880. IS Auditor’s participation is necessary during the following steps in the
SDLC, EXCEPT:
A. Feasibility study
B. User requirements
C. Programming
D. Manual specifications

Q1881. Which of the following is not a congestion management tool?
A. Priority queuing
B. Custom queuing
C. Network traffic queuing
D. Weighted fair queuing

Q1882. The process of visualising the design of a project that is yet to take
shape is called:
A. Data abstraction
B. Data modeling
C. Data transparency
D. Data designing

Q1883. Software quality assurance envisages:
A. Error prediction
B. Error prevention
C. Error detection
D. Error correction

Q1884. In monitoring and controlling a system development life cycle project,
what is NOT formal and documented?
A. Change management forms
B. Logs
C. Checklists
D. Face-to-face communications

Q1885. All of the following should be in place prior to programming except:
A. User manual
B. Coding standards
C. Detailed design documents
D. Unit test cases

Q1886. The cost incurred in collecting data comes under:
A. Prevention cost
B. Appraisal cost
C. Internal failure cost
D. External failure cost

Q1887. The type of information design used for navigational aids and graphs
for geographical use is:
A. Pictogrammatic
B. Diagrammatic
C. Cartographic
D. Hybrid

Q1888. Which one of the following statements is true?
A. Testing follows debugging
B. Debugging follows testing
C. Requirements follow design
D. Coding follows implementation

Q1889. In which of the following phases of a system development life cycle
are decision tables used?
A. Requirements Definition
B. Detailed Design
C. Implementation
D. Testing

Q1890. Incorrect initialization occurs on account of which of the following faults?
A. Data fault
B. Requirement fault
C. Output fault
D. Design fault

Q1891. Which of the following is not an element of a measurement program?
A. Cost to the software project
B. Cost of technical support
C. Cost of analysis and packaging
D. Cost to the hardware

Q1892. Stress testing is mainly done to test the _____________.
A. Feasibility of a program
B. Database reliability.
C. Website
D. Efficiency of hardware components.

Q1893. Which of the following is a party to the escrow agreement?
A. Mortgagor
B. Lessor
C. Lessee
D. Beneficiary

Q1894. Which phase of SDLC uses the “program slicing” technique?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1895. The component of a Management Information System (MIS) that assists in
planning and decision making in an organisation is/are:
A. Hardware
B. Software
C. Database
D. All of the above

Q1896. A less formal review technique is:
A. Inspections
B. Testing
C. Reviews
D. Walkthroughs

Q1897. The design phase in the linear sequential model deals with:
A. Designing the data structure
B. Designing the user interfaces
C. Designing the algorithms
D. All of the above

Q1898. The sequence and level of testing of an item or function is decided at:
A. Test strategy
B. Test plans
C. Test case design
D. Test procedure

Q1899. Each of the following should be included in a user manual, EXCEPT:
A. Data entry format
B. On-line menu descriptions.
C. Checkpoint/restart procedures.
D. Edit criteria

Q1900. Which of the following is NOT associated with structured programming?
A. Program design languages
B. Top-down approach to development
C. Modularization
D. Uncontrolled looping

Q1901. The biggest benefit of prototyping is:
A. Better version control
B. Better communications between developers and users
C. Increased productivity
D. Faster delivery

Q1902. Which one of the following metrics deals with “number of entries/exits per
module”?
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics

Q1903. Which of the following approaches is used in the waterfall development
model?
A. Entity-based approach
B. Risk-based approach
C. Rule-based approach
D. Data-based approach

Q1904. CASE tools do not help in:
A. Understanding requirements
B. Code generation
C. Security labels
D. System prototyping

Q1905. The software quality assurance process does NOT undertake:
A. Reviewing library controls
B. Monitoring and reporting system
C. Reviewing change controls
D. Evaluating software distribution

Q1906. Identify the EARLIEST software development model:
A. The Waterfall model
B. Prototyping model
C. Spiral model
D. Incremental model

Q1907. While acquiring software, which of the following criteria should be
applied?
A. Useful life
B. Resale value
C. Cost of capital
D. All the above

Q1908. In the development life cycle model, the place to start the software quality
process is:
A. Requirements phase
B. Design phase
C. Coding phase
D. Testing phase

Q1909. The software test objective of operating on different platforms is achieved
by conducting:
A. Recovery test
B. Regression test
C. Integration test
D. Configuration test

Q1910. Availability of computer time is taken care of in which part of project
planning and scheduling?
A. Milestones
B. Deliverables
C. Baseline
D. Assumptions

Q1911. In which phase of SDLC is desk checking practised?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1912. You would NOT use stubs or drivers in which of the following testing
approaches?
A. A top-down approach
B. A bottom-up approach
C. A sandwich approach
D. A big bang approach

Q1913. Which of the following is not a subsystem of a Decision Support System
(DSS)?
A. Language System
B. Knowledge System
C. Transaction Processing System
D. Problem Processing System

Q1914. The testing process in which the user participates is called:
A. Acceptance testing
B. Program testing
C. Conversion testing
D. System testing

Q1915. Which of the following is NOT a characteristic of legacy systems?
A. Focus on specific problems
B. Limited scope
C. Selective functionality
D. Effective and efficient management of databases

Q1916. User interface prototyping may NOT focus on:
A. Screen layouts
B. Dialogue styles
C. Ergonomics
D. System performance

Q1917. Which of the following is a dynamic analysis to detect software errors?
A. Inspections
B. Code reading
C. Testing
D. Tracing

Q1918. What is the most important factor to be considered when comparing
system alternatives before making the final selection?
A. ROI
B. IRR
C. User satisfaction
D. Benefit-cost ratio

Q1919. Which of the following is useful in auditing program change
management?
A. User manual
B. System logs
C. Standards and procedures
D. Operators’ run manuals

Q1920. Which of the following software metrics would refer to function points?
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics

Q1921. In unit testing, which one of the following can be mechanised?
A. Syntax checking
B. Desk checking
C. Quality assurance audit
D. Quality assurance review

Q1922. Which of the following is not a component of audit risk?
A. Inherent risk
B. Control risk
C. Detection risk
D. Restrictive risk

Q1923. The development of IS security policy is the responsibility of the:
A. IS department
B. Security committee
C. Security administration
D. Board of directors

Q1924. Which of the following socio-technical design principles is applicable to
environmental guidelines?
A. Compatibility
B. Information flow
C. Boundary location
D. Support congruence

Q1925. ------------ is an activity conducted in the last stages of the contract
before accepting an information technology product:
A. Benchmarking
B. Testing
C. Contract negotiation
D. Vendor evaluation

Q1926. ---------- is an activity performed in the pre-contract phase of a software
acquisition project:
A. Identification of alternatives
B. Testing and acceptance
C. Contract management
D. Preparation of the invitation document

Q1927. A computer programmer altered the program for savings bank accounts
so that his account would not be listed when a list of accounts
with overdrafts was prepared. The following controls would be effective in
preventing or detecting this fraud EXCEPT:
A. User sign-off for program changes.
B. Special internal auditor review of all employee accounts
C. Independent code review following any changes
D. Prohibiting the programmers from moving compiled programs to
production.

Q1928. A decision table is used in program testing to test the branching to
distinct processes. It consists of:
A. Condition stub and result
B. Condition stub, condition entry, action stub and action entry
C. Action stub and condition entry
D. Action stub and result

Q1929. A feasibility study should be conducted when:
A. A decision must be made on the best way of sequencing SDLC
during system development
B. The consequences of decentralising data processing functions
must be assessed
C. An assessment must be made of whether or not the security
policy and procedures work
D. A decision must be made on whether or not a new operations
schedule will increase throughput and staff efficiency

Q1930. A majority of defects are attributed to a small number of causes. Which
of the following basic tools would BEST depict this scenario?
A. A scatter diagram
B. A Pareto diagram
C. A run chart
D. A control chart

Q1931. A project manager must know which of the following, in order to be
sure that the schedule will work, even though he has a detailed project
schedule?
A. Detailed cost for each phase
B. Programmer assignments
C. Task interdependencies
D. Resource allocation

Q1932. A software metric will NOT define which one of the following?
A. Number of defects per thousand lines of code
B. Number of defects over the life of a software product
C. Number of customer problems reported to the size of the product
D. Number of customer problems reported per user month

Q1933. A Software Quality Assurance team performs the job of:
A. Preparing an SQA plan
B. Participating in the development of the project’s software process
description
C. Reviewing software engineering activities to verify compliance with
the defined process
D. All the above

Q1934. Which one of the following will be included in the application software
testing phase for effective controls?
A. Test cases, test documentation
B. Test summaries, test execution reports
C. Activity logs, incident reports, software versioning
D. Test cases rejected, test cases accepted

Q1935. While auditing system acquisition, the auditor’s objective is to ensure
that the system acquisition is based on complete and accurate lists of
the functional needs of the user. For this, the auditor reviews which one
of the following?
A. The security policy of the organisation
B. The requirements and specifications statement of the project
C. The acquisition-plan document
D. All of the above.

Q1936. While development is in progress, changes are likely to occur. But
modifications should be effected in a controlled manner. Which of the
following principles will guarantee this?
A. Project management
B. Quality assurance
C. Configuration management or change control techniques
D. Time management

Q1937. With respect to the various phases in the system development life cycle,
which of the following is least likely to vary:
A. conduct of each phase as planned
B. sequence in which the phases are performed
C. resources and time needed to perform each phase
D. presence of each phase

Q1938. Which of the following statements is true with regard to Computer Aided
Software Engineering (CASE) workbench?
A. A single CASE tool is more effective when used individually than
when combined with more than two
B. It is very difficult to add a new case workbench or replace an
existing one
C. An organisation has to depend on a single supplier
D. Workbench can be easily managed with the aid of the
configuration management system

Q1939. Which of the following system life factors is most difficult to control by
a user organization?
A. The length of time the system will satisfy the needs of the initial
user
B. The rate at which computer technology is expected to advance
C. The probability of continued availability of system support
D. The time required for subsequent acquisition to meet the
requirement

Q1940. Which of the following technical specifications will NOT be included in
a functional requirements document for a software package?
A. System design
B. Mean-time-between-failure
C. Mean-time-to-repair
D. On-line system response times

Q1941. Which of the following testing approaches will test the system’s ability
to withstand misuse by inexperienced users?
A. Functional testing
B. Unit testing
C. Resiliency testing
D. User acceptance testing

Q1942. Which of the following testing methods is used when the loops in a
program are not structured?
A. Flow graphs
B. Graph matrix
C. Concatenating loop
D. No testing is done until loops are redesigned and structured.

Q1943. Which of the following tests addresses the interaction and consistency
issues of successfully tested parts of a system?
A. Unit testing
B. Acceptance testing
C. Integration testing
D. System testing

Q1944. Which of the following tests ensures that all the programs in the system
being developed work in concert and their communication among
themselves is as designed?
A. Unit test
B. Interface test
C. Regression test
D. Integration test

Q1945. Which of the following threats, vulnerabilities, or risks does not arise in an
in-house system development project?
A. Signing poor contracts
B. Planting Trojan horses
C. Writing incorrect program code
D. Using inappropriate tools

Q1946. Which one of the following criteria shall NOT be considered for choosing
an appropriate Computer platform to suit a given application software
system?
A. Database size
B. Data usage
C. System development tools
D. Data storage

Q1947. Which one of the following design approaches would address data
sharing and system access problems in legacy application systems?
A. Develop a shareware application
B. Develop a freeware application
C. Develop an API application
D. Develop a GUI application

Q1948. Which one of the following documents would be least effective in
performing unit testing of an application software?
A. Program source code
B. System requirements definition
C. Detailed design documents
D. General design documents

Q1949. Which one of the following errors cannot be detected during an
inspection activity?
A. Incomplete requirements errors
B. Infeasible requirements errors
C. Conflicting requirements errors
D. Input/output errors

Q1950. Which one of the following graphical user interface (GUI) development
approaches would create more user-friendly interactions?
A. Object-oriented user interfaces
B. Application-oriented user interfaces
C. Screen-oriented manipulation user interfaces
D. Menu-oriented user interfaces

Q1951. Which one of the following is an example of a process metric?
A. Number of software developers
B. Size and complexity of the system
C. System performance levels
D. Resolution time for fixing errors

Q1952. Which one of the following is performed FIRST in a system development
life cycle project?
A. Developing program flow chart
B. Determining system inputs and outputs
C. Developing design documents
D. Developing conversion plans

Q1953. Which one of the following maintenance aspects would greatly ensure
the currency of the plan as time passes?
A. Incorporate into hardware upgrades
B. Incorporate into change management procedures
C. Incorporate into software upgrades
D. Incorporate into revision procedures

Q1954. Which one of the following methodologies requires efficient system
requirements analysis?
A. Reverse engineering
B. The Delphi method
C. Joint application design (JAD)
D. Traditional system development life cycle

Q1955. Which one of the following options is not a characteristic of structured
analysis?
A. It uses a bottom-up approach.
B. It uses several tools and techniques.
C. It uses physical and logical models.
D. It incorporates several steps simultaneously.

Q1956. Which one of the following pairs, when performed simultaneously, would
pose a major Risk?
A. Systems analysis and design
B. System design and programming
C. Programming and testing
D. Test case preparation and test case execution

Q1957. Which one of the following reasons is the most important to retain a
legacy application system?
A. It meets the needs of the organization
B. Changing the computing platform may not improve the legacy
system
C. Resistance to change
D. Low maintenance cost

Q1958. Which one of the following software test methods should invariably
perform input-tolerance testing?
A. Unit testing
B. Integration testing
C. Production operations acceptance testing
D. User acceptance testing

Q1959. Which one of the following techniques is represented by structured
analysis and design?
A. Function-oriented techniques
B. Data-oriented techniques
C. Control-oriented techniques
D. Information-oriented techniques

Q1960. Which one of the following testing orders is correct?
A. Integration test, unit test, systems test, acceptance test
B. Unit test, systems test, integration test, acceptance test
C. Acceptance test, unit test, integration test, systems test
D. Unit test, integration test, systems test, acceptance test

Q1961. According to Gartner, the three components of systems management
are: knowledge and control, policy setting and continuous
improvement. Which of the following forms the foundation of systems
management?
A. Knowledge and control
B. Policy setting
C. Continuous improvement
D. None of the above

Q1962. Activities related to determining strategic business objectives based on
market needs, or threat analysis, fall under which stage of software
acquisition?
A. Predevelopment
B. Development
C. Post development
D. Concept exploration

Q1963. After the system is developed, the auditor’s objective in conducting a
general review is to:
A. Determine whether a critical application system needs modification
due to a recent change in the statute
B. Conduct a test of controls to ensure that no necessary control
is omitted in the design
C. Make an evaluation of the whole process to quantify the
substantive test required for the specialized audit of the process
D. Conduct a substantive test of the application system

Q1964. After which of the following testing stages should the formal change control
mechanism start?
A. After completion of integration testing
B. After completion of unit testing
C. After completion of systems testing
D. After completion of acceptance testing

Q1965. All of the following assumptions about legacy application systems are
correct except
A. A legacy system is a mainframe computer-based application
system
B. A legacy system is old and hence no longer good
C. A legacy system uses a proprietary programming language
D. A legacy system is difficult to port to other environments

Q1966. Among the various software analyses listed below, the controlling
functionality against software failure is provided by:
A. Safety analysis
B. Sneak circuit analysis
C. Fault tree analysis
D. Hazard analysis

Q1967. An analysis of the project requirements for the activities of an organisation is done in which stage of the Software Development Life Cycle (SDLC)?
A. Feasibility study stage
B. Business requirement specifications stage
C. Functional specifications stage
D. Design specifications stage

Q1968. An IS auditor takes part in the development team deliberations NOT for
A. ensuring adequacy of data integrity controls
B. ensuring adequacy of data security controls
C. ensuring that there are no cost and time overruns
D. ensuring that documentation is accurate and complete

Q1969. An IS auditor, while conducting a post-implementation review, would look for
A. the documentation of the test objectives
B. the extent of issues pointed out in the user acceptance test and
the unresolved issues
C. the documentation of the test results
D. the log containing the problems reported by the users

Q1970. An off-the-shelf applications software package requirement document does NOT include which one of the following?
A. Both organizational and functional requirements should be
precisely stated to vendors
B. System reliability should be expressed to vendors in MTBF and
MTTR terms
C. System response time should be stated to vendors under
average-case conditions
D. System response time should be stated to vendors under worst-
case conditions

Q1971. Auditing of development project work in the prototyping model presents the IS auditor with difficult problems. Which of the following is the MOST difficult?
A. Exhibiting flexibility to new approaches vis-à-vis traditional
approaches
B. Evaluating the adequacy of the documentation
C. Maintaining cordial relation with the team members
D. Keeping the technical knowledge up to date

Q1972. Auditors gather evidence during the review of the system design of a software project. On which of the following tools will they NOT depend?
A. Observation of the design process
B. Interviewing the development team
C. Verifying the documented plan
D. Circulating questionnaires among the members of the team for
their self evaluation

Q1973. Black-box testing is depicted by which of the following?
A. Test all features mentioned in the specifications
B. Execute every statement at least once
C. Execute every branch at least once
D. Test the use of all data objects

Q1974. Business risk does not include:
A. Risk of developing software that has no takers
B. Risk that affects the entire project plan
C. Risk of developing software for an outdated business strategy
D. Risk of losing the support of the top management, due to change
in business focus.

Q1975. Customer details such as address changes are being used in too many mainframe application systems, calling for a great deal of redundant data entry effort. In this situation, which one of the following methods will be useful?
A. Develop “seamless” processes
B. Eliminate mainframe computer processing
C. Develop a data synchronization software
D. Develop a client/server system

Q1976. Decision tables are used in programs to branch to various distinct processes. Which of the following systems generally use decision tables?
A. Transformational systems
B. Interactive systems
C. Concurrent system
D. Distributed systems

Q1977. Unauthorized changes to program source code files can be detected by the IS auditor by
A. analytical review
B. code review
C. comparison of codes
D. log of authorized changes

Q1978. Difference between the spiral model and the incremental model is:
A. The former is an evolutionary process, the latter is a classic
process
B. The former is time consuming, the latter is time saving
C. The former does not ensure delivery of product after every
iteration, the latter does
D. None of the above

Q1979. During which of the following stages is user resistance encountered in the Computer Aided Software Engineering (CASE) Life Cycle?
A. Procurement
B. Evolution
C. CASE system introduction
D. Obsolescence

Q1980. Each of the following is a preventive control over systems development EXCEPT:
A. Standard methodology
B. Documentation standards.
C. Post implementation reviews.
D. User training program.

Q1981. During conversion the primary purpose of parallel running is to:
A. provide the basis for user training and acceptance testing
B. provide the basis for carrying out comprehensive system and user
tests
C. determine whether there are any bugs in the new hardware/
system software configuration that has been chosen
D. provide the basis for validating the design and implementation of
the new system

Q1982. During the system design phase an auditor participating in system development attempts to:
A. ensure refreezing methodology has been designed
B. determine whether necessary controls have been designed into the system
C. ensure that the actual cost of the system development project is within the budgeted cost
D. evaluate whether all the phases of the SDLC are being performed serially

Q1983. During the conduct of a source code review, the examination of the data
processing installation’s programming standards occurs:
A. after the source code listing has been obtained
B. concurrently with the source code review
C. before reviewing the program’s specifications
D. standard may not be reviewed at all

Q1984. In an organisation, Integrated Test Facility (ITF) is not used in:
A. Maintenance
B. Automatic testing
C. Quantity control
D. Quality control

Q1985. During the entry phase the system designer:
A. explains to users various alternative designs that can be implemented
B. freezes and unfreezes the organisation requirements
C. carries out a preliminary study to evaluate the feasibility of the new system
D. undertakes to understand the requirements of the proposed system

Q1986. During the problem definition phase, the terms of reference do not
describe:
A. boundaries of the system to be examined
B. proposed objectives of the new system
C. problems of the stakeholders
D. organisational and resource constraints

Q1987. Expert systems are NOT associated with which one of the following?
A. Expert systems are aimed at solving problems using an
algorithmic approach
B. Expert systems are aimed at solving problems that are
characterized by irregular structure
C. Expert systems are aimed at solving problems characterized by
incomplete information
D. Expert systems are aimed at solving problems characterized by
considerable complexity

Q1988. Find the CRITICAL PATH among the following paths in a PERT chart:
Path 1: A-D-E-G, 120 man-days; Path 2: A-B-C-D-G, 125 man-days; Path 3: A-F-G, 135 man-days; Path 4: A-B-F-G, 137 man-days
A. Path 1
B. Path 2
C. Path 3
D. Path 4

Q1989. For effective application development, each of the following would help EXCEPT:
A. Active participation by user departments.
B. Management involvement
C. Prioritisation of applications to be developed
D. Post implementation reviews.

Q1990. For assessing process variations in software development and maintenance projects, which one of the following will be useful?
A. A control chart
B. A run chart
C. A bar graph
D. A Pareto diagram

Q1991. For reducing the complexity of a computer-based application program, which of the following should be done?
A. Limit the length of the program as represented by the number of
characters
B. Limit the size of the program as represented by the number of
statements
C. Limit the number of independent paths in the program
D. Limit the type of programming language used in the program

Q1992. Formal change control mechanism would start after which of the
following in an overall system development project?
A. Completing the system planning document
B. Completing the system requirements document
C. Completing the system design document
D. Completing the program coding work

Q1993. Fuzzy logic is most effective when:
A. Used to develop decision support systems
B. Combined with neural network technologies
C. Used to build hard disk controllers
D. Used to design memory caches

Q1994. Identify the contractual provision that is objective and enforceable among the parties involved in a system development life cycle project.
A. Commitment to quality
B. Penalties for late delivery
C. Problem support
D. Project staff skills

Q1995. Identify the correct sequence in the acceptance testing process:
A. Execution, validation, reporting, preparation
B. Validation, Execution, reporting, preparation
C. Preparation, validation, execution, reporting
D. Preparation, execution, validation, reporting

Q1996. Identify the cost that does NOT form part of software package installation or implementation cost.
A. Cost of hardware
B. Cost of file conversion
C. Cost of computer downtime
D. Cost of initial debugging of software

Q1997. Identify the document which is LEAST effective during the acceptance test of applications software.
A. Program source code
B. System requirements definition
C. Software acceptance criteria
D. System external specifications

Q1998. Identify the technique that mostly prevents a system failure from
occurring or facilitates quick recovery from failures.
A. Component isolation
B. Component modularity
C. Component redundancy
D. Information hiding

Q1999. Identify the test-case design technique that is used in unit and integration testing of applications software.
A. White-box, code-based, logic-driven technique
B. Black-box, code-based, data-driven technique
C. White-box, specification-based, logic-driven technique
D. Black-box, specification-based, data-driven technique

Q2000. Identify the wrong statement with respect to structured programming concepts and program modularity.
A. Modules should perform only one principal function
B. Interaction between modules should be minimal
C. Modules should have only one entry and one exit point
D. Modularity means program segmentation

Q2001. In project development, complementary and compensating controls, if properly implemented, ensure the success of the project. Among the four listed below, which DOES NOT act as a complementary or compensating control to any of the others?
A. Users' active involvement in the project
B. Auditor's participation
C. Applying standard system development methodologies
D. Contracting external consultants/contractors

Q2002. In a software development process, the MOST useful parameter or activity for measuring the progress is
A. periodic management review
B. regular interactions by management with developers
C. milestones reached
D. expenses incurred

Q2003. In an ex-post review audit of the system development process, the auditor:
A. evaluates the overall monitoring controls that were exercised in
the system development process
B. evaluates the system development process, in general, as a basis
for reducing the extent of substantive testing needed
C. carries out a substantive test of the system development process
for all accounting application systems within the installation
D. focuses only on the application controls that have been built into
the system to ensure that user requirements are met

Q2004. In an information processing system, certain measures were introduced for improving the quality. An auditor looking for the effectiveness of the measures WILL NOT be assured of the effectiveness by
A. a perceptible reduction in problems reported by users
B. an increased user satisfaction
C. an increase in quality assurance budget by the management
D. a reduction in the maintenance cost of the application

Q2005. In developing a system for automated diagnosis for a hospital, which of the following shall be the MOST important in the design phase?
A. Meeting the project schedule
B. Remaining within the project budget
C. Ensuring software safety
D. Documenting the work meticulously

Q2006. In Information Technology projects, which of the following factors is most crucial?
A. Adhering to the project schedule
B. Anticipating problems
C. Testing the system thoroughly
D. Managing end-user expectations

Q2007. In most GUI applications, when the application is busy processing some data, an hourglass symbol is displayed. Which principle of User-Interface design is in action here?
A. Visual Grammar
B. Shortcuts
C. Focus
D. Safety

Q2008. In order to achieve greater perfection of an already working software system, which method will be adopted?
A. Program changes due to changes in rules, laws, and regulations
B. Program changes due to errors discovered
C. Program changes due to fine tuning of existing systems
D. Program changes due to changes in data formats

Q2009. In order to achieve the requirements of the user, the BEST option in
acquiring an off-the-shelf applications software package is
A. Build or buy
B. Purchase and tailor
C. Lease or purchase
D. Rent or purchase

Q2010. In program development, the bottom-up methodology involves
A. including driver routines to facilitate testing
B. testing of major interfaces only
C. creating prototypes
D. even usage of the resources

Q2011. In terms of Software Configuration Management, baseline refers to:
A. Point of first release of the software
B. Point of latest release of the software
C. Point of latest change to the software
D. Point of change approved in the software and added to the
project database

Q2012. In the system development life cycle approach, which of the following
is MOST likely to be constant?
A. Allocation of resources for purchase of software platforms and
hardware
B. Certain phases can be dropped
C. Each phase will have to be present
D. The sequence of the phases cannot vary

Q2013. In which of the following system development life cycle models does one phase have to be completed before starting another phase?
A. Waterfall model
B. Prototyping model
C. Spiral model
D. Incremental model

Q2014. In which of the five stages of a system life cycle are IT security implications involved?
A. Initiation Phase
B. Implementation Phase
C. Operation/Maintenance Phase
D. All the five stages of the system development life cycle

Q2015. The Incremental Model as an approach adheres to:
A. More of linear sequential, less of prototyping
B. Less of linear sequential, more of prototyping
C. Best practices of both linear sequential and prototyping
D. Is an independent approach.

Q2016. An Information Systems auditor can take part in the system development life cycle as an independent member without jeopardizing his/her audit quality. In which of the following stages will the participation be the MOST effective?
A. Design phase
B. Requirements definition phase
C. Development phase
D. Testing phase

Q2017. Introducing CASE tools in a mainframe environment is MOST likely to encounter
A. huge data conversion efforts
B. lack of technical knowledge
C. dearth of training personnel
D. absence of supportive tools

Q2018. Introduction of CASE tools in an IS environment in the early stages of implementation of a software project will impact the LEAST:
A. data base administrator (DBA)
B. data base designer
C. system designer
D. programmer

Q2019. The IS auditor's participation in the development process improves the quality of the product. In which of the following phases is the participation likely to be LEAST beneficial?
A. Requirements definition
B. Coding
C. Testing
D. Configuration planning

Q2020. Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools impacts the system's performance with a greater load and stress on the system?
A. Test data generators
B. Statistical software packages
C. Test drivers
D. Network traffic analyzers

Q2021. Normally detailed system specifications do NOT include:
A. A systems narrative depicting the systems objectives
B. A systems flow chart
C. Overviews of each program in the system.
D. Program, operations, and user documentation.

Q2022. PC-based analysis and design tools are used along with mainframe computer-based tools. Identify the CASE tool that is required in this situation.
A. Diagramming tools
B. Simulation tools
C. Export/import tools
D. Diagram checking tools

Q2023. Program Evaluation Review Technique charts aid
A. Identification of critical paths, interdependencies of the processes
and slack times on certain paths
B. Keeping a tab on the project cost
C. Keeping a tab on the project schedule
D. Keeping a tab on the programmers

Q2024. Project management needs are addressed first and artificial approach
to development is adopted in
A. rapid prototyping model
B. incremental development model
C. evolutionary development model
D. waterfall model or SDLC model

Q2025. The prototyping approach to system design is resorted to when
A. the SDLC method is chosen
B. the design is for a human resources division of the organization
C. the designer is circumspect about the users' cooperation in spelling out their requirements
D. both the designer and the user are uncertain about the requirements, which are likely to evolve as the design progresses

Q2026. Prototyping methodology is resorted to when:
A. there is no user specification document
B. there is a huge backlog of development work and incomplete
projects
C. the costs and schedule overruns increase by leaps and bounds
D. the need for meeting user requirements is very acute

Q2027. Since it is the end-users who are going to use an application, they must be consulted and their opinions must be incorporated if found reasonable. Which of the following principles of User-Interface Design reflects the above statements?
A. User-Perceptions
B. Context-Sensitivity
C. User Testing
D. Aesthetics

Q2028. Software piracy is a common threat to an organization, so while choosing an application software package what should be the prime consideration?
A. Product portability
B. Vendor support
C. Software licensing
D. Product reliability

Q2029. Software quality assurance suffers MOST when
A. it is treated as another software testing
B. it is left to be inspected after the system is completely developed
C. a quality assurance library is established for subjecting the
programs to test
D. a quality assurance team is constituted for assessing the quality

Q2030. Stovepipe systems evolve more because of
A. End-user development through employee empowerment to develop
B. Centralized development by a core group of professionals
C. Standardizing the system development methodologies
D. Establishing a quality assurance function

Q2031. Structured programming is best described as a technique that:
A. Makes the execution of the program dynamic.
B. Reduces the maintenance time of programs
C. Provides knowledge of program functions.
D. Controls the coding and testing functions in the development
process.

Q2032. Structured programming requires certain features for easy maintenance. In so far as the size of a module in a program is concerned, which of the following shall be the cardinal principle about the size of a module to ensure structured design?
A. Fitting within one sheet of paper
B. Fitting within one page of the computer random memory
C. Module size shall not exceed one block of the hard disk to enable
faster retrieval
D. Size shall be small enough to make comprehension easier

Q2033. Symbolic evaluation is an error detection technique. In which one of the following phases of a system development life cycle is it used?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q2034. System development controls are designed to prevent all of the following
EXCEPT:
A. Lack of project status reports
B. Implementation of unapproved system
C. Lack of adequate program controls.
D. Unauthorised program modification

Q2035. The auditor uses a normative model of the system development process
as a basis for:
A. determining what activities are usually undertaken during system
development
B. describing the activities that are to be carried during system
development that would change the distribution of power within
the organisation
C. determining the activities that should be carried out during system
development
D. determining development activities depending on the
circumstances at hand

Q2036. The comment which is a DISADVANTAGE concerning prototyping is:
A. Development through standard system development approach is
faster than Prototyping.
B. Users do not usually know sufficiently about systems to design
the system.
C. Active user involvement is more in the system development.
D. Change controls are more problematic to achieve than in a
traditional SDLC.

Q2037. Commercial Off-The-Shelf software is:
A. Bought on commercial basis and can be given on rent or lease
B. Controlled by the integrator and the customer
C. Installed at only one place after it is available commercially
D. Maintained and controlled by original developer only

Q2038. The concurrent development model is used when:
A. The project under development is very complex
B. Two projects have to be tracked simultaneously
C. Various projects have to be tracked simultaneously
D. Various activities within a single project have to be tracked
simultaneously

Q2039. The correct sequence in a software systems development project is:
A. Identification, fact-gathering, evaluation, synthesis and installation
B. Identification, evaluation, fact-gathering, synthesis and installation
C. Identification, fact-gathering, synthesis, evaluation and installation
D. Identification, synthesis, fact-gathering, evaluation and installation

Q2040. The Critical path in a program evaluation review technique (PERT) chart
is identified by
A. the project management team looking at the criticality of the
function
B. the maximum slack time carrying path
C. the path containing zero slack time
D. an agreement after discussion among the users and the project
development team

Q2041. The data flow diagram can be used to:
A. Determine how to do a function efficiently
B. Restrict the number of times a function can be performed.
C. Determine requirements of user.
D. It makes the data requirements in a system permanent

Q2042. The definition of beta sites is:
A. software environments where vendors send their product for evaluation from the users' angle
B. software environments where programming teams' productivity is measured and analysed
C. software sites where the demand for the product is evaluated
D. software sites where the vendor commits to ship the product
earlier than others

Q2043. The estimate of time which has the MOST important relevance in evaluation of the activities in a Program Evaluation Review Technique (PERT) chart is:
A. Most Likely time
B. Pessimistic time
C. Actual time
D. Optimistic Time

Q2044. The extent to which a newly developed or acquired system meets the
functionality required of it is determined in:
A. Unit testing of the individual program
B. Function test or whole-of-program test
C. User acceptance test (UAT)
D. Interface test

Q2045. The information systems requirements plan is derived directly from the:
A. information systems applications and general controls plan
B. long term master plan
C. organisational strategic plan
D. information systems strategic plan

Q2046. Information technology pilot projects envisage which of the following concepts?
A. To test a new idea
B. To prove a new concept
C. The idea that not every theory tested will work as expected
D. To explore the use of new technology

Q2047. The main focus of graphical user interface (GUI) environments is:
A. Portability guidelines
B. Human-computer interaction guidelines
C. System navigation guidelines
D. System migration guidelines

Q2048. The major difference between a client/server and a mainframe-based application is NOT likely to occur with regard to which of the following areas, from a system testing viewpoint?
A. The system development environment
B. The system test deliverables
C. The information technology infrastructure
D. The information systems operational support

Q2049. The major risk in the prototyping model is:
A. The prototype becomes the finished system
B. User expectations are inflated
C. No attention is paid to cosmetic details
D. The model is iterated too many times

Q2050. The most important factor while creating test data for checking a system is:
A. Have a sufficient quantity of data for each test case
B. Keep the test data to a minimum to conserve testing time
C. Select a random sample of actual data to ensure adequate
testing
D. Include data which represent conditions that occur in actual
processing

Q2051. The objective of software quality assurance is not:
A. Testing quality into a product
B. Designing quality into the product
C. Designing quality into the process
D. Designing quality into the interfaces

Q2052. The primary difference between program testing and system testing is:
A. program testing is more comprehensive than system testing
B. system testing is concerned with testing all aspects of a system
including user specification document, design document, job
designs and reward system designs
C. programmers have no involvement in system testing, whereas
designers and users are involved in program testing
D. system testing focuses on testing the interfaces between
programs, whereas program testing focuses on individual
programs

Q2053. The primary function of a steering committee is:
A. reviewing the user requirements to ensure that all controls are
considered
B. strategic planning for a computer installation
C. evaluating specific project plans for systems
D. conducting any major feasibility study when it is needed

Q2054. The prototyping approach to software development is most suitable when
A. Reusable components are available
B. The user is not fully aware of the requirements
C. There are time constraints
D. Minor changes have to be made in an existing product

Q2055. The purpose of the program development phase of the SDLC is to:
A. Document a business problem
B. Prepare a high level design of a proposed system solution
C. Expand the general design of an approved system solution
D. Prepare, test, and document all computer programs

Q2056. The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system development. Which of the following models takes care of this aspect?
A. Waterfall model
B. Incremental development model
C. Evolutionary development model
D. Rapid prototyping model

Q2057. The statement which is NOT false regarding end user computing is:
A. Catering to the user’s requirement is more in such systems.
B. Implementation of change control procedures is easier.
C. Since the respective end users download their required data,
duplication of data does not occur.
D. Due to the programming staff not being involved, segregation of
duties is increased.

Q2058. The System Development Tool which gives the BEST results in an
application maintenance function is:
A. Network control programs
B. Tape Management systems
C. Project Management softwares
D. Test data generators

Q2059. The test approach that includes ALL of the system requirements, system design, and system development documents is:
A. Unit testing
B. Integration testing
C. Systems testing
D. Acceptance testing

Q2060. To implement BPR, the best approach would be to:
A. Change marketing strategies in accordance with the data
gathered
B. Develop a plan based on the data gathered
C. Opt for the latest technology, irrespective of its relevance to the
business
D. Wait for an opportune moment, and chalk-out a short-term
strategy

Q2061. Providing the management with appropriate information about the process being used by the software development project and about the products being built is taken care of by:
A. Software quality assurance management
B. Software configuration management
C. Software requirements management
D. Software project management

Q2062. To which one of the following issues should an information systems (IS) auditor participating in a system development life cycle project devote more attention?
A. Technical issues
B. Organizational issues
C. Behavioral issues
D. Contractual issues

Q2063. Under the contingency approach to system development, the major factor affecting the requirements elicitation strategy chosen is the:
A. SDLC approach is a time consuming approach
B. nature of the job and organisational design proposed
C. level of uncertainty surrounding the system
D. likelihood of the sociotechnical design approach being
unsuccessful

Q2064. User acceptance testing (UAT)
A. Is done during conceptualisation of the product to analyse end-user liking towards the product
B. Is the final phase of validation and ensures that the system meets
the requirements of the user
C. Is done after designing, but before in-house testing
D. Involves testing a prototype

Q2065. Weaker manual control over authorization of changes will lead to
A. weaker policy implementation
B. weaker procedure implementation
C. weaker standards implementation
D. weaker change control/configuration management

Q2066. What is the control that should have been in vogue so as to enable
detection of a change made in a payroll program by a computer
operator?
A. Output of the payroll journal’s audit trail.
B. Review of the control totals.
C. Review of the payroll by the payroll department on a regular
basis.
D. Review of console logs for attempted / illegal intrusion.

Q2067. What is the cross-reference in the workbench used for?
A. Producing a cross-reference listing, indicating where all the
program names are declared and used
B. Loading the executable program into the computer memory prior
to execution
C. Processing the design and reporting on errors and anomalies
D. Controlling the execution sequence and viewing the program state
as execution progresses

Q2068. What is the MAJOR difference between business process reengineering (BPR) and business process improvement (BPI)?
A. The enormity of the changes contemplated and implemented
B. In measuring the process performance
C. The amount of focussing the customer needs get
D. The amount of focussing on the processes as primary analytical
units

Q2069. what is the major risk that is faced by a user organization during system
integration projects?
A. Isolated islands of information
B. Processing and computing power
C. Maintenance costs
D. System size and complexity

Q2070. What would you use to enforce integration rules so as to integrate one
component with another?
A. A data flow diagram
B. An entity relationship diagram
C. A state transition diagram
D. A data dictionary

Q2071. When a new system is envisaged to replace a legacy application
system, the next step that requires a detailed analysis is:
A. The Business Plan of the organization
B. The information systems audit plan
C. The organizations information technology architecture
D. How the new application will fit with other applications

Q2072. When a software application is acquired from a vendor, the terms of the
purchase order WILL NOT generally contain:
A. annual maintenance contract terms after the warranty period
B. details of software licence fees and other licence terms
C. terms of acceptance testing
D. dates of future updates and the fees for acquiring them

Q2073. When a systems development project is conceived and the planning
and analysis phase is started, the primary area of concern will be:
A. data
B. development team personnel
C. the platform and tools
D. the processes involved

Q2074. When designing a User-Interface (UI), which principle refers to the
design of UI elements in a way that is easy to relate to everyday
examples?
A. User Profiling
B. Metaphors
C. Consistency
D. Visualisation

Q2075. When input control procedures are designed in the development of an
accounts package, which of the following gets LEAST importance?
A. Validation of the input data
B. Error reporting
C. Error correction
D. Data collection methods

Q2076. Whenever a modification is made to existing software, which of the
following testing approaches should be used?
A. Unit testing
B. Acceptance testing
C. Regression analysis and testing
D. System testing

Q2077. Which among the following is a detective control in a system
development project?
A. Including IS auditor as a member of the project team
B. Periodical design and code walkthroughs
C. Password implementation for vendors and outsourcing team
D. Adopting a standard development methodology for system
development

Q2078. Which of the following controls would protect production programs from
unauthorised modification?
A. Requiring operators to maintain a logbook.
B. Review of control totals.
C. Limiting access to source code by operators.
D. Restricting user access to the computer room.

Q2079. Which is the correct sequence of concluding a software purchase
contract?
A. Receipt of contract terms from vendor, negotiations, modifications
to the terms, approval and execution of agreement
B. Negotiations, receipt of contract terms from vendor, modifications
to the terms, approval and execution of agreement
C. Receipt of contract terms from vendor, modifications to the terms,
negotiations, approval and execution of agreement
D. Receipt of contract terms from vendor, negotiations, approval,
modifications to the terms and execution of agreement

Q2080. Which is the correct sequence of the data design phase in a software
development project?
A. data structure design, data requirements definition, data modeling,
data conversion
B. data conversion, data structure design, data requirements
definition, data modeling
C. data structure design, data conversion, data requirements
definition, data modeling
D. data requirements definition, data modeling, data structure design,
data conversion

Q2081. Which is the correct sequence of events in a software development
project?
A. User requirements definition, technical specifications development,
planning for implementation and system development (coding,
testing etc.)
B. Technical specifications development, user requirements
definition, planning for implementation and system development
(coding, testing etc.)
C. User requirements definition, planning for implementation,
technical specifications development and system
development (coding, testing etc.)
D. Implementation planning, programming, conversion, and system
testing

Q2082. Which is the LEAST important criterion when considering potential
software packages?
A. Vendor staff incompatibility
B. Hardware incompatibility
C. Operating system incompatibility
D. Requiring too much computer memory

Q2083. Which of the following is not part of information systems design?
A. design of the data/information flow
B. design of the user interfaces
C. design of the user specification document layout
D. job design

Q2084. Which of the following factors would bring down the risks most in Joint
Application Design (JAD) meetings?
A. The right software
B. The right people
C. The right training
D. The right hardware

Q2085. Which of the following CANNOT be used for measuring the progress of
a software development project?
A. Appraisal of the performance of the team members by the
superiors
B. Milestone achievement
C. Review of the codes generated
D. Review of the system design

Q2086. Which of the following characteristics of user-developed systems has
been identified in empirical research?
A. usually have only a single user
B. typically obtain data from a centralised database
C. usually do not have basic control validations
D. often perform important, day-to-day operational functions

Q2087. Which of the following computer technologies is a major shift in the
development and maintenance of application systems?
A. RDBMS technology
B. Client/server technology
C. Object-oriented technology
D. Graphical-user interface (GUI) technology

Q2088. Which of the following is addressed by software configuration
management as part of software quality assurance?
A. At what point was the first baseline established?
B. Were the test strategies sufficient to determine whether the
software is safe and effective?
C. What actions were taken in response to the metrics results?
D. What error analysis techniques were used?

Q2089. Which of the following is deemed as good system design practice?
A. High cohesion of modules, low coupling of modules, and high
modularity of programs
B. Low cohesion of modules, high coupling of modules, and high
modularity of programs
C. High cohesion of modules, high coupling of modules, and high
modularity of programs
D. Low cohesion of modules, low coupling of modules, and low
modularity of programs

Q2090. Which of the following is false with regard to software engineering
metrics?
A. It helps in decision-making
B. It does not involve activities like designing, analysis and coding
C. It involves measuring productivity of individual designer
D. Metrics could be of no use or harmful due to wrong analysis

Q2091. Which of the following is most likely to be used to describe sequence
logic?
A. Table structures and table relationships
B. Data flow diagram
C. Business process flow diagrams
D. Structured English

Q2092. Which of the following is NOT a constraint when using Computer Aided
Software Engineering (CASE) tools running on workstations?
A. Lack of multi-user operations
B. Inability to handle large databases
C. Lack of security controls
D. Lack of tools for source code generation

Q2093. Which of the following is not a major benefit of application software
prototyping?
A. Reduction in development costs
B. Faster delivery of the system
C. Meeting user requirements
D. Reduced software maintenance efforts

Q2094. Which of the following is NOT a prerequisite for software system project
planning?
A. Availability of the technical expertise
B. Goals and objectives of the plan
C. The functional requirements
D. Programming area environment and infrastructure

Q2095. Which of the following is not an example of a strategic system
requirement?
A. overall goals and objectives to be accomplished
B. it forms the basis for evaluating the alternatives
C. use a high level language to program the system
D. maintain the existing organisational power structure

Q2096. Which of the following does NOT pertain to change control/configuration
management in a computer-based IS environment?
A. Authorization of change requests
B. Message authorization code (MAC)
C. Authorized checking-in of programs to the library
D. Authorized checking-out of programs to the library

Q2097. Which of the following is not true in respect of expert systems?
A. Expert system knowledge is represented declaratively
B. Expert system computations are performed through symbolic
reasoning
C. Expert system knowledge is combined into program control
D. Expert systems can explain their own actions

Q2098. Which of the following is not true with regard to Black Box Testing?
A. It may leave many program paths untested.
B. Both the tester and programmer are independent of each other.
C. Requires knowledge of internal working of the program.
D. Tests are designed to know if the system is sensitive to certain
input values.

Q2099. Which of the following is not true with regard to Commercial Off-The-Shelf
(COTS) systems?
A. COTS components are highly secure
B. The cost of developing COTS components is very high
C. There is no possibility of mismatch between COTS components
D. The component user has little or no control over the evolution of a
component

Q2100. Which of the following is the most likely sequence of phases in the
system development process?
A. feasibility study, system design, procedures and forms
development, acceptance testing
B. acceptance testing, procedures development, management of the
change process
C. entry and feasibility assessment, problem definition, analysis of
the existing system
D. feasibility study, information analysis, system design, program
development

Q2101. Which of the following is NOT an effective control for program
changes?
A. Independent review of changed program by quality assurance
group
B. Version control
C. Annual reviews of program listing
D. Compilation of source code by IS librarian

Q2102. Which of the following is true regarding software testing?
A. Debugging is the same as software testing.
B. For better results, software testing is done after implementation
of the software.
C. Irrespective of the size of software, the documentation must be
of fixed size.
D. Tests are designed after each level of software specification has
been written.

Q2103. Which of the following is true with regard to the audit of acquisition risks?
A. Conversion costs need not be included in the cost benefit
analysis of the alternatives.
B. Analysis of each alternative takes into account only quantifiable
benefits.
C. The alternative analysis is not a part of the audit of acquisition
risks
D. The non-cost factor is an important part of the alternative analysis
of an acquisition project

Q2104. Which of the following is true with regard to White Box Testing?
A. Output of the program code is not required before the beginning
of the code.
B. It is not very expensive.
C. It may involve testing every line of code.
D. It shows errors caused by omission.

Q2105. Which of the following is true?
A. Workbenches are team based
B. Software Engineering Environments cannot include design and
documentation
C. In an integrated environment the project documents are stored in
different places
D. Software developed could be delivered for target system with a
completely different architecture

Q2106. Which of the following provides control over program maintenance?
A. Annual review of test results.
B. Source code reviewed by the IS auditor.
C. Programmers have access to the program library.
D. A written authorisation for program change to be obtained from
the user department.

Q2107. Which of the following requirements elicitation techniques is most
appropriate when the level of uncertainty surrounding the system to be
designed is the lowest?
A. reviewing the existing system
B. asking others using similar type of system within the industry
C. asking the users of the system
D. deriving the requirements from an existing system

Q2108. Which of the following software defect prevention activities would ensure
the highest Return on Investment?
A. Code inspection
B. Reviews with users/customers
C. Design reviews
D. Unit test

Q2109. Which of the following statements is true with regard to management of
an acquisition project?
A. User involvement in the project is limited only to requirement
analysis stage.
B. It is not necessary for the top management to be involved in an
acquisition project
C. The project team is a mix of people with technical, functional and
contractual abilities.
D. The acquisition plan only specifies the details regarding the schedule
for the contract award.

Q2110. Which of the following system life factors is most difficult to control by
a user organization?
A. The length of time the system will satisfy the needs of the initial
user
B. The rate at which computer technology is expected to advance
C. The probability of continued availability of system support
D. The time required for subsequent acquisition to meet the
requirement

Q2111. Compliance auditing is used to:
A. Complete an audit under accepted auditing standards
B. Eliminate the need for substantive auditing
C. Verify specific balance-sheet and Profit and loss account values
D. Determine the degree to which substantive auditing may be
limited.

Q2112. Due Professional Care” requires an IS auditor to possess which of the


following quality
A. Good amount of programming skills in the required software.
B. Arriving at an correct conclusion based on the facts and figures
available.
C. Evaluating methodology of the audit test results.
D. Skills and judgement that are commonly possessed by IS
practitioners of that speciality.

Q2113. In segregation of duties, the organisation will be exposed to a very HIGH
risk if the duties of
A. Computer Operator and Quality Assurance are combined.
B. The work of a Data entry clerk is also done by a Tape Librarian.
C. A tape librarian are carried out by an application programmer.
D. Systems analyst and database administrator are done by the
same person.

Q2114. During a review of a large data center an IS auditor observed computer
operators acting as backup tape librarians and security administrators.
Which of these situations would be most critical to report to senior
management?
A. Computer operators acting as tape librarians
B. Computer operators acting as security administrators
C. Computer operators acting as tape librarians and security
administrators
D. It is not necessary to report any of these situations

Q2115. Which of the following would be included in an IS strategic plan?
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for IS department

Q2116. In a small organization an employee performs the function of computer
operator and, when the situation demands, modifies programs. Which of
the following should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide separation of duties
C. Procedures that verify that only approved program changes are
implemented
D. Access controls that prevent the operator from making program
modifications

Q2117. Data processing agreements should contain a statement of all the
following EXCEPT:
A. Monitoring and contingency requirements
B. Data access standards
C. Service review options
D. Site security mechanisms

Q2118. Which of the following function(s) is (are) most likely to be performed
by the data administrator?
A. Determining the effects of database redefinition on the internal
schema
B. Formulating data retention and retirement policies
C. Preparing the data validation programs needed to populate the
database
D. Both A and C.

Q2119. Which of the following is not a capability of a librarian package?
A. Determining those programs that have inadequate documentation
B. Addition, modification and deletion of source code
C. Encryption of source code
D. Creating indexes of programs and their attributes

Q2120. Which of the following would provide a mechanism whereby IS
management can determine when and if the activities of the enterprise
have deviated from planned or expected levels?
A. Quality management
B. IS assessment methods
C. Management principles
D. Industry standards/benchmarking

Q2121. Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production
programs
B. Application programmers are implementing changes to test
programs
C. Operations support staff are implementing changes to batch
schedules
D. Database administrators are implementing changes to data
structures.

Q2122. A database administrator is responsible for:
A. Maintaining the access security of data residing on the computers
B. Implementing database definition controls
C. Granting access rights to users
D. Defining system’s data structure

Q2123. A company that has to guarantee zero downtime and 100 percent
functionality would choose which type of backup facility?
A. Redundant
B. Rolling site
C. Cold
D. Warm

Q2124. Risk assessment is a critical component of the BCP process. As such,
which risk-assessment method is scenario-driven and does not assign
numeric values to specific assets?
numeric values to specific assets?
A. Qualitative Risk Assessment
B. Statistical Weighted Risk Assessment
C. Quantitative Risk Assessment
D. Asset-Based Risk Assessment

Q2125. Which of the following best describes the concept and purpose of BCP?
A. BCPs are created to prevent interruptions to normal business
activity
B. BCPs are used to reduce outage times
C. BCPs and procedures are put in place for the response to an
emergency
D. BCPs guarantee the reliability of standby systems

Q2126. What are the three goals of a business impact analysis?
A. Criticality prioritization, downtime estimation, resource
requirements
B. Downtime estimation, resource requirements, defining the
continuity strategy
C. Defining the continuity strategy, criticality prioritization, resource
requirements
D. Criticality prioritization, downtime estimation, documenting the
continuity strategy

Q2127. During the BCP process, which group directs the planning,
implementation, and development of the test procedures?
A. BCP committee
B. Senior business unit management
C. Executive management staff
D. Functional business units

Q2128. During a BIA, a vulnerability assessment is usually performed. What is
its purpose?
A. To determine the impact of the loss of a critical business function
B. To determine the financial cost of preventing an identified
vulnerability
C. To comply with due diligence requirements
D. To determine the nonmonetary cost to the organization of the loss
of a critical business function

Q2129. Which of the following elements of the BCP process includes the
completion of a vulnerability assessment?
A. Business impact assessment
B. Plan approval and implementation
C. Scope and plan initiation
D. Business continuity plan development

Q2130. Which phase of the BCP process includes project parameter definition?
A. Scope and plan initiation
B. Plan approval and implementation
C. Business impact assessment
D. Business continuity plan development

Q2131. Backups ensure that information stored on a workstation or server can
be restored if a disaster or failure occurs. Which type of backup makes
a complete archive of every file?
A. Full backup
B. Complete backup
C. Differential backup
D. Incremental backup
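As an added illustration for Q2131 (not part of the original manual), the following Python models what full, differential and incremental backups each copy and what a restore needs from each chain. The file snapshots are constructed sample data; a file's value is the day it was last modified, and backups are assumed to run at the end of each day.

```python
"""Full, differential and incremental backups compared (added example).

Each backup type is defined by the reference point it copies changes from:
  full         - every file, regardless of when it last changed
  differential - every file changed since the last FULL backup
  incremental  - every file changed since the last backup of ANY type
The snapshots below are constructed sample data, not from any real system.
"""
from dataclasses import dataclass


@dataclass
class BackupSet:
    kind: str    # "full", "differential" or "incremental"
    day: int     # day the backup was taken (assumed end of day)
    files: dict  # file name -> day of last modification that was captured


# Constructed snapshots of one file set at the end of days 0..3.
SNAPSHOTS = {
    0: {"ledger.db": 0, "payroll.csv": 0, "config.ini": 0, "notes.txt": 0},
    1: {"ledger.db": 1, "payroll.csv": 1, "config.ini": 0, "notes.txt": 0},
    2: {"ledger.db": 2, "payroll.csv": 1, "config.ini": 2, "notes.txt": 0},
    3: {"ledger.db": 2, "payroll.csv": 1, "config.ini": 2, "notes.txt": 3},
}


def full_backup(files, day):
    """A full backup is a complete archive of every file."""
    return BackupSet("full", day, dict(files))


def differential_backup(files, day, last_full):
    """Copy everything modified after the last full backup."""
    changed = {name: m for name, m in files.items() if m > last_full.day}
    return BackupSet("differential", day, changed)


def incremental_backup(files, day, last_backup):
    """Copy everything modified after the most recent backup of any kind."""
    changed = {name: m for name, m in files.items() if m > last_backup.day}
    return BackupSet("incremental", day, changed)


def restore(chain):
    """Replay backup sets oldest first; a later copy of a file overwrites an earlier one."""
    state = {}
    for backup in sorted(chain, key=lambda b: b.day):
        state.update(backup.files)
    return state


def run_backup_cycle():
    """Full backup on day 0, then both a differential and an incremental each
    day. Report chain sizes and whether each restore route rebuilds day 3."""
    full = full_backup(SNAPSHOTS[0], 0)
    differentials, incrementals = [], []
    last_backup = full
    for day in (1, 2, 3):
        differentials.append(differential_backup(SNAPSHOTS[day], day, full))
        last_backup = incremental_backup(SNAPSHOTS[day], day, last_backup)
        incrementals.append(last_backup)
    current = SNAPSHOTS[3]
    return {
        "full_files": len(full.files),
        "differential_sizes": [len(b.files) for b in differentials],
        "incremental_sizes": [len(b.files) for b in incrementals],
        # differential route: the full plus only the latest differential
        "differential_restore_ok": restore([full, differentials[-1]]) == current,
        # incremental route: the full plus every incremental taken since it
        "incremental_restore_ok": restore([full] + incrementals) == current,
        # failure mode: one missing set in an incremental chain silently loses updates
        "incremental_missing_set_ok": restore([full, incrementals[-1]]) == current,
    }


if __name__ == "__main__":
    for key, value in run_backup_cycle().items():
        print(f"{key}: {value}")
```

The sizes show the trade-off behind the question: differentials grow every day but a restore needs only two sets, while incrementals stay small but every set since the full must be present, and a gap in that chain is not detected by the restore itself.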

Q2132. Which of the following is not a feature of a hot site?
A. Hot sites can be ready to use in a few hours to at most several
days.
B. Hot sites contain preexisting Internet and network connectivity
C. Equipment and software must be compatible with the data being
backed up
D. A company may have exclusive rights to the facility at which the
hot site is located.

Q2133. A critical first step in disaster recovery and contingency planning is
which of the following?
A. Complete a business impact analysis
B. Determine off-site backup facility alternatives
C. Organize and create relevant documentation
D. Plan testing and drills

Q2134. In disaster recovery, each level of employee should have clearly defined
responsibilities. Which of the following is a responsibility of senior
executives?
A. Oversee budgets and the overall project
B. Develop testing plans
C. Establish project goals and develop plans
D. Identify critical business systems

Q2135. When is the emergency actually over for a company?
A. When all operations and people are moved back into the primary
site
B. When all people are safe and accounted for
C. When operations are safely moved to the off-site facility
D. When a civil official declares that all is safe

Q2136. There are several reasons for a company to develop and implement
a disaster recovery plan. What is the most important goal of disaster
recovery?
A. Protect human life
B. Protect the integrity of the business
C. Protect critical operating systems
D. Protect customer relationships

Q2137. What is the maximum tolerable downtime (MTD) for urgent systems and
functions?
A. 24 hours
B. Minutes to hours
C. 4 to 6 hours
D. 72 hours

Q2138. A company that has to guarantee zero downtime and 100 percent
functionality would choose which type of backup facility?
A. Redundant
B. Rolling site
C. Cold
D. Warm

Q2139. Risk assessment is a critical component of the BCP process. As such,
which risk-assessment method is scenario-driven and does not assign
numeric values to specific assets?
numeric values to specific assets?
A. Qualitative Risk Assessment
B. Statistical Weighted Risk Assessment
C. Quantitative Risk Assessment
D. Asset-Based Risk Assessment

Q2140. Which of the following best describes the concept and purpose of BCP?
A. BCPs are created to prevent interruptions to normal business
activity
B. BCPs are used to reduce outage times
C. BCPs and procedures are put in place for the response to an
emergency
D. BCPs guarantee the reliability of standby systems

Q2141. What are the three goals of a business impact analysis?
A. Criticality prioritization, downtime estimation, resource
requirements
B. Downtime estimation, resource requirements, defining the
continuity strategy
C. Defining the continuity strategy, criticality prioritization, resource
requirements
D. Criticality prioritization, downtime estimation, documenting the
continuity strategy

Q2142. During the BCP process, which group directs the planning,
implementation, and development of the test procedures?
A. BCP committee
B. Senior business unit management
C. Executive management staff
D. Functional business units

Q2143. During a BIA, a vulnerability assessment is usually performed. What is
its purpose?
A. To determine the impact of the loss of a critical business function
B. To determine the financial cost of preventing an identified
vulnerability
C. To comply with due diligence requirements
D. To determine the nonmonetary cost to the organization of the loss
of a critical business function

Q2144. Which of the following elements of the BCP process includes the
completion of a vulnerability assessment?
A. Business impact assessment
B. Plan approval and implementation
C. Scope and plan initiation
D. Business continuity plan development

Q2145. Which phase of the BCP process includes project parameter definition?
A. Scope and plan initiation
B. Plan approval and implementation
C. Business impact assessment
D. Business continuity plan development

Q2146. Backups ensure that information stored on a workstation or server can
be restored if a disaster or failure occurs. Which type of backup makes
a complete archive of every file?
A. Full backup
B. Complete backup
C. Differential backup
D. Incremental backup

Q2147. Which of the following is not a feature of a hot site?
A. Hot sites can be ready to use in a few hours to at most several
days.
B. Hot sites contain preexisting Internet and network connectivity
C. Equipment and software must be compatible with the data being
backed up
D. A company may have exclusive rights to the facility at which the
hot site is located.

Q2148. What is the maximum tolerable downtime (MTD) for urgent systems and
functions?
A. 24 hours
B. Minutes to hours
C. 4 to 6 hours
D. 72 hours

Q2149. A critical first step in disaster recovery and contingency planning is
which of the following?
A. Complete a business impact analysis
B. Determine off-site backup facility alternatives
C. Organize and create relevant documentation
D. Plan testing and drills

Q2150. In disaster recovery, each level of employee should have clearly defined
responsibilities. Which of the following is a responsibility of senior
executives?
A. Oversee budgets and the overall project
B. Develop testing plans
C. Establish project goals and develop plans
D. Identify critical business systems

Q2151. When is the emergency actually over for a company?
A. When all operations and people are moved back into the primary
site
B. When all people are safe and accounted for
C. When operations are safely moved to the off-site facility
D. When a civil official declares that all is safe

Q2152. There are several reasons for a company to develop and implement
a disaster recovery plan. What is the most important goal of disaster
recovery?
A. Protect human life
B. Protect the integrity of the business
C. Protect critical operating systems
D. Protect customer relationships

Answers for Module 4

Q1776 Ans. C Q1804 Ans. C Q1832 Ans. B
Q1777 Ans. B Q1805 Ans. C Q1833 Ans. A
Q1778 Ans. C Q1806 Ans. D Q1834 Ans. B
Q1779 Ans. D Q1807 Ans. A Q1835 Ans. C
Q1780 Ans. A Q1808 Ans. B Q1836 Ans. D
Q1781 Ans. A Q1809 Ans. C Q1837 Ans. A
Q1782 Ans. C Q1810 Ans. A Q1838 Ans. D
Q1783 Ans. B Q1811 Ans. A Q1839 Ans. B
Q1784 Ans. A Q1812 Ans. C Q1840 Ans. C
Q1785 Ans. D Q1813 Ans. C Q1841 Ans. D
Q1786 Ans. C Q1814 Ans. C Q1842 Ans. D
Q1787 Ans. C Q1815 Ans. A Q1843 Ans. A
Q1788 Ans. B Q1816 Ans. A Q1844 Ans. B
Q1789 Ans. C Q1817 Ans. A Q1845 Ans. C
Q1790 Ans. C Q1818 Ans. D Q1846 Ans. B
Q1791 Ans. B Q1819 Ans. C Q1847 Ans. D
Q1792 Ans. D Q1820 Ans. B Q1848 Ans. A
Q1793 Ans. B Q1821 Ans. C Q1849 Ans. C
Q1794 Ans. B Q1822 Ans. B Q1850 Ans. A
Q1795 Ans. B Q1823 Ans. D Q1851 Ans. B
Q1796 Ans. D Q1824 Ans. D Q1852 Ans. D
Q1797 Ans. C Q1825 Ans. C Q1853 Ans. D
Q1798 Ans. A Q1826 Ans. A Q1854 Ans. B
Q1799 Ans. B Q1827 Ans. B Q1855 Ans. D
Q1800 Ans. B Q1828 Ans. A Q1856 Ans. D
Q1801 Ans. B Q1829 Ans. B Q1857 Ans. D
Q1802 Ans. C Q1830 Ans. D Q1858 Ans. C
Q1803 Ans. C Q1831 Ans. A Q1859 Ans. D
Q1860 Ans. D Q1890 Ans. A Q1920 Ans. A
Q1861 Ans. D Q1891 Ans. D Q1921 Ans. A
Q1862 Ans. C Q1892 Ans. C Q1922 Ans. D
Q1863 Ans. C Q1893 Ans. D Q1923 Ans. D
Q1864 Ans. C Q1894 Ans. C Q1924 Ans. D
Q1865 Ans. C Q1895 Ans. D Q1925 Ans. B
Q1866 Ans. A Q1896 Ans. D Q1926 Ans. A
Q1867 Ans. B Q1897 Ans. D Q1927 Ans. A
Q1868 Ans. B Q1898 Ans. B Q1928 Ans. B
Q1869 Ans. B Q1899 Ans. C Q1929 Ans. B
Q1870 Ans. B Q1900 Ans. D Q1930 Ans. B
Q1871 Ans. C Q1901 Ans. B Q1931 Ans. D
Q1872 Ans. B Q1902 Ans. C Q1932 Ans. C
Q1873 Ans. A Q1903 Ans. A Q1933 Ans. D
Q1874 Ans. A Q1904 Ans. A Q1934 Ans. C
Q1875 Ans. C Q1905 Ans. B Q1935 Ans. B
Q1876 Ans. C Q1906 Ans. A Q1936 Ans. C
Q1877 Ans. C Q1907 Ans. D Q1937 Ans. D
Q1878 Ans. C Q1908 Ans. A Q1938 Ans. D
Q1879 Ans. B Q1909 Ans. D Q1939 Ans. B
Q1880 Ans. C Q1910 Ans. D Q1940 Ans. A
Q1881 Ans. C Q1911 Ans. C Q1941 Ans. C
Q1882 Ans. B Q1912 Ans. D Q1942 Ans. D
Q1883 Ans. C Q1913 Ans. C Q1943 Ans. C
Q1884 Ans. D Q1914 Ans. A Q1944 Ans. B
Q1885 Ans. A Q1915 Ans. D Q1945 Ans. A
Q1886 Ans. A Q1916 Ans. D Q1946 Ans. B
Q1887 Ans. C Q1917 Ans. C Q1947 Ans. D
Q1888 Ans. B Q1918 Ans. C Q1948 Ans. B
Q1889 Ans. A Q1919 Ans. C Q1949 Ans. D
Q1950 Ans. A Q1980 Ans. C Q2010 Ans. A
Q1951 Ans. D Q1981 Ans. D Q2011 Ans. D
Q1952 Ans. B Q1982 Ans. B Q2012 Ans. C
Q1953 Ans. B Q1983 Ans. C Q2013 Ans. A
Q1954 Ans. D Q1984 Ans. C Q2014 Ans. D
Q1955 Ans. A Q1985 Ans. C Q2015 Ans. A
Q1956 Ans. A Q1986 Ans. C Q2016 Ans. B
Q1957 Ans. A Q1987 Ans. A Q2017 Ans. A
Q1958 Ans. D Q1988 Ans. C Q2018 Ans. D
Q1959 Ans. A Q1989 Ans. C Q2019 Ans. D
Q1960 Ans. D Q1990 Ans. A Q2020 Ans. B
Q1961 Ans. A Q1991 Ans. C Q2021 Ans. D
Q1962 Ans. A Q1992 Ans. B Q2022 Ans. C
Q1963 Ans. C Q1993 Ans. B Q2023 Ans. A
Q1964 Ans. A Q1994 Ans. B Q2024 Ans. D
Q1965 Ans. B Q1995 Ans. D Q2025 Ans. D
Q1966 Ans. A Q1996 Ans. A Q2026 Ans. A
Q1967 Ans. B Q1997 Ans. A Q2027 Ans. A
Q1968 Ans. C Q1998 Ans. C Q2028 Ans. C
Q1969 Ans. B Q1999 Ans. A Q2029 Ans. B
Q1970 Ans. C Q2000 Ans. D Q2030 Ans. A
Q1971 Ans. A Q2001 Ans. D Q2031 Ans. B
Q1972 Ans. A Q2002 Ans. C Q2032 Ans. D
Q1973 Ans. A Q2003 Ans. B Q2033 Ans. C
Q1974 Ans. B Q2004 Ans. C Q2034 Ans. D
Q1975 Ans. A Q2005 Ans. C Q2035 Ans. C
Q1976 Ans. A Q2006 Ans. D Q2036 Ans. D
Q1977 Ans. C Q2007 Ans. C Q2037 Ans. D
Q1978 Ans. C Q2008 Ans. C Q2038 Ans. D
Q1979 Ans. C Q2009 Ans. B Q2039 Ans. A
Q2040 Ans. C Q2070 Ans. D Q2100 Ans. D
Q2041 Ans. C Q2071 Ans. D Q2101 Ans. C
Q2042 Ans. A Q2072 Ans. D Q2102 Ans. D
Q2043 Ans. A Q2073 Ans. A Q2103 Ans. D
Q2044 Ans. C Q2074 Ans. B Q2104 Ans. C
Q2045 Ans. D Q2075 Ans. D Q2105 Ans. C
Q2046 Ans. C Q2076 Ans. C Q2106 Ans. D
Q2047 Ans. B Q2077 Ans. B Q2107 Ans. C
Q2048 Ans. B Q2078 Ans. C Q2108 Ans. B
Q2049 Ans. A Q2079 Ans. A Q2109 Ans. C
Q2050 Ans. D Q2080 Ans. D Q2110 Ans. B
Q2051 Ans. A Q2081 Ans. A Q2111 Ans. D
Q2052 Ans. D Q2082 Ans. A Q2112 Ans. D
Q2053 Ans. B Q2083 Ans. C Q2113 Ans. C
Q2054 Ans. B Q2084 Ans. B Q2114 Ans. B
Q2055 Ans. D Q2085 Ans. A Q2115 Ans. B
Q2056 Ans. D Q2086 Ans. D Q2116 Ans. C
Q2057 Ans. A Q2087 Ans. C Q2117 Ans. B
Q2058 Ans. D Q2088 Ans. A Q2118 Ans. B
Q2059 Ans. C Q2089 Ans. A Q2119 Ans. A
Q2060 Ans. B Q2090 Ans. B Q2120 Ans. B
Q2061 Ans. A Q2091 Ans. D Q2121 Ans. A
Q2062 Ans. C Q2092 Ans. D Q2122 Ans. B
Q2063 Ans. C Q2093 Ans. A Q2123 Ans. A
Q2064 Ans. B Q2094 Ans. D Q2124 Ans. A
Q2065 Ans. D Q2095 Ans. C Q2125 Ans. A
Q2066 Ans. C Q2096 Ans. B Q2126 Ans. A
Q2067 Ans. A Q2097 Ans. C Q2127 Ans. A
Q2068 Ans. A Q2098 Ans. C Q2128 Ans. A
Q2069 Ans. D Q2099 Ans. D Q2129 Ans. A
Q2130 Ans. A Q2138 Ans. A Q2146 Ans. A
Q2131 Ans. A Q2139 Ans. A Q2147 Ans. A
Q2132 Ans. A Q2140 Ans. A Q2148 Ans. A
Q2133 Ans. A Q2141 Ans. A Q2149 Ans. A
Q2134 Ans. A Q2142 Ans. A Q2150 Ans. A
Q2135 Ans. A Q2143 Ans. A Q2151 Ans. A
Q2136 Ans. A Q2144 Ans. A Q2152 Ans. A
Q2137 Ans. A Q2145 Ans. A

557
DISA Review Questions, Answers Manual – Module 7

Module 7 Questions
Q2153. In order to provide maximum assurance on user identification, the best
method of user authentication should be based on what the user
A. is.
B. knows.
C. has.
D. does.

Q2154. Primary objective of controls is:
A. IT Governance
B. Mitigate risk
C. Securing IT assets
D. Managing employees

Q2155. The controls in Client-Server architecture first address the risks arising out of:
A. Client malfunction.
B. Ping of death attack.
C. Network failure.
D. Application development.

Q2156. A basic control in a real-time application system is a:
A. Audit log.
B. Console log.
C. Terminal log.
D. Transaction log.

Q2157. Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check

Q2158. Which of the following is the first step in Data Classification?
A. Establish Ownership
B. Criticality Analysis
C. Access Definition
D. Data Dictionary

Q2159. Data quality in a data warehouse is achieved by:
A. Cleansing.
B. Restructuring.
C. Ensuring the credibility of source data.
D. Transformation.

Q2160. Which of the following information valuation methods is LEAST likely to be used during a security review?
A. Processing cost
B. Replacement cost
C. Unavailability cost
D. Disclosure cost.

Q2161. IT Security policy is:
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control

Q2162. Defragmentation of hard disk means:
A. Formatting hard disk.
B. Degaussing hard disk.
C. Destroying hard disk.
D. Optimizing hard disk.

Q2163. A user who found and repaired a virus on his workstation should first report to:
A. System administrator.
B. Network administrator.
C. Security administrator.
D. Data Base Administrator.

Q2164. Reconciliation of Control totals is the responsibility of:
A. Computer Operator.
B. Data entry Operator.
C. IS Manager.
D. Input Output Control Group.

Q2165. Which of the following is the highest risk in implementing VoIP (Voice over Internet Protocol)?
A. Disruption (jitter)
B. Packet Loss.
C. Latency.
D. Sniffing.

Q2166. Which of the following would NOT be considered a security threat to Internet web sites?
A. Hackers
B. Crackers
C. Virus writers
D. Asynchronous attacks

Q2167. Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code

Q2168. In the ISO OSI network model, processing and printing documents is handled by:
A. Physical Layer.
B. Transport layer.
C. Application layer.
D. Session layer.

Q2169. During the audit, the control self-assessment questionnaire answered by the local management was made available to the IS Auditor. The IS auditor should:
A. Substantiate the answers.
B. Rely on the answers and do nothing.
C. Ignore it since it is out of scope.
D. Ask for previous audit report instead.

Q2170. The primary objective of an IT security incident response program is to:
A. Reduce the impact of incidents on business.
B. Prevent security breach incidents.
C. Secure communication network.
D. Manage help desk operations.

Q2171. An IS Auditor reviewing the controls in application systems developed in a popular RDBMS requested access to the database to retrieve the records for auditing. Which access rights should the DBA provide to the auditor?
A. Read only for entire database.
B. Read and update for entire database.
C. DBA rights on entire database.
D. All rights on entire database.

Q2172. In a financial organization the transactions are posted into the database by the accounts assistant. A member of managerial staff authorizes the transaction after posting. Which of the following access rights can be allotted to the member of supervising staff in addition to ‘Update the database for confirming authorization of transactions’?
A. Generate report and query the contents of fields from the database.
B. Enter the transactions when accounts assistant is on leave.
C. Change the access rights of other staff members.
D. Necessary rights to modify the programs which update the database.

Q2173. A multinational organization decided to provide its customers access to the organization’s computer system. Which of the following application providing access to customers is MOST secure from intrusion attacks?
A. Interactive Voice responsive system giving and receiving information about customer’s requirements.
B. Online order processing using Internet.
C. Providing direct access terminal at customer’s office.
D. Dial-up access for customer.

Q2174. Which of the following control functions will be most effective due to the
use of Biometric Security solutions?
A. Authentication
B. Access
C. Password
D. Smart Cards

Q2175. Which of the following is the MOST likely reason why e-mail systems
have become a useful source of evidence for litigation?
A. Poor housekeeping leads to excessive cycles of backup files
remaining available.
B. Strong access controls establish accountability for activity on the
e-mail system.
C. Data classification is often used to regulate what information
should be communicated via e-mail.
D. Clear policy for using e-mail within the enterprise ensures that the
right evidence is available.

Q2176. Which of the following is NOT an application control likely to be found in an EDI interface?
A. Hash totals
B. Echo checks
C. Record counts
D. Validity checks

Q2177. Anti-virus software should be used as a:
A. Detective control.
B. Preventive control.
C. Corrective control.
D. Compensating control.

Q2178. Which of the following is a dynamic analysis tool for the purpose of
testing of software modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code

Q2179. An IS auditor’s substantive test reveals evidence of fraud perpetrated from within a manager’s account. The manager had written his
password, allocated by the system administrator, inside his drawer,
which was normally kept locked. The IS auditor concludes that the:
A. Manager’s assistant perpetrated the fraud.
B. Perpetrator cannot be established beyond doubt.
C. Fraud must have been perpetrated by the manager.
D. System administrator could have perpetrated the fraud

Q2180. The risk that an IS auditor uses an inadequate test procedure and
concludes that material errors do not exist when, in fact, they do, is an
example of:
A. Inherent risk.
B. Control risk.
C. Detection risk.
D. Audit risk.

Q2181. Which of the following exposures associated with the spooling of sensitive reports for off-line printing would an IS auditor consider to be the MOST serious?
A. Sensitive data may be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies might be printed.
D. Output would be lost in the event of system failure.

Q2182. An internal IS Auditor had been given charter to audit the software
implementation. During preliminary review the auditor found that the
scope of audit need to be enhanced to include review of software
development process. Which of the following should approve this
change?
A. Chief Information Officer
B. Board of Directors
C. Audit Committee
D. Chief Executive officer

Q2183. An IS auditor is assigned to help design the data security, data integrity
and business continuity aspects of an application under development.
Which of the following provides the MOST reasonable assurance that
corporate assets are protected when the application is certified for
production?
A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the
certification review.
D. An independent review conducted by another equally experienced
IS auditor.

Q2184. Which of the following controls would BEST serve to effectively detect
intrusion?
A. User creation and user privileges are granted through authorized
procedures.
B. Automatic logoff when a workstation is inactive for a particular
period of time.
C. Automatic logoff of the system after a specified number of
unsuccessful attempts.
D. Unsuccessful logon attempts are actively monitored by the
security administrator.

Q2185. Which of the following information is LEAST likely to be contained in a digital certificate for the purposes of verification by a Trusted Third Party (TTP)/Certification Authority (CA)?
A. Name of the TTP/CA
B. Public key of the sender
C. Name of the public key holder
D. Time period for which the key is valid

Q2186. Which of the following access control functions is LEAST likely to be performed by a database management system (DBMS) software package?
A. User access to field data
B. User sign-on at the network level
C. User authentication at the program level
D. User authentication at the transaction level

Q2187. Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding

Q2188. A feature of a digital signature that ensures that the claimed sender
cannot later deny generating and sending the message is:
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding

Q2189. Sign-on procedures include the creation of a unique user-ID and password. However, an IS auditor discovers that in many cases the
user name and password are the same. The BEST control to mitigate
this risk is to:
A. Change the company’s security policy.
B. Educate users about the risk of weak passwords.
C. Build in validations to prevent this during user creation and
password change.
D. Require a periodic review of matching of user-ID and passwords
for detection and correction.

Q2190. Naming conventions for system resources are an important prerequisite for access control because they:
A. Ensure that resource names are not ambiguous.
B. Reduce the number of rules required to adequately protect
resources.
C. Ensure that user access to resources is clearly and uniquely
identified.
D. Ensure that internationally recognized names are used to protect
resources.

Q2191. Which of the following exposures could be caused by a line-grabbing technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexor control dysfunction

Q2192. While auditing IT infrastructure the IS auditor observed that there were no procedures defined for the performance monitoring of the third-party vendor who was assigned the maintenance of hardware with a clause for 99% uptime during business hours. The BEST course for the auditor is:
A. To suggest procedures to functional management and report to
top management.
B. To consult legal counsel for non-performance by the vendor.
C. To request the vendor management to provide necessary uptime
reports.
D. To evaluate the performance of third-party vendor for estimating
expected performance.

Q2193. Which of the following is an advantage of using a local area network (LAN)?
A. LANs protect against virus infection.
B. LANs protect against improper disclosure of data.
C. LANs provide program integrity from unauthorized changes.
D. LANs provide central storage for a group of users.

Q2194. Which of the following is a strength of a client/server security system?
A. Change control and change management procedures are
inherently strong.
B. User can manipulate data without controlling resources on the
mainframe.
C. Network components seldom become obsolete.
D. Access to confidential data or data manipulation is strongly
controlled.

Q2195. An IS auditor reviewing an organization’s information systems disaster recovery plan should verify that it is:
A. Tested every 6 months.
B. Regularly reviewed and updated.
C. Approved by the chief executive officer (CEO).
D. Communicated to every departmental head in the organization.

Q2196. A programmer managed to gain access to the production library, modified a program that was then used to update a sensitive table in the payroll database and restored the original program. Which of the following methods is MOST effective to detect these unauthorized changes?
A. Source code comparison
B. Executable code comparison
C. Integrated Test Facilities (ITF)
D. Periodic review of transaction log files

Q2197. Utilizing audit software to provide code comparisons of production programs is an audit technique used to test program:
A. Logic.
B. Changes.
C. Efficiency.
D. Computations.

Q2198. Observing employees at work will help IS auditor in testing compliance of:
A. Blank Screen Policy
B. Forced password change.
C. Internet Usage.
D. BCP Awareness

Q2199. Given the typical risk ratings below, an IS auditor performing an independent risk rating of critical systems would rate a situation where functions could be performed manually, at a tolerable cost, for an extended period of time as:
A. Critical.
B. Vital.
C. Sensitive.
D. Non-critical.

Q2200. Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?
A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results

Q2201. Which of the following is an implementation risk within the process of decision support systems?
A. Management control
B. Semi-structured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes

Q2202. An IS auditor performing a review of the electronic funds transfer (EFT) operations of a retailing company would verify that the customer’s credit limit is verified before funds are transferred by reviewing the EFT:
A. System’s interface.
B. Switch facility.
C. Personal identification number generating procedure.
D. Operation back-up procedures.

Q2203. Which of the following must be included in the IT governance audit report?
A. Top management is responsible for internal control system of the organization.
B. The system of internal controls provides absolute assurance against material loss.
C. The long-term strategic plan for IT deployment will achieve the defined objectives.
D. The selected IT infrastructure used for IT operations is suitable and completely secure.

Q2204. Which of the following is a primary purpose for conducting parallel testing?
A. To determine if the system is more cost-effective.
B. To enable comprehensive unit and system testing.
C. To highlight errors in the program interfaces with files.
D. To ensure the new system meets all user requirements.

Q2205. Which of the following program change controls is NOT the responsibility
of the user department?
A. Updating documentation to reflect all changes
B. Initiating requests within its scope of authority
C. Approving changes before implementation, based on the results
of testing
D. Approving changes before implementation, based on review of
changes to manual procedures

Q2206. An IS auditor who plans on testing the connection of two or more system components that pass information from one area to another would use:
A. Pilot testing.
B. Parallel testing
C. Interface testing.
D. Regression testing.

Q2207. Which of the following quality mechanisms is MOST likely to occur when a system development project is in the middle of the construction stage?
A. Unit tests
B. Stress tests
C. Regression testing
D. Acceptance testing

Q2208. Which of the following would be a major DISADVANTAGE of using prototyping as a systems development methodology?
A. User expectations of project timescales may be over-optimistic.
B. Effective change control and management is impossible to
implement.
C. User participation in day-to-day project management may be too
extensive.
D. Users are not usually sufficiently knowledgeable to assist in
system development.

Q2209. Which of the following testing methods is MOST effective during the
initial phases of prototyping?
A. System testing
B. Parallel testing
C. Volume testing
D. Top-down testing

Q2210. CORBA and COM/DCOM technologies:
A. Use shared and reusable objects.
B. Establish remote connections.
C. Execute program on remote processors.
D. Prioritize and process messages.

Q2211. Which of the following network configuration options contains a direct link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected mesh

Q2212. A Message Authentication Code (MAC) appended to a message, depending upon the contents of the message, is a:
A. Preventive control
B. Detective Control
C. Corrective control
D. Deterrent control

Q2213. When reviewing the quality of an IS department’s development process, the IS auditor finds that they do not use any formal, documented methodology and standards. The IS auditor’s MOST appropriate action would be to:
A. Complete the audit and report the finding.
B. Investigate and recommend appropriate formal standards.
C. Document the informal standards and test for compliance.
D. Withdraw and recommend a further audit when standards are
implemented.

Q2214. When a new system is to be implemented within a short timeframe, it is MOST important to:
A. Finish writing user manuals.
B. Perform user acceptance testing.
C. Add last-minute enhancements to functionalities.
D. Ensure that code has been documented and reviewed.

Q2215. If the decision has been made to acquire software rather than develop
it internally, this decision is normally made during the:
A. Requirements definition phase of the project.
B. Feasibility study phase of the project.
C. Detailed design phase of the project.
D. Programming phase of the project.

Q2216. When auditing the requirements phase of a software acquisition, an IS auditor would:
A. Assess the adequacy of audit trails.
B. Identify and determine the criticality of the need.
C. Verify cost justifications and anticipated benefits.
D. Ensure that control specifications have been defined.

Q2217. In regard to moving an application program from the test environment to the production environment, the BEST control would be provided by having the:
A. Application programmer copy the source program and compiled
object module to the production libraries.
B. Application programmer copy the source program to the
production libraries and then have the production control group
compile the program.
C. Production control group copy the source program and compile
the object module to the production libraries.
D. Production control group copy the source program to the
production libraries and then compile the program.

Q2218. Which of the following is the FIRST point at which control totals
should be implemented in order to prevent the loss of data during the
processing cycle?
A. During data preparation
B. In transit to the computer
C. Between related computer runs
D. During the return of the data to the user department

Q2219. Functionality is a characteristic associated with evaluating the quality of software products throughout their lifecycle, and is BEST described as the set of attributes that bear on the:
A. Existence of a set of functions and their specified properties.
B. Ability of the software to be transferred from one environment to
another.
C. Capability of software to maintain its level of performance under
stated conditions.
D. Relationship between the level of performance of the software
and the amount of resources used.

Q2220. A company disposing of personal computers that once were used to store confidential data should first:
A. Demagnetize the hard disk.
B. Low level format the hard disk.
C. Delete all data contained on the hard disk.
D. Defragment the data contained on the hard disk.

Q2221. The primary reason for replacing cheques with electronic funds transfer (EFT) systems in the accounts payable area is to:
A. Make the payment process more efficient.
B. Comply with international EFT banking standards.
C. Decrease the number of paper-based payment forms.
D. Reduce the risk of unauthorized changes to payment
transactions.

Q2222. A tax calculation program maintains several hundred tax rates. The
BEST control to ensure that tax rates entered into the program are
accurate is:
A. Independent review of the transaction listing.
B. Programmed edit check to prevent entry of invalid data.
C. Programmed reasonableness checks with 20% data entry range.
D. Visual verification of data entered by the processing department.

Q2223. An IS auditor reviewing database controls discovered that normal processing changes to the database were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation what would be considered an adequate set of compensating controls?
A. Use of DBA user account to make the change.
B. Use of normal user account with access to make changes to the
database.
C. Use of DBA user account to make changes, logging of changes,
as well as before and after image with the changes being
reviewed the following day.
D. Use of normal user account to make changes, logging of change,
as well as before and after image changes being reviewed the
following day.

Q2224. Which of the following database administrator activities is unlikely to be recorded on detective control logs?
A. Deletion of a record
B. Change of a password
C. Disclosure of a password
D. Changes to access rights

Q2225. An IS auditor is assigned to perform a post implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. Implemented a specific control during the development of the
application system.
B. Designed an embedded audit module exclusively for auditing the
application system.
C. Participated as a member of the application system project team,
but did not have operational responsibilities.
D. Provided consulting advice concerning application system best
practices.

Q2226. Which of the following findings would an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files, which are stored in the vault, are synchronized
D. The offsite vault is located in a separate facility

Q2227. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization’s data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response

Q2228. A general hardware control that helps to detect data errors when data
are communicated from one computer to another is known as a:
A. Duplicate check.
B. Table look up.
C. Validity check.
D. Parity check.

Q2229. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:
A. Evaluate the record retention plans for off-premises storage.
B. Interview programmers about the procedures currently being
followed.
C. Compare utilization records to operations schedules.
D. Review data file access records to test the librarian function.

Q2230. A detective control in a computer operation area is:
A. Policy
B. Log
C. Procedure
D. Standard

Q2231. Following an authorized person through a secured door in order to bypass security checks, or gaining unauthorized access through an authorized telecommunications line, is called:
A. Data Diddling.
B. Trap Door.
C. Asynchronous Attack.
D. Piggybacking.

Q2232. An IS auditor is concerned about a software vendor’s request to use a stand-alone Personal Computer to load and demonstrate the latest anti-virus software developed by his firm, because:
A. The Personal Computer has sensitive data.
B. The Personal Computer may be exposed to virus.
C. It is against the Policy of the organization.
D. The anti-virus program may not be tested properly.

Q2233. The IT risk management program of an organization that has implemented extended ERP solutions using Extranet applications, should primarily address the:
A. Business processes.
B. Network connectivity.
C. Hardware and software.
D. Database server.

Q2234. Ownership of Personnel Data File in an organization has been assigned to the MIS Department. The IS auditor feels that it should be with the Personnel Department. What is the MOST serious problem arising out of this ownership?
A. The MIS department may not use the data.
B. The Personnel department may face problems in getting reports.
C. The data may not be up-to-date and accurate.
D. Improper access rules might be implemented.

Q2235. To ensure continued operations data back-ups are stored off-site where
the redundant processing facilities are stored. Which of the following
statements is FALSE?
A. The site should bear the nameplate in order to identify the place
correctly in case of emergency.
B. The site should have similar physical access restriction as that of
original site.
C. The facilities are to be tested periodically in order to ensure
continued availability.
D. The hardware and software should be compatible

Q2236. In a situation where there are frequent power failures for varying periods from 6 to 8 hours, which of the following is the BEST possible solution?
A. Installation of UPS.
B. Installation of power generators.
C. Installation of UPS backed by power generators for prolonged power failure.
D. Redundant power lines from another power sub-station.

Q2237. The PRIMARY objective of performing Domain Integrity testing is:
A. To verify that data conforms to definitions.
B. To verify that data items are in correct domain.
C. To ensure that data item has a legitimate value.
D. To ensure that edit and validation routines are working
satisfactorily.

Q2238. In an overall description of a database, the names of data elements, their characteristics, and their relationship to each other are defined by using a
A. Data definition language
B. Data control language
C. Data manipulation language
D. Data command interpreter language

Q2239. Which of the following is most likely characteristic of a direct access file that uses indexes or dictionaries as its addressing technique when processing randomly?
A. A randomizing formula is used
B. Two accesses are required to retrieve each record.
C. Synonyms will be generated that will result in extra accesses
D. There will be a high incidence of gaps or unassigned physical
records within the file.

Q2240. The manager of computer operations prepares a weekly schedule of planned computer processing and distributes a copy of this schedule to the tape librarian. The control purpose this serves is to:
A. Keep improper transactions from entering the computer facility
B. Specify file retention and backup policies
C. Authorize the release of data files to computer operators
D. Specify the distribution of printed outputs

Q2241. A systems analyst should have access to each of the following except:
A. Source code
B. Password identification tables
C. User procedures
D. Edit criteria

Q2242. Which of the following is not an important element in deciding whether to lease or purchase computer equipment?
A. Cost of money.
B. Tax consideration.
C. Maintenance expense
D. Parallel operations cost

Q2243. CASE (computer-aided software engineering) is the use of the computer
to aid in the development of computer-based information systems.
Which of the following could not be automatically generated with CASE
tools and techniques?
A. Information requirements determination
B. Program logic design
C. Computer program code
D. Program documentation

Q2244. A bank uses scanned signatures of customers to identify and authenticate customers before authorizing the payments. Which of the following processes associated with this system needs maximum controls?
A. Capturing (imaging) the signatures.
B. Retrieving the signature images.
C. Storing the signature images.
D. Displaying the image on monitor.

Q2245. One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of:
A. Echo checks
B. A self-checking digit system
C. Computer-generated hash totals
D. A computer log

Q2246. Which of the following statements regarding security concerns for laptop computers is true?
A. The primary methods of control usually involve general controls.
B. Centralized control over the selection and acquisition of hardware and software is not a major concern.
C. Some traditional controls such as segregation of duties become more important.
D. As their use becomes more sophisticated, the degree of concern regarding physical security decreases.

Q2247. Which of the following is a control that will prevent accessing the
accounts receivable files from a hardwired terminal located in a
manufacturing department?
A. An echo check.
B. A device authorization table.
C. Providing only dial-up terminals.
D. Using data encryption.

Q2248. The telecommunication control of dial-up/disconnect/dial-back can be circumvented by using
A. Dedicated line technology
B. Automatic call forwarding
C. Encryption algorithms
D. High baud rate lines

Q2249. Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that:
A. Backup/restart procedures have been built into job streams and programs.
B. Change control procedures cannot be bypassed by operating personnel.
C. Planned changes in equipment capacities are compatible with projected workloads.
D. Service level agreements with owners of applications are documented.

Q2250. To increase the security of application software, the internal audit director recommended that programmers be given diskless workstations. Using diskless workstations would increase security by
A. Making theft of programs more difficult
B. Reducing workstation maintenance expense
C. Imposing a stricter level of access control
D. Prompting programmers to work more closely together

Q2251. Scavenging for residual information in the main memory of a computer can be best prevented by
A. Resetting the values of memory locations to zero.
B. Requiring passwords for memory access.
C. Setting memory access for asynchronous control.
D. Setting memory access for synchronous control.

Q2252. Security Policy for Information technology of a Bank specifies that all the
employees should clear the screen of monitor when not working. Which
of the following best describes the reason for this policy?
A. Prevent shoulder surfing.
B. Restrict electronic eavesdropping.
C. Save monitor from damage.
D. Avoid password sniffing.

Q2253. An executive of a company received, by mistake, an e-mail from a trading
partner that was meant for another company. Which of the following
is the best action the executive should take?
A. Inform the sender about the mistake and hold the mail for
sender’s disposal.
B. Forward the mail to the system administrator to decide the further
action.
C. Do nothing except deleting the mail from inbox.
D. Forward the mail to the actual recipient of the mail and inform
sender.

Q2254. Authentication is the process by which the:
A. System verifies that the user is entitled to input the transaction
requested.
B. System verifies the identity of the user.
C. User identifies himself to the system.
D. User indicates to the system that the transaction was processed
correctly.

Q2255. The IS auditor has determined that protection of computer files is
inadequate. Which of the following is LEAST likely to have caused this
problem?
A. Arrangements for compatible backup computer facilities
B. Procedures for release of files
C. Offsite storage procedures
D. Environmental controls

Q2256. If inadequate, which of the following would MOST likely contribute to a
denial of service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques

Q2257. Which of the following modes of the Data Encryption Standard (DES) is
the simplest implementation?
A. Electronic codebook (ECB)
B. Cipher block chaining CBC
C. Cipher feedback CFB
D. Output feedback OFB
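Q2257 turns on why ECB is the simplest mode: each block is enciphered on its own, with no initialization vector and no chaining, which is also why it leaks the structure of the plaintext. The following is an added example, not part of the original manual, that implements ECB and CBC over a deliberately toy 8-byte block cipher. The toy cipher (key XOR, byte substitution, one-byte rotation) is an assumption made only so the code runs offline; it stands in for DES and is NOT secure. The point it shows is that repeated plaintext blocks give repeated ciphertext blocks under ECB but not under CBC.

```python
# Added example: ECB vs CBC over a toy 8-byte block cipher.
# The toy cipher is an assumption made only so the example runs offline;
# it is NOT DES and NOT secure. The mode logic is the real point.
BLOCK = 8

# Affine byte substitution: 7 is coprime with 256, so the map is a bijection.
_SBOX = bytes((7 * i + 3) % 256 for i in range(256))
_INV_SBOX = bytearray(256)
for _i, _v in enumerate(_SBOX):
    _INV_SBOX[_v] = _i
_INV_SBOX = bytes(_INV_SBOX)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block: key-XOR, substitute, rotate left one byte."""
    x = bytes(_SBOX[b] for b in _xor(block, key))
    return x[1:] + x[:1]


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: rotate right, un-substitute, key-XOR."""
    x = block[-1:] + block[:-1]
    return _xor(bytes(_INV_SBOX[b] for b in x), key)


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a multiple of BLOCK (always adds 1..BLOCK bytes)."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block enciphered independently; no IV, no chaining."""
    return b"".join(toy_encrypt_block(key, p) for p in blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(toy_decrypt_block(key, c) for c in blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before encryption, so equal plaintext blocks
    at different positions give different ciphertext blocks."""
    out, prev = [], iv
    for p in blocks(pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def distinct_block_count(ciphertext: bytes) -> int:
    """How many distinct ciphertext blocks appear; fewer means leaked structure."""
    return len(set(blocks(ciphertext)))


# Constructed sample: two blocks repeated three times, as a ledger or image might.
KEY = b"8bytekey"
IV = b"fixed_iv"
MESSAGE = b"ATTACK AT DAWN!!" * 3


def demo() -> dict:
    ecb = ecb_encrypt(KEY, MESSAGE)
    cbc = cbc_encrypt(KEY, IV, MESSAGE)
    return {
        "blocks": len(blocks(ecb)),                  # 7 (6 data + 1 padding)
        "ecb_distinct": distinct_block_count(ecb),   # 3: structure visible
        "cbc_distinct": distinct_block_count(cbc),   # 7: structure hidden
        "ecb_roundtrip": ecb_decrypt(KEY, ecb) == MESSAGE,
        "cbc_roundtrip": cbc_decrypt(KEY, IV, cbc) == MESSAGE,
    }


if __name__ == "__main__":
    print(demo())
```

With a real cipher the same test (count distinct ciphertext blocks of a repetitive plaintext) is a quick audit check for ECB use; CBC in turn needs an unpredictable IV per message, which the fixed IV above deliberately does not provide.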

Q2258. An IS auditor needs a network expert to help perform a network
security audit. Who should approve the inclusion of the network engineer in
the audit team?
A. Network Administrator.
B. Chief Information officer.
C. Steering Committee.
D. Audit committee.

Q2259. Which of the following manages the certificate life cycle of public key
pairs to ensure adequate security and controls exist in e-commerce
applications?
A. Registration authority
B. Certificate authority
C. Certificate revocation list
D. Certification practice statement

Q2260. Losses can be minimized MOST effectively by using outside storage
facilities to do which of the following?
A. Include current, critical information in backup files
B. Ensure that current documentation is maintained at the backup
facility
C. Test backup hardware
D. Train personnel in backup procedures

Q2261. Which of the following would guarantee quick continuity of operations
when the recovery time window is short?
A. A duplicated back-up in an alternate site
B. Duplicated data in a remote site
C. Transfer of data the moment a contingency occurs
D. A manual contingency procedure

Q2262. Which of the following is MOST important to have in a disaster recovery
plan?
A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

Q2263. When auditing the proposed acquisition of a new computer system, the
IS auditor should FIRST establish that:
A. A clear business case has been approved by management.
B. Corporate security standards will be met.
C. Users will be involved in the implementation plan.
D. The new system will meet all required user functionality.

Q2264. When implementing an application software package, which of the
following presents the GREATEST risk?
A. Multiple software versions are not controlled
B. Source programs are not synchronized with object code
C. Parameters are not set correctly
D. Programming errors

Q2265. Following the development of an application system, it is determined
that several design objectives have not been achieved. This is MOST
likely to have been caused by:
A. Insufficient user involvement.
B. Early dismissal of the project manager.
C. Inadequate quality assurance (QA) tools.
D. Non-compliance with defined approval points.

Q2266. Which of the following types of firewalls provide the GREATEST degree
and granularity of control?
A. Screening router
B. Packet-filter
C. Application-gateway
D. Circuit-gateway

Q2267. Risk of hash compromise is BEST mitigated using:
A. Digital signatures.
B. Message encryption.
C. Message authentication code.
D. Cryptanalysis.
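The reasoning behind Q2267 is that a bare hash proves nothing to a receiver, because whoever can alter the message can also recompute the hash; a message authentication code binds the digest to a secret the attacker does not hold. The following added example (not from the original manual) shows both cases with Python's standard hmac and hashlib modules. The key and the payment message are constructed for the illustration.

```python
# Added example: why a bare hash does not protect message integrity against an
# active attacker, while a keyed MAC (HMAC) does. The key and sample message
# below are constructed for this illustration.
import hashlib
import hmac


def protect_with_hash(message: bytes) -> tuple:
    """Sender appends SHA-256(message). Anyone can recompute it."""
    return message, hashlib.sha256(message).hexdigest()


def verify_with_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def protect_with_mac(key: bytes, message: bytes) -> tuple:
    """Sender appends HMAC-SHA256(key, message). Needs the shared secret."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_with_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def attacker_rewrites(message: bytes) -> bytes:
    """Attacker on the wire changes the payee; he holds no key."""
    return message.replace(b"PAY 100 TO ALICE", b"PAY 100 TO MALLORY")


def tamper_hash_protected(message: bytes) -> bool:
    """Attacker swaps the message AND recomputes the public hash: verification
    still passes, so the hash alone gave no integrity guarantee."""
    forged = attacker_rewrites(message)
    forged_digest = hashlib.sha256(forged).hexdigest()  # no secret needed
    return verify_with_hash(forged, forged_digest)


def tamper_mac_protected(key: bytes, message: bytes) -> bool:
    """Attacker swaps the message but cannot recompute the tag without the key;
    the best he can do is replay the old tag, which the receiver rejects."""
    _, tag = protect_with_mac(key, message)
    forged = attacker_rewrites(message)
    return verify_with_mac(key, forged, tag)


KEY = b"shared-secret-between-bank-and-branch"   # constructed
MSG = b"PAY 100 TO ALICE"                          # constructed

if __name__ == "__main__":
    print("hash-only forgery accepted:", tamper_hash_protected(MSG))    # True
    print("HMAC forgery accepted:     ", tamper_mac_protected(KEY, MSG))  # False
```

A digital signature (option A) gives the same integrity property with a private key and adds non-repudiation, which a shared-key MAC cannot, since either holder of the key could have produced the tag.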

Q2268. Which of the following is the least likely indicator of segregation of
duties in the auditee area?
A. Job descriptions.
B. Organization charts.
C. Network diagram.
D. IT Security policy.

Q2269. During a post-implementation review of an enterprise resource
management system an IS auditor would MOST likely:
A. Review access control configuration.
B. Evaluate interface testing.
C. Review detailed design documentation.
D. Evaluate system testing.

Q2270. An executable module is about to be migrated from the test environment
to the production environment. Which of the following controls would
MOST likely detect an unauthorized modification to the module?
A. Object code comparison
B. Source code comparison
C. Timestamps
D. Manual inspection

Q2271. While performing the security audit of an information processing facility,
an IS auditor observed a dial-up connection provided to the network node of a
departmental head. The proactive action for the auditor is to inform:
A. IS security manager
B. Audit manager
C. User manager
D. Top management

Q2272. The use of object-oriented design and development techniques would
MOST likely:
A. Facilitate the ability to reuse modules.
B. Improve system performance.
C. Enhance control effectiveness.
D. Speed up the system development life cycle.

Q2273. A dry-pipe fire extinguisher system is a system that uses:
A. Water, but in which water does not enter the pipes until a fire has
been detected.
B. Water, but in which the pipes are coated with special watertight
sealants.
C. Carbon dioxide instead of water.
D. Halon instead of water.

Q2274. Which of the following would provide a mechanism whereby IS
management can determine when, and if, the activities of the enterprise
have deviated from planned, or expected levels?
A. Quality management
B. IS assessment methods
C. Management principles
D. Industry standards/benchmarking

Q2275. Which of the following is the BEST way to handle obsolete magnetic
tapes before disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes

Q2276. Which of the following data entry controls provides the GREATEST
assurance that data entered does not contain errors?
A. Key verification
B. Segregation of the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee’s
initials/user-id and progress of various data preparation and
verification tasks
D. Check digits
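Q2276 lists check digits among the data entry controls. A check digit is computed from the other digits of a key field and keyed in with them, so a mistyped value fails recomputation at entry time. The following is an added example, not from the original manual: it uses the public Luhn (mod 10) algorithm, chosen here as an illustration rather than named by the question, and exercises it against the two classic keying errors. It also shows the control's known gap, the 0/9 adjacent transposition, which is one reason a check digit alone is not the strongest assurance the question asks about.

```python
# Added example: a check digit as a data-entry control, using the public Luhn
# (mod 10) algorithm. The account numbers below are constructed for illustration.
def luhn_check_digit(payload: str) -> str:
    """Compute the check digit for a string of decimal digits. Digits are
    weighted from the right: the one nearest the check digit is doubled, and
    doubled values above 9 have 9 subtracted (the same as summing their digits)."""
    if not payload.isdigit():
        raise ValueError("digits only")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # will sit in an even position once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Validate a number whose last digit is the check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def detection_report(number: str) -> dict:
    """Exercise the control against one wrong digit and against two adjacent
    digits transposed, in the payload positions only. Returns, per error class,
    (errors caught, errors generated)."""
    digits = list(number)
    single_caught = single_total = 0
    for i in range(len(digits) - 1):
        for d in "0123456789":
            if d == digits[i]:
                continue
            trial = digits[:]
            trial[i] = d
            single_total += 1
            single_caught += not luhn_valid("".join(trial))
    trans_caught = trans_total = 0
    for i in range(len(digits) - 2):
        if digits[i] == digits[i + 1]:
            continue                  # swapping equal digits changes nothing
        trial = digits[:]
        trial[i], trial[i + 1] = trial[i + 1], trial[i]
        trans_total += 1
        trans_caught += not luhn_valid("".join(trial))
    return {"single": (single_caught, single_total),
            "transposition": (trans_caught, trans_total)}


if __name__ == "__main__":
    payload = "7992739871"                       # constructed account number
    acct = payload + luhn_check_digit(payload)    # 79927398713
    print(acct, luhn_valid(acct), detection_report(acct))
    # Known gap: "091" and "901" both validate, so a 0/9 swap is not caught.
    print(luhn_valid("091"), luhn_valid("901"))
```

Every single-digit error is caught because the doubling rule maps the ten digits onto ten distinct values mod 10; adjacent transpositions are caught except for 09/90, and errors in two positions can cancel, so the control reduces, rather than eliminates, keying errors.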

Q2277. A universal serial bus (USB) port:
A. Connects the network without a network card.
B. Connects the network with an ethernet adapter
C. Replaces all existing connections.
D. Connects the monitor.

Q2278. How can an enterprise provide access to its intranet (i.e., an extranet)
across the Internet to its business partners?
A. Virtual private network
B. Client/server
C. Dial-in access
D. Network service provider

Q2279. Top management requested that an IS auditor assist departmental
management in the implementation of necessary controls. The IS
auditor should:
A. Inform the management about inability to conduct follow-up audit.
B. Refuse the assignment since it is not the role of IS Auditor.
C. Perform the assignment and follow-up audit with due professional
care.
D. Obtain the approval of user management to perform the
implementation and follow up.

Q2280. In a client/server architecture, a domain name service (DNS) is MOST
important because it provides the:
A. Address of the domain server.
B. Resolution service for the name/address.
C. Resolution on the internet for the name/address.
D. Domain name system.

Q2281. The most effective preventive control against unlicensed software is:
A. Periodic scans.
B. IT Security Policy.
C. Frequent audits.
D. Inventory of licenses.

Q2282. A protocol analyzer:
A. Analyses the traffic as per protocol rules.
B. Measures performance of the network.
C. Prompts for network upgrades.
D. Helps in maintaining networks.

Q2283. In a web server, a common gateway interface (CGI) is MOST often used
as a:
A. Consistent way for data transfer to the application program and
back to the user.
B. Computer graphics imaging method for movie and TV.
C. Graphic user interface for web design.
D. Interface to access the private gateway domain.

Q2284. A virtual private network (VPN) performs which of the following functions?
A. Hides information from sniffers on the net
B. Enforces security policies
C. Detects misuse or mistakes
D. Regulates access

Q2285. In a public key infrastructure (PKI), the authority which is responsible
for the identification and authentication of an applicant for a digital
certificate (i.e., certificate subjects) is the:
A. Registration authority (RA).
B. Issuing certification authority.
C. Subject certification authority.
D. Policy management authority.

Q2286. An IS auditor inspects an organization’s offsite storage and plans to
sample the system and program documentation. The IS auditor is
MOST likely interested in reviewing:
A. Error conditions and user manuals.
B. Application run books.
C. Job stream control instructions.
D. Exception processing instructions.

Q2287. Which of the following disaster recovery/continuity plan components
provides the GREATEST assurance for recovery after a disaster?
A. The requirement that the alternate facility be available until the
original information processing facility is restored.
B. User management involvement in the identification of critical
systems and their associated critical recovery times and the
specification of needed procedures.
C. Copies of the plan kept at the homes of key decision making
personnel.
D. Adequate feedback to management to assure that the business
continuity plans are indeed workable and that the procedures are
current.

Q2288. Which of the following is a continuity plan test that uses actual
resources to simulate a system crash to cost-effectively obtain evidence
about the plan’s effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough

Q2289. An IS auditor participating in new software development projects will
provide an increased contribution and the organization will experience
increased efficiency if:
A. Procedures to identify and document needs and requirements of
the users are established.
B. Procedures to store the developed software are defined in the
systems development life cycle phases.
C. Development, test and production environments are defined
separately from each other.
D. Procedures and formal guidelines are established that identify
each system development life cycle phase.

Q2290. Decisions about the selection, implementation and risk assessment of
extended ERP solutions are part of:
A. Short term plan
B. Long term plan
C. Steering committee meeting
D. Annual General meeting

Q2291. The difference between white-box testing and black-box testing is that
white-box testing:
A. Involves the IS auditor.
B. Is performed by an independent programmer team.
C. Examines the program internal logical structure.
D. Uses the bottom-up approach.

Q2292. Which of the following groups/individuals assume overall direction and
responsibility for costs and timetables of systems development life cycle
projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management

Q2293. Which of the following is the most appropriate indication that prompts a
change of operating system?
A. Vendor’s report.
B. Requirements.
C. Obsolescence.
D. Response time.

Q2294. Verification of the parity bit in network communication is done at which
layer of the ISO OSI network model?
A. Application layer.
B. Presentation layer.
C. Data Link layer.
D. Network layer.

Q2295. Which of the following exposures to data security occurs before
computer security can protect the data?
A. Data diddling.
B. Trap Door.
C. Logic Bomb.
D. Trojan Horse.

Q2296. Failure to adequately define or manage the requirements for a system
can result in a number of risks. The GREATEST risk is:
A. Inadequate user involvement.
B. Inadequate allocation of resources.
C. Requirement change during development.
D. Inadequate estimation of the critical path.

Q2297. Which of the following is a measure of the size of an information system
based on the number and complexity of a system’s inputs, outputs and
files?
A. Program evaluation review technique (PERT)
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. Critical path method (CPM)

Q2298. Which of the following should be performed FIRST when acquiring
software?
A. Identify data processing requirements
B. Compare delivery schedules to requirements
C. Negotiate price
D. Establish business needs

Q2299. The need for the modification of validation and editing routines to
improve efficiency is normally indicated by:
A. Excess overrides.
B. An override activity report.
C. Error control and correction.
D. Separation of duties.

Q2300. Which of the following methodologies is appropriate for planning and
control activities and resources in a system project?
A. Critical path methodology (CPM)
B. Program evaluation review technique (PERT)
C. Gantt charts
D. Function point analysis

Q2301. An enterprise has established a steering committee to oversee its
e-business program. The steering committee would MOST likely be
involved in the:
A. Documentation of software requirements.
B. Escalation of project issues.
C. Design of interface controls between systems.
D. Specification of management reports.

Q2302. An IS auditor reviewing the design phase of the program development
life cycle would seek to determine that:
A. Program documentation provides little evidence about the quality
of the design approach used during software development.
B. Programmers specify the structure and operations of a program
that will satisfy a requirement specification.
C. An object-oriented approach to design is employed when low-
level programming languages are used to develop programs.
D. A formal approach to design is not followed when high-level
languages are used to develop programs.

Q2303. A company uses a bank to process its weekly payroll. Time sheets and
payroll adjustment forms (e.g., hourly rate changes, terminations) are
filled in and delivered to the bank, which prepares cheques and
reports for distribution. To BEST ensure payroll data accuracy:
A. Payroll reports should be compared to input forms.
B. Gross payroll should be recalculated manually.
C. Cheques should be compared to input forms.
D. Cheques should be reconciled with output reports.

Q2304. An external auditor was planning an audit of the effectiveness of IT
controls. Only the internal auditor’s audit report was available, not
the work papers, so the auditor could not determine the type of tests
the internal auditor had performed to assure the effectiveness of the
controls. The auditor should:
A. Change the scope of the audit to include the tests.
B. Refuse to perform the audit until the work papers are made available.
C. Rely on the previous audit report and not the work papers.
D. Defer the tests until the work papers are made available.

Q2305. The performance of traffic flow within a network is handled by which
layer of the ISO OSI model?
A. Data Link.
B. Session.
C. Transport.
D. Network.

Q2306. All of the following are examples of corrective controls except:
A. Transaction trails
B. Passwords
C. Upstream resubmission
D. Automatic error correction

Q2307. Which of the following reports is most useful for an internal auditor in
gaining an understanding of the auditee area?
A. Long term IT plan.
B. Annual financial results
C. Annual financial audit report
D. Minutes of Steering committee meeting

Q2308. Which of the following is an essential process in forensic investigations
to establish the integrity of electronic evidence?
A. Chain of custody
B. Hard disk analysis
C. Third party witness
D. Copy of complaint
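Q2270 (detecting an unauthorized change to an executable before migration) and Q2308 (chain of custody for electronic evidence) rest on the same primitive: a cryptographic hash of the exact bytes, recorded at a trusted point and recomputed later. The following added example, not part of the original manual, implements both uses. The toy "binary", the evidence image, the handler names and the timestamps are constructed for the illustration, and the hash is SHA-256 from Python's standard library.

```python
# Added example for Q2270 and Q2308: a hash of the exact bytes underlies both an
# object code comparison before migration and a forensic chain of custody.
# Binaries, names and times below are constructed for the illustration.
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_object_code(approved: bytes, candidate: bytes) -> Tuple[bool, List[int]]:
    """Object code comparison: returns (identical, byte offsets that differ).
    A length change is reported as differing from the shorter length onwards."""
    if fingerprint(approved) == fingerprint(candidate):
        return True, []
    n = min(len(approved), len(candidate))
    offsets = [i for i in range(n) if approved[i] != candidate[i]]
    offsets.extend(range(n, max(len(approved), len(candidate))))
    return False, offsets


@dataclass
class CustodyEntry:
    handler: str
    action: str
    when: str        # ISO 8601 text; constructed here, not read from a clock
    sha256: str


@dataclass
class EvidenceItem:
    label: str
    image: bytes
    log: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, when: str) -> CustodyEntry:
        """Every hand-over re-hashes the image and appends an entry, so the log
        both names who held the item and proves the bytes did not change."""
        entry = CustodyEntry(handler, action, when, fingerprint(self.image))
        self.log.append(entry)
        return entry

    def custody_intact(self) -> bool:
        """True only if there is at least one entry and every recorded hash
        equals the hash of the image as it is now."""
        current = fingerprint(self.image)
        return bool(self.log) and all(e.sha256 == current for e in self.log)


def demo() -> dict:
    approved = bytes.fromhex("7f454c46" "0102")      # constructed 'binary' from test
    tampered = bytes.fromhex("7f454c46" "0142")      # one byte changed on the way
    identical, offsets = compare_object_code(approved, tampered)

    item = EvidenceItem("disk-image-01", b"constructed disk image bytes")
    item.record("first responder", "acquired", "2015-10-01T09:00:00Z")
    item.record("lab analyst", "received", "2015-10-01T11:30:00Z")
    before = item.custody_intact()
    item.image = item.image + b"!"        # any later alteration breaks the chain
    after = item.custody_intact()
    return {"identical": identical, "offsets": offsets,
            "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Timestamps (option C in Q2270) are metadata that the person making the change can also set, which is why the comparison is made on the object code itself; in the forensic case the recorded hashes are only as trustworthy as the log they sit in, so the log is kept apart from the evidence and signed or witnessed.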

Q2309. An IS auditor observed that some controls defined by the security policy
were not implemented by auditee management. What should the auditor do next?
A. Compliance testing of implemented controls.
B. Substantive testing of implemented controls.
C. Risk assessment of non-implemented controls.
D. Suspend the audit and report to Management.

Q2310. Implementing a questionnaire-based Control Self Assessment program
without creating awareness will result in local management:
A. Answering all questions in affirmative.
B. Treating it as replacement of internal audit.
C. Not analyzing the replies.
D. Treat it as another report to top management.

Q2311. In a small organization only one employee looks after the analysis,
development and maintenance of application software. Which of the
following functions can be entrusted to that employee additionally without
additional controls?
A. Data Base Administrator.
B. Quality Assurance.
C. Computer Operations.
D. System Administration.

Q2312. An IS auditor found that the system administrator performs user
maintenance. Which of the following controls should the auditor check to
ensure fictitious users are not added? Users added into the system should be:
A. Authorized
B. Identified.
C. Authenticated.
D. Registered.

Q2313. While auditing the Business continuity plan for information systems, the
IS auditor should first ensure that the plan:
A. Covers all business processes.
B. Provides for recovery of IT resources.
C. Specifies insurance cover.
D. Has address of alternate site.

Q2314. Which of the following functions in an information processing facility,
if combined, causes serious security concern?
A. Data Base Administrator and System Analyst.
B. Data Base Administrator and Application Programmer.
C. System analyst and Data Entry.
D. System analyst and Application Programmer.

Q2315. The primary objective of an IS auditor’s review of the IT security policy is to:
A. Justify IT implementation projects.
B. Establish the standard of compliance.
C. Understand security technology.
D. Ensure the policy’s update cycle.

Q2316. Which of the following will help management in getting feedback about
the achievement of planned IT goals?
A. Key Goal Indicators.
B. Balanced Scorecard.
C. Critical Success Factors.
D. Key Performance Indicators.

Q2317. The essential difference between an RDBMS and a data warehouse is that a
data warehouse:
A. Stores data in relational tables.
B. Is implemented using RDBMS systems.
C. Stores data in denormalized form.
D. Is implemented before the RDBMS.

Q2318. Which of the following risks in a wireless LAN must be controlled first?
A. Terminals are not connected to server.
B. Unauthorized terminal/client.
C. Possible unauthorized use of LAN.
D. Unauthorized software.

Q2319. Which of the following is most useful in indicating a required
hardware upgrade?
A. Downtime reports.
B. Availability reports.
C. Utilization reports.
D. Error reports.

Q2320. During a business continuity audit an IS auditor found that the BCP
covered only critical applications. The IS auditor should first:
A. Assess the impact on business due to non-availability of
processes not covered.
B. Insist on redesigning the BCP to cover all IS-related processes.
C. Report the findings with recommendations for redesigning the BCP.
D. Look for approval from top management.

Q2321. Which of the following technologies enables a broadband network?
B. Vectoring of multiple channels on single carrier.
C. Packet switching network.
D. Store and forward switch.

Q2322. Scalability of a network refers to:
A. Flexibility to expand network and support new services.
B. Ability to maintain, support and troubleshoot.
C. Continuous and reliable communication service.
D. Communication between disparate technologies.

Q2323. Which of the following is TRUE about outsourcing?
A. It is only a cost-dependent decision.
B. It improves internal technical expertise.
C. It has more control implications.
D. It is the decision of legal department.

Q2324. Which of the following is the highest risk associated with outsourcing
IT-based business processes?
A. Hidden costs.
B. Performance failure.
C. Loss of ownership.
D. Financial viability of vendor.

Q2325. In the event of an outsourcing vendor refusing to allow the internal IS
auditor to perform an audit at the vendor’s site, which of the following is
the best alternative?
A. Review the vendor’s self-audit report.
B. Provide for a penalty clause in the SLA (service level agreement).
C. Review the audit report from independent auditor.
D. Terminate the agreement immediately.

Q2326. An IS auditor’s first concern in an organization adopting recognized
standards (like ISO) is:
A. Compliance of documented procedures.
B. All IT processes are documented.
C. Critical IT processes achieve planned goals.
D. Cost of implementing standards.

Q2327. While auditing a risk management program, the auditor should first
ensure that:
A. Management accepts all natural risks.
B. The program monitors all residual risks.
C. Risk mitigation does not have preventive controls.
D. The program uses qualitative measurement standards.

Q2328. Which of the following will help the auditor in determining the effectiveness
of help desk operations?
A. Problem aging analysis.
B. Query log maintained by the help desk.
C. Problem escalation report.
D. Awareness level of end users.

Q2329. A manufacturing organization has deployed IT-based solutions to reduce
business process cycle time. Which of the following will give
feedback on achieving this objective?
A. Business processes.
B. Network connectivity.
C. Hardware and software.
D. Database server.

Q2330. Exception reports generated by application systems are useful to
management:
A. As compensating control for segregation of duties.
B. As feedback on the processing status.
C. In resolving problems in data processing.
D. In evaluating supervisory performance.

Q2331. An IS auditor gets the first opportunity to understand compliance with the
security policy by:
A. Observing people at work.
B. Reviewing policy document.
C. Performing substantive testing.
D. Reviewing minutes of steering committee meeting.

Q2332. A block sum check in network communication is an extension of:
A. Parity check.
B. Encryption.
C. Sequence check.
D. Hash function.
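Q2294 and Q2332 concern the two error-detection controls of the data link layer: a parity bit per transmitted character, and the block sum check (block check character, BCC) that extends parity into a second dimension across the whole frame. The following is an added example, not part of the original manual, that implements both and shows what each catches and misses. The frame contents and the injected bit flips are constructed for the illustration.

```python
# Added example: per-character (row) parity and a block sum check (block check
# character, BCC) over a frame, showing what each catches. The frame contents
# and the injected errors are constructed for the illustration.
from typing import List, Tuple


def add_parity(c: int) -> int:
    """Even parity over 7 data bits: bit 7 is set when the data has an odd
    number of ones, so every transmitted byte has an even number of ones."""
    if not 0 <= c < 128:
        raise ValueError("7-bit character expected")
    ones = bin(c).count("1")
    return c | ((ones & 1) << 7)


def parity_ok(b: int) -> bool:
    """Receiver side: a byte with an odd number of ones is a detected error."""
    return bin(b).count("1") % 2 == 0


def block_check_char(frame: List[int]) -> int:
    """Block sum check: XOR of all bytes in the frame, i.e. a parity bit per
    bit column. It extends row parity into the second dimension."""
    bcc = 0
    for b in frame:
        bcc ^= b
    return bcc


def encode_block(data: bytes) -> Tuple[List[int], int]:
    """Sender: parity-protect each character, then append the BCC."""
    frame = [add_parity(c) for c in data]
    return frame, block_check_char(frame)


def verify_block(frame: List[int], bcc: int) -> Tuple[List[int], bool]:
    """Receiver: returns indices of characters failing row parity and whether
    the recomputed BCC matches the received one."""
    row_errors = [i for i, b in enumerate(frame) if not parity_ok(b)]
    return row_errors, block_check_char(frame) == bcc


def corrupt(frame: List[int], index: int, mask: int) -> List[int]:
    """Simulate line noise by flipping the bits in `mask` at one position."""
    damaged = list(frame)
    damaged[index] ^= mask
    return damaged


def demo() -> dict:
    frame, bcc = encode_block(b"AUDIT")
    one_bit = corrupt(frame, 2, 0b0000_0001)              # single flip in 'D'
    two_bits = corrupt(frame, 2, 0b0000_0011)             # two flips, same byte
    same_column = corrupt(corrupt(frame, 1, 0b1), 3, 0b1)  # two flips, same column
    return {
        "clean": verify_block(frame, bcc),            # ([], True)
        "one_bit": verify_block(one_bit, bcc),        # ([2], False): both catch it
        "two_bits": verify_block(two_bits, bcc),      # ([], False): only the BCC catches it
        "same_column": verify_block(same_column, bcc) # ([1, 3], True): only row parity catches it
    }


if __name__ == "__main__":
    for name, (rows, bcc_ok) in demo().items():
        print(f"{name:12s} row-parity errors at {rows}, block check ok: {bcc_ok}")
```

Row parity misses any even number of flips within one character; the column check misses an even number of flips within one bit column. Used together they catch either pattern, which is the sense in which the block sum check extends the parity check, but neither is a cryptographic integrity control: a deliberate modifier simply recomputes both.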

Q2333. While auditing hardware acquisition the IS auditor should first ensure
that:
A. Request for Proposal is in accordance with requirement analysis.
B. Hardware is selected on the basis of throughput.
C. Request for proposal was sent to all vendors.
D. Selected hardware was offered at lowest cost.

Q2334. Which of the following feature of Job Scheduling software will be most
useful in ensuring successful completion of scheduled jobs?
A. Sequencing of processes.
B. Completion and error reporting.
C. Documentation of system.
D. Defined job dependencies.

Q2335. A centralized database server is accessed by users from various
geographical locations. Concurrency controls provided in this system
primarily ensure:
A. Integrity of data.
B. Usability of data.
C. Confidentiality of data.
D. Availability of data.

Q2336. Pictographic writing systems such as Japanese use Unicode for
communication. The conversion of Unicode to ASCII is handled by the:
A. Session layer.
B. Presentation layer.
C. Application layer.
D. Network layer.

Q2337. An IS auditor was asked to audit an ERP implementation. The auditor did
not have prior experience of ERP implementation. The auditor should:
A. Take help of independent skilled professional.
B. Refuse the assignment in absence of required skills.
C. Attend the training program on implementation of ERP.
D. Conduct the audit with due professional care.

Q2338. Some organizations have a ‘required paid vacation’ policy for their
employees. The purpose of this policy is:
A. A motivating incentive for hard-working employees.
B. To increase the opportunity to discover fraudulent/irregular activities
of the employee.
C. Rest and recuperation, which refresh the mind and improve the
quality of life.
D. To give the opportunity to spend more time with family.

Q2339. Cross-training means training by colleagues. It helps in decreasing
dependence on one employee, but it has some risks associated with it.
Which of the following is the MOST serious risk?
A. A risk that all trained employees are absent at the same time.
B. A risk that back-up personnel may be over-worked.
C. A risk of one person knowing all parts of the system.
D. A risk of not having control over the situation described in C.

Q2340. It was decided to introduce image processing techniques for the handling
of documents. The IS auditor is concerned about the use of this technique.
Which of the following is the PRIMARY reason for the IS auditor’s concern?
A. The image processing software is very expensive.
B. Inadequate training may result in poor quality of images.
C. Imaging system may change or eliminate the traditional controls.
D. Workflow processes may have to be redesigned.

Q2341. Which of the following would BEST ensure the proper updating of critical
fields in master records?
A. Field checks.
B. Control totals.
C. Reasonableness checks.
D. Before and after maintenance report.

Q2342. While auditing the computer installation, the internal IS auditor found a
virus-infected file. What should the IS auditor do FIRST?
A. Report to the IS manager and top management about the
presence of virus.
B. Inform the IS manager about the infection so as to enable him to
take the necessary steps.
C. Disinfect or Erase the infected file and check other computer
systems for infection.
D. Check the other computer systems whether they have similar
infection.

Q2343. Programmers frequently create entry points into a program for
debugging purposes and/or insertion of new program code at a later
date. These entry points are called:
A. Logic bombs.
B. Worms.
C. Trap doors.
D. Trojan horses.

Q2344. The system administrator of a public utility company has to change the
access rights of users frequently, due to changes in roles on account of
leave and/or transfers of employees. Which of the following should the system
administrator do first?
A. Verify authorization.
B. Create a new user id.
C. Change access rights.
D. Grant the new role.

Q2345. The auditor observed that, in the absence of explicit mention in the SLA,
the third party has appointed a sub-contractor to perform the outsourced
function. The auditor should FIRST:
A. Look for the auditability option in the third party and sub-contractor.
B. Ascertain the control of the third party over the sub-contractor.
C. Report the absence of mention of sub-contracting in the SLA.
D. Report the risk associated with such an arrangement.

Q2346. Which of the following is NOT a feature of an uninterruptible power
supply (UPS)?
A. A UPS provides electrical power to a computer in the event of a
power failure.
B. A UPS system is an external piece of equipment or can be built
into the computer itself.
C. A UPS should function to permit an orderly computer shutdown.
D. A UPS uses a greater wattage into the computer to ensure
enough power is available.

Q2347. Which of the following would BEST ensure continuity of a wide area
network (WAN) across the organization?
A. Built-in alternative routing
B. Full system back-up taken daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server

Q2348. Cryptographic processing depends on the use of keys, which are of
primary importance in the security of a cryptographic system. Which of
the following key algorithms decrypts data with the same key used for
encryption?
A. Symmetric key algorithm.
B. Asymmetric key algorithm.
C. Symmetric and public key algorithm.
D. Asymmetric and secret key algorithm.

Q2349. Risk management consists of risk assessment and risk mitigation. Which
of the following is NOT an element of risk mitigation?
A. Measure risk.
B. Select appropriate safeguards.
C. Implement and test safeguards.
D. Accept residual risks.

Q2350. Which of the following controls can validate a transaction?
A. Authorization of the transaction by supervisory personnel in an
adjacent department.
B. Use of programs to check the transaction against criteria set by
management.
C. Authorization of the transaction by a department supervisor prior
to the batch process.
D. Use of key field verification techniques in data entry.

Q2351. As business functions change, pre-printed forms and other supplies
are also likely to change. Which one of the following actions poses a
MAJOR risk to the organization?
A. The inventory list at the off-site location is not updated.
B. The inventory list at the backup computer and recovery facility is not
updated.
C. The emergency or alternate supplier is not assessed as to
whether or not he is still in business.
D. Outdated materials are not culled from useful supplies.

Q2352. Your organization has hired a security consulting firm to test the
logical access security of dial-up connections. Which of the following
persons is the security firm MOST likely to hire?
A. Hackers.
B. Crackers.
C. Hardware Engineer
D. Software Engineer.

Answers for Module 4
Q2153 Ans. A Q2173 Ans. A Q2193 Ans. C
Q2154 Ans. C Q2174 Ans. A Q2194 Ans. A
Q2155 Ans. B Q2175 Ans. A Q2195 Ans. D
Q2156 Ans. A Q2176 Ans. B Q2196 Ans. A
Q2157 Ans. B Q2177 Ans. A Q2197 Ans. A
Q2158 Ans. A Q2178 Ans. B Q2198 Ans. D
Q2159 Ans. B Q2179 Ans. A Q2199 Ans. D
Q2160 Ans. A Q2180 Ans. C Q2200 Ans. B
Q2161 Ans. B Q2181 Ans. A Q2201 Ans. C
Q2162 Ans. A Q2182 Ans. A Q2202 Ans. B
Q2163 Ans. A Q2183 Ans. C Q2203 Ans. C
Q2164 Ans. C Q2184 Ans. D Q2204 Ans. D
Q2165 Ans. B Q2185 Ans. A Q2205 Ans. B
Q2166 Ans. A Q2186 Ans. A Q2206 Ans. B
Q2167 Ans. A Q2187 Ans. B Q2207 Ans. B
Q2168 Ans. B Q2188 Ans. D Q2208 Ans. B
Q2169 Ans. A Q2189 Ans. A Q2209 Ans. D
Q2170 Ans. A Q2190 Ans. B Q2210 Ans. A
Q2171 Ans. A Q2191 Ans. B Q2211 Ans. A
Q2172 Ans. A Q2192 Ans. A Q2212 Ans. C

Q2213 Ans. A Q2243 Ans. C Q2273 Ans. C
Q2214 Ans. C Q2244 Ans. C Q2274 Ans. D
Q2215 Ans. C Q2245 Ans. B Q2275 Ans. A
Q2216 Ans. C Q2246 Ans. C Q2276 Ans. B
Q2217 Ans. B Q2247 Ans. A Q2277 Ans. C
Q2218 Ans. C Q2248 Ans. A Q2278 Ans. D
Q2219 Ans. C Q2249 Ans. B Q2279 Ans. D
Q2220 Ans. A Q2250 Ans. B Q2280 Ans. A
Q2221 Ans. C Q2251 Ans. B Q2281 Ans. A
Q2222 Ans. B Q2252 Ans. A Q2282 Ans. B
Q2223 Ans. D Q2253 Ans. B Q2283 Ans. B
Q2224 Ans. C Q2254 Ans. C Q2284 Ans. B
Q2225 Ans. C Q2255 Ans. D Q2285 Ans. A
Q2226 Ans. A Q2256 Ans. C Q2286 Ans. A
Q2227 Ans. C Q2257 Ans. B Q2287 Ans. A
Q2228 Ans. B Q2258 Ans. C Q2288 Ans. A
Q2229 Ans. D Q2259 Ans. A Q2289 Ans. A
Q2230 Ans. A Q2260 Ans. D Q2290 Ans. A
Q2231 Ans. B Q2261 Ans. A Q2291 Ans. A
Q2232 Ans. D Q2262 Ans. A Q2292 Ans. A
Q2233 Ans. C Q2263 Ans. A Q2293 Ans. C
Q2234 Ans. C Q2264 Ans. C Q2294 Ans. A
Q2235 Ans. A Q2265 Ans. B Q2295 Ans. A
Q2236 Ans. A Q2266 Ans. B Q2296 Ans. A
Q2237 Ans. A Q2267 Ans. B Q2297 Ans. A
Q2238 Ans. C Q2268 Ans. C Q2298 Ans. A
Q2239 Ans. A Q2269 Ans. D Q2299 Ans. B
Q2240 Ans. A Q2270 Ans. A Q2300 Ans. C
Q2241 Ans. D Q2271 Ans. B Q2301 Ans. C
Q2242 Ans. A Q2272 Ans. D Q2302 Ans. D

Q2303 Ans. D Q2320 Ans. C Q2337 Ans. A
Q2304 Ans. D Q2321 Ans. D Q2338 Ans. A
Q2305 Ans. B Q2322 Ans. B Q2339 Ans. A
Q2306 Ans. C Q2323 Ans. D Q2340 Ans. D
Q2307 Ans. C Q2324 Ans. D Q2341 Ans. A
Q2308 Ans. A Q2325 Ans. B Q2342 Ans. A
Q2309 Ans. A Q2326 Ans. A Q2343 Ans. C
Q2310 Ans. B Q2327 Ans. A Q2344 Ans. A
Q2311 Ans. B Q2328 Ans. B Q2345 Ans. A
Q2312 Ans. B Q2329 Ans. A Q2346 Ans. A
Q2313 Ans. D Q2330 Ans. A Q2347 Ans. A
Q2314 Ans. A Q2331 Ans. C Q2348 Ans. A
Q2315 Ans. C Q2332 Ans. A Q2349 Ans. A
Q2316 Ans. A Q2333 Ans. C Q2350 Ans. B
Q2317 Ans. D Q2334 Ans. A Q2351 Ans. C
Q2318 Ans. A Q2335 Ans. C Q2352 Ans. A
Q2319 Ans. D Q2336 Ans. D
