CISA Practice Exam Questions

1. Which type of sampling is best when dealing with population characteristics such as dollar amounts and weights?
A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

2. Which of the following sampling techniques is generally applied to compliance testing?
A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

3. To guarantee the confidentiality of client information, an auditor should do which of the following when reviewing such information?
A. Contact the CEO or CFO and request what sensitive information can and cannot be disclosed to authorities
B. Assume full responsibility for the audit archive and stored data
C. Leave all sensitive information at the owners’ facility
D. Not back up any of his or her work papers

4. Which of the following best describes materiality?
A. An audit technique used to evaluate the need to perform an audit
B. The principle that individuals, organizations, and the community are responsible for their actions and might be required to explain them
C. The auditor’s independence and freedom from conflict of interest
D. An auditing concept that examines the importance of an item of information in regard to the impact or effect on the entity being audited

5. Which of the following sampling techniques is best to use to prevent excessive sampling?
A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

6. Which of the following descriptions best defines auditor independence?
A. The auditor has high regard for the company and holds several hundred shares of the company’s stock
B. The auditor has a history of independence and even though the auditor has a niece that is employed by the company, he has stated that this is not a concern
C. The auditor has previously given advice to the organization’s design staff while employed as the auditor
D. The auditor is objective, not associated with the organization, and free of any connections to the client

7. Which of the following meets the description “the primary objective is to leverage the internal audit function by placing responsibility of control and monitoring onto the functional areas”?
A. Integrated auditing
B. Control self-assessment
C. Automated work papers
D. Continuous auditing

8. Which of the following sampling techniques would be best to use if the expected discovery rate is extremely low?
A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

9. Which of the following offers how-to information?
A. Standards
B. Policy
C. Guidelines
D. Procedures

10. The type of risk that might not be detected by a system of internal controls is defined as which of the following?
A. Control risk
B. Audit risk
C. Detection risk
D. Inherent risk

11. Which of the following items makes computer-assisted audit techniques (CAAT) important to an auditor?
A. A large amount of information is obtained by using specific techniques to analyze systems.
B. An assistant or untrained professional with no specialized training can utilize CAAT tools, which frees up the auditor to participate in other activities.
C. CAAT requires more human involvement in the analysis than multifunction audit utilities.
D. CAAT requires the auditor to reduce the sampling rate and provides a more narrow audit coverage.

12. The risk that a material error will occur because of weak controls or no controls is known as which of the following?
A. Control risk
B. Audit risk
C. Detection risk
D. Inherent risk

13. You have been asked to audit a series of controls. Using Figure E.1 as your reference, what type of control have you been asked to examine?
A. Amount total
B. Hash total
C. Item total
D. Data checksum
Figure E.1.

14. Which of the following is the best tool to extract data that is relevant to the audit?
A. Integrated auditing
B. Generalized audit software
C. Automated work papers
D. Continuous auditing

15. You have been asked to perform an audit of the disaster-recovery procedures. As part of this process, you must use statistical sampling techniques to inventory all backup tapes. Which of the following descriptions best defines what you have been asked to do?
A. Continuous audit
B. Integrated audit
C. Compliance audit
D. Substantive audit

16. According to ISACA, which of the following is the fourth step in the risk based audit approach?
A. Gather information and plan
B. Perform compliance tests
C. Perform substantive tests
D. Determine internal controls

17. Which general control procedure most closely maps to the information systems control procedure that specifies, “Operational controls that are focused on day-to-day activities”?
A. Business continuity and disaster-recovery procedures that provide reasonable assurance that the organization is secure against disasters
B. Procedures that provide reasonable assurance for the control of database administration
C. System-development methodologies and change-control procedures that have been implemented to protect the organization and maintain compliance
D. Procedures that provide reasonable assurance to control and manage data-processing operations

18. Which of the following is the best example of a detective control?
A. Access-control software that uses passwords, tokens, and/or biometrics
B. Intrusion-prevention systems
C. Backup procedures used to archive data
D. Variance reports

19. Which of the following is not one of the four common elements needed to determine whether fraud is present?
A. An error in judgment
B. Knowledge that the statement was false
C. Reliance on the false statement
D. Resulting damages or losses

20. You have been asked to implement a continuous auditing program. With this in mind, which of the following should you first identify?
A. Applications with high payback potential
B. The format and location of input and output files
C. Areas of high risk within the organization
D. Targets with reasonable thresholds

21. Which of the following should be the first step for organizations wanting to develop an information security program?
A. Upgrade access-control software to a biometric or token system
B. Approve a corporate information security policy statement
C. Ask internal auditors to perform a comprehensive review
D. Develop a set of information security standards

22. Which of the following is primarily tasked with ensuring that the IT department is properly aligned with the goals of the business?
A. Chief executive officer
B. Board of directors
C. IT steering committee
D. Audit committee

23. The balanced score card differs from historic measurement schemes, in that it looks at more than what?
A. Financial results
B. Customer satisfaction
C. Internal process efficiency
D. Innovation capacity

24. Which of the following is the purpose of enterprise architecture (EA)?
A. Ensure that internal and external strategy are aligned
B. Map the IT infrastructure of the organization
C. Map the IT infrastructure of the organization and ensure that its design maps to the organization’s strategy
D. Ensure that business strategy and IT investments are aligned

25. Which of the following types of planning entails an outlook of greater than three years?
A. Daily planning
B. Long-term planning
C. Operational planning
D. Strategic planning

26. A new IT auditor has been asked to examine some processing, editing, and validation controls. Can you help define the control shown in Figure E.2?
A. Validity check
B. Reasonableness check
C. Existence check
D. Range check
Figure E.2.

27. Senior management needs to select a strategy to determine who will pay for the information system’s services. Which of the following payment methods is known as a “pay as you go” system?
A. Single cost
B. Shared cost
C. Chargeback
D. Sponsor pays

28. Which of the following is the best method to identify problems between procedure and activity?
A. Policy review
B. Direct observation
C. Procedure review
D. Interview

29. You are working with a risk-assessment team that is having a hard time calculating the potential financial loss to the company’s brand name that could result from a risk. What should the team do next?
A. Calculate the return on investment (ROI)
B. Determine the single loss expectancy (SLE)
C. Use a qualitative approach
D. Review actuary tables

30. What operation-migration strategy has the highest possible level of risk?
A. Parallel
B. Hard
C. Phased
D. Intermittent

31. Many organizations require employees to rotate to different positions. Why?
A. Help deliver effective and efficient services
B. Provide effective cross-training
C. Reduce the opportunity for fraud or improper or illegal acts
D. Increase employee satisfaction

32. The balanced score card looks at four metrics. Which of the following is not one of those metrics?
A. External operations
B. The customer
C. Innovation and learning
D. Financial data

33. You have been assigned to a software-development project that has 80 linked modules and is being developed for a system that handles several million transactions per year. The primary screen of the application has data items that carry up to 20 data attributes. You have been asked to work with the audit staff to determine a true estimate of the development effort. Which of the following is the best technique to determine the size of the project?
A. White-boxing
B. Black-boxing
C. Function point analysis
D. Source lines of code

34. Which of the following is the preferred tool for estimating project time when a degree of uncertainty exists?
A. Program Evaluation and Review Technique (PERT)
B. Source lines of code (SLOC)
C. Gantt
D. Constructive Cost Model (COCOMO)

35. Which of the following techniques is used to determine what activities are critical and what the dependencies are among the various tasks?
A. Compiling a list of each task required to complete the project
B. COCOMO
C. Critical path methodology (CPM)
D. Program Evaluation and Review Technique (PERT)

36. Which of the following is considered a traditional system development lifecycle model?
A. The waterfall model
B. The spiral development model
C. The prototyping model
D. Incremental development

37. You have been assigned as an auditor to a new software project. The team members are currently defining user needs and then mapping how the proposed solution meets the need. At what phase of the SDLC are they?
A. Feasibility
B. Requirements
C. Design
D. Development

38. Which of the following is not a valid output control?
A. Logging
B. Batch controls
C. Security signatures
D. Report distribution

39. The following question references Figure E.3. Item A refers to which of the following?
A. Foreign key
B. Tuple
C. Attribute
D. Primary key
Figure E.3.

40. You have been asked to suggest a control that could be used to determine whether a credit card transaction is legitimate or potentially from a stolen credit card. Which of the following would be the best tool for this need?
A. Decision support systems
B. Expert systems
C. Intrusion-prevention systems
D. Data-mining techniques

41. You have been asked to suggest a control that can be used to verify that batch data is complete and was transferred accurately between two applications. What should you suggest?
A. A control total
B. Check digit
C. Completeness check
D. Limit check

42. Which of the following types of programming language is used to develop decision support systems?
A. 2GL
B. 3GL
C. 4GL
D. 5GL

43. You have been asked to work with a new project manager. The project team has just started work on the payback analysis. Which of the following is the best answer to identify the phase of the system development lifecycle of the project?
A. Feasibility
B. Requirements
C. Design
D. Development

44. In many ways, IS operations is a service organization because it provides services to its users. As such, how should an auditor recommend that the percentage of help-desk or response calls answered within a given time be measured?
A. Uptime agreements
B. Time service factor
C. Abandon rate
D. First call resolution

45. What is the correct term for items that can occur without human interaction?
A. Lights out
B. Automated processing
C. “Follow the sun” operations
D. Autopilot operations

46. Which of the following is an example of a 2GL language?
A. SQL
B. Assembly
C. FORTRAN
D. Prolog

47. When discussing web services, which of the following best describes a proxy server?
A. Reduces load for the client system
B. Improves direct access to the Internet
C. Provides an interface to access the private domain
D. Provides high-level security services

48. Regarding cohesion and coupling, which is best?
A. High cohesion, high coupling
B. High cohesion, low coupling
C. Low cohesion, low coupling
D. Low cohesion, high coupling

49. Bluetooth class 1 meets which of the following specifications?
A. Up to 5 m of range and .5 mW of power
B. Up to 10 m of range and 1 mW of power
C. Up to 20 m of range and 2.5 mW of power
D. Up to 100 m of range and 100 mW of power

50. When discussing electronic data interface (EDI), which of the following terms best describes the device that transmits and receives electronic documents between trading partners?
A. Value Added Network (VAN)
B. X12
C. Communications handler
D. Electronic Data Interchange For Administration Commerce And Transport (EDIFACT)

51. Which type of network is used to connect multiple servers to a centralized pool of disk storage?
A. PAN
B. LAN
C. SAN
D. MAN

52. The following question references Figure E.4. Item C refers to which of the following?
A. Foreign key
B. Tuple
C. Attribute
D. Primary key
Figure E.4.

53. Which layer of the OSI model is responsible for packet routing?
A. Application
B. Transport
C. Session
D. Network

54. Which of the following types of testing is usually performed at the implementation phase, when the project staff is satisfied with all other tests and the application is ready to be deployed?
A. Final acceptance testing
B. System testing
C. Interface testing
D. Unit testing

55. Which of the following devices can be on the edge of networks for basic packet filtering?
A. Bridge
B. Switch
C. Router
D. VLAN

56. MAC addresses are most closely associated with which layer of the OSI model?
A. Data link
B. Network
C. Session
D. Physical

57. The IP address of 128.12.3.15 is considered to be which of the following?
A. Class A
B. Class B
C. Class C
D. Class D

58. Which of the following statements is most correct? RIP is considered...
A. A routing protocol
B. A routable protocol
C. A distance-vector routing protocol
D. A link-state routing protocol

59. Which of the following test types is used after a change to verify that inputs and outputs are correct?
A. Regression testing
B. System testing
C. Interface testing
D. Pilot testing

60. Which of the following is an example of a 5GL language?
A. SQL
B. Assembly
C. FORTRAN
D. Prolog

61. Which of the following types of network topologies is hard to expand, with one break possibly disabling the entire segment?
A. Bus
B. Star
C. Token Ring
D. Mesh

62. What is the most important reason to use plenum-grade cable?
A. Increased network security
B. Less attenuation
C. Less cross-talk
D. Fire-retardant coating

63. Which of the following copper cable network configurations is considered the most secure from eavesdropping or interception?
A. A switched VLAN using multimode fiber cable
B. A Token Ring network using Cat 5 cabling
C. A switched network that uses Cat 5e shielded cable
D. A bus network using 10BASE2 cabling

64. Which of the following is an iterative development method in which repetitions are referred to as sprints and typically last 30 days?
A. Scrum
B. Extreme programming
C. RAD
D. Spiral

65. Which type of database is shown in Figure E.5?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.5.

66. As a new auditor, you have been asked to review network operations. Which of the following weaknesses should you consider the most serious?
A. Data files can be amended or changed by supervisors.
B. Data files can be lost during power outages because of poor backup.
C. Sensitive data files can be read by managers.
D. Copies of confidential reports can be printed by anyone.

67. Which of the following is the best example of a control mechanism to be used to control component failure or errors?
A. Redundant WAN links
B. Just a Bunch of Disks/Drives (JBOD)
C. RAID 0
D. RAID 1

68. Which of the following is the best technique for an auditor to verify firewall settings?
A. Interview the network administrator
B. Review the firewall configuration
C. Review the firewall log for recent attacks
D. Review the firewall procedure

69. Which of the following is not a circuit-switching technology?
A. DSL
B. POTS
C. T1
D. ATM

70. Which of the following uses a process to standardize code modules to allow for cross-platform operation and program integration?
A. Component-based development (CBD)
B. Web-based application development (WBAD)
C. Object-oriented systems development (OOSD)
D. Data-oriented system development (DOSD)

71. Data warehouses are used to store historic data of an organization. As such, which of the following is the most accurate way to describe data warehouses?
A. Subject-oriented
B. Object-oriented
C. Access-oriented
D. Control-oriented

72. Which of the following access-control models allows the user to control access?
A. Mandatory access control (MAC)
B. Discretionary access control (DAC)
C. Role-based access control (RBAC)
D. Access control list (ACL)

73. While auditing the identification and authentication system, you want to discuss the best method you reviewed. Which of the following is considered the strongest?
A. Passwords
B. Tokens
C. Two-factor authentication
D. Biometrics

74. If asked to explain the equal error rate (EER) to another auditor, what would you say?
A. The EER is used to determine the clipping level used for password lockout.
B. The EER is a measurement that indicates the point at which FRR equals FAR.
C. The EER is a rating used for password tokens.
D. The EER is a rating used to measure the percentage of biometric users who are allowed access and who are not authorized users.

75. You have been asked to head up the audit of a business application system. What is one of the first tasks you should perform?
A. Interview users
B. Review process flowcharts
C. Evaluate controls
D. Determine critical areas

76. Closed-circuit TV (CCTV) systems are considered what type of control?
A. Corrective
B. Detective
C. Preventive
D. Delayed

77. According to ISACA, the second step in the business continuity planning (BCP) process is which of the following?
A. Project management and initiation
B. Plan design and development
C. Recovery strategy
D. Business impact analysis

78. You have been asked to review the documentation for a planned database. Which type of database is represented by Figure E.6?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.6.

79. Which of the following issues ticket-granting tickets?
A. The Kerberos authentication service
B. The RADIUS authentication service
C. The Kerberos ticket-granting service
D. The RADIUS ticket-granting service

80. Which of the following is the most important corrective control that an organization has the capability to shape?
A. Audit plan
B. Security assessment
C. Business continuity plan
D. Network topology

81. Which one of the following is not considered an application system testing technique?
A. Snapshots
B. Mapping
C. Integrated test facilities
D. Base case system evaluation

82. Which of the following statements regarding recovery is correct?
A. The greater the recovery point objective (RPO), the more tolerant the process is to interruption.
B. The less the recovery time objective (RTO), the longer the process can take to be restored.
C. The less the RPO, the more tolerant the process is to interruption.
D. The greater the RTO, the less time the process can take to be restored.

83. Which of the following best defines the service delivery objective (SDO)?
A. Defines the maximum amount of time the organization can provide services at the alternate site
B. Defines the level of service provided by alternate processes
C. Defines the time that systems can be offline before causing damage
D. Defines how long the process can take to be restored

84. During which step of the business continuity planning (BCP) process is a risk assessment performed?
A. Project management and initiation
B. Plan design and development
C. Recovery strategy
D. Business impact analysis

85. When auditing security for a data center, the auditor should look for which of the following as the best example of long-term power protection?
A. Standby generator
B. Uninterrupted power supply
C. Surge protector
D. Filtered power supply

86. Which of the following would be considered the most complex continuous audit technique?
A. Continuous and intermittent simulation (CIS)
B. Snapshots
C. Audit hooks
D. Integrated test facilities

87. Which of the following is not a replacement for Halon?
A. FM-200
B. NAF-S-3
C. FM-100
D. Argon

88. When discussing biometrics, what do Type 1 errors measure?
A. The point at which the false rejection rate (FRR) equals the false acceptance rate (FAR)
B. The accuracy of the biometric system
C. The percentage of illegitimate users who are given access
D. The percentage of legitimate users who are denied access

89. Class A fires are comprised of which of the following?
A. Electronic equipment
B. Paper
C. Oil
D. Metal

90. You are performing an audit of an organization’s physical security controls, specifically, emergency controls. When doors that use relays or electric locks are said to fail soft, what does that mean?
A. Locks of this type fail open.
B. Locks of this type are easy to pick.
C. Locks of this type fail closed.
D. Locks of this type are hard to pick.

91. Which type of database is represented by Figure E.7?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.7.

92. Systems control audit review file and embedded audit modules (SCARF/EAM) is an example of which of the following?
A. Output controls
B. Continuous online auditing
C. Input controls
D. Processing controls

93. Which type of access rights control model is widely used by the DoD, NSA, CIA, and FBI?
A. MAC
B. DAC
C. RBAC
D. ACL

94. Why is the protection of processing integrity important?
A. To maintain availability to users so they have the availability to copy and use data without delay
B. To protect data from unauthorized access while in transit
C. To prevent output controls from becoming tainted
D. To maintain data encryption on portable devices so that data can be relocated to another facility while being encrypted

95. A privacy impact analysis (PIA) is tied to several items. Which of the following is not one of those items?
A. Technology
B. Processes
C. People
D. Documents

96. Which of the following is ultimately responsible for the security practices of the organization?
A. Security advisory group
B. Chief security officer
C. Executive management
D. Security auditor

97. Which of the following guarantees that all foreign keys reference existing primary keys?
A. Relational integrity
B. Referential integrity
C. Entity integrity
D. Tracing and tagging

98. Which of the following would a company extend to allow network access to a business partner?
A. Internet
B. Intranet
C. Extranet
D. VLAN

99. What term is used to describe the delay that information will experience from the source to the destination?
A. Echo
B. Latency
C. Delay
D. Congestion

100. You have been asked to describe what security feature can be found in the wireless standard 802.11a. How will you respond?
A. Wi-Fi Protected Access (WPA)
B. Wired Equivalent Privacy (WEP)
C. Temporal Key Integrity Protocol (TKIP)
D. Wi-Fi Protected Access 2 (WPA2)

101. Which of the following is not a packet-switching technology?
A. X.25
B. ISDN
C. Frame Relay
D. ATM

102. Transport-layer security (TLS) can best be described as being found between which two layers of the OSI model?
A. Layers 2 and 3
B. Layers 3 and 4
C. Layers 4 and 5
D. Layers 5 and 6

103. Which of the following descriptions highlights the importance of domain name service (DNS)?
A. Address of a domain server
B. Resolves fully qualified domain names to IP addresses
C. Resolves known IP address for unknown Internet addresses
D. Resolves IP and MAC addresses needed for delivery of Internet data

104. Using Figure E.8 as a reference, which of the following best describes a 10BASE5 network design?
A. Item A
B. Item B
C. Item C
D. Item D
Figure E.8.

105. You have been asked to describe a program that can be classified as terminal-emulation software. Which of the following would you mention?
A. Telnet
B. FTP
C. SNMP
D. SMTP

106. Which of the following services operates on ports 20 and 21?
A. Telnet
B. FTP
C. SMTP
D. DHCP

107. Which layer of the OSI model is responsible for reliable data delivery?
A. Data link
B. Session
C. Transport
D. Network

108. An objective of the implementation phase of a newly installed system can include which of the following?
A. Conducting a certification test
B. Determining user requirements
C. Assessing the project to see if expected benefits were achieved
D. Reviewing the designed audit trails

109. Which of the following is the best example of a processing control?
A. Exception reports
B. Sequence check
C. Key verification
D. Logical relationship check

110. Which of the following devices is most closely related to the data link layer?
A. Hub
B. Repeater
C. Bridge
D. Router

111. Which of the following provide the capability to ensure the validity of data through various stages of processing?
A. Manual recalculations
B. Programming controls
C. Run-to-run totals
D. Reasonableness verification

112. You overheard the database administrator discussing normalizing some tables. What is the purpose of this activity?
A. Decrease redundancy
B. Increase redundancy
C. Decrease application malfunction
D. Increase accuracy

113. Which of the following is not included in a PERT chart?
A. The most optimistic time the task can be completed in
B. The most cost-effective scenario for the task
C. The worst-case scenario or longest time the task can take
D. The most likely time the task will be completed in

114. Verifications such as existence checks can best be described as:
A. A processing control that is considered preventive
B. A validation edit control that is considered preventive
C. A processing control that is considered detective
D. A validation edit control that is considered detective

115. Referential integrity is used to prevent which of the following?
A. Attribute errors
B. Relational errors
C. Dangling tuples
D. Integrity constraints

116. Which of the following best describes the difference between accreditation and certification?
A. Certification is initiated after the accreditation of the system to ensure that the system meets required standards.
B. Certification is initiated before accreditation to ensure that quality personnel are using the new designed systems.
C. Accreditation is issued after certification. Accreditation is a management function, while certification is a technical function.
D. Production and management might see accreditation and certification as basically one and the same.

117. You have been asked to review the organization’s planned firewall design. As such, which of the following best describes the topology shown in Figure E.9?
A. Packet filter
B. Screened subnet
C. Screened host
D. Dual-homed host
Figure E.9.

118. Which of the following database designs is considered a lattice structure because each record can have multiple parent and child records? Although this design can work well in stable environments, it can be extremely complex.
A. The hierarchical database-management systems
B. The relational database-management systems
C. The network database-management systems
D. The structured database-management systems

119. Which of the following is not used when calculating function point analysis?
A. Number of user inquiries
B. Number of files
C. Number of user inputs
D. Number of expected users

120. Which of the following is an example of an interpreted programming language?
A. FORTRAN
B. Assembly
C. Basic
D. Java

121. Which of the following is an example of a 4GL language?
A. SQL
B. Assembly
C. FORTRAN
D. Prolog

122. Which of the following databases takes the form of a parent/child structure?
A. The hierarchical database-management systems
B. The relational database-management systems
C. The network database-management systems
D. The structured database-management systems

123. You have been asked to explain rings of protection and how the concept applies to the supervisory mode of the operating system (OS). Which of the following is the best description?
A. System utilities should run in supervisor mode.
B. Supervisor state allows the execution of all instructions, including privileged instructions.
C. Supervisory mode is used to block access to the security kernel.
D. Rings are arranged in a hierarchy from least-privileged to the most-privileged as the most trusted usually has the highest ring number.

124. You have been asked to design a control. The organization would like to limit what check numbers are used. Specifically, they would like to be able to flag a check numbered 318 if the day’s first check had the number 120 and the day’s last check was number 144. What type of validation check does the department require?
A. Limit check
B. Range check
C. Validity check
D. Sequence check

125. Which of the following descriptions best describes a delay window?
A. The time between when an event occurs and when the audit record is reviewed
B. The time between when an incident occurs and when it is addressed
C. The time between when an event occurs and when the audit record is recorded
D. The difference between a threshold and a trigger

126. You have been asked to review a console log. What type of information should you expect to find?
A. Names and passwords of system users
B. Application access and backup times
C. System errors
D. Errors from data edits

127. During a software change process, auditors might be asked to verify existing source code at some point. What is the most effective tool for auditors to compare old and new software for unreported changes?
A. Function point analysis (FPA)
B. Manual review of the software
C. Variation tools
D. Source code comparison software

128. Which of the following is not a valid processing control?
A. Authorization
B. Processing
C. Validation
D. Editing

129. Which of the following is not part of the project-management triangle?
A. Scope
B. Time
C. Resources
D. Cost

130. Using Figure E.10 as a reference, place the four recovery time objectives in their proper order.
A. Items A, B, C, D
B. Items B, C, D, A
C. Items D, A, C, B
D. Items C, B, D, A
Figure E.10.

131. When dealing with project-management issues, which of the following is ultimately responsible and must ensure that stakeholders’ needs are met?
A. Stakeholders
B. Project steering committee
C. Project manager
D. Quality assurance

132. Projects must take on an organizational form. These organizational forms or frameworks can be either loosely structured or very rigid. Which project form matches the description “The project manager has no real authority, and the functional manager remains in charge”?
A. Weak matrix
B. Pure project
C. Balanced matrix
D. Influence

133. Which of the following is the best description of the Constructive Cost Model (COCOMO)?
A. COCOMO is a model that forecasts the cost and schedule of software development, including the number of persons and months required for the development.
B. COCOMO is a model that forecasts network costs associated with hardware, the physical medium, and trained personnel.
C. COCOMO is a forecast model that estimates the time involved in producing a product and shipping to the end user.
D. COCOMO is a model that forecasts the construction of additional companies associated with organizational growth.

134. Which of the following software-estimating methods does not work as well in modern development programs because additional factors that are not considered will affect the overall cost?
A. Facilitated Risk Assessment Process (FRAP)
B. Gantt
C. Function point analysis (FPA)
D. Source lines of code (SLOC)

135. Which of the following is the best example of a quantitative risk assessment technique?
A. The Delphi technique
B. Facilitated risk-assessment process
C. Actuarial tables
D. Risk rating of high, medium, or low