14. Which of the following is the best tool to extract data that is relevant to the audit?
A. Integrated auditing
B. Generalized audit software
C. Automated work papers
D. Continuous auditing

15. You have been asked to perform an audit of the disaster-recovery procedures. As part of this process, you must use statistical sampling techniques to inventory all backup tapes. Which of the following descriptions best defines what you have been asked to do?
A. Continuous audit
B. Integrated audit
C. Compliance audit
D. Substantive audit

16. According to ISACA, which of the following is the fourth step in the risk-based audit approach?
A. Gather information and plan
B. Perform compliance tests
C. Perform substantive tests
D. Determine internal controls

17. Which general control procedure most closely maps to the information systems control procedure that specifies, “Operational controls that are focused on day-to-day activities”?
A. Business continuity and disaster-recovery procedures that provide reasonable assurance that the organization is secure against disasters
B. Procedures that provide reasonable assurance for the control of database administration

20. You have been asked to implement a continuous auditing program. With this in mind, which of the following should you first identify?
A. Applications with high payback potential
B. The format and location of input and output files
C. Areas of high risk within the organization
D. Targets with reasonable thresholds

21. Which of the following should be the first step for organizations wanting to develop an information security program?
A. Upgrade access-control software to a biometric or token system
B. Approve a corporate information security policy statement
C. Ask internal auditors to perform a comprehensive review
D. Develop a set of information security standards

22. Which of the following is primarily tasked with ensuring that the IT department is properly aligned with the goals of the business?
A. Chief executive officer
B. Board of directors
C. IT steering committee
D. Audit committee

23. The balanced scorecard differs from historic measurement schemes, in that it looks at more than what?
A. Financial results
B. Customer satisfaction
C. Internal process efficiency
D. Innovation capacity
24. Which of the following is the purpose of enterprise architecture (EA)?
A. Ensure that internal and external strategy are aligned
B. Map the IT infrastructure of the organization
C. Map the IT infrastructure of the organization and ensure that its design maps to the organization’s strategy
D. Ensure that business strategy and IT investments are aligned

25. Which of the following types of planning entails an outlook of greater than three years?
A. Daily planning
B. Long-term planning
C. Operational planning
D. Strategic planning

26. A new IT auditor has been asked to examine some processing, editing, and validation controls. Can you help define the control shown in Figure E.2?
A. Validity check
B. Reasonableness check
C. Existence check
D. Range check
Figure E.2.

28. Which of the following is the best method to identify problems between procedure and activity?
A. Policy review
B. Direct observation
C. Procedure review
D. Interview

29. You are working with a risk-assessment team that is having a hard time calculating the potential financial loss to the company’s brand name that could result from a risk. What should the team do next?
A. Calculate the return on investment (ROI)
B. Determine the single loss expectancy (SLE)
C. Use a qualitative approach
D. Review actuary tables

30. What operation-migration strategy has the highest possible level of risk?
A. Parallel
B. Hard
C. Phased
D. Intermittent

31. Many organizations require employees to rotate to different positions. Why?
A. Help deliver effective and efficient services
B. Provide effective cross-training
C. Reduce the opportunity for fraud or improper or illegal acts
D. Increase employee satisfaction
74. If asked to explain the equal error rate (EER) to another auditor, what would you say?
A. The EER is used to determine the clipping level used for password lockout.
B. The EER is a measurement that indicates the point at which FRR equals FAR.
C. The EER is a rating used for password tokens.
D. The EER is a rating used to measure the percentage of biometric users who are allowed access and who are not authorized users.

75. You have been asked to head up the audit of a business application system. What is one of the first tasks you should perform?
A. Interview users
B. Review process flowcharts
C. Evaluate controls
D. Determine critical areas

76. Closed-circuit TV (CCTV) systems are considered what type of control?
A. Corrective
B. Detective
C. Preventive

79. Which of the following issues ticket-granting tickets?
A. The Kerberos authentication service
B. The RADIUS authentication service
C. The Kerberos ticket-granting service
D. The RADIUS ticket-granting service

80. Which of the following is the most important corrective control that an organization has the capability to shape?
A. Audit plan
B. Security assessment
C. Business continuity plan
D. Network topology

81. Which one of the following is not considered an application system testing technique?
A. Snapshots
B. Mapping
C. Integrated test facilities
D. Base case system evaluation

82. Which of the following statements regarding recovery is correct?
A. The greater the recovery point objective (RPO), the more tolerant the process is to interruption.
B. The less the recovery time objective (RTO), the longer the process can take to be restored.
C. The less the RPO, the more tolerant the process is to interruption.
D. The greater the RTO, the less time the process can take to be restored.

83. Which of the following best defines the service delivery objective (SDO)?
A. Defines the maximum amount of time the organization can provide services at the alternate site
B. Defines the level of service provided by alternate processes
C. Defines the time that systems can be offline before causing damage
D. Defines how long the process can take to be restored

84. During which step of the business continuity planning (BCP) process is a risk assessment performed?
A. Project management and initiation
B. Plan design and development
C. Recovery strategy
D. Business impact analysis

D. The percentage of legitimate users who are denied access

89. Class A fires are comprised of which of the following?
A. Electronic equipment
B. Paper
C. Oil
D. Metal

90. You are performing an audit of an organization’s physical security controls, specifically, emergency controls. When doors that use relays or electric locks are said to fail soft, what does that mean?
A. Locks of this type fail open.
B. Locks of this type are easy to pick.
C. Locks of this type fail closed.
D. Locks of this type are hard to pick.

91. Which type of database is represented by Figure E.7?
A. Relational
B. Network
C. Hierarchical
D. Floating flat
Figure E.7.
108. An objective of the implementation phase of a newly installed system can include which of the following?
A. Conducting a certification test
B. Determining user requirements
C. Assessing the project to see if expected benefits were achieved
D. Reviewing the designed audit trails

109. Which of the following is the best example of a processing control?
A. Exception reports
B. Sequence check
C. Key verification
D. Logical relationship check

110. Which of the following devices is most closely related to the data link layer?
A. Hub
B. Repeater
C. Bridge
D. Router

111. Which of the following provides the capability to ensure the validity of data through various stages of processing?
A. Manual recalculations
B. Programming controls
C. Run-to-run totals
D. Reasonableness verification

112. You overheard the database administrator discussing normalizing some tables. What is the purpose of this activity?
A. Decrease redundancy
B. Increase redundancy
C. Decrease application malfunction
D. Increase accuracy

115. Referential integrity is used to prevent which of the following?
A. Attribute errors
B. Relational errors
C. Dangling tuples
D. Integrity constraints

116. Which of the following best describes the difference between accreditation and certification?
A. Certification is initiated after the accreditation of the system to ensure that the system meets required standards.
B. Certification is initiated before accreditation to ensure that quality personnel are using the newly designed systems.
C. Accreditation is issued after certification. Accreditation is a management function, while certification is a technical function.
D. Production and management might see accreditation and certification as basically one and the same.

117. You have been asked to review the organization’s planned firewall design. As such, which of the following best describes the topology shown in Figure E.9?
A. Packet filter
B. Screened subnet
C. Screened host
D. Dual-homed host
Figure E.9.