(391687872) Cisa -mock_exam

views

Upcoming SlideShare

Loading in...5×

2 of 58

L i k e S h a r e S a v e CISA exam 100 practice question C I S A e x a m 10 0 p r a c t i c e q u e s t i o n b y A r s h a d A J a v e d 192 7 v i e w s CISA Review Courses - Slides Part2 C I S A R e v i e w C o u r s e s - S l i d e s P a r t 2 b y I y a d M o u r t ad a 115 9

v i e w s CISA Review Course Slides - Part1 C I S A R e v i e w C o u r se S l i d e s - P a r t 1 b y I y a d M o u r t ad a

170 7 v i e w s Cisa certified-information-systems-... C i s a c e r t i f i e d - i n f o r m a t i o n - s y s t e m s - .. . b y M a t ee n 7 6

1446 7 v i e w s Sybex cisa-certified-information-sy... S y be x c i s a - c e r t i f i e d - i n f o r m a t i o n - s y .. . b y s a m d x b2 4

909 9 v i e w s Passing CISA P a ss i n g C I S A b y a n i l b a b l a d i 228 0 v i e w s CISA Summary V1.0 C I S A S u mm a r y V 1 . 0 b y c h r i s t i a n r e i n a 457 3 v i e w s Information Systems Audit & CISA Pr... I n f o r m a t i o n S y s t e m s A u d i t & C I S A P r .. . b y D o n a l d H e s t e r 52 1 v i e w s CISA - Web based Course Informatio... CISA - Web based Course Informatio... b y V i d h y a S a m pa t h K u .. . 170 9 v i e w s Self-Serving CISA Study Guide Online S e l f - S e r v i n g C I S A S t u d y G u i d e O n l i n e b y s t e f a nh e n r y 120 5

v i e w s Chap1 2007 Cisa Review Course C h ap 1 200 7 C i s a R e v i e w C o u r se b y D e s m o n d D e v e n d r a n

1012 5 v i e w s It audit presentation_icap I t a u d i t p r e s e n t a t i o n _ i c a p b y I n s t i t u t e o f C o s t.. . 1537 5 v i e w s

Like this? Share it with your network

Share

Cisa -mock_exam 13,927

A l a m e l u B a b u

+ F o ll o w

0 1 0 0

Up loaded on Nov 24, 2011

More in: B u s i n e ss , T e c hno l og y

0 C o mm e n t s 6 Likes Statistics Notes

F u l l N a m e

Comment goes here.

12 hours ago Delete • Reply • Spam • Block

Share your thoughts... Post

Be the first to comment

Transcript

1. Mock Exam CISAComplete 200 Multiple Choice Questions w ith detailed solutions and reasoningFOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

2 . 1. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n): A. Implementor B. FacilitatorCISA MOCK EXAM C. Developer D. Sponsor Answ er: B The

traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator. 2. What is the

Recommended More from User

CISA exam 100 practice ques tionArs had A Javed

1,928 views

CISA Review Cours es - SlidesPart2

Iyad Mourtada

1,159 views

CISA Review Cours e Slides - Part1Iyad Mourtada

1,707 views

Cis a certified-inform ation- s ys tem s -auditor-s tudy- guide.9780470231524.33336

Mateen76

14,468 views

Sybex cis a-certified-inform ation- s ys tem s -auditor-s tudy-guide-2nd- edition-m ar-20……

s am dxb24

primary objective of a control self-assessment (CSA) program? A. Enhancement of the audit responsibility B. Elimination of the audit responsibility C. Replacement of the audit responsibility D. Integrity of the audit responsibility Answ er: A Audit responsibility enhancement is an objective of a control self-assessment (CSA) program. 3. IS auditors are MOST likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are w ithin the acceptable limits. True or false? A. True B. False Answ er: A IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are w ithin the acceptable limits. Think of it this w ay: If any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in little reliance on internal controls, w hich results in additional substantive testing. 4. Ascompared to understanding an organizations IT process from evidence directly collected, how valuable are prior audit reports as evidence? A. The same value. B. Greater value. C. Lesser value. D. Prioraudit reports are not relevant. http://kaka-pakistani.blogspot.com 1 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

3 . Answ er: C Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organizations IT process than evidence directly collected.CISA MOCK EXAM 5. What is the PRIMARY purpose of audit trails? A. To document auditing efforts B. To correct data integrity errors C. To establish accountability and responsibility for processed transactions D. To prevent unauthorized access to data Answ er: C The primary purpose of audit trails is to establish accountability and responsibility for processed transactions. 6. How does the process of systems auditing benefit from using a risk-based approach to audit planning? A. Controls testing starts earlier. B. Auditing resources are allocated to the areas of highest concern. C. Auditing risk is reduced. D. Controls testing is more thorough. Answ er: B Allocation of auditing resources to the areas of highest concern is a benefit of a risk-based approach to audit planning. 7. After an IS auditor has identified threats and potential impacts, the auditor should: A. Identify and evaluate the existing controls B. Conduct a business impact analysis (BIA) C. Report on existing controls D. Propose new controls Answ er: A After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls. http://kaka-pakistani.blogspot.com 2 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

9,099 views

Pas s ing CISAanilbabladi

2,280 views

CISA Sum m ary V1.0 chris tianreina

4,573 views

Inform ation Sys tem s Audit & CISA Prep 2010Donald Hes ter

521 views

CISA - Web bas ed Cours e Inform ation Sys tem s oftware Vidhya Sam path Kum aran

1,709 views

Self-Serving CISA Study GuideOnline s tefanhenry

1,205 views

Chap1 2007 Cis a Review Cours eDes m ond Devendran

10,125 views

4 . 8. The use of statistical sampling procedures helps minimize: A. Detection risk B. Business riskCISA MOCK EXAM C. Controls risk D. Compliance risk Answ er: A The use of statistical sampling procedures helps minimize detection risk. 9. What type of risk results w hen an IS auditor uses an inadequate test procedure and concludes that material errors do not exist w hen errors actually exist? A. Business risk B. Detection risk C. Residual risk D. Inherent risk Answ er: B Detection risk results w hen an IS auditor uses an inadequate test procedure and concludes that material errors do not exist w hen errors actually exist. 10. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can: A. Identify high-risk areas that might need a detailed review later B. Reduce audit costs C. Reduce audit time D. Increase audit accuracy Answ er: C A primary benefit derived from an organization employing control self-assessment (CSA) techniques isthat it can identify high-risk areas that might need a detailed review later. 11. What type of approach to the development of organizational policies is often driven by risk assessment? A. Bottom-up B. Top- dow n C. Comprehensive D. Integrated http://kaka-pakistani.blogspot.com 3 FOR FREE ACCA,CAT,CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

It audit pres entation_icapIns titute of Cos t and Managem entAccountant Pakis tan

15,375 views

Fall 2009 CISA Review Cours eBilly82

885 views

CISA Part2Iyad Mourtada

687 views

5 . Answ er: B A bottom-up approach to the development of organizational policies is often driven by risk assessment.CISA MOCK EXAM 12. Who is accountable for maintaining appropriate security measures over information assets? A. Data and systems ow ners B. Data and systems users C. Data and systems custodians D. Data and systems auditors Answ er: A Data and systems ow ners are accountable for maintaining appropriate security measures over information assets. 13. Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. True or false? A. True B. False Answ er: A Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. 14. What should an IS auditor do if he or she observes that project-approval procedures do not exist? A. Advise senior management to invest in project- management training for the staff B. Create project-approval procedures for future project implementations C. Assign project leaders D. Recommend to management that formal approval procedures be adopted and documented Answ er: D If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented. 15. Who is ultimately accountable for the development of an IS security policy? A. The board of directors B. Middle management C. Security administrators D. Netw ork administrators http://kaka-pakistani.blogspot.com 4 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

6 . Answ er: A The board of directors is ultimately accountable for the development of an IS security policy.CISA MOCK EXAM 16. Proper segregation of duties normally does not prohibit a LAN administrator from also having programming responsibilities. True or false? A. True B. False Answ er: B Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities. 17. A core tenant of an IS strategy is that it must: A. Be inexpensive

B. Be protected as sensitive confidential information C. Protect information confidentiality, integrity, and availability D. Support the business objectives of the organization Answ er: D Above all else, an IS strategy must support the business objectives of the organization. 18. Batch control reconciliation is a (fill in the blank) control for mitigating risk of inadequate segregation of

Introduction to IT AuditChris Nicole Apat

1,110 views


3,494 views


2,919 views

ISACA Update - ISACA CentralOhio ChapterBilly82

1,889 views

1 q is -auditproces sAlam elu Babu

2,221 views

duties. A. Detective B. Corrective C. Preventative D. Compensatory Answ er: D Batch control reconciliations is a compensatory control for mitigating risk of inadequate segregation of duties. 19. Key verification is one of the best controls for ensuring that: A. Data is entered correctly B. Only authorized cryptographic keys are used C. Input is authorized http://kaka-pakistani.blogspot.com 5FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

7 . D. Database indexing is performed properly Answ er: ACISA MOCK EXAM Key verification is one of the best controls for ensuring that data is entered correctly. 20. If senior management is not committed to strategic planning, how likely is it that a companys implementation of IT w ill be successful? A. IT cannot be implemented if senior management is not committed to strategic planning. B. More likely. C. Less likely. D. Strategic planning does not affect the success of a companys implementation of IT. Answ er: C A companys implementation of IT w ill be less likely to succeed if senior management is not committed to strategic planning. 21. Which of the follow ing could lead to an unintentional loss of confidentiality? Choose the BEST answ er. A. Lack of employee aw areness of a companys information security policy B. Failure to comply w ith a companys information security policy C. A momentary lapse of reason D. Lack of security policy enforcement procedures Answ er: A Lack of employee aw areness of a companys information security policy could lead to an unintentional loss of confidentiality. 22. What topology provides the greatest redundancy of routes and the greatest netw ork fault tolerance? A. A star netw ork topology B. A mesh netw ork topology w ith packet forw arding enabled at each host C. A bus netw ork topology D. A ring netw ork topology Answ er: B http://kaka-pakistani.blogspot.com 6 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

8 . A mesh netw ork topology provides a point-to-point link betw een every netw ork host. If each host is configured to route and forw ard communication, this topology provides the greatest redundancy of routes and the greatest netw ork fault tolerance.CISA MOCK EXAM 23. An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence? A. Evidence collected through personal observation B. Evidence collected through systems logs provided by the organizations security administration C. Evidence collected through surveys collected from internal staff D. Evidence collected through transaction reports provided by the organizations IT administration Answ er: A An IS auditor usually places more reliance on evidence directly collected, such as through personal observation. 24. What kind of protocols does the OSI Transport Layer of the TCP/IPprotocol suite provide to ensure reliable communication? A. Nonconnection-oriented protocols B. Connection-oriented protocols C. Session-oriented protocols D. Nonsession-oriented protocolsAnsw er: B The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols to ensure reliable communication. 25. How is the time required for transaction processing review usually affected by properly implemented Electronic Data Interface (EDI)? A. EDI usually decreases the time necessary for review . B. EDI usually increases the time necessary for review . C. Cannot be determined. D. EDI does not affect the time necessary for review . Answ er: A Electronic data interface (EDI) supports intervendor communication w hile decreasing the time necessary for review because itis usually configured to readily identify errors requiring follow -up. http://kaka-pakistani.blogspot.com7 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

9 . 26. What w ould an IS auditor expect to find in the console log? Choose the BEST answ er. A. Evidence of passw ord spoofing B. System errorsCISA MOCK EXAM C. Evidence of data copy activities D. Evidence of passw ord sharing Answ er: B An IS auditor can expect to find system errors to be detailed in the console log. 27. Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirely or not at all. Atomicity is part of the ACID test reference for transaction processing. True or false? A. True B. False Answ er: A Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirely or not at all. Atomicity is part of the ACID test reference for transaction processing. 28. Why does the IS auditor often review the system logs? A.To get evidence of passw ord spoofing B. To get evidence of data copy activities C. To determine the existence of unauthorized access to data by a user or program D. To get evidence of passw ordsharing Answ er: C When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor w ill often review the system logs. 29. What is essential for the IS auditor to obtain a clear understanding of netw ork management? A. Security administrator access to systems B. Systems logs of all hosts providing application services C. A graphical map of the netw ork topologyD. Administrator access to systems Answ er: C http://kaka-pakistani.blogspot.com 8 FOR FREEACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

Audit Proces s , Audit Procedures , Audit Planning, AuditingAdvance Bus ines s Cons ulting

62,262 views

Welcom e to cis a 101 s um m erJenni Davis Lund

970 views


2,094 views

Ch2 2009 cis a as ruls ani09

1,442 views


2,660 views

desDes m ond Devendran

2,311 views

Sybex.Cis a.Certified.Inform ation.Sys te gues t7d67c93

16,246 views

Cis a & cis m people s oft audit plans ic qsSatis h Apparala

922 views

Cwi s yllabus cis a-fall-2013-lund jenlundCWI

799 views

Inform ación Certificación y Form ación CISA 2014 ES ISACA Madrid

3,120 views

Steps in it audit kinjalm kothari92

1,012 views

The Status of IT Audit EducationTim othy212

964 views

10 . A graphical interface to the map of the netw ork topology is essential for the IS auditor to obtain a clear understanding of netw ork management. 30. How is risk affected if users have direct access to a database at the system level?CISA MOCK EXAM A. Risk of unauthorized access increases, but risk of untraceable changes to the database decreases. B. Risk of unauthorized and untraceable changes to the database increases. C. Risk of unauthorized access decreases, but risk of untraceable changes to the database increases. D. Risk of unauthorized and untraceable changes to the database decreases. Answ er: B If users have direct access to a database at the system level, risk of

unauthorized and untraceable changes to the database increases. 31. What is the most common purpose of a virtual private netw ork implementation? A. A virtual private netw ork (VPN) helps to secure access betw een an enterprise and its partners w hen communicating over an otherw ise unsecured channel such as the Internet. B. A virtual private netw ork (VPN) helps to secure access betw

een an enterprise and its partners w hen communicating over a dedicated T1 connection. C. A virtual private netw ork (VPN) helps to secure access w ithin an enterprise w hen communicating over a dedicated T1 connection Cis a 101 s um m er s yllabus

Jenni Davis Lund

666 views

Sa aug09 byrne m cees hie

1,111 views

betw een netw ork segments w ithin the same facility. D. A virtual private netw ork (VPN) helps tosecure access betw een an enterprise and its partners w hen communicating over a w ireless connection. Answ er: A A virtual private netw ork (VPN) helps to secure access betw een an enterprise and its partners w hen communicating over an otherw ise unsecured channel such as the Internet. 32. What benefit does using capacity-monitoring softw are to monitor usage patterns and trends provide to management? Choose the BEST answ er. A. The softw are can dynamically readjust netw ork traffic capabilities based upon current usage. B. The softw are produces nice reports that really impress management. C. It allow s users to properly allocate resources and ensure continuous efficiency of operations. D. It allow s management to properly allocate resources and ensure continuous efficiencyof operations. Answ er: D Using capacity-monitoring softw are to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations. http://kaka-pakistani.blogspot.com 9 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:http://kaka-pakistani.blogspot.com

Chapter 4MRicky

2,385 views

IS Audit and Internal ControlsBharath Rao

714 views

Audit proces s hem athayanithy

1,387 views

11 . 33. What can be very helpful to an IS auditor w hen determining the efficacy of a systems maintenance program? Choose the BEST answ er. A. Netw ork-monitoring softw areCISA MOCK EXAM B. A system dow ntime log C. Administration activity reports D. Help-desk utilization trend reports Answ er: B A system dow ntime log can be very helpful to an IS auditor w hen determining the efficacy of a systems maintenance program. 34. What are used as a countermeasure for potential database corruption w hen tw o processes attempt to simultaneously edit or update the same information? Choose the BEST answ er. A. Referential integrity controls B. Normalization controls C. Concurrency controls D. Run-to-run totals Answ er: A Concurrency controls are used as a countermeasure for potential database corruption w hen tw o processes attempt to simultaneously editor update the same information. 35. What increases encryption overhead and cost the most? A. A long symmetric encryption key B. A long asymmetric encryption key C. A long Advance Encryption Standard (AES) key D. A long Data Encryption Standard (DES) key Answ er: B A long asymmetric encryption key (public key encryption) increases encryption overhead and cost. All other answ ers are single shared symmetric keys. 36. Which of the follow ing best characterizes "w orms"? A. Malicious programs that can run independently and can propagate w ithout the aid of a carrier program such as email B. Programming code errors that cause a program to repeatedly dump data C. Malicious programs that require the aid of a carrier program such as email http://kaka-pakistani.blogspot.com 10FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

12 . D. Malicious programs that masquerade as common applications such as screensavers or macro- enabled Word documents Answ er: ACISA MOCK EXAM Worms are malicious programs that can run independently and can propagate w ithout the aid of a carrier program such as email. 37. What is an initial step in creating a proper firew all policy? A. Assigning access to users according to the principle of least privilege B. Determining appropriate firew all hardw are and softw are C. Identifying netw ork applications such as mail, w eb, or FTP servers D. Configuring firew all access rules Answ er: C Identifying netw ork applications such as mail, w eb, or FTP servers to be externally accessed is an initial step in creating a proper firew all policy. 38. What type of cryptosystem is characterized by data being encrypted by the sender using the recipients public key, and the data then being decrypted using the recipients private key? A. With public-key encryption, or symmetric encryption B. With public-key encryption, or asymmetric encryption C. With shared-key encryption, or symmetric encryption D. With shared-key encryption, or asymmetric encryption Answ er: B With public key encryption or asymmetric encryption, data is encrypted by the sender using the recipients public key; the data is then decrypted using the recipients private key. 39. How does the SSL netw ork protocol provide confidentiality? A. Through symmetric encryption such as RSA B. Through asymmetric encryption such as Data Encryption Standard, or DES C. Through asymmetric encryption such as Advanced Encryption Standard, or AES D. Through symmetric encryption such as Data Encryption Standard, or DES Answ er: D The SSL protocol provides confidentiality through symmetric encryption such asData Encryption Standard, or DES. http://kaka-pakistani.blogspot.com 11 FOR FREE ACCA,CAT,CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

Proces s us Audit SI Ars ène Ngato

7,659 views

Audit Checklis t for Inform ationSys tem sAHMAD BHATTI

23,724 views

Auditing In Com puter Environm entPres entationSako Mayrick

56,904 views

Internal audit procedure bhavikjariwala

5,713 views

13 . 40. What are used as the framew ork for developing logical access controls? A. Information systems security policies B. Organizational security policiesCISA MOCK EXAM C. Access Control Lists (ACL) D. Organizational charts for identifying roles and responsibilities Answ er: A Information systems security policies are used as the framew ork for developing logical access controls. 41. Which of the follow ing are effective controls for detecting duplicate transactions such as payments made or received? A. Concurrency controls B. Reasonableness checks C. Time stamps D. Referential integrity controls Answ er: C Time stamps are an effective control for detecting duplicate transactions such as payments made or received. 42. Which of the follow ing is a good control for protecting confidential data residing on a PC? A. Personal firew all B. File encapsulation C. File encryption D. Host-based intrusion detection Answ er: C File encryption is a good control for protecting confidential data residing on a PC. 43. Which of the follow ing is a guiding best practice for implementing logical access controls? A. Implementing the Biba Integrity Model B. Access is granted on a least-privilege basis, per the organizations data ow ners C. Implementing the Take-Grant

access control model D. Classifying data according to the subjects requirements Answ er: B http://kaka-pakistani.blogspot.com 12 FORFREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

14 . Logical access controls should be review ed to ensure that access is granted on a least-privilege basis, per the organizations data ow ners. 44. What does PKI use to provide some of the strongest overall control over data confidentiality,CISA MOCK EXAM reliability, and integrity for Internet

transactions? A. A combination of public-key cryptography and digital certificates and tw o-factor authentication B. A combination of public-key cryptography and tw o-factor authentication C. A combination of public-key cryptography and digital certificates D. A combination of digital certificates and tw o-factor authentication Answ er: C PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions. 45. Which of the follow ing do digital signatures provide? A. Authentication and integrity of data B. Authentication and confidentiality of data C. Confidentiality and integrity of data D. Authentication and availability of data Answ er: A The primary purpose of digital signatures is to provide authentication and integrity of data. 46. Regarding digital signature implementation, w hich of the follow ing answ ers is correct? A. A digital signature is created by the sender to prove message integrity by encrypting the message w ith the senders private key. Upon receiving the data, the recipient can decrypt the data using the senders public key. B. A digital signature is created by the sender to prove message integrity by encrypting the message w ith the recipients public key. Upon receiving the data, the recipient can decrypt the data using the recipientspublic key. C. A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it. D. A digital signature is created by the sender to prove message integrity by encrypting the message w ith the senders public key. Upon receiving the data, the recipient can decrypt the data using the recipients private key. Answ er: C http://kaka-pakistani.blogspot.com 13 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:http://kaka-pakistani.blogspot.com

15 . A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value, or message digest, from the entire message contents. Upon receiving the data, the recipient can independently create its ow n message digest from the data for comparison and data integrity validation. Public and private keys are used to enforce confidentiality.CISA MOCK EXAM Hashing algorithms are used to enforce integrity. 47. Which of the follow ing w ould provide the highest degree of server access control? A. A mantrap-monitored entryw ay to the server room B. Host-based intrusion detection combined w ith CCTV C. Netw ork- based intrusion detection D. A fingerprint scanner facilitating biometric access control Answ er: D A fingerprint scanner facilitating biometric access control can provide a very high degree of serveraccess control. 48. What are often the primary safeguards for systems softw are and data? A. Administrative access controls B. Logical access controls C. Physical access controls D. Detective access controls Answ er: B Logical access controls are often the primary safeguards for systems softw are and data. 49. Which of the follow ing is often used as a detection and deterrent control against Internet attacks? A. Honeypots B. CCTV C. VPN D. VLAN Answ er: A Honeypots are often used as a detection and deterrent control against Internet attacks. 50. Which of the follow ing BEST characterizes a mantrap or deadman door, w hich is used as a deterrent control for the vulnerability of piggybacking? A. A monitored double-doorw ay entry system http://kaka-pakistani.blogspot.com 14FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

16 . B. A monitored turnstile entry system C. A monitored doorw ay entry system D. A one-w ay door that does not allow exit after entryCISA MOCK EXAM Answ er: A A monitored double-doorw ay entry system, also referred to as a mantrap or deadman door, is used as a deterrent control for the vulnerability of piggybacking. 51. Which of the follow ing is an effective method for controlling dow nloading of files via FTP? Choose the BEST answ er. A. An application-layer gatew ay, or proxy firew all, but not stateful inspection firew alls B. An application-layer gatew ay, or proxy firew all C. A circuit-level gatew ay D. A first-generation packet-filtering firew all Answ er: B Application-layer gatew ays, or proxy firew alls, are an effective method for controlling dow nloading of files via FTP. Because FTP is an OSI application-layer protocol, the most effective firew all needs to be capable of inspecting through the application layer. 52. Which of the follow ing provides the strongest authentication for physical access control? A. Sign-in logs B. Dynamic passw ords C. Key verification D. Biometrics Answ er: D Biometrics can be used to provide excellent physical access control. 53. What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers w ithout logging off? Choose the BEST answ er. A. Employee security aw arenesstraining B. Administrator alerts C. Screensaver passw ords D. Close supervision Answ er: C http://kaka- pakistani.blogspot.com 15 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

17 . Screensaver passw ords are an effective control to implement as a countermeasure for the vulnerability of data entry operators potentially leaving their computers w ithout logging off. 54. What can ISPs use to implement inbound traffic filtering as a control to identify IP packetsCISA MOCK EXAM transmitted from unauthorized sources? Choose the BEST answ er. A. OSI Layer 2 sw itches w ith packet filtering enabled B. Virtual Private Netw orks C. Access Control Lists (ACL) D. Point-to- Point Tunneling Protocol Answ er: C ISPs can use access control lists to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources. 55. What is the key distinction betw een encryption and hashing algorithms? A. Hashing algorithms ensure data confidentiality. B. Hashing algorithms are irreversible. C. Encryption algorithms ensure

data integrity. D. Encryption algorithms are not irreversible. Answ er: B A key distinction betw een encryption and hashing algorithms is that hashing algorithms are irreversible. 56. Which of the follow ing is BEST characterized by unauthorized modification of data before or during systems data entry? A. Datadiddling B. Skimming C. Data corruption D. Salami attack Answ er: A Data diddling involves modifying

data before or during systems data entry. 57. Which of the follow ing is used to evaluate biometric access controls? A. FAR B. EER C. ERR http://kaka-pakistani.blogspot.com 16 FOR FREEACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

18 . D. FRR Answ er: BCISA MOCK EXAM When evaluating biometric access controls, a low equal error rate (EER) is preferred. EER is also called the crossover error rate (CER). 58. Who is ultimately responsible and accountable for review ing user access to systems? A. Systems security administrators B. Data custodians C. Data ow ners D. Information systems auditors Answ er: C Data ow ners are ultimately responsible and accountable for review ing user access to systems. 59. Establishing data ow nership is an important first step for w hich of the follow ing processes? Choose the BEST answ er. A. Assigning user access privileges B. Developing organizational security policies C. Creating roles and responsibilities D. Classifying data Answ er: D To properly implement data classification, establishing data ow nership is an important first step. 60. Which of the follow ing is MOST is critical during the business impact assessment phase of business continuity planning? A. End-user involvement B. Senior management involvement C. Security administration involvement D. IS auditing involvement Answ er:A End-user involvement is critical during the business impact assessment phase of business continuity planning. 61. What type of BCP test uses actual resources to simulate a system crash and validate the plans effectiveness? http://kaka-pakistani.blogspot.com 17 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

19 . A. Paper B. Preparedness C. Walk-throughCISA MOCK EXAM D. Parallel Answ er: B Of the three major types of BCP tests (paper, w alk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plans effectiveness. 62. Which of the follow ing typically focuses on making alternative processes and resources available for transaction processing? A. Cold-site facilities B. Disaster recovery for netw orks C. Diverse processing D.Disaster recovery for systems Answ er: D Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing. 63. Which type of major BCP test only requires representatives from each operational area to meet to review the plan? A. Parallel B. Preparedness C. Walk-thorough D. Paper Answ er: C Of the three major types of BCP tests (paper, w alk-through, and preparedness), a w alk-through test requires only that representatives from each operational area meet to review the plan. 64. What influences decisions regarding criticality of assets? A. The business criticality of the data to be protected B. Internal corporate politics C. The business criticality of the data to be protected, and the scope of the impact upon the organization as a w hole D. The business impact analysis http://kaka-pakistani.blogspot.com 18 FOR FREE ACCA,CAT, CIMA &CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

20 . Answ er: C Criticality of assets is often influenced by the business criticality of the data to be protected and by the scope of the impact upon the organization as a w hole. For example, the loss of a netw ork backboneCISA MOCK EXAM creates a much greater impact on the organization as a w hole than the loss of data on a typical users w orkstation. 65. Of the three major types of off-site processing facilities, w hat type is characterized by at least providing for electricity and HVAC? A. Cold site B. Alternate site C. Hot site D. Warm site Answ er: A Of the three major types of off-site processing facilities (hot, w arm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A w arm site improves upon this by providing for redundant equipment and softw are that canbe made operational w ithin a short time. 66. With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary, as w ell as costs associated w ith recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. True or false? A. True B. False Answ er: A With the objective of mitigating the risk and impact of a major business interruption, a disaster- recovery plan should endeavor to reduce the length of recovery time necessary and the costs associated w ith recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset byreduced recovery and business impact costs. 67. Of the three major types of off-site processing facilities, w hat type is often an acceptable solution for preparing for recovery of noncritical systems and data? A. Cold site B. Hot site C. Alternate site D. Warm site Answ er: A http://kaka- pakistani.blogspot.com 19 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

21 . A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data. 68. Any changes in systems assets, such as replacement of hardw are, should be immediatelyCISA MOCK EXAM recorded w ithin the assets inventory of w hich of the follow ing? Choose the BEST answ er. A. IT strategic plan B. Business continuity plan C. Business impact analysis D. Incident response plan Answ er: B Any changes in systems assets, such as replacement of hardw are, should be immediately recorded w ithin the assets inventory of a business continuity plan.

69. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain w ith executive management, such as the . (fill-in-the-blank) A. Security administrator B. Systems auditor C. Board of directors D. Financial auditor Answ er: C Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain w ith executive management, such as the board of directors. 70. Obtaining user approval of program changes is very effective for controlling application changes and maintenance. True or false? A. True B. False Answ er: A Obtaining user approval of program changes is very effective for controlling application changes and maintenance. 71. Library control softw are restricts source code to: A. Read-

only access http://kaka-pakistani.blogspot.com 20 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

22 . B. Write-only access C. Full access D. Read-w rite accessCISA MOCK EXAM Answ er: A Library control softw are restricts source code to read-only access. 72. When is regression testing used to determine w hether new application changes have introduced any errors in the remaining unchanged code? A. In program development and change management B. In program feasibility studies C. In program development D. In change management Answ er: A Regression testing is used in program development and change management to determine w hether new changes have introduced any errors in the remaining unchanged code. 73. What is often the most difficult part of initial efforts in application development? Choose the BEST answ er. A. Configuring softw are B. Planning security C. Determining time and resource requirements D. Configuring hardw are Answ er: C Determining time and resource requirements for an application-development project is often the most difficult part of initial efforts in application development. 74. What is a primary high-level goal for an auditor w ho is review ing a system development project? A. To ensure that programming and processingenvironments are segregated B. To ensure that proper approval for the project has been obtained C. To ensure that business objectives are achieved D. To ensure that projects are monitored andadministrated effectively Answ er: C http://kaka-pakistani.blogspot.com 21 FOR FREE ACCA,CAT,CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

23 . A primary high-level goal for an auditor w ho is review ing a systems-development project is to ensure that business objectives are achieved. This objective guides all other systems development objectives. 75. Whenever an application is modified, w hat should be tested to determine the full impact of theCISA MOCK EXAM change? Choose the BEST answ er. A. Interface systems w ith other applications or systems B. The entire program, including any interface systems w ith other applications or systems C. All programs, including interface systems w ith other applications or systems D.Mission-critical functions and any interface systems w ith other applications or systems Answ er: B Whenever an application is modified, the entire program, including any interface systems w ith other applications or systems, should be tested to determine the full impact of the change. 76. The quality of the metadata produced from a data w arehouse is in the w arehouses design. Choose the BEST answ er. A. Often hard to determine because the data is derived from a heterogeneous data environment B. The most important consideration C. Independent of the quality of the w arehoused databases D. Of secondary importance to data w arehouse content Answ er: B The quality of the metadata produced from a data w arehouse is the most important consideration in the w arehouses design. 77. Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a systems inputs and outputs. True or false? A. True B. False Answ er: B Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a systems inputs, outputs, and files. 78. Who assumes ow nership of a systems-development project and the resulting system? A. User management B.Project steering committee C. IT management http://kaka-pakistani.blogspot.com 22 FOR FREEACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

24 . D. Systems developers Answ er: ACISA MOCK EXAM User management assumes ow nership of a systems-development project and the resulting system. 79. If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further: A. Documentation development B. Comprehensive integration testing C. Full unit testing D. Full regression testing Answ er: B If an IS auditor observes that individual modules of a system perform correctly in development project tests,the auditor should inform management of the positive results and recommend further comprehensive integration testing. 80. When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false? A. True B. False Answ er: B When participating in a systems-development project, an IS auditor should also strive to ensure that adequate and complete documentation exists for all projects. 81. What is a reliable technique for estimating the scope and cost of a softw are- development project? A. Function point analysis (FPA) B. Feature point analysis (FPA) C. GANTT D. PERT Answ er: A http://kaka-pakistani.blogspot.com 23 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

25 . A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a softw are- development project. 82. Which of the follow ing is a program evaluation review technique that considers differentCISA MOCK EXAM scenarios for planning and control projects? A. Function Point Analysis (FPA) B. GANTT C. Rapid Application Development (RAD) D. PERT Answ er: D PERT is a program-evaluation review technique that considers different scenarios for planning and control projects. 83. If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, w hat should the auditor do? Choose the BEST answ er. A. Lack of IT documentation is not usually material to the controls tested in an IT audit. B. The auditor should at least document the informal standards and policies. Furthermore, the IS auditor should create formal documented policies to be implemented. C. The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS

auditor should recommend to management that formal documented policies be developed and implemented. D. The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should create formal documented policies to be implemented. Answ er: C If an IS auditor observes that an IS department fails to use formal documented methodologies,

policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented. 84. What often results in project scope creep w hen functional requirements are not defined as w ell as they could be? A. Inadequate softw are baselining B. Insufficient strategic planning C. Inaccurate resource allocation D. Project delays Answ er: A http://kaka-pakistani.blogspot.com 24 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

26 . Inadequate softw are baselining often results in project scope creep because functional requirements are not defined as w ell as they could be. 85. Fourth-Generation Languages (4GLs) are most appropriate for designing the applicationsCISA MOCK EXAM graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. True or false? A. True B. False Answ er: A Fourth-generation languages (4GLs) are most appropriate for designing the applications graphical user interface (GUI). They are inappropriate for designing any intensive data- calculation procedures. 86. Run-to-run totals can verify data through w hich stage(s) of application processing? A. Initial B. Various C. Final D. Output Answ er: B Run-to-run totals can verify data through various stages of application processing. 87. (fill in the blank) is/are are ultimately accountable for the functionality, reliability, and security w ithin IT governance. Choose the BEST answ er. A. Data custodians B. The board of directors and executive officers C. IT security administration D. Business unit managers Answ er: B The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security w ithin IT governance. 88. What can be used to help identify and investigate unauthorized transactions? Choose the BEST answ er. A. Postmortem review B. Reasonableness checks C. Data-mining techniques http://kaka- pakistani.blogspot.com 25 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

27 . D. Expert systems Answ er: CCISA MOCK EXAM Data-mining techniques can be used to help identify and investigate unauthorized transactions. 89. Netw ork environments often add to the complexity of program-to-program communication, making the implementation and maintenance of application systems more difficult. True or false? A. True B. False Answ er: A Netw ork environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult. 90. risk analysis is not alw ays possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a risk assessment is more appropriate. Fill in the blanks. A. Quantitative; qualitative B. Qualitative; quantitative C. Residual; subjective D. Quantitative; subjective Answ er: A Quantitative risk analysis is not alw ays possible because the IS auditor isattempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate. 91. What must an IS auditor understand before performing an application audit? Choose the BEST answ er. A. The potential business impact of application risks. B. Application risks must first be identified. C. Relative business processes. D. Relevant application risks. Answ er: C An IS auditor must first understand relative business processes before performing an application audit. http://kaka-pakistani.blogspot.com 26 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

28 . 92. What is the first step in a business process re-engineering project? A. Identifying current business processes B. Forming a BPR steering committeeCISA MOCK EXAM C. Defining the scope of areas to be review ed D. Review ing the organizational strategic plan Answ er: C Defining the scope of areas to be review ed is the first step in a business process re-engineering project. 93. When storing data archives off-site, w hat must be done w ith the data to ensure data completeness? A. The datamust be normalized. B. The data must be validated. C. The data must be parallel-tested. D. The data must be synchronized. Answ er: D When storing data archives off-site, data must be synchronized to ensure data completeness. 94. Which of the follow ing can help detect transmission errors by appending specially calculated bits onto the end of each segment of data? A. Redundancy check B. Completeness check C. Accuracy check D. Parity check Answ er: A A redundancy check can help detect transmission errors by appending especially calculated bits onto the end of each segment of data. 95. What is an edit check to determine w hether a field contains valid data? A. Completeness check B. Accuracy check C. Redundancy check D. Reasonableness check Answ er: A http://kaka- pakistani.blogspot.com 27 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

29 . A completeness check is an edit check to determine w hether a field contains valid data. 96. A transaction journal provides the information necessary for detecting unauthorized (fill in the blank) from a terminal.CISA MOCK EXAM A. Deletion B. Input C. Access D. Duplication Answ er: B A transaction journal provides the information necessary for detecting unauthorized input from a terminal. 97. An intentional or unintentional disclosure of a passw ord is likely to be evident w ithin control logs. True or false? A. True B. False Answ er: B An intentional or unintentional disclosure of a passw ord is not likely to be evident w ithin control logs. 98. When are benchmarking partners identified w ithin the benchmarking process? A. In the design stage B. In the testing stage C. In the research stage D. In the development stage Answ er: C Benchmarking

partners are identified in the research stage of the benchmarking process. 99. A check digit is an effective edit check to: A. Detect data-transcription errors B. Detect data-transposition and transcription errors C. Detect data- transposition, transcription, and substitution errors D. Detect data-transposition errors Answ er: B http://kaka-pakistani.blogspot.com 28 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:

http://kaka-pakistani.blogspot.com

30 . A check digit is an effective edit check to detect data-transposition and transcription errors. 100. Parity bits are a control used to validate:CISA MOCK EXAM A. Data authentication B. Data completeness C. Data source D. Data accuracy Answ er: B Parity bits are a control used to validate data completeness. 101. An IS auditor is using a statistical sample to inventory the tape library. What type of test w ould this be considered? A.Substantive B. Compliance C. Integrated D. Continuous audit Answ er: A Using a statistical sample to inventory the tape library is an example of a substantive test.102. Which of the follow ing w ould prevent accountability for an action performed, thus allow ing nonrepudiation? A. Proper authentication B. Proper identification AND authentication C. Proper identification D. Proper identification, authentication, AND authorization Answ er: B If proper identification and authentication are not performed during access control, no accountability can exist for any action performed. 103. Which of the follow ing is the MOST critical step in planning an audit? A. Implementing a prescribed auditing framew ork such as COBIT B. Identifying current controls C. Identifying high-risk audit targets D. Testing controls http://kaka-pakistani.blogspot.com 29 FORFREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

31 . Answ er: C In planning an audit, the most critical step is identifying the areas of high risk.CISA MOCK EXAM 104. To properly evaluate the collective effect of preventative, detective, or corrective controls w ithin a process, an IS auditor should be aw are of w hich of the follow ing? Choose the BEST answ er. A. The business objectives of the organization B. The effect of segregation of duties on internal controls C. The point at w hich controls are exercised as data flow s through the system D. Organizational control policies Answ er: C When evaluating the collective effect of preventive, detective, or corrective controls w ithin a process, an IS auditor should be aw are of the point at w hichcontrols are exercised as data flow s through the system. 105. What is the recommended initial step for an IS auditor to implement continuous-monitoring systems? A. Document existing internal controls B. Perform compliance testing on internal controls C. Establish a controls-monitoring steering committee D. Identify high-risk areas w ithin the organization Answ er: D When implementing continuous- monitoring systems, an IS auditors first step is to identify high-risk areas w ithin the organization. 106. What type of risk is associated w ith authorized program exits (trap doors)? Choose the BEST answ er. A. Business risk B. Audit risk C. Detective risk D. Inherent risk Answ er: D Inherent risk is associated w ith authorized program exits (trap doors). 107. Which of the follow ing is best suited for searchingfor address field duplications? http://kaka-pakistani.blogspot.com 30 FOR FREE ACCA,CAT, CIMA &CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

32 . A. Text search forensic utility softw are B. Generalized audit softw are C. Productivity audit softw areCISA MOCK EXAM D. Manual review Answ er: B Generalized audit softw are can be used to search for address field duplications. 108. Which of the follow ing is of greatest concern to the IS auditor? A. Failure to report a successful attack on the netw ork B. Failure to prevent a successful attack on the netw ork C. Failure to recover from a successful attack on the netw ork D. Failure to detect a successful attack on the netw ork Answ er: A Lack of reporting of a successful attack on the netw ork is a great concern to an IS auditor. 109. An integrated test facility is not considered a useful audit tool because it cannot compare processing output w ith independently calculated data. True or false? A. True B. False Answ er: B An integrated test facility is considered a useful audit tool because it compares processing output w ith independently calculated data. 110. An advantage of a continuous audit approach is that it can improve system security w hen used in time-sharing environments that process a large number of transactions. True or false? A. True B. False Answ er: A It is true that an advantage of a continuous audit approach is that it can improve system security w hen used in time- sharing environments that process a large number of transactions. http://kaka-pakistani.blogspot.com31 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

33 . 111. If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function, w hat is the auditors primary responsibility?CISA MOCK EXAM A. To advise senior management. B. To reassign job functions to eliminate potential fraud. C. To implement compensator controls. D. Segregation of duties is an administrative control not considered by an IS auditor. Answ er: A An IS auditors primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function. 112. Who is responsible for implementing cost-effective controls in an automated system? A. Security policy administrators B. Business unit management C. Senior management D. Board of directors Answ er: B Business unit management is responsible for implementing cost-effective controls in an automated system. 113. Why does an IS auditor review an organization chart? A. To optimize the responsibilities and authority of individuals B. To control the responsibilities and authority ofindividuals C. To better understand the responsibilities and authority of individuals D. To identify project sponsors Answ er: C The primary reason an IS auditor review s an organization chart is to better understand the responsibilities and authority of individuals. 114. Ensuring that security and

control policies support business and IT objectives is a primary objective of: A. An IT security policies audit B. A processing audit http://kaka-pakistani.blogspot.com 32 FOR FREE ACCA,CAT, CIMA &CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

34 . C. A softw are audit D. A vulnerability assessment Answ er: ACISA MOCK EXAM Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit. 115. When auditing third-party service providers, an IS auditor should be

concerned w ith w hich of the follow ing? Choose the BEST answ er. A. Ow nership of the programs and files B. A statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster C. A statement of due care D. Ow nership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster Answ er: D When auditing third-party service providers, an auditor should be concerned w ith ow nership of programs and files, a statement of due care andconfidentiality, and the capability for continued service of the service provider in the event of a disaster. 116. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should especially focus on procedures in an audit of IS strategy. True or false? A. True B. False Answ er: B When performing an IS strategy audit, an IS auditor should review both short-term (one- year) and long-term (three- to five-year) IS strategies, interview appropriate corporate managementpersonnel, and ensure that the external environment has been considered. 117. What process allow s ISmanagement to determine w hether the activities of the organization differ from the planned or expected levels? Choose the BEST answ er. A. Business impact assessment B. Risk assessment C. IS assessment methods http://kaka-pakistani.blogspot.com 33 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

35 . D. Key performance indicators (KPIs) Answ er: CCISA MOCK EXAM IS assessment methods allow IS management to determine w hether the activities of the organization differ from the planned or expected levels. 118. When should review ing an audit clients business plan be performed relative to review ing an organizations IT strategic plan? A. Review ing an audit clients business plan should be performed before review ing an organizations IT strategic plan. B. Review ing an audit clients business plan should be performed after review ing an organizations IT strategic plan. C. Review ing an audit clients business plan should be performed during the review of an organizations IT strategic plan. D. Review ing an audit clients business plan should be performed w ithout regard to an organizations IT strategic plan. Answ er: A Review ing an audit clients business plan should be performed before review ing an organizations IT strategic plan. 119. Allow ing application programmers to directly patch or change code in production programs increases risk of fraud. True or false? A. True B. False Answ er: A Allow ing application programmers to directly patch or change code in production programs increases risk of fraud. 120. Who should be responsible for netw ork security operations? A. Business unit managers B. Security administrators C. Netw ork administrators D. IS auditors Answ er: B http://kaka-pakistani.blogspot.com 34 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:http://kaka-pakistani.blogspot.com

36 . Security administrators are usually responsible for netw ork security operations. 121. Proper segregation of duties does not prohibit a quality control administrator from also being responsible for change control and problem management. True or false?CISA MOCK EXAM A. True B. False Answ er: A Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management. 122. What can be implemented to provide the highest level of protection from external attack? A. Layering perimeter netw ork protection by configuring the firew all as a screened host in a screened subnet behind the bastion host B. Configuring the firew all as a screened host behind a router C. Configuring the firew all as the protecting bastion host D. Configuring tw o load-sharing firew alls facilitating VPN access from external hosts to internal hosts Answ er: A Layering perimeter netw ork protection by configuring the firew all as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answ ers. 123. The directory system of a database- management system describes: A. The access method to the data B. The location of data AND the access method C. The location of data D. Neither the location of data NOR the access method Answ er: B The directory system of a database-management system describes the location of data and the access method. 124. How is the risk of improper file access affected upon implementing a database system? A. Risk varies. B. Risk is reduced. C. Risk is not affected. http://kaka- pakistani.blogspot.com 35 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

37 . D. Risk is increased. Answ er: DCISA MOCK EXAM Improper file access becomes a greater risk w hen implementing a database system. 125. In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized? A. The data should be deleted and overw ritten w ith binary 0s. B. The data should be demagnetized. C. The data should be low -level formatted. D. The data should be deleted. Answ er: B To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized before disposal or release. 126. When review ing print systems spooling, an IS auditor is MOST concerned w ith w hich of the follow ing vulnerabilities? A. The potential for unauthorized deletion of report copies B. The potential for unauthorized modification of report copies C. The potential for unauthorized printing of report copies D. The potential for unauthorized editing of report copies Answ er: C When review ing print systems spooling, an IS auditor is most concerned w ith the potential for unauthorized printing of report copies.127. Why is the WAP gatew ay a component w arranting critical concern and review for the IS auditor w hen auditing and testing controls enforcing message confidentiality? A. WAP is often

configured by default settings and is thus insecure. B. WAP provides w eak encryption for w ireless traffic. C. WAP functions as a protocol-conversion gatew ay for w ireless TLS to Internet SSL. D. WAP often interfaces critical IT systems. Answ er: C http://kaka-pakistani.blogspot.com 36 FOR FREE

ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

38 . Functioning as a protocol-conversion gatew ay for w ireless TLS to Internet SSL, the WAP gatew ay is a component w arranting critical concern and review for the IS auditor w hen auditing and testing controls that enforce message confidentiality.CISA MOCK EXAM 128. Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false? A. True B. False Answ er: A Proper segregation of duties prevents a computer operator (user) from performing security administration duties. 129. How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital netw ork? A. Modems convert analog transmissions to digital, and digital transmission to analog. B. Modems encapsulate analog transmissions w ithin digital, and digital transmissions w ithin analog. C. Modems convert digital transmissions to analog, and analog transmissions to digital. D. Modems encapsulate digital transmissions w ithin analog, and analog transmissions w ithin digital. Answ er: A Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to analog, and are required for analog transmissions to enter a digital netw ork. 130. Which of the follow ing are effective in detecting fraud because they have the capability to consider a large number of variables w hen trying to resolve a problem? Choose the BEST answ er. A. Expert systems B. Neural netw orks C. Integrated synchronized systems D. Multitasking applications Answ er: B Neural netw orks are effective in detecting fraud because they have the capability to consider a large number of variables w hen trying to resolve a problem. 131. What supports data transmission through split cable facilities or duplicate cable facilities? A. Diverse routing http://kaka-pakistani.blogspot.com 37 FOR FREEACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

39 . B. Dual routing C. Alternate routing D. Redundant routingCISA MOCK EXAM Answ er: A Diverse routing supports data transmission through split cable facilities, or duplicate cable facilities. 132. What type(s) of firew alls provide(s) the greatest degree of protection and control because both firew all technologies inspect all seven OSI layers of netw ork traffic? A. A first-generation packet-filtering firew all B. A circuit-level gatew ay C. An application-layer gatew ay, or proxy firew all, and stateful- inspection firew alls D. An application-layer gatew ay, or proxy firew all, but not stateful-inspection firew alls Answ er: C An application-layer gatew ay, or proxy firew all, and stateful-inspection firew alls provide the greatest degree of protection and control because both firew all technologies inspect all seven OSI layers of netw ork traffic. 133. Which of the follow ing can degrade netw ork performance? Choose the BEST answ er. A. Superfluous use of redundant load-sharing gatew ays B. Increasingtraffic collisions due to host congestion by creating new collision domains C. Inefficient and superfluous use of netw ork devices such as sw itches D. Inefficient and superfluous use of netw ork devices such as hubs Answ er: D Inefficient and superfluous use of netw ork devices such as hubs can degrade netw ork performance. 134. Which of the follow ing provide(s) near-immediate recoverability for time-sensitive systems and transaction processing? A. Automated electronic journaling and parallel processing B. Data mirroring and parallel processing C. Data mirroring D. Parallel processing Answ er:B http://kaka-pakistani.blogspot.com 38 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

40 . Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing. 135. What is an effective control for granting temporary access to vendors and external supportCISA MOCK EXAM personnel? Choose the BEST answ er. A. Creating user accounts that automatically expire by a predetermined date B. Creating permanent guest accounts for temporary use C. Creating user accounts that restrict logon access to certain hours of the day D. Creating a single shared vendor administrator account on the basis of least- privileged access Answ er: A Creating user accounts that automatically expire by a predetermined dateis an effective control for granting temporary access to vendors and external support personnel. 136. Which of the follow ing help(s) prevent an organizations systems from participating in a distributed denial-of-service (DDoS) attack? Choose the BEST answ er. A. Inbound traffic filtering B. Using access control lists (ACLs) to restrict inbound connection attempts C. Outbound traffic filtering D. Recentralizing distributed systems Answ er: C Outbound traffic filtering can help prevent an organizations systems from participating in a distributed denial-of-service (DDoS) attack. 137. What is a common vulnerability, allow ing denial-of-service attacks? A. Assigning access to users according to the principle of least privilege B. Lack of employee aw areness of organizational security policies C. Improperly configured routers and router access lists D. Configuring firew all access rules Answ er: C Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks. 138. What are trojan horse programs? Choose the BEST answ er. A. A common form of internal attack http://kaka-pakistani.blogspot.com 39 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

41 . B. Malicious programs that require the aid of a carrier program such as email C. Malicious programs that can run independently and can propagate w ithout the aid of a carrier program such as email D. A common form of Internet attackCISA MOCK EXAM Answ er: D Trojan horse programs are a common form of Internet attack. 139. What is/are used to measure and ensure proper netw ork capacity management and availability of services? Choose the BEST answ er. A. Netw ork

performance-monitoring tools B. Netw ork component redundancy C. Syslog reporting D. IT strategic planning Answ er: A Netw ork performance-monitoring tools are used to measure and ensure proper netw ork capacity management and availability of services. 140. What can be used to gather evidence of netw ork attacks? A. Access control lists (ACL) B. Intrusion-detection systems (IDS) C. Syslog reporting D. Antivirus programs Answ er: B Intrusion-detection systems (IDS) are used to gather

evidence of netw ork attacks. 141. Which of the follow ing is a passive attack method used by intruders to determine potential netw ork vulnerabilities? A. Traffic analysis B. SYN flood C. Denial of service (DoS) D. Distributed denial of service (DoS) Answ er: A http://kaka-pakistani.blogspot.com 40 FORFREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

42 . Traffic analysis is a passive attack method used by intruders to determine potential netw ork vulnerabilities. All others are active attacks. 142. Which of the follow ing fire-suppression methods is considered to be the most environmentallyCISA MOCK EXAM friendly? A. Halon gas B. Deluge sprinklers C. Dry-pipe sprinklers D. Wet-pipe sprinklers Answ er: C Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly. 143. What is a callback system? A. It is a remote-access system w hereby the remote-access server immediately calls the user back at a predetermined number if the dial-in connection fails. B. It is a remote-access system w hereby the users application automatically redials the remote-access server if the initial connection attempt fails. C. It is a remote-access control w hereby the user initially connects to the netw ork systems via dial-up access, only to have the initial connection terminated by the server, w hich then subsequently dials the user back at a predetermined number stored in the servers configuration database. D. It is a remote-access control w hereby the user initially connects to thenetw ork systems via dial-up access, only to have the initial connection terminated by the server, w hich then subsequently allow s the user to call back at an approved number for a limited period of time. Answ er: C A callback system is a remote-access control w hereby the user initially connects to the netw ork systems via dial-up access, only to have the initial connection terminated by the server, w hich then subsequently dials the user back at a predetermined number stored in the servers configuration database. 144. What type of fire-suppression system suppresses fire via w ater that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities? A. A dry-pipe sprinkler system B. A deluge sprinkler system C. A w et-pipe system D. A halon sprinkler system http://kaka-pakistani.blogspot.com 41 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:http://kaka-pakistani.blogspot.com

43 . Answ er: A A dry-pipe sprinkler system suppresses fire via w ater that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities.CISA MOCK EXAM145. Digital signatures require the sender to "sign" the data by encrypting the data w ith the senders public key, to then be decrypted by the recipient using the recipients private key. True or false? A. False B. True Answ er: B Digital signatures require the sender to "sign" the data by encrypting the data w ith the senders private key, to then be decrypted by the recipient using the senders public key. 146. Which of the follow ing provides the BEST single-factor authentication? A. Biometrics B. Passw ord C. Token D. PIN Answ er: A Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication. 147. What is used to provide authentication of the w ebsite and can also be used to successfully authenticate keys used for data encryption? A. An organizational certificate B. A user certificate C. A w ebsite certificate D. Authenticode Answ er: C A w ebsite certificate is used to provide authentication of the w ebsite and can also be used to successfully authenticate keys used for data encryption. 148. What determines the strength of a secret key w ithin a symmetric key cryptosystem? http://kaka-pakistani.blogspot.com 42FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

44 . A. A combination of key length, degree of permutation, and the complexity of the data-encryption algorithm that uses the key B. A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the keyCISA MOCK EXAM C. A combination of key length and the complexity of the data-encryption algorithm that uses the key D. Initial input vectors and the complexity of the data-encryption algorithm that uses the key Answ er: B The strength of a secret key w ithin a symmetric key cryptosystem is determined by a combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key. 149. What process is used to validate a subjects identity? A. Identification B. Nonrepudiation C. Authorization D. Authentication Answ er: D Authentication is used to validate a subjects identity. 150. What is often assured through table link verification and reference checks? A. Database integrity B. Database synchronization C. Database normalcy D. Database accuracy Answ er: A Database integrity is most often ensured through table link verification and reference checks. 151. Which of the follow ing should an IS auditor review to determine user permissions that have been granted for a particular resource? Choose the BEST answ er. A. Systems logs B. Access control lists (ACL) C. Application logs D. Error logs Answ er: B http://kaka-pakistani.blogspot.com 43 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

45 . IS auditors should review access-control lists (ACL) to determine user permissions that have been granted for a particular resource. 152. What should IS auditors alw ays check w hen auditing passw ord files?CISA MOCK EXAM A. That deleting passw ord files is protected B. That passw ord files are encrypted C. That passw ord files are not accessible over the netw ork D. That passw ord files are archived Answ er: B IS auditors should alw ays check to ensure that passw ord files are encrypted. 153. Using the OSI reference model, w hat layer(s) is/are used to encrypt data? A. Transport layer B. Session layer C. Session and transport layers D. Data link layer Answ er: C User

applications often encrypt and encapsulate data using protocols w ithin the OSI session layer or farther dow n in the transport layer. 154. When should systems administrators first assess the impact of applications or systems patches? A. Within five business days follow ing installation B. Prior to installation C. No sooner than five business days follow ing installation D. Immediately follow ing installation Answ er: B Systems administrators should alw ays assess the impact of patches before installation. 155. Which of

the follow ing is the most fundamental step in preventing virus attacks? A. Adopting and communicating a comprehensive antivirus policy B. Implementing antivirus protection softw are on users desktop computers C. Implementing antivirus content checking at all netw ork-to-Internet gatew ays D. Inoculating systems w ith antivirus code http://kaka-pakistani.blogspot.com 44 FORFREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

46 . Answ er: A Adopting and communicating a comprehensive antivirus policy is the most fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon decisions established andCISA MOCK EXAM communicated via policy. 156. Which of the follow ing is of greatest concern w hen performing an IS audit? A. Users ability to directly modify the database B. Users ability tosubmit queries to the database C. Users ability to indirectly modify the database D. Users ability to directly view the database Answ er: A A major IS audit concern is users ability to directly modify the database. 157. What are intrusion-detection systems (IDS) primarily used for? A. To identify AND prevent intrusion attempts to a netw ork B. To prevent intrusion attempts to a netw ork C. Forensic incident response D. To identify intrusion attempts to a netw ork Answ er: D Intrusion-detection systems (IDS) are used to identify intrusion attempts on a netw ork. 158. Rather than simply review ing the adequacy of access control, appropriateness of access policies, and effectiveness of safeguardsand procedures, the IS auditor is more concerned w ith effectiveness and utilization of assets. True or false? A. True B. False Answ er: B Instead of simply review ing the effectiveness and utilization of assets, an IS auditor is more concerned w ith adequate access control, appropriate access policies, and effectiveness of safeguards and procedures. 159. If a programmer has update access to a live system, IS auditors are more concerned w ith the programmers ability to initiate or modify transactions and the ability to access production than w ith the programmers ability to authorize transactions. True or false? http://kaka-pakistani.blogspot.com 45 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:http://kaka-pakistani.blogspot.com

47 . A. True B. FalseCISA MOCK EXAM Answ er: A If a programmer has update access to a live system, IS auditors are more concerned w ith the programmers ability to initiate or modify transactions and the ability to access production than w ith the programmers ability to authorize transactions. 160. Organizations should use off-site storage facilities to maintain (fill in the blank)of current and critical information w ithin backup files. Choose the BEST answ er. A. Confidentiality B. Integrity C. Redundancy D. Concurrency Answ er: C Redundancy is the best answ er because it provides both integrity and availability. Organizations should use off-site storage facilities to maintain redundancy of current and critical information w ithin backup files. 161. The purpose of business continuity planning and disaster-recovery planning is to: A. Transfer the risk and impact of a business interruption or disaster B. Mitigate, or reduce, the risk and impact of a business interruption or disaster C. Accept the risk and impact of a business D. Eliminate the risk and impact of a business interruption or disaster Answ er: B The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible. 162. If a database is restored from information backed up before the last system image, w hich of the follow ing is recommended? A. The system should be restarted after the last transaction. B. The system should be restarted before the last transaction. C. The system should be restarted at the first transaction. D. The system should be restarted on the last transaction. http://kaka-pakistani.blogspot.com 46 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:http://kaka-pakistani.blogspot.com

48 . Answ er: B If a database is restored from information backed up before the last system image, the system shouldCISA MOCK EXAM be restarted before the last transaction because the final transaction must be reprocessed. 163. An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false? A. True B. False Answ er: B An off-site processing facility should not be easily identifiable externally because easy identification w ould create an additional vulnerability for sabotage. 164. Which of the follow ing is thedominating objective of BCP and DRP? A. To protect human life B. To mitigate the risk and impact of a business interruption C. To eliminate the risk and impact of a business interruption D. To transferthe risk and impact of a business interruption Answ er: A Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life. 165. How can minimizing single points of failure or vulnerabilities of a common disaster best be controlled? A. By implementing redundant systems and applications onsite B. By geographically dispersing resources C. By retaining onsite data backup infireproof vaults D. By preparing BCP and DRP documents for commonly identified disasters Answ er: B Minimizing single points of failure or vulnerabilities of a common disaster is mitigated by geographically dispersing resources. 166. Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True

or false? http://kaka-pakistani.blogspot.com 47 FOR FREE ACCA,CAT, CIMA & CISA RESOURCESVISIT: http://kaka-pakistani.blogspot.com

49 . A. True B. FalseCISA MOCK EXAM Answ er: A Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.167. Off-site data storage should be kept synchronized w hen preparing for recovery of time-sensitive data such as that resulting from w hich of the follow ing? Choose the BEST answ er. A. Financial reporting B. Sales reporting C. Inventory reporting D. Transaction processing Answ er: D Off-site data storage should be kept synchronized w hen preparing for the recovery of time-sensitive data such as that resulting from transaction processing. 168. What is an acceptable recovery mechanism for

extremely time-sensitive transaction processing? A. Off-site remote journaling B. Electronic vaulting C. Shadow file processing D. Storage area netw ork Answ er: C Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing. 169. Off- site data backup and storage should be geographically separated so as to (fill in the blank) the risk of a w idespread physical disaster such as a hurricane or earthquake. A. Accept B. Eliminate C. Transfer D. Mitigate Answ er: D http://kaka-pakistani.blogspot.com 48 FOR FREEACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

50 . Off-site data backup and storage should be geographically separated, to mitigate the risk of a w idespread physical disaster such as a hurricane or an earthquake. 170. Why is a clause for requiring source code escrow in an application vendor agreement important?CISA MOCK EXAM A. To segregate systems development and live environments B. To protect the organization from copyright disputes C. To ensure that sufficient code is available w hen needed D. To ensure that the source code remains available even if the application vendor goes out of business Answ er: D A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business. 171. What uses questionnaires to lead the user through a series of choices to reach a conclusion? Choose the BEST answ er. A. Logic trees B. Decision trees C. Decision algorithms D. Logic algorithms Answ er: B Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion. 172. What protectsan application purchasers ability to fix or change an application in case the application vendor goes out of business? A. Assigning copyright to the organization B. Program back doors C. Source code escrow D. Internal programming expertise Answ er: C Source code escrow protects an application purchasers ability to fix or change an application in case the application vendor goes out of business.173. Who is ultimately responsible for providing requirement specifications to the softw are- development team? A. The project sponsor http://kaka-pakistani.blogspot.com 49 FOR FREEACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

51 . B. The project members C. The project leader D. The project steering committeeCISA MOCK EXAM Answ er: A The project sponsor is ultimately responsible for providing requirement specifications to the softw are- development team. 174. What should regression testing use to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensuring that those changes and corrections have not introduced new errors? A. Contrived data B. Independently created data C. Live data D. Data from previous tests Answ er: D Regression testing should use datafrom previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensuring that those changes and corrections have not introduced new errors. 175. An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to: A. Meet business objectives B. Enforce data security C. Be culturally feasible D. Be financially feasible Answ er: A An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives. 176. Which of the follow ing processes are performed during the design phase of the systems- development life cycle (SDLC) model? A. Develop test plans. B. Baseline procedures to prevent scope creep. C. Define the need that requires resolution, and map to the major requirements of the solution. D. Program and test the new system. The tests verify and validate w hat has been developed. http://kaka-pakistani.blogspot.com 50 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

52 . Answ er: B Procedures to prevent scope creep are baselined in the design phase of the systems- development lifeCISA MOCK EXAM cycle (SDLC) model. 177. When should application controls be considered w ithin the system-development process? A. After application unit testing B. After application module testing C. After applications systems testing D. As early as possible, even in the development of the projects functional specifications Answ er: D Application controls should be considered as early as possible in the system-development process, even in the development of the projects functional specifications. 178. What is used to develop strategically important systems faster, reduce development costs, and still maintain high quality? Choose the BEST answ er. A. Rapid application development (RAD) B. GANTT C. PERT D. Decision trees Answ er: A Rapid application development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality. 179. Test and development environments should be separated.True or false? A. True B. False Answ er: A Test and development environments should be separated, to control the stability of the test environment. 180. What kind of testing should programmers perform follow ing any changes to an application or system? http://kaka-pakistani.blogspot.com 51 FOR FREEACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

53 . A. Unit, module, and full regression testing B. Module testing C. Unit testing D. Regression testingCISA MOCK EXAM Answ er: A Programmers should perform unit, module, and full regression testing follow ing any changes to an application or system. 181. Which of the follow ing uses a prototype that can be updated continually to meet changing user or business requirements? A. PERTB. Rapid application development (RAD) C. Function point analysis (FPA) D. GANTT Answ er: B Rapid application development (RAD) uses a prototype that can be updated continually to meet

changing user or business requirements. 182. What is the most common reason for information systems to fail to meet the needs of users? Choose the BEST answ er. A. Lack of funding B. Inadequate user participation during system requirements definition C. Inadequate senior management participation during system requirements definition D. Poor IT strategic planning Answ er: B Inadequate user participation during system requirements definition is the most common reason for

information systems to fail to meet the needs of users. 183. Who is responsible for the overall direction, costs, and timetables for systems-development projects? A. The project sponsor B. The project steering committee C. Senior management D. The project team leader http://kaka- pakistani.blogspot.com 52 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

54 . Answ er: B The project steering committee is responsible for the overall direction, costs, and timetables for systems-development projects.CISA MOCK EXAM 184. When should plans for testing for user acceptance be prepared? Choose the BEST answ er. A. In the requirements definition phase of the systems-development project B. In the feasibility phase of the systems-development project C. In the design phase of the systems-development project D. In the development phase of the systems- development project Answ er: A Plans for testing for user acceptance are usually prepared in the requirements definition phase of the systems-development project. 185. Above almost all other concerns, w hat often results in the greatest negative impact on the implementation of new application softw are? A. Failing to perform user acceptance testing B. Lack of user training for the new systemC. Lack of softw are documentation and run manuals D. Insufficient unit, module, and systems testing Answ er: A Above almost all other concerns, failing to perform user acceptance testing often results in the greatest negative impact on the implementation of new application softw are. 186. Input/output controls should be implemented for w hich applications in an integrated systems environment? A. The receiving application B. The sending application C. Both the sending and receiving applications D. Output on the sending application and input on the receiving application Answ er: C Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment http://kaka-pakistani.blogspot.com 53 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

55 . 187. Authentication techniques for sending and receiving data betw een EDI systems is crucial to prevent w hich of the follow ing? Choose the BEST answ er. A. Unsynchronized transactionsCISA MOCK EXAM B. Unauthorized transactions C. Inaccurate transactions D. Incomplete transactions Answ er: B Authentication techniques for sending and receiving data betw een EDI systems are crucial to prevent unauthorized transactions. 188. After identifying potential security vulnerabilities, w hat should be the IS auditors next step? A. To evaluate potential countermeasures and compensatory controls B. To implement effective countermeasures and compensatory controls C. To perform a business impact analysis of the threats that w ould exploit the vulnerabilities D. To immediately advise senior management of the findings Answ er: C After identifying potential security vulnerabilities, the IS auditors next step is to perform a business impact analysis of the threats that w ould exploit the vulnerabilities. 189. What is the primary security concern for EDI environments? Choose the BEST answ er. A. Transaction authentication B. Transaction completeness C. Transaction accuracy D. Transaction authorization Answ er: D Transaction authorization is the primary security concern for EDI environments. 190. Which of the follow ing exploit vulnerabilities to cause loss or damage to the organization and its assets? A. Exposures B. Threats C. Hazards D. Insufficient controls http://kaka- pakistani.blogspot.com 54 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakistani.blogspot.com

56 . Answ er: B Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.CISA MOCK EXAM 191. Business process re-engineering often results in automation, w hich results in number of people using technology. Fill in the blanks. A. Increased; a greater B. Increased; a few er C. Less; a few er D. Increased; the same Answ er: A Business process re-engineering often results in increased automation, w hich results in a greater number of people using technology. 192. Whenever business processes have been re-engineered, the IS auditor attempts to identify and quantify the impact of any controls that might have been removed, or controls that might not w ork as effectively after business process changes. True or false? A. True B. False Answ er: A Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not w ork as effectively after business process changes. 193. When should an application- level edit check to verify that availability of funds w as completed at the electronic funds transfer(EFT) interface? A. Before transaction completion B. Immediately after an EFT is initiated C. During run-to-run total testing D. Before an EFT is initiated Answ er: D An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated. http://kaka-pakistani.blogspot.com 55 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

57 . 194. (fill in the blank) should be implemented as early as data preparation to support data integrity at the earliest point possible. A. Control totalsCISA MOCK EXAM B. Authentication controls C. Parity bits D. Authorization controls Answ er: A Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible. 195. What is used as a control to detect loss, corruption, or duplication of data? A. Redundancy check B. Reasonableness check C. Hash totals D. Accuracy check Answ er: C Hash totals are used as a control to detect loss, corruption, or duplication of data. 196. Data edits are implemented before

processing and are considered w hich of the follow ing? Choose the BEST answ er. A. Deterrent integrity controls B. Detective integrity controls C. Corrective integrity controls D. Preventative integrity controls Answ er: D Data edits are implemented before processing and are considered preventive integrity controls. 197. In small office environments, it is not alw ays possible to maintain proper segregation ofduties for programmers. If a programmer has access to production data or applications, compensatory

controls such as the review ing of transaction results to approved input might be necessary. True or false? A. True B. False http://kaka-pakistani.blogspot.com 56 FOR FREE ACCA,CAT, CIMA & CISARESOURCES VISIT: http://kaka-pakistani.blogspot.com

58 . Answ er: A In small office environments, it is not alw ays possible to maintain proper segregation of duties for programmers. If a programmer has access to production data or applications, compensatory controlsCISA MOCK EXAM such as the review of transaction results to approved input might be necessary. 198. Processing controls ensure that data is accurate and complete, and is processed only through w hich of the follow ing? Choose the BEST answ er. A. Documented routines B. Authorized routines C. Accepted routines D. Approved routines Answ er: B Processing controls ensure that data is accurate and complete, and is processed only through authorized routines. 199. What is a data validation edit control that matches input data to an occurrence rate? Choose the BEST answ er. A. Accuracy check B. Completeness check C. Reasonableness check D. Redundancy check Answ er: C A reasonableness check is a data validation edit control that matches input data to anoccurrence rate. 200. Database snapshots can provide an excellent audit trail for an IS auditor. True or false? A. True B. False Answ er: A Database snapshots can provide an excellent audit trail for an IS auditor.

(391687872) Cisa -mock_exam

Documents

Transcript of (391687872) Cisa -mock_exam