Вы находитесь на странице: 1из 61

L ke h s

docu sha e
Ema

Upcoming SlideShare
Loading in...5

2 of 58
Like Share Save
CISA exam 100 practice question C ISA exam 100 practice question by Arshad A Javed 1927 views
CISA Review Courses - Slides Part2 CISA Review C ourses - Slides Part2 by Iyad Mourtada 1159
views CISA Review Course Slides - Part1 C ISA Review Course Slides - Part1 by Iyad Mourtada
1707 views Cisa certified-information-systems-... Cisa certified-information-systems-... by Mateen76
14467 views Sybex cisa-certified-information-sy... Sybex cisa-certified-information-sy... by samdxb24
9099 views Passing CISA Passing CISA by anilbabladi 2280 views
CISA Summary V1.0 CISA Summary V1.0 by christianreina 4573 views
Information Systems Audit & CISA Pr... Information Systems Audit & CISA Pr... by Donald Hester 521 views
CISA - Web based Course Informatio... CISA - Web based Course Informatio... by Vidhya Sampath Ku... 1709 views
Self-Serving CISA Study Guide Online Self-Serving CISA Study Guide Online by stefanhenry 1205
views Chap1 2007 Cisa Review Course Chap1 2007 Cisa Review Course by Desmond Devendran
10125 views It audit presentation_icap It audit presentation_icap by Institute of Cost... 15375 views
traditional role of an IS auditor in a control self-

Like this? Share it with your network

assessment (CSA) should be that of a facilitator. 2. What


is the

Share
13,927

Cisa -mock_exam

views

Alamelu Babu

+ Follow
0

Up loaded on Nov 24, 2011

More in: Business , T echnology

0 Comments

6 Likes

Statistics

Notes

F ull Name

Comment goes here.


12 hours ago Delete Reply Spam Block

Post

Share your thoughts...

Be the first to comment

Transcript
1. Mock Exam CISAComplete 200 Multiple Choice Questions w ith detailed solutions and reasoning
FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
2. 1. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):
A. Implementor B. FacilitatorCISA MOCK EXAM C. Developer D. Sponsor Answ er: B The

CISA Review Cours es - Slides


Part2
Iyad Mourtada
1,159 views

CISA Review Cours e Slides - Part1


Iyad Mourtada
1,707 views

Cis a certified-inform ation- s


ys tem s -auditor-s tudyguide.9780470231524.33336
Mateen76

Recommended

14,468 views

More from User

CISA exam 100 practice ques tion


Ars had A Javed

Sybex cis a-certified-inform ations ys tem s -auditor-s tudy-guide2nd- edition-m ar-20


s am dxb24

1,928 views

primary objective of a control self-assessment (CSA) program? A. Enhancement of the audit

9,099 views

responsibility B. Elimination of the audit responsibility C. Replacement of the audit responsibility D.


Integrity of the audit responsibility Answ er: A Audit responsibility enhancement is an objective of a
control self-assessment (CSA) program. 3. IS auditors are MOST likely to perform compliance tests of
internal controls if, after their initial evaluation of the controls, they conclude that control risks are w

Pas s ing CISA


anilbabladi
2,280 views

ithin the acceptable limits. True or false? A. True B. False Answ er: A IS auditors are most likely to
perform compliance tests of internal controls if, after their initial evaluation of the controls, they
conclude that control risks are w ithin the acceptable limits. Think of it this w ay: If any reliance is

CISA Sum m ary V1.0


chris tianreina

placed on internal controls, that reliance must be validated through compliance testing. High control

4,573 views

risk results in little reliance on internal controls, w hich results in additional substantive testing. 4. As
compared to understanding an organizations IT process from evidence directly collected, how valuable
are prior audit reports as evidence? A. The same value. B. Greater value. C. Lesser value. D. Prior
audit reports are not relevant. http://kaka-pakis tani. blogs pot. c om 1 FOR FREE ACCA,CAT, CIMA &
CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om

Inform ation Sys tem s Audit & CISA


Prep 2010
Donald Hes ter
521 views

3. Answ er: C Prior audit reports are considered of lesser value to an IS auditor attempting to gain an
understanding of an organizations IT process than evidence directly collected.CISA MOCK EXAM 5.
What is the PRIMARY purpose of audit trails? A. To document auditing efforts B. To correct data
integrity errors C. To establish accountability and responsibility for processed transactions D. To
prevent unauthorized access to data Answ er: C The primary purpose of audit trails is to establish

CISA - Web bas ed Cours e


Inform ation Sys tem s oftware
Vidhya Sam path Kum aran
1,709 views

accountability and responsibility for processed transactions. 6. How does the process of systems
auditing benefit from using a risk-based approach to audit planning? A. Controls testing starts earlier.
B. Auditing resources are allocated to the areas of highest concern. C. Auditing risk is reduced. D.
Controls testing is more thorough. Answ er: B Allocation of auditing resources to the areas of highest
concern is a benefit of a risk-based approach to audit planning. 7. After an IS auditor has identified

Self-Serving CISA Study Guide


Online s
tefanhenry
1,205 views

threats and potential impacts, the auditor should: A. Identify and evaluate the existing controls B.
Conduct a business impact analysis (BIA) C. Report on existing controls D. Propose new controls
Answ er: A After an IS auditor has identified threats and potential impacts, the auditor should then
identify and evaluate the existing controls. http://kaka-pakis tani. blogs pot. c om 2 FOR FREE

Chap1 2007 Cis a Review Cours e


Des m ond Devendran
10,125 views

ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
4. 8. The use of statistical sampling procedures helps minimize: A. Detection risk B. Business riskCISA
MOCK EXAM C. Controls risk D. Compliance risk Answ er: A The use of statistical sampling
procedures helps minimize detection risk. 9. What type of risk results w hen an IS auditor uses an
inadequate test procedure and concludes that material errors do not exist w hen errors actually exist? A.

It audit pres entation_icap


Ins titute of Cos t and Managem ent
Accountant Pakis tan
15,375 views

Business risk B. Detection risk C. Residual risk D. Inherent risk Answ er: B Detection risk results w
hen an IS auditor uses an inadequate test procedure and concludes that material errors do not exist w hen
errors actually exist. 10. A primary benefit derived from an organization employing control selfassessment (CSA) techniques is that it can: A. Identify high-risk areas that might need a detailed review

Fall 2009 CISA Review Cours e


Billy82
885 views

later B. Reduce audit costs C. Reduce audit time D. Increase audit accuracy Answ er: C A primary
benefit derived from an organization employing control self-assessment (CSA) techniques is
that it can identify high-risk areas that might need a detailed review later. 11. What type of approach to

CISA Part2
Iyad Mourtada

the development of organizational policies is often driven by risk assessment? A. Bottom-up B. Top-

687 views

dow n C. Comprehensive D. Integrated http://kaka-pakis tani. blogs pot. c om 3 FOR FREE ACCA,CAT,
CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om

5. Answ er: B A bottom-up approach to the development of organizational policies is often driven by
risk assessment.CISA MOCK EXAM 12. Who is accountable for maintaining appropriate security

Introduction to IT Audit
Chris Nicole Apat

measures over information assets? A. Data and systems ow ners B. Data and systems users C. Data and

1,110 views

systems custodians D. Data and systems auditors Answ er: A Data and systems ow ners are accountable
for maintaining appropriate security measures over information assets. 13. Proper segregation of duties
prohibits a system analyst from performing quality-assurance functions. True or false? A. True B. False
Answ er: A Proper segregation of duties prohibits a system analyst from performing quality-assurance

Chap5 2007 Cis a Review Cours e


Des m ond Devendran

functions. 14. What should an IS auditor do if he or she observes that project-approval procedures do

3,494 views

not exist? A. Advise senior management to invest in project- management training for the staff B.
Create project-approval procedures for future project implementations C. Assign project leaders D.
Recommend to management that formal approval procedures be adopted and documented Answ er: D If
an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend
to management that formal approval procedures be adopted and documented. 15. Who is ultimately

Chap6 2007 Cis a Review Cours e


Des m ond Devendran
2,919 views

accountable for the development of an IS security policy? A. The board of directors B. Middle
management C. Security administrators D. Netw ork administrators http://kaka-pakis tani. blogs pot. c om 4
FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
6. Answ er: A The board of directors is ultimately accountable for the development of an IS security
policy.CISA MOCK EXAM 16. Proper segregation of duties normally does not prohibit a LAN
administrator from also having programming responsibilities. True or false? A. True B. False Answ er: B
Proper segregation of duties normally prohibits a LAN administrator from also having programming
responsibilities. 17. A core tenant of an IS strategy is that it must: A. Be inexpensive B. Be protected as
sensitive confidential information C. Protect information confidentiality, integrity, and availability D.

ISACA Update - ISACA Central


Ohio Chapter
Billy82
1,889 views

1 q is -auditproces s
Alam elu Babu
2,221 views

Support the business objectives of the organization Answ er: D Above all else, an IS strategy must
support the business objectives of the organization. 18. Batch control reconciliation is a
(fill in the blank) control for mitigating risk of inadequate segregation of
duties. A. Detective B. Corrective C. Preventative D. Compensatory Answ er: D Batch control
reconciliations is a compensatory control for mitigating risk of inadequate segregation of duties. 19.
Key verification is one of the best controls for ensuring that: A. Data is entered correctly B. Only
authorized cryptographic keys are used C. Input is authorized http://kaka-pakis tani. blogs pot. c om 5
FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om

7 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES


VISIT: http://kaka-pakis tani. blogs pot. c om
9. 26. What w ould an IS auditor expect to find in the
console log? Choose the BEST answ er. A. Evidence of
passw ord spoofing B. System errorsCISA MOCK EXAM C.

7. D. Database indexing is performed properly Answ er: ACISA MOCK EXAM Key verification is one

Evidence of data copy activities D. Evidence of passw ord

of the best controls for ensuring that data is entered correctly. 20. If senior management is not

sharing Answ er: B An IS auditor can expect to find system

committed to strategic planning, how likely is it that a companys implementation of IT w ill be

errors to be detailed in the console log. 27. Atomicity

successful? A. IT cannot be implemented if senior management is not committed to strategic planning.

enforces data integrity by ensuring that a transaction is either

B. More likely. C. Less likely. D. Strategic planning does not affect the success of a companys

completed in its entirely or not at all. Atomicity is part of the

implementation of IT. Answ er: C A companys implementation of IT w ill be less likely to succeed if

ACID test reference for transaction processing. True or

senior management is not committed to strategic planning. 21. Which of the follow ing could lead to an

false? A. True B. False Answ er: A Atomicity enforces data

unintentional loss of confidentiality? Choose the BEST answ er. A. Lack of employee aw areness of a

integrity by ensuring that a transaction is either completed in

companys information security policy B. Failure to comply w ith a companys information security policy

its entirely or not at all. Atomicity is part of the ACID test

C. A momentary lapse of reason D. Lack of security policy enforcement procedures Answ er: A Lack of

reference for transaction processing. 28. Why does the IS

employee aw areness of a companys information security policy could lead to an unintentional loss of

auditor often review the system logs? A.

confidentiality. 22. What topology provides the greatest redundancy of routes and the greatest netw ork

To get evidence of passw ord spoofing B. To get evidence

fault tolerance? A. A star netw ork topology B. A mesh netw ork topology w ith packet forw arding

of data copy activities C. To determine the existence of

enabled at each host C. A bus netw ork topology D. A ring netw ork topology Answ er: B http://kaka-

unauthorized access to data by a user or program D. To get

pakis tani. blogs pot. c om 6 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-

evidence of passw ord

pakis tani. blogs pot. c om

sharing Answ er: C When trying to determine the existence


of unauthorized access to data by a user or program, the IS

8. A mesh netw ork topology provides a point-to-point link betw een every netw ork host. If each host is

auditor w ill often review the system logs. 29. What is

configured to route and forw ard communication, this topology provides the greatest redundancy of

essential for the IS auditor to obtain a clear understanding of

routes and the greatest netw ork fault tolerance.CISA MOCK EXAM 23. An IS auditor usually places

netw ork management? A. Security administrator access to

more reliance on evidence directly collected. What is an example of such evidence? A. Evidence

systems B. Systems logs of all hosts providing application

collected through personal observation B. Evidence collected through systems logs provided by the

services C. A graphical map of the netw ork topology

organizations security administration C. Evidence collected through surveys collected from internal staff

D. Administrator access to systems Answ er: C http://kakapakis tani. blogs pot. c om 8 FOR FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT:
http://kaka-pakis tani. blogs pot. c om

D. Evidence collected through transaction reports provided by the organizations IT administration Answ
er: A An IS auditor usually places more reliance on evidence directly collected, such as through personal
observation. 24. What kind of protocols does the OSI Transport Layer of the TCP/IP
protocol suite provide to ensure reliable communication? A. Nonconnection-oriented protocols B.
Connection-oriented protocols C. Session-oriented protocols D. Nonsession-oriented protocols
Answ er: B The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols
to ensure reliable communication. 25. How is the time required for transaction processing review usually
affected by properly implemented Electronic Data Interface (EDI)? A. EDI usually decreases the time
necessary for review . B. EDI usually increases the time necessary for review . C. Cannot be determined.
D. EDI does not affect the time necessary for review . Answ er: A Electronic data interface (EDI)
supports intervendor communication w hile decreasing the time necessary for review because it
is usually configured to readily identify errors requiring follow -up. http://kaka-pakis tani. blogs pot. c om

Audit Proces s , Audit Procedures , Audit Planning, Auditing


Advance Bus ines s Cons ulting
62,262 views

Sybex.Cis a.Certified.Inform ation.Sys te


gues t7d67c93
16,246 views

Welcom e to cis a 101 s um m er


Jenni Davis Lund
970 views

Cis a & cis m people s oft audit


plans ic qs
Satis h Apparala
922 views

Chap3 2007 Cis a Review Cours e


Des m ond Devendran
2,094 views

Cwi s yllabus cis a-fall-2013-lund


jenlundCWI
799 views

Ch2 2009 cis a as ruls ani09


1,442 views

Inform acin Certificacin y


Form acin CISA 2014 ES
ISACA Madrid
3,120 views

Chap2 2007 Cis a Review Cours e


Des m ond Devendran
2,660 views

Steps in it audit
kinjalm kothari92
1,012 views

des
Des m ond Devendran
2,311 views

The Status of IT Audit Education


Tim othy212
964 views

10. A graphical interface to the map of the netw ork topology is essential for the IS auditor to obtain a
clear understanding of netw ork management. 30. How is risk affected if users have direct access to a
database at the system level?CISA MOCK EXAM A. Risk of unauthorized access increases, but risk of

Cis a 101 s um m er s yllabus


Jenni Davis Lund

untraceable changes to the database decreases. B. Risk of unauthorized and untraceable changes to the

666 views

database increases. C. Risk of unauthorized access decreases, but risk of untraceable changes to the
database increases. D. Risk of unauthorized and untraceable changes to the database decreases. Answ
er: B If users have direct access to a database at the system level, risk of unauthorized and untraceable
changes to the database increases. 31. What is the most common purpose of a virtual private netw ork
implementation? A. A virtual private netw ork (VPN) helps to secure access betw een an enterprise and

Sa aug09 byrne m
cees hie
1,111 views

its partners w hen communicating over an otherw ise unsecured channel such as the Internet. B. A
virtual private netw ork (VPN) helps to secure access betw een an enterprise and its partners w hen
communicating over a dedicated T1 connection. C. A virtual private netw ork (VPN) helps to secure
access w ithin an enterprise w hen communicating over a dedicated T1 connection
betw een netw ork segments w ithin the same facility. D. A virtual private netw ork (VPN) helps to
secure access betw een an enterprise and its partners w hen communicating over a w ireless connection.
Answ er: A A virtual private netw ork (VPN) helps to secure access betw een an enterprise and its

Chapter 4
MRicky
2,385 views

partners w hen communicating over an otherw ise unsecured channel such as the Internet. 32. What
benefit does using capacity-monitoring softw are to monitor usage patterns and trends provide to
management? Choose the BEST answ er. A. The softw are can dynamically readjust netw ork traffic
capabilities based upon current usage. B. The softw are produces nice reports that really impress
management. C. It allow s users to properly allocate resources and ensure continuous efficiency of

IS Audit and Internal Controls


Bharath Rao
714 views

operations. D. It allow s management to properly allocate resources and ensure continuous efficiency
of operations. Answ er: D Using capacity-monitoring softw are to monitor usage patterns and trends
enables management to properly allocate resources and ensure continuous efficiency of operations.

Audit proces s hem


athayanithy

http://kaka-pakis tani. blogs pot. c om 9 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:
http://kaka-pakis tani. blogs pot. c om

1,387 views

11. 33. What can be very helpful to an IS auditor w hen determining the efficacy of a systems

or update the same information. 35. What increases

maintenance program? Choose the BEST answ er. A. Netw ork-monitoring softw areCISA MOCK

encryption overhead and cost the most? A. A long symmetric

EXAM B. A system dow ntime log C. Administration activity reports D. Help-desk utilization trend

encryption key B. A long asymmetric encryption key C. A

reports Answ er: B A system dow ntime log can be very helpful to an IS auditor w hen determining the

long Advance Encryption Standard (AES) key D. A long

efficacy of a systems maintenance program. 34. What are used as a countermeasure for potential

Data Encryption Standard (DES) key Answ er: B A long

database corruption w hen tw o processes attempt to simultaneously edit or update the same

asymmetric encryption key (public key encryption) increases

information? Choose the BEST answ er. A. Referential integrity controls B. Normalization controls C.

encryption overhead and cost. All other answ ers are single

Concurrency controls D. Run-to-run totals Answ er: A Concurrency controls are used as a

shared symmetric keys. 36. Which of the follow ing best

countermeasure for potential database corruption w hen tw o processes attempt to simultaneously edit

characterizes "w orms"? A. Malicious programs that can run


independently and can propagate w ithout the aid of a carrier

program such as email B. Programming code errors that cause a program to repeatedly dump data C.
Malicious programs that require the aid of a carrier program such as email http://kakapakis tani. blogs pot. c om 10

Proces s us Audit SI
Ars ne Ngato
7,659 views

FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
12. D. Malicious programs that masquerade as common applications such as screensavers or macroenabled Word documents Answ er: ACISA MOCK EXAM Worms are malicious programs that can run
independently and can propagate w ithout the aid of a carrier program such as email. 37. What is an
initial step in creating a proper firew all policy? A. Assigning access to users according to the principle

Audit Checklis t for Inform ation


Sys tem s
AHMAD BHATTI
23,724 views

of least privilege B. Determining appropriate firew all hardw are and softw are C. Identifying netw ork
applications such as mail, w eb, or FTP servers D. Configuring firew all access rules Answ er: C
Identifying netw ork applications such as mail, w eb, or FTP servers to be externally accessed is an
initial step in creating a proper firew all policy. 38. What type of cryptosystem is characterized by data

Auditing In Com puter Environm ent


Pres entation
Sako Mayrick
56,904 views

being encrypted by the sender using the recipients public key, and the data then being decrypted using the
recipients private key? A. With public-key encryption, or symmetric encryption B. With public-key
encryption, or asymmetric encryption C. With shared-key encryption, or symmetric encryption D. With
shared-key encryption, or asymmetric encryption Answ er: B With public key encryption or asymmetric
encryption, data is encrypted by the sender using the recipients public key; the data is then decrypted
using the recipients private key. 39. How does the SSL netw ork protocol provide confidentiality? A.
Through symmetric encryption such as RSA B. Through asymmetric encryption such as Data
Encryption Standard, or DES C. Through asymmetric encryption such as Advanced Encryption
Standard, or AES D. Through symmetric encryption such as Data Encryption Standard, or DES Answ er:
D The SSL protocol provides confidentiality through symmetric encryption such as
Data Encryption Standard, or DES. http://kaka-pakis tani. blogs pot. c om 11 FOR FREE ACCA,CAT,
CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
13. 40. What are used as the framew ork for developing logical access controls? A. Information systems
security policies B. Organizational security policiesCISA MOCK EXAM C. Access Control Lists (ACL) D.
Organizational charts for identifying roles and responsibilities Answ er: A Information systems security
policies are used as the framew ork for developing logical access controls. 41. Which of the follow ing are
effective controls for detecting duplicate transactions such as payments made or received? A. Concurrency
controls B. Reasonableness checks C. Time stamps D. Referential integrity controls Answ er: C Time
stamps are an effective control for detecting duplicate transactions such as payments made or received. 42.
Which of the follow ing is a good control for protecting confidential data residing on a PC? A. Personal
firew all B. File encapsulation C. File encryption D. Host-based intrusion detection Answ er: C File
encryption is a good control for protecting confidential data residing on a PC. 43. Which of the follow ing
is a guiding best practice for implementing logical access controls? A. Implementing the Biba Integrity
Model B. Access is granted on a least-privilege basis, per the organizations data ow ners C. Implementing
the Take-Grant access control model D. Classifying data according to the subjects requirements Answ er:
B http://kaka-pakis tani. blogs pot. c om 12 FOR
FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
14. Logical access controls should be review ed to ensure that access is granted on a least-privilege
basis, per the organizations data ow ners. 44. What does PKI use to provide some of the strongest
overall control over data confidentiality,CISA MOCK EXAM reliability, and integrity for Internet

Internal audit procedure


bhavikjariwala
5,713 views

transactions? A. A combination of public-key cryptography and digital certificates and tw o-factor


authentication B. A combination of public-key cryptography and tw o-factor authentication C. A
combination of public-key cryptography and digital certificates D. A combination of digital
certificates and tw o-factor authentication Answ er: C PKI uses a combination of public-key
cryptography and digital certificates to provide some of the strongest overall control over data
confidentiality, reliability, and integrity for Internet transactions. 45. Which of the follow ing do
digital signatures provide? A. Authentication and integrity of data B. Authentication and
confidentiality of data C. Confidentiality and integrity of data D. Authentication and availability of
data Answ er: A The primary purpose of digital signatures is to provide authentication and integrity
of data. 46. Regarding digital signature implementation, w hich of the follow ing answ ers is
correct? A. A digital signature is created by the sender to prove message integrity by encrypting the
message w ith the senders private key. Upon receiving the data, the recipient can decrypt the data
using the senders public key. B. A digital signature is created by the sender to prove message
integrity by encrypting the message w ith the recipients public key. Upon receiving the data, the
recipient can decrypt the data using the recipients
public key. C. A digital signature is created by the sender to prove message integrity by initially
using a hashing algorithm to produce a hash value or message digest from the entire message
contents. Upon receiving the data, the recipient can independently create it. D. A digital signature is
created by the sender to prove message integrity by encrypting the message w ith the senders public
key. Upon receiving the data, the recipient can decrypt the data using the recipients private key.
Answ er: C http://kaka-pakis tani. blogs pot. c om 13 FOR FREE ACCA,CAT, CIMA & CISA
RESOURCES VISIT:
http://kaka-pakis tani. blogs pot. c om
15. A digital signature is created by the sender to prove message integrity by initially using a hashing
algorithm to produce a hash value, or message digest, from the entire message contents. Upon
receiving the data, the recipient can independently create its ow n message digest from the data for
comparison and data integrity validation. Public and private keys are used to enforce
confidentiality.CISA MOCK EXAM Hashing algorithms are used to enforce integrity. 47. Which of
the follow ing w ould provide the highest degree of server access control? A. A mantrap-monitored
entryw ay to the server room B. Host-based intrusion detection combined w ith CCTV C. Netw orkbased intrusion detection D. A fingerprint scanner facilitating biometric access control Answ er: D A
fingerprint scanner facilitating biometric access control can provide a very high degree of server
access control. 48. What are often the primary safeguards for systems softw are and data? A.
Administrative access controls B. Logical access controls C. Physical access controls D.
Detective access controls Answ er: B Logical access controls are often the primary safeguards for
systems softw are and data. 49. Which of the follow ing is often used as a detection and deterrent
control against Internet attacks? A. Honeypots B. CCTV C. VPN D. VLAN Answ er: A Honeypots
are often used as a detection and deterrent control against Internet attacks. 50. Which of the follow
ing BEST characterizes a mantrap or deadman door, w hich is used as a deterrent control for the
vulnerability of piggybacking? A. A monitored double-doorw ay entry system http://kakapakis tani. blogs pot. c om 14
FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
16. B. A monitored turnstile entry system C. A monitored doorw ay entry system D. A one-w ay
door that does not allow exit after entryCISA MOCK EXAM Answ er: A A monitored double-doorw
ay entry system, also referred to as a mantrap or deadman door, is used as a deterrent control for the
vulnerability of piggybacking. 51. Which of the follow ing is an effective method for controlling dow
nloading of files via FTP? Choose the BEST answ er. A. An application-layer gatew ay, or proxy
firew all, but not stateful inspection firew alls B. An application-layer gatew ay, or proxy firew all C.
A circuit-level gatew ay D. A first-generation packet-filtering firew all Answ er: B Application-layer
gatew ays, or proxy firew alls, are an effective method for controlling dow nloading of files via FTP.
Because FTP is an OSI application-layer protocol, the most effective firew all needs to be capable of
inspecting through the application layer. 52. Which of the follow ing provides the strongest
authentication for physical access control? A. Sign-in logs B. Dynamic passw ords C. Key
verification D. Biometrics Answ er: D Biometrics can be used to provide excellent physical access
control. 53. What is an effective countermeasure for the vulnerability of data entry operators
potentially leaving their computers w ithout logging off? Choose the BEST answ er. A. Employee
security aw areness
training B. Administrator alerts C. Screensaver passw ords D. Close supervision Answ er: C
http://kaka- pakistani.blogspot.com 15 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES
VISIT: http://kakapakistani.blogspot.com
17. Screensaver passw ords are an effective control to implement as a countermeasure for the
vulnerability of data entry operators potentially leaving their computers w ithout logging off. 54.
What can ISPs use to implement inbound traffic filtering as a control to identify IP packetsCISA
MOCK EXAM transmitted from unauthorized sources? Choose the BEST answ er. A. OSI Layer 2
sw itches w ith packet filtering enabled B. Virtual Private Netw orks C. Access Control Lists (ACL)
D. Point-to- Point Tunneling Protocol Answ er: C ISPs can use access control lists to implement
inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources.
55. What is the key distinction betw een encryption and hashing algorithms? A. Hashing algorithms
ensure data confidentiality. B. Hashing algorithms are irreversible. C. Encryption algorithms ensure

data integrity. D. Encryption algorithms are not irreversible. Answ er: B A key distinction betw een
encryption and hashing algorithms is that hashing algorithms are irreversible. 56. Which of the
follow ing is BEST characterized by unauthorized modification of data before or during systems data
entry? A. Data
diddling B. Skimming C. Data corruption D. Salami attack Answ er: A Data diddling involves modifying

data before or during systems data entry. 57. Which of the follow ing is used to evaluate
biometric access controls? A. FAR B. EER C. ERR http://kaka-pakis tani. blogs pot. c om 16 FOR
FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
18. D. FRR Answ er: BCISA MOCK EXAM When evaluating biometric access controls, a low
equal error rate (EER) is preferred. EER is also called the crossover error rate (CER). 58. Who is
ultimately responsible and accountable for review ing user access to systems? A. Systems security
administrators B. Data custodians C. Data ow ners D. Information systems auditors Answ er: C Data
ow ners are ultimately responsible and accountable for review ing user access to systems. 59.
Establishing data ow nership is an important first step for w hich of the follow ing processes?
Choose the BEST answ er. A. Assigning user access privileges B. Developing organizational
security policies C. Creating roles and responsibilities D. Classifying data Answ er: D To properly
implement data classification, establishing data ow nership is an important first step. 60. Which of
the follow ing is MOST is critical during the business impact assessment phase of business
continuity planning? A. End-user involvement B. Senior management involvement C. Security
administration involvement D. IS auditing involvement Answ er:
A End-user involvement is critical during the business impact assessment phase of business
continuity planning. 61. What type of BCP test uses actual resources to simulate a system crash and
validate the plans effectiveness? http://kaka-pakis tani. blogs pot. c om 17 FOR FREE ACCA,CAT,
CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
19. A. Paper B. Preparedness C. Walk-throughCISA MOCK EXAM D. Parallel Answ er: B Of the
three major types of BCP tests (paper, w alk-through, and preparedness), only the preparedness test
uses actual resources to simulate a system crash and validate the plans effectiveness. 62. Which of
the follow ing typically focuses on making alternative processes and resources available for
transaction processing? A. Cold-site facilities B. Disaster recovery for netw orks C. Diverse
processing D.
Disaster recovery for systems Answ er: D Disaster recovery for systems typically focuses on
making alternative processes and resources available for transaction processing. 63. Which type of
major BCP test only requires representatives from each operational area to meet to review the plan?
A. Parallel B. Preparedness C. Walk-thorough D. Paper Answ er: C Of the three major types of BCP
tests (paper, w alk-through, and preparedness), a w alk-through test requires only that
representatives from each operational area meet to review the plan. 64. What influences decisions
regarding criticality of assets? A. The business criticality of the data to be protected B. Internal
corporate politics C. The business criticality of the data to be protected, and the scope of the impact
upon the organization as a w hole D. The business impact analysis http://kakapakis tani. blogs pot. c om 18 FOR FREE ACCA,CAT, CIMA &
CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
20. Answ er: C Criticality of assets is often influenced by the business criticality of the data to be
protected and by the scope of the impact upon the organization as a w hole. For example, the loss of
a netw ork backboneCISA MOCK EXAM creates a much greater impact on the organization as a w
hole than the loss of data on a typical users w orkstation. 65. Of the three major types of off-site
processing facilities, w hat type is characterized by at least providing for electricity and HVAC? A.
Cold site B. Alternate site C. Hot site D. Warm site Answ er: A Of the three major types of off-site
processing facilities (hot, w arm, and cold), a cold site is characterized by at least providing for
electricity and HVAC. A w arm site improves upon this by providing for redundant equipment and
softw are that can
be made operational w ithin a short time. 66. With the objective of mitigating the risk and impact of a
major business interruption, a disaster-recovery plan should endeavor to reduce the length of
recovery time necessary, as w ell as costs associated w ith recovery. Although DRP results in an
increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced
recovery and business impact costs. True or false? A. True B. False Answ er: A With the objective
of mitigating the risk and impact of a major business interruption, a disaster- recovery plan should
endeavor to reduce the length of recovery time necessary and the costs associated w ith recovery.
Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are
more than offset by
reduced recovery and business impact costs. 67. Of the three major types of off-site processing
facilities, w hat type is often an acceptable solution for preparing for recovery of noncritical
systems and data? A. Cold site B. Hot site C. Alternate site D. Warm site Answ er: A http://kakapakistani.blogspot.com 19 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:
http://kakapakistani.blogspot.com
21. A cold site is often an acceptable solution for preparing for recovery of noncritical systems and
data. 68. Any changes in systems assets, such as replacement of hardw are, should be
immediatelyCISA MOCK EXAM recorded w ithin the assets inventory of w hich of the follow ing?
Choose the BEST answ er. A. IT strategic plan B. Business continuity plan C. Business impact
analysis D. Incident response plan Answ er: B Any changes in systems assets, such as replacement
of hardw are, should be immediately recorded w ithin the assets inventory of a business continuity
plan.

69. Although BCP and DRP are often implemented and tested by middle management and end users,
the ultimate responsibility and accountability for the plans remain w ith executive management, such
as the

. (fill-in-the-blank) A. Security administrator B. Systems auditor C. Board

of directors D. Financial auditor Answ er: C Although BCP and DRP are often implemented and
tested by middle management and end users, the ultimate responsibility and accountability for the
plans remain w ith executive management, such as the board of directors. 70. Obtaining user
approval of program changes is very effective for controlling application changes and maintenance.
True or false? A. True B. False Answ er: A Obtaining user approval of program changes is very
effective for controlling application changes and maintenance. 71. Library control softw are restricts
source code to: A. Read-

only access http://kaka-pakis tani. blogs pot. c om 20 FOR FREE ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
22. B. Write-only access C. Full access D. Read-w rite accessCISA MOCK EXAM Answ er: A
Library control softw are restricts source code to read-only access. 72. When is regression testing
used to determine w hether new application changes have introduced any errors in the remaining
unchanged code? A. In program development and change management B. In program feasibility
studies C. In program development D. In change management Answ er: A Regression testing is used
in program development and change management to determine w hether new changes have
introduced any errors in the remaining unchanged code. 73. What is often the most difficult part of
initial efforts in application development? Choose the BEST answ er. A. Configuring softw are B.
Planning security C. Determining time and resource requirements D. Configuring hardw are Answ
er: C Determining time and resource requirements for an application-development project is often
the most difficult part of initial efforts in application development. 74. What is a primary high-level
goal for an auditor w ho is review ing a system development project? A. To ensure that programming
and processing
environments are segregated B. To ensure that proper approval for the project has been obtained C.
To ensure that business objectives are achieved D. To ensure that projects are monitored and
administrated effectively Answ er: C http://kaka-pakis tani. blogs pot. c om 21 FOR FREE ACCA,CAT,
CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
23. A primary high-level goal for an auditor w ho is review ing a systems-development project is to
ensure that business objectives are achieved. This objective guides all other systems development
objectives. 75. Whenever an application is modified, w hat should be tested to determine the full
impact of theCISA MOCK EXAM change? Choose the BEST answ er. A. Interface systems w ith
other applications or systems B. The entire program, including any interface systems w ith other
applications or systems C. All programs, including interface systems w ith other applications or
systems D.
Mission-critical functions and any interface systems w ith other applications or systems Answ er: B
Whenever an application is modified, the entire program, including any interface systems w ith other
applications or systems, should be tested to determine the full impact of the change. 76. The quality
of the metadata produced from a data w arehouse is

in the w arehouses design.

Choose the BEST answ er. A. Often hard to determine because the data is derived from a
heterogeneous data environment B. The most important consideration C. Independent of the quality
of the w arehoused databases D. Of secondary importance to data w arehouse content Answ er: B
The quality of the metadata produced from a data w arehouse is the most important consideration in
the w arehouses design. 77. Function Point Analysis (FPA) provides an estimate of the size of an
information system based only on the number and complexity of a systems inputs and outputs. True
or false? A. True B. False Answ er: B Function point analysis (FPA) provides an estimate of the size
of an information system based on the number and complexity of a systems inputs, outputs, and
files. 78. Who assumes ow nership of a systems-development project and the resulting system? A.
User management B.
Project steering committee C. IT management http://kaka-pakis tani. blogs pot. c om 22 FOR FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
24. D. Systems developers Answ er: ACISA MOCK EXAM User management assumes ow nership
of a systems-development project and the resulting system. 79. If an IS auditor observes that
individual modules of a system perform correctly in development project tests, the auditor should
inform management of the positive results and recommend further: A. Documentation development
B. Comprehensive integration testing C. Full unit testing D. Full regression testing Answ er: B If an
IS auditor observes that individual modules of a system perform correctly in development project
tests,
the auditor should inform management of the positive results and recommend further comprehensive
integration testing. 80. When participating in a systems-development project, an IS auditor should
focus on system controls rather than ensuring that adequate and complete documentation exists for
all projects. True or false? A. True B. False Answ er: B When participating in a systemsdevelopment project, an IS auditor should also strive to ensure that adequate and complete
documentation exists for all projects. 81. What is a reliable technique for estimating the scope and
cost of a softw are- development project? A. Function point analysis (FPA) B. Feature point analysis
(FPA) C. GANTT D. PERT Answ er: A http://kaka-pakis tani. blogs pot. c om 23 FOR FREE
ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
25. A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a
softw are- development project. 82. Which of the follow ing is a program evaluation review
technique that considers differentCISA MOCK EXAM scenarios for planning and control projects?
A. Function Point Analysis (FPA) B. GANTT C. Rapid Application Development (RAD) D. PERT
Answ er: D PERT is a program-evaluation review technique that considers different scenarios for
planning and control projects. 83. If an IS auditor observes that an IS department fails to use
formal documented methodologies, policies, and standards, w hat should the auditor do? Choose the
BEST answ er. A. Lack of IT documentation is not usually material to the controls tested in an IT
audit. B. The auditor should at least document the informal standards and policies. Furthermore, the
IS auditor should create formal documented policies to be implemented. C. The auditor should at
least document the informal standards and policies, and test for compliance. Furthermore, the IS

auditor should recommend to management that formal documented policies be developed and
implemented. D. The auditor should at least document the informal standards and policies, and test
for compliance. Furthermore, the IS auditor should create formal documented policies to be
implemented. Answ er: C If an IS auditor observes that an IS department fails to use formal
documented methodologies,

policies, and standards, the auditor should at least document the informal standards and policies,
and test for compliance. Furthermore, the IS auditor should recommend to management that
formal documented policies be developed and implemented. 84. What often results in project
scope creep w hen functional requirements are not defined as w ell as they could be? A. Inadequate
softw are baselining B. Insufficient strategic planning C. Inaccurate resource allocation D. Project
delays Answ er: A http://kaka-pakis tani. blogs pot. c om 24 FOR FREE ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
26. Inadequate softw are baselining often results in project scope creep because functional
requirements are not defined as w ell as they could be. 85. Fourth-Generation Languages (4GLs) are
most appropriate for designing the applicationsCISA MOCK EXAM graphical user interface (GUI).
They are inappropriate for designing any intensive data-calculation procedures. True or false? A.
True B. False Answ er: A Fourth-generation languages (4GLs) are most appropriate for designing
the applications graphical user interface (GUI). They are inappropriate for designing any intensive
data- calculation procedures. 86. Run-to-run totals can verify data through w hich stage(s) of
application processing? A. Initial B. Various C. Final D. Output Answ er: B Run-to-run totals can
verify data through various stages of application processing. 87.

(fill in the

blank) is/are are ultimately accountable for the functionality, reliability, and security w ithin IT
governance. Choose the BEST answ er. A. Data custodians B. The board of directors and executive
officers C. IT security administration D. Business unit managers Answ er: B The board of directors
and executive officers are ultimately accountable for the functionality, reliability, and security w ithin
IT governance. 88. What can be used to help identify and investigate unauthorized transactions?
Choose the BEST answ er. A. Postmortem review B. Reasonableness checks C. Data-mining
techniques http://kaka- pakistani.blogspot.com 25 FOR FREE ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kakapakistani.blogspot.com
27. D. Expert systems Answ er: CCISA MOCK EXAM Data-mining techniques can be used to
help identify and investigate unauthorized transactions. 89. Netw ork environments often add to the
complexity of program-to-program communication, making the implementation and maintenance of
application systems more difficult. True or false? A. True B. False Answ er: A Netw ork
environments often add to the complexity of program-to-program communication, making
application systems implementation and maintenance more difficult. 90.

risk

analysis is not alw ays possible because the IS auditor is attempting to calculate risk using
nonquantifiable threats and potential losses. In this event, a

risk assessment is

more appropriate. Fill in the blanks. A. Quantitative; qualitative B. Qualitative; quantitative C.


Residual; subjective D. Quantitative; subjective Answ er: A Quantitative risk analysis is not alw ays
possible because the IS auditor is
attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a
qualitative risk assessment is more appropriate. 91. What must an IS auditor understand before
performing an application audit? Choose the BEST answ er. A. The potential business impact of
application risks. B. Application risks must first be identified. C. Relative business processes. D.
Relevant application risks. Answ er: C An IS auditor must first understand relative business
processes before performing an application audit. http://kaka-pakis tani. blogs pot. c om 26 FOR FREE
ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
28. 92. What is the first step in a business process re-engineering project? A. Identifying current
business processes B. Forming a BPR steering committeeCISA MOCK EXAM C. Defining the
scope of areas to be review ed D. Review ing the organizational strategic plan Answ er: C Defining
the scope of areas to be review ed is the first step in a business process re-engineering project. 93.
When storing data archives off-site, w hat must be done w ith the data to ensure data completeness?
A. The data
must be normalized. B. The data must be validated. C. The data must be parallel-tested. D. The data
must be synchronized. Answ er: D When storing data archives off-site, data must be synchronized
to ensure data completeness. 94. Which of the follow ing can help detect transmission errors by
appending specially calculated bits onto the end of each segment of data? A. Redundancy check B.
Completeness check C. Accuracy check D. Parity check Answ er: A A redundancy check can help
detect transmission errors by appending especially calculated bits onto the end of each segment of
data. 95. What is an edit check to determine w hether a field contains valid data? A. Completeness
check B. Accuracy check C. Redundancy check D. Reasonableness check Answ er: A http://kakapakistani.blogspot.com 27 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:
http://kakapakistani.blogspot.com
29. A completeness check is an edit check to determine w hether a field contains valid data. 96. A
transaction journal provides the information necessary for detecting unauthorized
(fill in the blank) from a terminal.CISA MOCK EXAM A. Deletion B. Input C. Access D.
Duplication Answ er: B A transaction journal provides the information necessary for detecting
unauthorized input from a terminal. 97. An intentional or unintentional disclosure of a passw ord is
likely to be evident w ithin control logs. True or false? A. True B. False Answ er: B An intentional
or unintentional disclosure of a passw ord is not likely to be evident w ithin control logs. 98. When
are benchmarking partners identified w ithin the benchmarking process? A. In the design stage B. In
the testing stage C. In the research stage D. In the development stage Answ er: C Benchmarking

partners are identified in the research stage of the benchmarking process. 99. A check digit is an
effective edit check to: A. Detect data-transcription errors B. Detect data-transposition and
transcription errors C. Detect data- transposition, transcription, and substitution errors D. Detect
data-transposition errors Answ er: B http://kaka-pakis tani. blogs pot. c om 28 FOR FREE ACCA,CAT,
CIMA & CISA RESOURCES VISIT:

http://kaka-pakis tani. blogs pot. c om


30. A check digit is an effective edit check to detect data-transposition and transcription errors.
100. Parity bits are a control used to validate:CISA MOCK EXAM A. Data authentication B. Data
completeness C. Data source D. Data accuracy Answ er: B Parity bits are a control used to validate
data completeness. 101. An IS auditor is using a statistical sample to inventory the tape library.
What type of test w ould this be considered? A.Substantive B. Compliance C. Integrated D.
Continuous audit Answ er: A Using a statistical sample to inventory the tape library is an example of
a substantive test.
102. Which of the follow ing w ould prevent accountability for an action performed, thus allow ing
nonrepudiation? A. Proper authentication B. Proper identification AND authentication C. Proper
identification D. Proper identification, authentication, AND authorization Answ er: B If proper
identification and authentication are not performed during access control, no accountability can
exist for any action performed. 103. Which of the follow ing is the MOST critical step in planning
an audit? A. Implementing a prescribed auditing framew ork such as COBIT B. Identifying current
controls C. Identifying high-risk audit targets D. Testing controls http://kakapakis tani. blogs pot. c om 29 FOR
FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
31. Answ er: C In planning an audit, the most critical step is identifying the areas of high risk.CISA
MOCK EXAM 104. To properly evaluate the collective effect of preventative, detective, or
corrective controls w ithin a process, an IS auditor should be aw are of w hich of the follow ing?
Choose the BEST answ er. A. The business objectives of the organization B. The effect of
segregation of duties on internal controls C. The point at w hich controls are exercised as data flow
s through the system D. Organizational control policies Answ er: C When evaluating the collective
effect of preventive, detective, or corrective controls w ithin a process, an IS auditor should be aw
are of the point at w hich
controls are exercised as data flow s through the system. 105. What is the recommended initial step
for an IS auditor to implement continuous-monitoring systems? A. Document existing internal
controls B. Perform compliance testing on internal controls C. Establish a controls-monitoring
steering committee D. Identify high-risk areas w ithin the organization Answ er: D When
implementing continuous- monitoring systems, an IS auditors first step is to identify high-risk areas
w ithin the organization. 106. What type of risk is associated w ith authorized program exits (trap
doors)? Choose the BEST answ er. A. Business risk B. Audit risk C. Detective risk D. Inherent risk
Answ er: D Inherent risk is associated w ith authorized program exits (trap doors). 107. Which of the
follow ing is best suited for searching
for address field duplications? http://kaka-pakis tani. blogs pot. c om 30 FOR FREE ACCA,CAT, CIMA &
CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
32. A. Text search forensic utility softw are B. Generalized audit softw are C. Productivity audit
softw areCISA MOCK EXAM D. Manual review Answ er: B Generalized audit softw are can be
used to search for address field duplications. 108. Which of the follow ing is of greatest concern to
the IS auditor? A. Failure to report a successful attack on the netw ork B. Failure to prevent a
successful attack on the netw ork C. Failure to recover from a successful attack on the netw ork D.
Failure to detect a successful attack on the netw ork Answ er: A Lack of reporting of a successful
attack on the netw ork is a great concern to an IS auditor. 109. An integrated test facility is not
considered a useful audit tool because it cannot compare processing output w ith independently
calculated data. True or false? A. True B. False Answ er: B An integrated test facility is considered
a useful audit tool because it compares processing output w ith independently calculated data. 110.
An advantage of a continuous audit approach is that it can improve system security w hen used in
time-sharing environments that process a large number of transactions. True or false? A. True B.
False Answ er: A It is true that an advantage of a continuous audit approach is that it can improve
system security w hen used in time- sharing environments that process a large number of
transactions. http://kaka-pakis tani. blogs pot. c om
31 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
33. 111. If an IS auditor finds evidence of risk involved in not implementing proper segregation of
duties, such as having the security administrator perform an operations function, w hat is the
auditors primary responsibility?CISA MOCK EXAM A. To advise senior management. B. To
reassign job functions to eliminate potential fraud. C. To implement compensator controls. D.
Segregation of duties is an administrative control not considered by an IS auditor. Answ er: A An IS
auditors primary responsibility is to advise senior management of the risk involved in not
implementing proper segregation of duties, such as having the security administrator perform an
operations function. 112. Who is responsible for implementing cost-effective controls in an
automated system? A. Security policy administrators B. Business unit management C. Senior
management D. Board of directors Answ er: B Business unit management is responsible for
implementing cost-effective controls in an automated system. 113. Why does an IS auditor review
an organization chart? A. To optimize the responsibilities and authority of individuals B. To control
the responsibilities and authority of
individuals C. To better understand the responsibilities and authority of individuals D. To
identify project sponsors Answ er: C The primary reason an IS auditor review s an organization
chart is to better understand the responsibilities and authority of individuals. 114. Ensuring that
security and

control policies support business and IT objectives is a primary objective of: A. An IT security
policies audit B. A processing audit http://kaka-pakis tani. blogs pot. c om 32 FOR FREE ACCA,CAT,
CIMA &
CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
34. C. A softw are audit D. A vulnerability assessment Answ er: ACISA MOCK EXAM Ensuring
that security and control policies support business and IT objectives is a primary objective of an
IT security policies audit. 115. When auditing third-party service providers, an IS auditor should
be

concerned w ith w hich of the follow ing? Choose the BEST answ er. A. Ow nership of the programs
and files B. A statement of due care and confidentiality, and the capability for continued service of
the service provider in the event of a disaster C. A statement of due care D. Ow nership of programs
and files, a statement of due care and confidentiality, and the capability for continued service of the
service provider in the event of a disaster Answ er: D When auditing third-party service providers, an
auditor should be concerned w ith ow nership of programs and files, a statement of due care and
confidentiality, and the capability for continued service of the service provider in the event of a
disaster. 116. When performing an IS strategy audit, an IS auditor should review both short-term
(one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate
management personnel, and ensure that the external environment has been considered. The auditor
should especially focus on procedures in an audit of IS strategy. True or false? A. True B. False
Answ er: B When performing an IS strategy audit, an IS auditor should review both short-term
(one- year) and long-term (three- to five-year) IS strategies, interview appropriate corporate
management
personnel, and ensure that the external environment has been considered. 117. What process allow s IS
management to determine w hether the activities of the organization differ from the planned or
expected levels? Choose the BEST answ er. A. Business impact assessment B. Risk assessment C.
IS assessment methods http://kaka-pakis tani. blogs pot. c om 33 FOR FREE ACCA,CAT, CIMA &
CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
35. D. Key performance indicators (KPIs) Answ er: CCISA MOCK EXAM IS assessment methods
allow IS management to determine w hether the activities of the organization differ from the planned
or expected levels. 118. When should review ing an audit clients business plan be performed relative
to review ing an organizations IT strategic plan? A. Review ing an audit clients business plan should
be performed before review ing an organizations IT strategic plan. B. Review ing an audit clients
business plan should be performed after review ing an organizations IT strategic plan. C. Review ing
an audit clients business plan should be performed during the review of an organizations IT strategic
plan. D. Review ing an audit clients business plan should be performed w ithout regard to an
organizations IT strategic plan. Answ er: A Review ing an audit clients business plan should be
performed before review ing an organizations IT strategic plan. 119. Allow ing application
programmers to directly patch or change code in production programs increases risk of fraud. True
or false? A. True B. False Answ er: A Allow ing application programmers to directly patch or change
code in production programs increases risk of fraud. 120. Who should be responsible for netw ork
security operations? A. Business unit managers B. Security administrators C. Netw ork
administrators D. IS auditors Answ er: B http://kaka-pakis tani. blogs pot. c om 34 FOR FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT:
http://kaka-pakis tani. blogs pot. c om
36. Security administrators are usually responsible for netw ork security operations. 121. Proper
segregation of duties does not prohibit a quality control administrator from also being responsible
for change control and problem management. True or false?CISA MOCK EXAM A. True B. False
Answ er: A Proper segregation of duties does not prohibit a quality-control administrator from also
being responsible for change control and problem management. 122. What can be implemented to
provide the highest level of protection from external attack? A. Layering perimeter netw ork
protection by configuring the firew all as a screened host in a screened subnet behind the bastion
host B. Configuring the firew all as a screened host behind a router C. Configuring the firew all as
the protecting bastion host D. Configuring tw o load-sharing firew alls facilitating VPN access from
external hosts to internal hosts Answ er: A Layering perimeter netw ork protection by configuring
the firew all as a screened host in a screened subnet behind the bastion host provides a higher level
of protection from external attack than all other answ ers. 123. The directory system of a databasemanagement system describes: A. The access method to the data B. The location of data AND the
access method C. The location of data D. Neither the location of data NOR the access method
Answ er: B The directory system of a database-management system describes the location of data
and the access method. 124. How is the risk of improper file access affected upon implementing a
database system? A. Risk varies. B. Risk is reduced. C. Risk is not affected. http://kakapakistani.blogspot.com 35 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:
http://kakapakistani.blogspot.com
37. D. Risk is increased. Answ er: DCISA MOCK EXAM Improper file access becomes a greater
risk w hen implementing a database system. 125. In order to properly protect against unauthorized
disclosure of sensitive data, how should hard disks be sanitized? A. The data should be deleted and
overw ritten w ith binary 0s. B. The data should be demagnetized. C. The data should be low -level
formatted. D. The data should be deleted. Answ er: B To properly protect against unauthorized
disclosure of sensitive data, hard disks should be demagnetized before disposal or release. 126.
When review ing print systems spooling, an IS auditor is MOST concerned w ith w hich of the
follow ing vulnerabilities? A. The potential for unauthorized deletion of report copies B. The
potential for unauthorized modification of report copies C. The potential for unauthorized printing of
report copies D. The potential for unauthorized editing of report copies Answ er: C When review ing
print systems spooling, an IS auditor is most concerned w ith the potential for unauthorized printing
of report copies.
127. Why is the WAP gatew ay a component w arranting critical concern and review for the IS
auditor w hen auditing and testing controls enforcing message confidentiality? A. WAP is often

configured by default settings and is thus insecure. B. WAP provides w eak encryption for w ireless
traffic. C. WAP functions as a protocol-conversion gatew ay for w ireless TLS to Internet SSL. D.
WAP often interfaces critical IT systems. Answ er: C http://kaka-pakis tani. blogs pot. c om 36 FOR
FREE

ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
38. Functioning as a protocol-conversion gatew ay for w ireless TLS to Internet SSL, the WAP
gatew ay is a component w arranting critical concern and review for the IS auditor w hen auditing
and testing controls that enforce message confidentiality.CISA MOCK EXAM 128. Proper
segregation of duties prevents a computer operator (user) from performing security administration
duties. True or false? A. True B. False Answ er: A Proper segregation of duties prevents a computer
operator (user) from performing security administration duties. 129. How do modems
(modulation/demodulation) function to facilitate analog transmissions to enter a digital netw ork? A.
Modems convert analog transmissions to digital, and digital transmission to analog. B. Modems
encapsulate analog transmissions w ithin digital, and digital transmissions w ithin analog. C.
Modems convert digital transmissions to analog, and analog transmissions to digital. D. Modems
encapsulate digital transmissions w ithin analog, and analog transmissions w ithin digital. Answ er:
A Modems (modulation/demodulation) convert analog transmissions to digital, and digital
transmissions to analog, and are required for analog transmissions to enter a digital netw ork. 130.
Which of the follow ing are effective in detecting fraud because they have the capability to consider
a large number of variables w hen trying to resolve a problem? Choose the BEST answ er. A. Expert
systems B. Neural netw orks C. Integrated synchronized systems D. Multitasking applications
Answ er: B Neural netw orks are effective in detecting fraud because they have the capability to
consider a large number of variables w hen trying to resolve a problem. 131. What supports data
transmission through split cable facilities or duplicate cable facilities? A. Diverse routing
http://kaka-pakis tani. blogs pot. c om 37 FOR FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
39. B. Dual routing C. Alternate routing D. Redundant routingCISA MOCK EXAM Answ er: A
Diverse routing supports data transmission through split cable facilities, or duplicate cable facilities.
132. What type(s) of firew alls provide(s) the greatest degree of protection and control because both
firew all technologies inspect all seven OSI layers of netw ork traffic? A. A first-generation packetfiltering firew all B. A circuit-level gatew ay C. An application-layer gatew ay, or proxy firew all, and
stateful- inspection firew alls D. An application-layer gatew ay, or proxy firew all, but not statefulinspection firew alls Answ er: C An application-layer gatew ay, or proxy firew all, and statefulinspection firew alls provide the greatest degree of protection and control because both firew all
technologies inspect all seven OSI layers of netw ork traffic. 133. Which of the follow ing can
degrade netw ork performance? Choose the BEST answ er. A. Superfluous use of redundant loadsharing gatew ays B. Increasing
traffic collisions due to host congestion by creating new collision domains C. Inefficient and
superfluous use of netw ork devices such as sw itches D. Inefficient and superfluous use of netw
ork devices such as hubs Answ er: D Inefficient and superfluous use of netw ork devices such as
hubs can degrade netw ork performance. 134. Which of the follow ing provide(s) near-immediate
recoverability for time-sensitive systems and transaction processing? A. Automated electronic
journaling and parallel processing B. Data mirroring and parallel processing C. Data mirroring D.
Parallel processing Answ er:B http://kaka-pakis tani. blogs pot. c om 38 FOR FREE ACCA,CAT,
CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
40. Data mirroring and parallel processing are both used to provide near-immediate recoverability for
time-sensitive systems and transaction processing. 135. What is an effective control for granting
temporary access to vendors and external supportCISA MOCK EXAM personnel? Choose the BEST
answ er. A. Creating user accounts that automatically expire by a predetermined date B. Creating
permanent guest accounts for temporary use C. Creating user accounts that restrict logon access to
certain hours of the day D. Creating a single shared vendor administrator account on the basis of
least- privileged access Answ er: A Creating user accounts that automatically expire by a
predetermined date
is an effective control for granting temporary access to vendors and external support personnel. 136.
Which of the follow ing help(s) prevent an organizations systems from participating in a distributed
denial-of-service (DDoS) attack? Choose the BEST answ er. A. Inbound traffic filtering B. Using
access control lists (ACLs) to restrict inbound connection attempts C. Outbound traffic filtering D.
Recentralizing distributed systems Answ er: C Outbound traffic filtering can help prevent an
organizations systems from participating in a distributed denial-of-service (DDoS) attack. 137. What
is a common vulnerability, allow ing denial-of-service attacks? A. Assigning access to users
according to the principle of least privilege B. Lack of employee aw areness of organizational
security policies C. Improperly configured routers and router access lists D. Configuring firew all
access rules Answ er: C Improperly configured routers and router access lists are a common
vulnerability for denial-of-service attacks. 138. What are trojan horse programs? Choose the BEST
answ er. A. A common form of internal attack http://kaka-pakis tani. blogs pot. c om 39 FOR FREE
ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
41. B. Malicious programs that require the aid of a carrier program such as email C. Malicious
programs that can run independently and can propagate w ithout the aid of a carrier program such
as email D. A common form of Internet attackCISA MOCK EXAM Answ er: D Trojan horse
programs are a common form of Internet attack. 139. What is/are used to measure and ensure
proper netw ork capacity management and availability of services? Choose the BEST answ er. A.
Netw ork

performance-monitoring tools B. Netw ork component redundancy C. Syslog reporting D. IT


strategic planning Answ er: A Netw ork performance-monitoring tools are used to measure and
ensure proper netw ork capacity management and availability of services. 140. What can be used to
gather evidence of netw ork attacks? A. Access control lists (ACL) B. Intrusion-detection systems
(IDS) C. Syslog reporting D. Antivirus programs Answ er: B Intrusion-detection systems (IDS) are
used to gather

evidence of netw ork attacks. 141. Which of the follow ing is a passive attack method used by
intruders to determine potential netw ork vulnerabilities? A. Traffic analysis B. SYN flood C. Denial
of service (DoS) D. Distributed denial of service (DoS) Answ er: A http://kakapakis tani. blogs pot. c om 40 FOR
FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
42. Traffic analysis is a passive attack method used by intruders to determine potential netw ork
vulnerabilities. All others are active attacks. 142. Which of the follow ing fire-suppression methods
is considered to be the most environmentallyCISA MOCK EXAM friendly? A. Halon gas B. Deluge
sprinklers C. Dry-pipe sprinklers D. Wet-pipe sprinklers Answ er: C Although many methods of fire
suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly. 143.
What is a callback system? A. It is a remote-access system w hereby the remote-access server
immediately calls the user back at a predetermined number if the dial-in connection fails. B. It is a
remote-access system w hereby the users application automatically redials the remote-access server
if the initial connection attempt fails. C. It is a remote-access control w hereby the user initially
connects to the netw ork systems via dial-up access, only to have the initial connection terminated
by the server, w hich then subsequently dials the user back at a predetermined number stored in the
servers configuration database. D. It is a remote-access control w hereby the user initially connects
to the
netw ork systems via dial-up access, only to have the initial connection terminated by the server, w
hich then subsequently allow s the user to call back at an approved number for a limited period of
time. Answ er: C A callback system is a remote-access control w hereby the user initially connects to
the netw ork systems via dial-up access, only to have the initial connection terminated by the server,
w hich then subsequently dials the user back at a predetermined number stored in the servers
configuration database. 144. What type of fire-suppression system suppresses fire via w ater that is
released from a main valve to be delivered via a system of dry pipes installed throughout the
facilities? A. A dry-pipe sprinkler system B. A deluge sprinkler system C. A w et-pipe system D. A
halon sprinkler system http://kaka-pakis tani. blogs pot. c om 41 FOR FREE ACCA,CAT, CIMA &
CISA RESOURCES VISIT:
http://kaka-pakis tani. blogs pot. c om
43. Answ er: A A dry-pipe sprinkler system suppresses fire via w ater that is released from a main
valve to be delivered via a system of dry pipes installed throughout the facilities.CISA MOCK
EXAM
145. Digital signatures require the sender to "sign" the data by encrypting the data w ith the senders
public key, to then be decrypted by the recipient using the recipients private key. True or false? A.
False B. True Answ er: B Digital signatures require the sender to "sign" the data by encrypting the
data w ith the senders private key, to then be decrypted by the recipient using the senders public key.
146. Which of the follow ing provides the BEST single-factor authentication? A. Biometrics B.
Passw ord C. Token D. PIN Answ er: A Although biometrics provides only single-factor
authentication, many consider it to be an excellent method for user authentication. 147. What is used
to provide authentication of the w ebsite and can also be used to successfully authenticate keys used
for data encryption? A. An organizational certificate B. A user certificate C. A w ebsite certificate
D. Authenticode Answ er: C A w ebsite certificate is used to provide authentication of the w ebsite
and can also be used to successfully authenticate keys used for data encryption. 148. What
determines the strength of a secret key w ithin a symmetric key cryptosystem? http://kakapakis tani. blogs pot. c om 42
FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
44. A. A combination of key length, degree of permutation, and the complexity of the dataencryption algorithm that uses the key B. A combination of key length, initial input vectors, and the
complexity of the data-encryption algorithm that uses the keyCISA MOCK EXAM C. A combination
of key length and the complexity of the data-encryption algorithm that uses the key D. Initial input
vectors and the complexity of the data-encryption algorithm that uses the key Answ er: B The
strength of a secret key w ithin a symmetric key cryptosystem is determined by a combination of
key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the
key. 149. What process is used to validate a subjects identity? A. Identification B. Nonrepudiation C.
Authorization D. Authentication Answ er: D Authentication is used to validate a subjects identity.
150. What is often assured through table link verification and reference checks? A. Database
integrity B. Database synchronization C. Database normalcy D. Database accuracy Answ er: A
Database integrity is most often ensured through table link verification and reference checks. 151.
Which of the follow ing should an IS auditor review to determine user permissions that have been
granted for a particular resource? Choose the BEST answ er. A. Systems logs B. Access control
lists (ACL) C. Application logs D. Error logs Answ er: B http://kaka-pakis tani. blogs pot. c om 43 FOR
FREE ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
45. IS auditors should review access-control lists (ACL) to determine user permissions that have
been granted for a particular resource. 152. What should IS auditors alw ays check w hen auditing
passw ord files?CISA MOCK EXAM A. That deleting passw ord files is protected B. That passw ord
files are encrypted C. That passw ord files are not accessible over the netw ork D. That passw ord
files are archived Answ er: B IS auditors should alw ays check to ensure that passw ord files are
encrypted. 153. Using the OSI reference model, w hat layer(s) is/are used to encrypt data? A.
Transport layer B. Session layer C. Session and transport layers D. Data link layer Answ er: C User

applications often encrypt and encapsulate data using protocols w ithin the OSI session layer or
farther dow n in the transport layer. 154. When should systems administrators first assess the impact
of applications or systems patches? A. Within five business days follow ing installation B. Prior to
installation C. No sooner than five business days follow ing installation D. Immediately follow ing
installation Answ er: B Systems administrators should alw ays assess the impact of patches before
installation. 155. Which of

the follow ing is the most fundamental step in preventing virus attacks? A. Adopting and
communicating a comprehensive antivirus policy B. Implementing antivirus protection softw are
on users desktop computers C. Implementing antivirus content checking at all netw ork-toInternet gatew ays D. Inoculating systems w ith antivirus code http://kakapakis tani. blogs pot. c om 44 FOR
FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
46. Answ er: A Adopting and communicating a comprehensive antivirus policy is the most
fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon
decisions established andCISA MOCK EXAM communicated via policy. 156. Which of the follow
ing is of greatest concern w hen performing an IS audit? A. Users ability to directly modify the
database B. Users ability to
submit queries to the database C. Users ability to indirectly modify the database D. Users ability to
directly view the database Answ er: A A major IS audit concern is users ability to directly modify
the database. 157. What are intrusion-detection systems (IDS) primarily used for? A. To identify
AND prevent intrusion attempts to a netw ork B. To prevent intrusion attempts to a netw ork C.
Forensic incident response D. To identify intrusion attempts to a netw ork Answ er: D Intrusiondetection systems (IDS) are used to identify intrusion attempts on a netw ork. 158. Rather than
simply review ing the adequacy of access control, appropriateness of access policies, and
effectiveness of safeguards
and procedures, the IS auditor is more concerned w ith effectiveness and utilization of assets. True
or false? A. True B. False Answ er: B Instead of simply review ing the effectiveness and utilization
of assets, an IS auditor is more concerned w ith adequate access control, appropriate access
policies, and effectiveness of safeguards and procedures. 159. If a programmer has update access to
a live system, IS auditors are more concerned w ith the programmers ability to initiate or modify
transactions and the ability to access production than w ith the programmers ability to authorize
transactions. True or false? http://kaka-pakis tani. blogs pot. c om 45 FOR FREE ACCA,CAT, CIMA &
CISA RESOURCES VISIT:
http://kaka-pakis tani. blogs pot. c om
47. A. True B. FalseCISA MOCK EXAM Answ er: A If a programmer has update access to a live
system, IS auditors are more concerned w ith the programmers ability to initiate or modify
transactions and the ability to access production than w ith the programmers ability to authorize
transactions. 160. Organizations should use off-site storage facilities to maintain
(fill in the blank)
of current and critical information w ithin backup files. Choose the BEST answ er. A. Confidentiality
B. Integrity C. Redundancy D. Concurrency Answ er: C Redundancy is the best answ er because it
provides both integrity and availability. Organizations should use off-site storage facilities to maintain
redundancy of current and critical information w ithin backup files. 161. The purpose of business
continuity planning and disaster-recovery planning is to: A. Transfer the risk and impact of a
business interruption or disaster B. Mitigate, or reduce, the risk and impact of a business
interruption or disaster C. Accept the risk and impact of a business D. Eliminate the risk and impact
of a business interruption or disaster Answ er: B The primary purpose of business continuity
planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business
interruption or disaster. Total elimination of risk is impossible. 162. If a database is restored from
information backed up before the last system image, w hich of the follow ing is recommended? A.
The system should be restarted after the last transaction. B. The system should be restarted before
the last transaction. C. The system should be restarted at the first transaction. D. The system should
be restarted on the last transaction. http://kaka-pakis tani. blogs pot. c om 46 FOR FREE ACCA,CAT,
CIMA & CISA RESOURCES VISIT:
http://kaka-pakis tani. blogs pot. c om
48. Answ er: B If a database is restored from information backed up before the last system image,
the system shouldCISA MOCK EXAM be restarted before the last transaction because the final
transaction must be reprocessed. 163. An off-site processing facility should be easily identifiable
externally because easy identification helps ensure smoother recovery. True or false? A. True B.
False Answ er: B An off-site processing facility should not be easily identifiable externally because
easy identification w ould create an additional vulnerability for sabotage. 164. Which of the follow
ing is the
dominating objective of BCP and DRP? A. To protect human life B. To mitigate the risk and impact
of a business interruption C. To eliminate the risk and impact of a business interruption D. To
transfer
the risk and impact of a business interruption Answ er: A Although the primary business objective
of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating
objective remains the protection of human life. 165. How can minimizing single points of failure
or vulnerabilities of a common disaster best be controlled? A. By implementing redundant systems
and applications onsite B. By geographically dispersing resources C. By retaining onsite data
backup in
fireproof vaults D. By preparing BCP and DRP documents for commonly identified disasters Answ
er: B Minimizing single points of failure or vulnerabilities of a common disaster is mitigated by
geographically dispersing resources. 166. Mitigating the risk and impact of a disaster or business
interruption usually takes priority over transference of risk to a third party such as an insurer. True

or false? http://kaka-pakis tani. blogs pot. c om 47 FOR FREE ACCA,CAT, CIMA & CISA
RESOURCES
VISIT: http://kaka-pakis tani. blogs pot. c om
49. A. True B. FalseCISA MOCK EXAM Answ er: A Mitigating the risk and impact of a
disaster or business interruption usually takes priority over transferring risk to a third party such
as an insurer.
167. Off-site data storage should be kept synchronized w hen preparing for recovery of timesensitive data such as that resulting from w hich of the follow ing? Choose the BEST answ er. A.
Financial reporting B. Sales reporting C. Inventory reporting D. Transaction processing Answ er: D
Off-site data storage should be kept synchronized w hen preparing for the recovery of time-sensitive
data such as that resulting from transaction processing. 168. What is an acceptable recovery
mechanism for

extremely time-sensitive transaction processing? A. Off-site remote journaling B. Electronic vaulting


C. Shadow file processing D. Storage area netw ork Answ er: C Shadow file processing can be
implemented as a recovery mechanism for extremely time-sensitive transaction processing. 169. Offsite data backup and storage should be geographically separated so as to

(fill in

the blank) the risk of a w idespread physical disaster such as a hurricane or earthquake. A. Accept B.
Eliminate C. Transfer D. Mitigate Answ er: D http://kaka-pakis tani. blogs pot. c om 48 FOR FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
50. Off-site data backup and storage should be geographically separated, to mitigate the risk of a w
idespread physical disaster such as a hurricane or an earthquake. 170. Why is a clause for requiring
source code escrow in an application vendor agreement important?CISA MOCK EXAM A. To
segregate systems development and live environments B. To protect the organization from copyright
disputes C. To ensure that sufficient code is available w hen needed D. To ensure that the source
code remains available even if the application vendor goes out of business Answ er: D A clause for
requiring source code escrow in an application vendor agreement is important to ensure that the
source code remains available even if the application vendor goes out of business. 171. What uses
questionnaires to lead the user through a series of choices to reach a conclusion? Choose the BEST
answ er. A. Logic trees B. Decision trees C. Decision algorithms D. Logic algorithms Answ er: B
Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.
172. What protects
an application purchasers ability to fix or change an application in case the application vendor goes
out of business? A. Assigning copyright to the organization B. Program back doors C. Source code
escrow D. Internal programming expertise Answ er: C Source code escrow protects an application
purchasers ability to fix or change an application in case the application vendor goes out of business.
173. Who is ultimately responsible for providing requirement specifications to the softw
are- development team? A. The project sponsor http://kaka-pakis tani. blogs pot. c om 49 FOR
FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
51. B. The project members C. The project leader D. The project steering committeeCISA MOCK
EXAM Answ er: A The project sponsor is ultimately responsible for providing requirement
specifications to the softw are- development team. 174. What should regression testing use to
obtain accurate conclusions regarding the effects of changes or corrections to a program, and
ensuring that those changes and corrections have not introduced new errors? A. Contrived data B.
Independently created data C. Live data D. Data from previous tests Answ er: D Regression testing
should use data
from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to
a program, and ensuring that those changes and corrections have not introduced new errors. 175. An
IS auditor should carefully review the functional requirements in a systems-development project to
ensure that the project is designed to: A. Meet business objectives B. Enforce data security C. Be
culturally feasible D. Be financially feasible Answ er: A An IS auditor should carefully review the
functional requirements in a systems-development project to ensure that the project is designed to
meet business objectives. 176. Which of the follow ing processes are performed during the design
phase of the systems- development life cycle (SDLC) model? A. Develop test plans. B. Baseline
procedures to prevent scope creep. C. Define the need that requires resolution, and map to the major
requirements of the solution. D. Program and test the new system. The tests verify and validate w hat
has been developed. http://kaka-pakis tani. blogs pot. c om 50 FOR FREE ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
52. Answ er: B Procedures to prevent scope creep are baselined in the design phase of the systemsdevelopment lifeCISA MOCK EXAM cycle (SDLC) model. 177. When should application controls
be considered w ithin the system-development process? A. After application unit testing B. After
application module testing C. After applications systems testing D. As early as possible, even in the
development of the projects functional specifications Answ er: D Application controls should be
considered as early as possible in the system-development process, even in the development of the
projects functional specifications. 178. What is used to develop strategically important systems
faster, reduce development costs, and still maintain high quality? Choose the BEST answ er. A.
Rapid application development (RAD) B. GANTT C. PERT D. Decision trees Answ er: A Rapid
application development (RAD) is used to develop strategically important systems faster, reduce
development costs, and still maintain high quality. 179. Test and development environments should
be separated.
True or false? A. True B. False Answ er: A Test and development environments should be separated,
to control the stability of the test environment. 180. What kind of testing should programmers
perform follow ing any changes to an application or system? http://kaka-pakis tani. blogs pot. c om 51
FOR FREE
ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
53. A. Unit, module, and full regression testing B. Module testing C. Unit testing D. Regression
testingCISA MOCK EXAM Answ er: A Programmers should perform unit, module, and full
regression testing follow ing any changes to an application or system. 181. Which of the follow ing
uses a prototype that can be updated continually to meet changing user or business requirements? A.
PERT
B. Rapid application development (RAD) C. Function point analysis (FPA) D. GANTT Answ er: B
Rapid application development (RAD) uses a prototype that can be updated continually to meet

changing user or business requirements. 182. What is the most common reason for information
systems to fail to meet the needs of users? Choose the BEST answ er. A. Lack of funding B.
Inadequate user participation during system requirements definition C. Inadequate senior
management participation during system requirements definition D. Poor IT strategic planning
Answ er: B Inadequate user participation during system requirements definition is the most
common reason for

information systems to fail to meet the needs of users. 183. Who is responsible for the overall
direction, costs, and timetables for systems-development projects? A. The project sponsor B. The
project steering committee C. Senior management D. The project team leader http://kakapakistani.blogspot.com 52 FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT:
http://kakapakistani.blogspot.com
54. Answ er: B The project steering committee is responsible for the overall direction, costs, and
timetables for systems-development projects.CISA MOCK EXAM 184. When should plans for
testing for user acceptance be prepared? Choose the BEST answ er. A. In the requirements
definition phase of the systems-development project B. In the feasibility phase of the systemsdevelopment project C. In the design phase of the systems-development project D. In the
development phase of the systems- development project Answ er: A Plans for testing for user
acceptance are usually prepared in the requirements definition phase of the systems-development
project. 185. Above almost all other concerns, w hat often results in the greatest negative impact on
the implementation of new application softw are? A. Failing to perform user acceptance testing B.
Lack of user training for the new system
C. Lack of softw are documentation and run manuals D. Insufficient unit, module, and systems
testing Answ er: A Above almost all other concerns, failing to perform user acceptance testing often
results in the greatest negative impact on the implementation of new application softw are. 186.
Input/output controls should be implemented for w hich applications in an integrated systems
environment? A. The receiving application B. The sending application C. Both the sending and
receiving applications D. Output on the sending application and input on the receiving application
Answ er: C Input/output controls should be implemented for both the sending and receiving
applications in an integrated systems environment http://kaka-pakis tani. blogs pot. c om 53 FOR FREE
ACCA,CAT, CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
55. 187. Authentication techniques for sending and receiving data betw een EDI systems is crucial
to prevent w hich of the follow ing? Choose the BEST answ er. A. Unsynchronized
transactionsCISA MOCK EXAM B. Unauthorized transactions C. Inaccurate transactions D.
Incomplete transactions Answ er: B Authentication techniques for sending and receiving data betw
een EDI systems are crucial to prevent unauthorized transactions. 188. After identifying potential
security vulnerabilities, w hat should be the IS auditors next step? A. To evaluate potential
countermeasures and compensatory controls B. To implement effective countermeasures and
compensatory controls C. To perform a business impact analysis of the threats that w ould exploit
the vulnerabilities D. To immediately advise senior management of the findings Answ er: C After
identifying potential security vulnerabilities, the IS auditors next step is to perform a business
impact analysis of the threats that w ould exploit the vulnerabilities. 189. What is the primary
security concern for EDI environments? Choose the BEST answ er. A. Transaction authentication
B. Transaction completeness C. Transaction accuracy D. Transaction authorization Answ er: D
Transaction authorization is the primary security concern for EDI environments. 190. Which of the
follow ing exploit vulnerabilities to cause loss or damage to the organization and its assets? A.
Exposures B. Threats C. Hazards D. Insufficient controls http://kaka- pakistani.blogspot.com 54
FOR FREE ACCA,CAT, CIMA & CISA RESOURCES VISIT: http://kakapakistani.blogspot.com
56. Answ er: B Threats exploit vulnerabilities to cause loss or damage to the organization and its
assets.CISA MOCK EXAM 191. Business process re-engineering often results in
automation, w hich results in

number of people using technology. Fill in the blanks.

A. Increased; a greater B. Increased; a few er C. Less; a few er D. Increased; the same Answ er: A
Business process re-engineering often results in increased automation, w hich results in a greater
number of people using technology. 192. Whenever business processes have been re-engineered, the
IS auditor attempts to identify and quantify the impact of any controls that might have been
removed, or controls that might not w ork as effectively after business process changes. True or
false? A. True B. False Answ er: A Whenever business processes have been re-engineered, the IS
auditor should attempt to identify and quantify the impact of any controls that might have been
removed, or controls that might not w ork as effectively after business process changes. 193. When
should an application- level edit check to verify that availability of funds w as completed at the
electronic funds transfer
(EFT) interface? A. Before transaction completion B. Immediately after an EFT is initiated C.
During run-to-run total testing D. Before an EFT is initiated Answ er: D An application-level edit
check to verify availability of funds should be completed at the electronic funds transfer (EFT)
interface before an EFT is initiated. http://kaka-pakis tani. blogs pot. c om 55 FOR FREE ACCA,CAT,
CIMA & CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
57. 194.

(fill in the blank) should be implemented as early as data preparation to

support data integrity at the earliest point possible. A. Control totalsCISA MOCK EXAM B.
Authentication controls C. Parity bits D. Authorization controls Answ er: A Control totals should be
implemented as early as data preparation to support data integrity at the earliest point possible. 195.
What is used as a control to detect loss, corruption, or duplication of data? A. Redundancy check B.
Reasonableness check C. Hash totals D. Accuracy check Answ er: C Hash totals are used as a
control to detect loss, corruption, or duplication of data. 196. Data edits are implemented before

processing and are considered w hich of the follow ing? Choose the BEST answ er. A. Deterrent
integrity controls B. Detective integrity controls C. Corrective integrity controls D. Preventative
integrity controls Answ er: D Data edits are implemented before processing and are considered
preventive integrity controls. 197. In small office environments, it is not alw ays possible to
maintain proper segregation of
duties for programmers. If a programmer has access to production data or applications, compensatory

controls such as the review ing of transaction results to approved input might be necessary. True or
false? A. True B. False http://kaka-pakis tani. blogs pot. c om 56 FOR FREE ACCA,CAT, CIMA &
CISA
RESOURCES VISIT: http://kaka-pakis tani. blogs pot. c om
58. Answ er: A In small office environments, it is not alw ays possible to maintain proper
segregation of duties for programmers. If a programmer has access to production data or
applications, compensatory controlsCISA MOCK EXAM such as the review of transaction results
to approved input might be necessary. 198. Processing controls ensure that data is accurate and
complete, and is processed only through w hich of the follow ing? Choose the BEST answ er. A.
Documented routines B. Authorized routines C. Accepted routines D. Approved routines Answ er:
B Processing controls ensure that data is accurate and complete, and is processed only through
authorized routines. 199. What is a data validation edit control that matches input data to an
occurrence rate? Choose the BEST answ er. A. Accuracy check B. Completeness check C.
Reasonableness check D. Redundancy check Answ er: C A reasonableness check is a data
validation edit control that matches input data to an
occurrence rate. 200. Database snapshots can provide an excellent audit trail for an IS auditor. True
or false? A. True B. False Answ er: A Database snapshots can provide an excellent audit trail for an
IS auditor.