Question No.1
Question
All of the following assumptions about legacy application systems are correct except
For a high-security installation, the most effective physical access control device is
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The most appropriate concurrent audit tool, whose complexity is very high and which is useful when regular processing cannot be i
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which of the following is NOT TRUE about a database management system application environment?
Which one of the following network architectures is designed to provide data services using physical networks that are mo
Which of the following is not a function of operations management:
Which of the following tests would be used to ensure whether a software product fails or not?
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Control over data preparation is important because:
The difference between SCARF and Continuous and Intermittence Simulation (CIS) is :
Computer viruses could be detected by which one of the following actions?
Concentration technique in a communication network DOES NOT
A Systems Auditor primarily uses the information provided by a detailed understanding of the Information system controls an
The advantage of tagging live transactions in an Integrated Test Facility (ITF), as against designing new test data, is that:
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
Before disposing of a PC used for storing confidential data, the most important precautionary measure to be taken is
The Internet was established NOT for
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
All of the following should be in place prior to programming except:
The biggest benefit of prototyping is:
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The DISADVANTAGE in cross training employees is that:
The following is an advantage of using link encryption
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
The test of access control over a distributed database can be carried out by
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
In data processing, which of the following causes the maximum losses
Mr. R. sends a signed message to Mr. S. If a public-key cryptosystem is used for sending the messages, then Mr. R. encryp
Network performance monitoring tools will MOST affect which of the following?
The Digital Signature system uses the services of an Arbitrator to prevent
The initial validation control for a credit card transaction capture application would MOST likely be to:
Which of the following statements is FALSE for equipment mean-time-between-failure (MTBF)?
The following estimates the probability of a computer system being destroyed in a natural disaster and the corresponding
The software test objective of operating in different platforms is achieved by conducting:
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
After you enter a purchase order in an on-line system, you get the message, The request could not be processed due to
Which one of the following audit techniques would likely provide a Systems Auditor assurance about the effectiveness a
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
The communication of signals is subjected to noise MOST LIKELY because of
Which of the following activities should not be permitted when operators use a communications network control terminal:
An auditor performing a statistical sampling of the financial transactions in a financial MIS would BEST use :
The duties of a database administrator do NOT comprise:
The duty of the Quality Assurance Group is
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
The residual dump technique in backup has the disadvantage of
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which of the following is not true in respect of Expert systems?
What makes Rapid prototyping technique portable?
All of the following assumptions about legacy application systems are correct except
Identify the EARLIEST software development model
For consideration of outsourcing of computer operations which is the factor that would LEAST indicate the same.
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
The following is an advantage of using link encryption
End-to-end encryption provides only limited protection against a subversive attack that uses:
Which of the following is not an audit objective in the review of hardware acquisition?
In Information Technology projects, which of the following factors is most crucial?
Out of the following pairs of services, which provides an access control over a network of computers
The major risk in the prototyping model is:
Prototyping approach to system design is resorted to when
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
When users of an information system are dispersed over a wide area and are authorized to use dial-up lines for getting ac
Which of the following is NOT TRUE about a database management system application environment?
Which of the following is not a function of operations management:
A majority of defects are attributed to a few number of causes. Which of the 'following basic tools would BETTER depict th
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATE
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic
Which of the following activities would not be performed by control section personnel when they collect the output of a b
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
The duty of the Quality Assurance Group is
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
A company has entered into a contract with a service provider to outsource network and desktop support, and the relation
Control over data preparation is important for :
The quantification of the sample size depends on which of the following criteria.
A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre audit planning i
The application run manual would normally comprise of :
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's m
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
An IS auditor carrying out a review of logical access controls shall have the PRIMARY OBJECTIVE of
Incorrect initialization occurs on account of which of the following faults ?
The biggest benefit of prototyping is:
The comment which is NOT true regarding ISO 9000 is
Auditors of IS face an acute problem of evaluating the general authorization methods in a computerized accounting syste
Which of the following is not a function of operations management:
A detective control designed to establish the validity and appropriateness or numeric data elements, and to guard against
The complete information about all data in a database is found in :
Use of public key infrastructure by an eCommerce site, where public key is widely distributed and the private key is for the
Which of the following is NOT a proper responsibility of functional users.
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following is NOT true relating to the use of fiber optics:
Which one of the following pairs, when performed simultaneously, would pose a major risk?
Which of the following represents a typical prototype of an interactive application?
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
Which of the following is not a function of operations management:
The following message service provides the strongest protection about the occurrence of a specific action:
Which one of the following techniques is represented by structured analysis and design?
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic
Which would ensure that IS organizations do not take more resources for less output?
Which of the following controls would prevent unauthorized access to specific data elements in a database management
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Which of the following activities should not be permitted when operators use a communications network control terminal:
User interface prototyping may NOT focus on :
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
Due Professional Care requires an IS auditor to possess which of the following quality
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
Which of the following systems are MOST important for business resumption following a disaster?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Prototyping approach does not assume the existence of
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
Which of the following is not a function of operations management:
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the f
The public audit trail of a Digital Signature system will not contain which of the following?
In Information Technology projects, which of the following factors is most crucial?
The class of control used to overcome problems before they acquire gigantic proportions is :
The DES is an example of a:
The initial validation control for a credit card transaction capture application would MOST like be to:
The MOST secure access control mechanism is
The class of control used to minimise the impact of a threat is :
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following can be construed as a COMPREHENSIVE preventive method in locating a bug?
Which one of the following is not an operating control:
The duties of computer operations do NOT comprise:
A Systems Auditor primarily uses the information provided by a detailed understanding of the Information system controls a
The snapshot technique involves:
The validity of a program recalculation could be audited by the following techniques except:
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
During the review of logical access controls over a company's various application systems, an auditor found that access c
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in
In which phase of the SDLC is desk checking practiced?
In the system development life cycle approach, which of the following is MOST likely to be constant?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Which of the comments about Business Process Re-engineering (BPR) is NOT false?
While valuing the assets, an information systems(IS) auditor is likely to value MOST
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Personal Computers and Laptops have both a floppy disk drive and a hard disk drive. The major difference between the t
Electronic methods of data transfer are involved in all of the following except:
The database administrator is not responsible for which one of the following functions?
The major reason why quality metrics need to be chosen for a specific information systems project is:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
It would not be possible to use the Checkpoint/restart facilities when:
An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
During the detailed design phase of the SDLC, which one of the following tasks is performed?
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
With respect to AI, a heuristic refers to :
Which of the following is not a function of operations management:
A PIN, if stored for reference purposes, must be stored in:
Which of the following tests would be used to ensure whether a software product fails or not?
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Which of the following functions cannot be performed using a communications network control terminal:
When using message switching in a communication network, the following is not a desirable control?
Which of the following utilities can be used to directly examine the quality of data in the database:
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
A control is NOT designed and implemented to:
The work schedule of a clerk in a Control Group is of
The duties of computer operations do NOT comprise:
To protect computer systems from short-term power fluctuations, the best environmental control is
A main advantage of standard access control software implemented properly is
Which of the following is not a major benefit of applications software prototyping?
In Information Technology projects, which of the following factors is most crucial?
Identify the factor that is not part of an expert system architecture.
The software test objective of operating in different platforms is achieved by conducting:
Identify the EARLIEST software development model
What is the major risk that is faced by a user organization during system integration projects?
In segregation of duties, the organisation will be exposed to a very HIGH risk if the duties of
The least commonly used medium for local area network (LAN) environment is:
In an online processing system, to reconstruct correctly the interrupted transactions on a failure, the system should have
Which of the following terms best describes the purpose of control practice over the input?
Output control is best described by which of the following?
Access to a computer system is conditional upon success of the authentication process. The best methodology of authen
Electronic card access system is used to control access to a data centre. The documentation for this system should be up
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
Passwords belong to the following class of authentication information:
The DES is an example of a:
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is a responsibility of computer operations department?
Which of the following represents a typical prototype of an interactive application?
The software test objective of operating on different platforms is achieved by conducting:
The most important factor while creating test data for checking a system, is :
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which one of the following is not an operating control:
Which one of the following uses a modem technology as a common means of communicating between computers?
Analyzing data protection requirements for installing a local area network (LAN) does not include:
System Auditor primarily uses, the information provided by a detailed, understanding of the Information system controls a
Concentration technique in a communication network DOES NOT
PC-based analysis and design tools are used along with mainframe computer-based tools.
Which one of the following is not a substantive test?
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's m
The control procedure of installing the anti-virus software in the system is called
Interference is resisted MOST by
Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
Which one of the following is performed FIRST in a system development life cycle project?
Which one of the following graphical user interface (GUI) development approaches would create more user-friendly intera
Which of the following system life factors is most difficult to control by a user organization?
Which of the following statements about national and international information systems standard is true?
The following is not a desirable property of a cipher system:
The person responsible for providing access rights to each of the user and access profile for each data element stored in
In a manufacturing company, which of the following computer files is MOST critical?
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools im
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
The estimate of time which has the MOST important relevance in evaluation of the activities in a Program Evaluation Revi
The work schedule of a clerk in a Control Group is of
Which one of the following statements is False?
Which of the following would not be considered a characteristic of a private key cryptosystem?
The DES is an example of a:
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
The duties of a Data Security Officer do NOT comprise:
When using message switching in a communication network, the following is not a desirable control?
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since :
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
Compliance auditing is used to do?
The reason for the IS auditor NOT preparing a formal audit program is :
While reviewing the telecommunication access control, the primary concern of the IS Auditor will be on the
An IS Auditor carrying out security review for verification of the implementation of certain security measures, will be LEAS
Which of the following is NOT relevant in the case of a Business Continuity Plan Testing?
Which of the following statements about digital signatures is NOT true?
Operations audit trail rather than the accounting audit trail is likely to show
In the case of a bank teller the access control policy is an example of:
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
The use of programming aids, data and instructions that are prepared for one computer and can be used on another com
Which one of the following is NOT false:
Most computer systems have hardware controls that are built in by the computer manufacturer. Common hardware contro
Which of the following principles should guide the ways in which QA personnel monitor compliance with information syste
In general, output controls over reports of batch systems would be more compared with that of online systems because:
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following is NOT an advantage of continuous auditing approach ?
Which of the following statements about automated operations facility parameters is not true?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
In Information Technology projects, which of the following factors is most crucial?
Which one of the following will be included in the application software testing phase for effective controls?
To which one of the following issues that an information systems (IS) auditor participating in a system development life cy
To provide the management with appropriate information about the process being used by the software development pro
Can an IS auditor of a company outsourcing its operations insist on reviewing the vendor's Business Continuity plan docume
The duties of Computer Operations do NOT comprise:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following is NOT an input control objective?
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Which of the following is not a desirable control feature in a modem:
When encryption is used in the communication subsystem, the primary purpose of an error propagation code is to protec
A modem is NOT intended to
A company has entered into a contract with a service provider to outsource network and desktop support, and the relation
The reason for the IS auditor NOT preparing a formal audit program is :
In a central computer system users specify where their output is printed, but some users give the wrong destination code
A main advantage of a standard access control software implemented properly is
Which of the following electronic commerce systems handle non-monetary documents?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
All of the following assumptions about legacy application systems are correct except
Which of the following is not an audit objective in the review of hardware acquisition?
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
After you enter a purchase order in an on-line system, you get the message, The request could not be processed due to l
Access to a computer system is conditional upon success of the authentication process. The best methodology of authen
The class of control used to overcome problems before they acquire gigantic proportions is :
Which of the following is NOT a proper responsibility of functional users.
Which of the following is NOT included in the digital certificate:
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
In Information Technology projects, which of the following factors is most crucial?
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic e
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Which of the following conditions leads to an increase in white noise:
The difference between SCARF and Continuous and Intermittence Simulation (CIS) is :
Computer viruses could be detected by which one of the following actions?
Link encryption in communication of signals
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
The first step the IS Internal Audit manager should take, when preparing the Annual audit plan is to:
Which of the following utilities can be used to directly examine the quality of data in the database:
The inherent risk in an applicable system is NOT likely to be influenced by
Which of the following network risks apply to EDI transactions irrespective of the type of network involved?
Identify the test-case design technique that is used in unit and integration testing of applications software.
In the case of Business Process re-engineering which of the following is NOT true ?
Which of the following areas would an IS auditor NOT do while conducting a review of an organisation's IS Strategies.
The following is an advantage of using link encryption
Which of the following is not a desirable property of a cipher system:
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
The general control that concerns the proper segregation of duties and responsibilities is called
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
An upper CASE tool is used in :
Identify the cost that does NOT form part of software package installation or implementation cost?
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
The following is NOT a desirable property of a cipher system:
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
What makes Rapid prototyping technique portable?
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Can an IS auditor of a company outsourcing its operations insist on reviewing the vendor's Business Continuity plan documen
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested p
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
System Auditor primarily uses the information provided by a detailed understanding of the Information system controls an
When the results of production data files processing with a generalized audit software do not agree with the total balance
Link encryption in communication of signals
Which among the following hacking techniques DOES NOT facilitate impersonation?
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Which of the following does NOT need to be considered in determining statistical sample sizes?
International Standards Organisation (ISO) has defined risk as the potential that a given threat will exploit vulnerability of an
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
Accuracy of data is important most likely to a
A main advantage of a standard access control software implemented properly is
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
In the case of electronic funds transfer (EFT), which one of the following is MOST vulnerable to fraud and physical attack
Which among the following is NOT true of star topologies?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which phase of SDLC uses "Program slicing" technique?
Information system is broken into various subsystems. Which among the following is NOT a component of the managem
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
Which of the following terms best describes the purpose of control practice over the input
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
An Information System Auditor observed that technical support personnel have unlimited access to all data and program f
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
Machine maintenance engineers pose some difficult control problems because:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following events is recorded on a public audit trail in a digital signature system?
Which of the following is NOT an input control objective?
The manager of the information systems QA function should report to the:
An example for a concurrent audit tool whose complexity is low is :
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
A majority of defects are attributed to a small number of causes. Which of the following basic tools would BETTER depict th
The duty of the Quality Assurance Group is
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
You would NOT use stubs or drivers in which of the following testing approaches?
In determining the sample size for a test of control using attribute sampling , a System Auditor would be least concern wit
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Which of the following should find a place in a disaster recovery plan
Which of the following activities should not be permitted when operators use a communications network control terminal:
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
The FIRST and preliminary step in the process of information security program establishment is :
Which one of the following graphical user interface (GUI) development approaches would create more user-friendly intera
With respect to expert systems, a heuristic is not a:
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log onto to the office server using
Which of the following is not a desirable control feature in a modem:
Which of the following conditions leads to an increase in white noise:
The DES is an example of a:
The following is not a desirable property of a cipher system:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
The main objective of separation of duties is to ensure that:
The purpose of electronic signature is
Which of the following is considered potential benefits of Electronic Data Interchange (EDI)?
Which one of the following local area network devices functions as a data regenerator?
During an audit of the tape management system at a data center, an IS auditor discovered that some parameters are set
Which one of the following is NOT an essential component of a distributed computing environment?
In order to achieve more perfection of an already working software system, what method will be adopted?
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Analyzing data protection requirements for installing a local area network (LAN) does not include:
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
To properly control access to accounting data held in a Database Management System, the database administrator shou
When the results of production data files processing with a generalized audit software do not agree with the total balance
Control over data preparation is important for :
Identify the test-case design technique that is used in unit and integration testing of applications software.
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
If fraud or errors are suspected in the population , the auditor would use:
Which among the following statements about information systems personnel is NOT true?
The MOST likely characteristic of an information systems OPERATIONAL plan is:
The following resources are protected by Logical access controls
Which of the following electronic commerce systems handle non-monetary documents?
Which of the following approach is ideal in order to test the electronic data interchange (EDI system for a value added ne
Which one of the following design approaches would address data sharing and system access problems in legacy applica
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
Information system is broken into various subsystems. Which among the following is NOT a component of the managem
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following is NOT true about a database management system application environment?
Overall responsibility to protect and control the database and monitor and improve the efficiency of the database are the
The test of access control, over a distributed database, can be carried out by
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedur
The initial validation control for a credit card transaction capture application would MOST likely be to:
The main objective of separation of duties is to ensure that:
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's ma
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following statements about computer is correct?
An MIS Manager has only enough resources to install either a new payroll system or a new data security system, but not b
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
Control over data preparation is important for :
Which one of the following criteria shall NOT be considered for choosing an appropriate Computer platform to suit a give
The database administrator is not responsible for which one of the following functions?
Which of the following is not an important control step of the input/output control group?
A company's management wants to implement a computerised system to facilitate communications among auditors, who
To properly control access to accounting data held in a Database Management System, the database administrator shou
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilit
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
Which of the following does NOT need to be considered in determining statistical sample sizes?
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
Which one of the following design approaches would address data sharing and system access problems in legacy applic
All of the following should be in place prior to programming except:
Which of the following is an upper CASE tool?
Identify the factor that is not part of an expert system architecture.
A document-driven approach is used in :
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
What is the major risk that is faced by a user organization during system integration projects?
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
Uninterruptible power supplies are used in computer centers to reduce the likelihood of :
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Which of the following is NOT True as a mode of network reliability enhancement:
The following method of PIN validation seems to result in the fewest control problems?
As an IS auditor, which would you consider the MOST CRITICAL CONTROL over an employee performing a function.
In an IPF (Information processing facility) is typically a large computer centre, which of the following has the primary cons
Network downtime is very costly and should be kept to minimum as much as possible. Which one of the following networ
The class of control used to minimise the impact of a threat is :
Which of the following is not a function of the control section:
Which of the following techniques ensures an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
Which of the following usually is a purpose of a modem:
Which of the following is NOT a proper responsibility of functional users.
Identify the document which is LEAST effective during the acceptance test of applications software.
Which of the following is FALSE with regard to a public key cryptosystem?
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
In order to achieve more perfection of an already working software system, what method will be adopted?
Removing sequences of extraneous zeros or spaces in a file is an application of:
A company's management wants to implement a computerised system to facilitate communications among auditors, who
You would NOT use stubs or drivers in which of the following testing approaches?
When the Auditor uses generalised audit software to access a data maintained by a database management system, whi
The snapshot technique involves:
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilit
Which of the following statistical selection techniques is least desirable for use by the IS auditor.
Notebook computers are portable and used to access the company's database while the executives are on travel. Which
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Which of the following statements is TRUE about an offsite information processing facility?
The MAIN purpose of having Compensating Controls is to
The main focus of the graphical user interface (GUI) environments is:
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
A Systems Analyst's duties and roles comprise:
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following is not a function of operations management:
Which of the following is NOT True as a mode of network reliability enhancement:
The database administrator is not responsible for which one of the following functions?
Which of the following statements about national and international information systems standard is true?
It would not be possible to use the Checkpoint/restart facilities when:
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
Identify the document which is LEAST effective during the acceptance test of applications software.
In data processing, which of the following causes the maximum losses
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
Passwords belong to the following class of authentication information:
The presence of an arbitrator in a digital signature system will prevent:
Which of the following would greatly affect the project estimate if any changes made to it while developing a project?
Which of the following usually is a purpose of a modem:
Can an IS auditor of a company outsourcing its operations insist on reviewing the vendor's Business Continuity plan docume
Notebook computers are portable and used to access the company's database while the executives are on travel. Which
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would
Which one of the following statements is False?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance lo
Which of the following utilities can be used to directly examine the quality of data in the database:
Which of the following activities should not be permitted when operators use a communications network control terminal:
Which of the following is deemed as good system design practice?
To conduct a System audit the IS auditor should:
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in
Which among the following is NOT a serious problem in a ring topology based LAN?
Operations audit trail rather than the accounting audit trail is likely to show
Which of the following alternate facilities has the GREATEST chance of failure due to change in systems and personnel?
Which of the following system life factors is most difficult to control by a user organization?
A lower cost software product metric that is used for data collection :
The MAIN purpose of having Compensating Controls is to
Which of the comments about Business Process Re-engineering (BPR) is NOT false?
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following would not normally be considered a typical file structure for a database management system:
Which one of the following is NOT true relating to the use of fiber optics:
Which of the following is not a function of the control section:
The manager of the information systems QA function should report to the:
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
Identify the EARLIEST software development model
In the system development life cycle approach, which of the following is MOST likely to be constant?
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the f
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
The class of control used to overcome problems before they acquire gigantic proportions is :
Which of the following represents a typical prototype of an interactive application?
Software quality assurance process does NOT undertake:
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
User interface prototyping may NOT focus on :
Computer viruses could be detected by which one of the following actions?
When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed
Which among the following components is of PRIMARY concern for evolving a recovery plan after a communication failur
Which one of the following is not a substantive test?
Which of the below is a TRUE statement concerning Test Data Techniques.
One of the advantages of using naming convention for access control is that
Processing control procedures include
The residual dump technique in backup has the disadvantage of
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
Identify the EARLIEST software development model
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In which phase of a system development life cycle would you perform Mutation analysis?
Which one of the following is NOT true relating to the use of fiber optics:
Analyzing data protection requirements for installing a local area network (LAN) does not include:
The major reason why quality metrics need to be chosen for a specific information systems project is:
For a high security installation the most effective physical access control devices is
Output control is best described by which of the following ?
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Access to a computer system is conditional upon success of the authentication process. The best methodology of authen
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
The class of control used to minimise the impact of a threat is :
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
What makes Rapid prototyping technique portable?
Which of the following is NOT TRUE about a database management system application environment?
With respect to AI, a heuristic refers to :
The DES is an example of a:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
The following is an advantage of using link encryption
Which of the following network architecture is most reliable?
Which is the primary reason for replacing cheques with Electronic Funds Transfer (EFT) systems in the accounts payable
In determining the sample size for a test of control using attribute sampling, a System Auditor would be least concerned wi
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's m
Computer viruses could be detected by which one of the following actions?
The following measures will protect the computer systems from virus attack EXCEPT:
Which one of the following errors will occur because of overflow conditions?
What is the major risk that is faced by a user organization during system integration projects?
Which of the following features is least likely to be found in a real time application?
The installation of a database management system (DBMS) does not have any direct impact on :
Simple Software has just purchased a minicomputer. The make and model selected will allow the company to attach ad
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which of the following statements about personnel training in QA standards and procedures is false?
The following statement applies to a capability based approach to authorisation?
The control to provide security against accidental destruction of records and to ensure continuous operations is called
Determining what components to include in the network configuration is called a:
The following is NOT a desirable property of a cipher system:
The media that is rarely used in present day LANs is:
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
Which of the following functions SHOULD NOT BE combined with Systems Analyst
Which of the following is not a function of the control section:
Which one of the following is not an operating control:
The class of control used to monitor inputs and operation is :
Which of the following represents a typical prototype of an interactive application?
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which one of the following network architectures is designed to provide data services using physical networks that are m
When the account number is entered into an online banking system, the computer responds with a message that reads:
Which of the following controls would prevent unauthorized access to specific data elements in a database management
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
Which one would be a material irregularity?
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
A modem is NOT intended to
Which phase of SDLC uses 'Program slicing' technique?
The application run manual would normally comprise of :
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
Which of the following encryption algorithms or schemes is MOST difficult to break?
Which one of the following is a control weakness in the treatment of user messages in electronic mail system?
Which one of the following documents would be least effective in performing unit testing of an applications software?
After the system is developed, the auditor's objective in conducting a general review is to
Which of the following lines prevents tapping?
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Electronic methods of data transfer are involved in all of the following except:
Which of the following would not be considered a characteristic of a private key cryptosystem?
A public key cryptosystem uses:
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
The manager of the information systems QA function should report to the:
The class of control used to minimise the impact of a threat is :
An audit technique used to select items from a population for audit testing purposes based on the characteristics is terme
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Software quality assurance process does NOT undertake:
Notebook computers are portable and used to access the company's database while the executives are on travel. Which
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Which of the following is not a function of the control section:
Where would you handle finite state machines in SDLC?
Which one of the following statements is correct with regard to reciprocal processing agreement?
The advantage of tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
A function NOT possible of being accomplished using CAATs is :
To properly control access to accounting data held in a Database Management System, the database administrator shou
Which among the following is NOT true of star topologies?
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
Which one of the following is performed FIRST in a system development life cycle project?
A less formal review technique is:
Which of the following is deemed as good system design practice?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
A Systems Analyst's duties and roles comprise:
Which one of the following is not an essential component of a distributed computing environment?
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Information system crimes and abuses in comparison to those of the general category are likely to be
A document-driven approach is used in :
Identify the contractual provision that is objective and enforceable among the parties involved in a system development lif
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
The following is NOT a desirable property of a cipher system:
The initial validation control for a credit card transaction capture application would MOST likely be to:
Which of the following statement is FALSE for Equipment mean-time-between-failure (MTBF)?
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Formal change control mechanism would start after which of the following in an overall system development project?
Which one of the following techniques is represented by structured analysis and design?
Which of the following is addressed by software configuration management as part of Software quality assurance?
Which one of the following uses a modem technology as a common means of communicating between computers?
Internal controls are not designed to provide reasonable assurance that:
Which one would be a material irregularity?
The difference between SCARF and Continuous and Intermittent Simulation (CIS) is :
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
The independence of an IS auditor who was involved in the development of an application system shall be impaired when
The auditor of an IS can exercise control over
Control of employee activities in a computerized environment is, vis-à-vis manual systems,
The basic control requirement in a real time application system is :
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from o
The first step in the installation of an information security program is the
The technique employed in packet switching mode of transmission is:
Which of the following approach is ideal in order to test the electronic data interchange (EDI system for a value added ne
A lower cost software product metric that is used for data collection :
Replacing the manual system with a computerized system is MORE likely to result in the assets and records
Which of the following is likely to be a benefit of electronic data interchange (EDI)
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
The Digital Signature system uses the services of an Arbitrator to prevent
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
Machine maintenance engineers pose some difficult control problems because:
Prototyping approach to system design is resorted to when
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
What makes Rapid prototyping technique portable?
Which of the following software metrics would refer to function points?
Which of the following statements about automated operations facility parameters is not true?
Which one of the following pair of items is a primary cause of signal distortion in data communications?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been lo
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
To provide the management with appropriate information about the process being used 'by the software development pro
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
The snapshot technique involves:
To properly control access to accounting data held in a Database Management System, the database administrator shou
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
In selecting the applications to be audited, which criteria is LEAST likely to be used:
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
Which of the following statements about encryption is NOT correct?
Dual protection or mirroring of servers mitigates the exposures from
The DISADVANTAGE in cross training employees is that:
Which one of the following is not part of a computer capacity management function?
The general control that concerns the proper segregation of duties and responsibilities is called
An access control policy for a Customer Service Representative in a banking application is an example of the implementa
Identify the factor that is not part of an expert system architecture.
In the system development life cycle approach, which of the following is MOST likely to be constant?
The best control to ensure that a customer uses a debit/credit card carefully is:
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
The information technology pilot projects envisages which of the following concepts?
Which of the following is NOT an input control objective?
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
In Information Technology projects, which of the following factors is most crucial?
The science of cryptography provides all of the following safeguards except
Which of the following usually is a purpose of a modem:
Which would ensure that IS organizations do not take more resources for less output?
The work schedule of a clerk in a Control Group is of
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
When encryption is used in the communication subsystem, the primary purpose of an error propagation code is to protec
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
Which one would be a material irregularity?
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Identify the test-case design technique that is used in unit and integration testing of applications software.
System Auditor primarily uses the information provided by a detailed understanding of the Information system controls an
During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since :
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
Which one of the following methodologies requires efficient system requirements analysis?
The software test objective of operating in different platforms is achieved by conducting:
A document-driven approach is used in :
In order to trace data through several application programs, an auditor needs to know what programs use the data, which
Electronic methods of data transfer are involved in all of the following except:
The following statement applies to a capability based approach to authorisation?
Ability to operate on multiple computer types from different vendors is envisaged by
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
Passwords belong to the following class of authentication information:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developmen
The software test objective of operating in different platforms is achieved by conducting:
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following is considered a potential benefit of Electronic Data Interchange (EDI)?
Which of the following is not a function of operations management:
Which one of the following protocols is used by the Internet?
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
Wiretapping CANNOT easily be done without detection in
Which of the following activities should not be permitted when operators use a communications network control terminal:
Control over data preparation is important because:
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
Which of the following is not a desirable control feature in a modem:
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
Which of the following Technical specifications will NOT be included in a functional
The BEST and the most reliable form of evidence that an IS auditor would look for in audit of an IS environment is
Segregation of duties is TRUE in which of the following cases ?
The IS Control Group is NOT responsible for performing
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
The duties and role of an IS Steering Committee is:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following statements about national and international information systems standard is true?
Which of the following principles should not guide the way in which QA personnel report to management?
The following statement is true about a mandatory access control policy?
The test of access control, over a distributed database, can be carried out by
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Electronic card access system is used to control access to a data centre. The documentation for this system should be up
Hardware controls are important to IS auditors for they:
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Uninterruptible Power Supply (UPS) systems are used in computers to reduce the likelihood of :
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
Which of the following decisions most likely CANNOT BE made on the basis of reports prepared from the maintenance lo
Which of the following pairs of items perform similar functions?
Which of the following statement is FALSE for Equipment mean-time-between-failure (MTBF)?
Passwords belong to the following class of authentication information:
The comment which is a DISADVANTAGE concerning prototyping is:
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following best describes a feature of statistical sampling?
Internal controls are not designed to provide reasonable assurance that:
The objective of using System Control Audit Review File (SCARF) within the application is for collecting following informa
The residual dump technique in backup has the disadvantage of
Which is the primary reason for replacing cheques with Electronic Funds Transfer (EFT) systems in the accounts payable
Which of the following activities is undertaken during data preparation:
Which one of the following is not a compliance test ?
To properly control access to accounting data held in a Database Management System, the database administrator shou
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
The control procedure of installing the anti-virus software in the system is called
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in
For consideration of outsourcing of computer operations which is the factor that would LEAST indicate the same.
Which of the following is not a desirable property of a cipher system:
Which of the following principles should not guide the way in which QA personnel report to management?
Staffing the QA function is often difficult because:
The presence of a Quality Assurance (QA) function has an effect on the auditor's function. Which of the following stateme
A major advantage of associating passwords with users in the access control mechanism, over associating the password
It would not be possible to use the Checkpoint/restart facilities when:
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Identify the wrong statement with respect to structured programming concepts and program modularity.
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
Which of the following pairs of items perform similar functions?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
Which of the following functions SHOULD NOT BE combined with Control Group.
Which of the following is NOT included in the digital certificate:
Which of the following techniques ensures an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
Which one of the following network types will play an important role in implementing E-commerce?
Which one of the following controls would protect the production libraries without compromising the efficiency of open acc
The primary objective of security software is to:
Which one of the following statements is correct with regard to reciprocal processing agreement?
Which of the following actions provides the IS Auditor with the greatest assurance that certain weaknesses in internal con
A function NOT possible of being accomplished using CAATs is :
The basic character / purpose of an audit charter is best described by which of the following.
Reciprocal Agreements are normally entered between two or more organisations:
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
what is the major risk that is faced by a user organization during system integration projects?
Simple Software has just purchased a minicomputer. The make and model selected will allow the company to attach ad
Most computer systems have hardware controls that are built in by the computer manufacturer. Common hardware contro
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Removing sequences of extraneous zeros or spaces in a file is an application of:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
Logging of authorised and unauthorised attempts to access the computer systems and Disconnection of a terminal after i
Which one of the following documents would be least effective in performing unit testing of an applications software?
Which of the following is a dynamic analysis to detect software errors?
With respect to expert systems, a heuristic is not a:
The comment which is NOT true regarding ISO 9000 is
The MAIN purpose of having Compensating Controls is to
Which of the following features is least likely to be found in a real time application?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
Which of the following is NOT True as a mode of network reliability enhancement:
Identify the EARLIEST software development model
The class of control used to monitor inputs and operation is :
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
Which of the following statements about computers is correct?
Which phase of SDLC uses Data Flow Diagram?
Identify the document which is LEAST effective during the acceptance test of applications software.
The biggest benefit of prototyping is:
The application run manual would normally comprise of :
The IS Control Group is NOT responsible for performing
Which one of the following uses a modem technology as a common means of communicating between computers?
In a central computer system users specify where their output is printed, but some users give the wrong destination code
Where would you handle finite state machines in SDLC?
The FIRST and preliminary step in the process of information security program establishment is :
The advantage of tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
As against link encryption, end-to-end encryption cannot protect against
Which of the following should find a place in a disaster recovery plan
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
The activity of detective control in detecting virus relates to
Application's access control will be seriously jeopardised if
Business continuity plan of an organisation should address early recovery of which of the following?
Which among the following is NOT a serious problem in a ring topology based LAN?
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Which one of the following reasons is the most important to retain a legacy application system?
Which of the following is a dynamic analysis to detect software errors?
Which of the following is deemed as good system design practice?
What makes Rapid prototyping technique portable?
A well written and concise job description is IRRELEVANT to
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Which of the following functions cannot be performed using a communications network control terminal:
The least commonly used medium for local area network (LAN) environment is:
What is the major risk that is faced by a user organization during system integration projects?
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following statements about automated operations facility parameters is not true?
Control over data preparation is important for :
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
A majority of defects are attributed to a small number of causes. Which of the following basic tools would BETTER depict th
The application run manual would normally comprise of :
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested pr
Which of the following is not an important control step of the input/output control group?
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
To examine the existence of the entities described by the data, which of the functional capabilities in the generalised audit
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
The reason for the IS auditor NOT preparing a formal audit program is :
Access to the work area restricted through a swipe card or only through otherwise authorised process and when visitors e
IS security policy of an organisation will not contain details about the following:
A newly released virus was enabled into LAN, from a floppy drive in one of the workstations connected to the LAN. The e
One of the main tasks performed by a Security Administrator is
Which of the following alternate facilities has the GREATEST chance of failure due to change in systems and personnel?
Which one of the following is performed FIRST in a system development life cycle project?
Which one of the following reasons is the most important to retain a legacy application system?
Information system is broken into various subsystems. Which among the following is NOT a component of the application
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
The following is an advantage of using link encryption
Personal Computers and Laptops have both a floppy disk drive and a hard disk drive. The major difference between the t
Which of the following is not a function of operations management:
The least commonly used medium for local area network (LAN) environment is:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
In general, output controls over reports of batch systems would be more compared with that of online systems because:
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
Identify the wrong statement with respect to structured programming concepts and program modularity.
In which phase of SDLC Desk Checking is practiced?
The main focus of the graphical user interface (GUI) environments is:
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which of the following is NOT a proper responsibility of functional users.
The following estimates the probability of a computer system being destroyed in a natural disaster and the corresponding
Machine maintenance engineers pose some difficult control problems because:
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
The application run manual would normally comprise of :
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following characteristics is not associated with a public key cryptosystem?
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
The primary objective of security software is to:
The validity of a program recalculation could be audited by the following techniques except:
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
Which among the following components is of PRIMARY concern for evolving a recovery plan after a communication failur
Which one would be a material irregularity?
The Duties of a Computer operations does NOT comprise of :
Which of the following feature may seriously affect or nullify the utility of audit trails for an application system ?
Which of the following is TRUE about Automated Teller Machines (ATMs)?
Identify the wrong statement with respect to structured programming concepts and program modularity.
The main focus of the graphical user interface (GUI) environments is:
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
Which of the following is likely to be a benefit of electronic data interchange (EDI)
The following is an advantage of using link encryption
The DES is an example of a:
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Out of the following pairs of services, which provides an access control over a network of computers
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Uninterruptible Power Supply (UPS) systems are used in computers to reduce the likelihood of :
Identify the cost that does NOT form part of software package installation or implementation cost?
The software test objective of operating in different platforms is achieved by conducting:
System Auditor primarily uses, the information provided by a detailed, understanding of the Information system controls an
Which of the following lines prevents tapping?
Concentration technique in a communication network DOES NOT
Link encryption in communication of signals
Operations audit trail rather than the accounting audit trail is likely to show
Identify the test-case design techniques that is used in unit and integration testing of applications software.
Which of the following is deemed as good system design practice?
Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
Control over data preparation is important because:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
To properly control access to accounting data held in a Database Management System, the database administrator shou
When the results of production data files processing with a generalized audit software do not agree with the total balance
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
Which phase of SDLC uses 'Program slicing' technique?
Due Professional Care requires an IS auditor to possess which of the following quality
Which among the following statements about information systems personnel is NOT true?
Which of the following encryption algorithms or schemes is MOST difficult to break?
Which of the following statement is TRUE about an offsite information processing facility?
Which of the following is an upper CASE tool?
In the system development life cycle approach, which of the following is MOST likely to be constant?
In which phase of a system development life cycle would you perform Mutation analysis?
In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
In order to trace data through several application programs, an auditor needs to know what programs use the data, which
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
Which of the following physical access control devices would be most effective for a high security installation?
An upper CASE tool is used in :
During a fire in a data centre, an automatic fire suppression system would first:
Identify the EARLIEST software development model
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
The best control to ensure that a customer uses a debit/credit card carefully is:
The complete information about all data in a database is found in :
The primary advantage of a derived Personal Identification Number (PIN) is that :
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which one of the following is not an operating control:
Prototyping approach to system design is resorted to when
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
Which of the following is NOT TRUE with regard to network reliability enhancement:
The Duties of a Database administrator does NOT comprise of :
Which of the following is not a function of the control section:
As against link encryption, end-to-end encryption cannot protect against
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
The main difference in terms of control between a manual system and a computer system is:
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's m
When the results of production data files processing with a generalized audit software do not agree with the total balance
Access to the work area restricted through a swipe card or only through otherwise authorised process and when visitors e
For reviewing the physical security of the IPF facility, the necessity of the following document is the LEAST
Logging of transactions is an important means of backup. Which purpose among the following is not served by logging the
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
Which of the following is the most difficult to manage in a SDLC project?
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
The MAIN purpose of having Compensating Controls are to
The Digital Signature system uses the services of an Arbitrator to prevent
While classifying controls on the basis of the operations involved, input control can be classified as
Which of the following physical access control devices would be most effective for a high security installation?
All of the following assumptions about legacy application systems are correct except
As an IS auditor, which would you consider the MOST CRITICAL CONTROL over an employee performing a function.
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Out of the following pairs of services, which provides an access control over a network of computers
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
Uninterruptible Power Supply (UPS) systems are used in computers to reduce the likelihood of :
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's ma
Which of the following statement is FALSE for Equipment mean-time-between-failure (MTBF)?
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following tests would be used to ensure whether a software product fails or not?
When the account number is entered into an online banking system, the computer responds with a message that reads: A
The least commonly used medium for local area network (LAN) environment is:
Control over data preparation is important because:
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
Computer viruses could be detected by which one of the following actions?
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
The Duties of a Computer operations does NOT comprise of :
Which of the following feature may seriously affect or nullify the utility of audit trails for an application system ?
Which of the following is TRUE about Automated Teller Machines (ATMs)?
Which of the following electronic commerce systems handle non-monetary documents?
Which of the following cryptographic algorithm does both encryption and digital signature?
Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
MAC or message authentication code prevents
Fuzzy logic is most effective when :
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
Identify the wrong statement with respect to structured programming concepts and program modularity.
Ability to operate on multiple computer types from different vendors is envisaged by
Which one of the following statements concerning microcomputer systems NOT true?
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
It would not be possible to use the Checkpoint/restart facilities when:
A major advantage of associating passwords with users in the access control mechanism, over associating the password
Electronic card access system is used to control access to a data centre. The documentation for this system should be up
In an automated processing system of records, processing control total reconciliation is a type of
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
Which one of the following transmission media is unsuitable for handling intra-building data or voice communications?
Machine maintenance engineers pose some difficult control problems because:
An example for a concurrent audit tool whose complexity is low is :
Passwords belong to the following class of authentication information:
What is the control that should have been in vogue so as to enable detection of a change made in a payroll program by a
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
Which one of the following is not an essential component of a distributed computing environment?
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
The internet is made up of a series of networks that include
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
Active attack on communication network DOES NOT include
Which of the following activities should not be permitted when operators use a communications network control terminal:
Which of the following best describes feature of statistical sampling?
The Duties of a Database administrator does NOT comprise of :
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trai
To prevent virus attack effectively in an IS environment, the first and foremost step to be taken is
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
Which of the following is not part of an emergency plan?
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
Identify the item that is not a part of performance guarantees in software contract negotiations.
Identify the wrong statement with respect to structured programming concepts and program modularity.
The database administrator is not responsible for which one of the following functions?
The test of access control over a distributed database can be carried out by
A major drawback of a remote dial up network communication system is
Which of the following physical access control devices would be most effective for a high security installation?
Identify the factor that is not part of an expert system architecture.
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
The class of control used to minimise the impact of a threat is :
Which of the following is a common security practice in a LAN.
Which of the following statement is true about a mandatory access control policy?
The objective of compliance testing is to find :
A document-driven approach is used in :
The biggest benefit of prototyping is:
The most important factor while creating test data for checking a system, is :
Which one of the following statements is FALSE?
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
Wiretapping CANNOT easily be done without detection in
In selecting the applications to be audited, which criteria is LEAST likely to be used:
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
The Duties of a Computer operations does NOT comprise of :
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
For reviewing the physical security of the IPF facility, the necessity of the following document is the LEAST
Which of the following cryptographic algorithms does both encryption and digital signature?
Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not ha
Interference is resisted MOST by
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
With respect to expert systems, a heuristic is not a:
The comment which is NOT true regarding ISO 9000 is
The duties and role of an IS Steering Committee is:
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Which of the following is NOT true about a database management system application environment?
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
For a stand alone system, the best security control is to have
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
The class of control used to overcome problems before they acquire gigantic proportions is :
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
The main objective of separation of duties is to ensure that:
The manager of the information systems QA function should report to the:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developmen
When implementing local area networks, the major implementation choices involve decisions about all of the following exc
Which of the following software metrics would refer to function points?
Which of the following statements about computer is correct?
Which one of the following testing order is correct?
Which of the following activities should not be permitted when operators use a communications network control terminal:
Where would you handle finite state machines in SDLC?
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The objective of using System Control Audit Review File (SCARF) within the application is for collecting following informa
Which of the following lines prevents tapping?
Which one would be a material irregularity?
System Auditor primarily uses, the information provided by a detailed understanding of the Information system controls an
Which of the following utilities can be used to directly examine the quality of data in the database:
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informati
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
The control procedure of installing the anti-virus software in the system is called
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the plan provides for an alternate site
Incorrect initialization occurs on account of which of the following faults ?
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
To effectively prevent intrusion, usually the following controls are established. Of this which control BEST detects intrusion
The following measures will protect the computer systems from virus attack EXCEPT:
Password control procedures incorporate all the following features EXCEPT
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
In the case of message encryption, which of the following is more secure?
Identify the cost that does NOT form part of software package installation or implementation cost?
During the detailed design phase of SDLC, which one of the following tasks performed?
A major drawback of a remote dial up network communication system is
Which of the following physical access control devices would be most effective for a high security installation?
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
The major risk in prototyping model is :
The software test objective of operating in different platforms is achieved by conducting:
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following incidents can seriously damage a digital signature system?
Which of the following is NOT a proper responsibility of functional users.
Which of the following types of subversive attacks on a communication network is not an active attack:
Which one of the following poses a major threat in using remote workstations?
Which one of the following statements is FALSE?
Which of the following is NOT an input control objective?
Which of the following would not be considered a characteristic of a private key cryptosystem?
The DES is an example of a:
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
Control over data preparation is important for :
Which one would be a material irregularity?
In selecting the applications to be audited, which criteria is LEAST likely to be used:
Which of the following does NOT need to be considered in determining statistical sample sizes?
The BEST and reliable form of evidence that assists the IS auditor to develop audit conclusions is :
Segregation of duties is TRUE in which of the following cases ?
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Link encryption in communication of signals
In the case of a bank teller the access control policy is an example of:
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
Information system is broken into various subsystems. Which among the following is NOT a component of the application
Uninterruptible power supplies are used in computer centers to reduce the likelihood of :
Which one of the following is not an operating control:
Which of the following is not a desirable property of a cipher system:
The primary advantage of the list-oriented approach to authorisation is:
The following method of PIN validation seems to result in the fewest control problems?
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Uninterruptible Power Supply (UPS) systems are used in computers to reduce the likelihood of :
Which of the following is FALSE with regard to a public key cryptosystem?
Which one of the following pairs ,when performed simultaneously, would pose a major Risk?
Which one of the following poses a major threat in using remote workstations?
A software metric will NOT define which one of the following?
Software quality assurance process does NOT undertake:
In evaluation of an organisation's IS strategy, which of the following would an IS auditor consider to be the MOST importa
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from ins
The following is an advantage of using link encryption
Which of the following is not a function of operations management:
User interface prototyping may NOT focus on :
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
When the results of production data files processing with a generalized audit software do not agree with the total balance
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
Which of the following activities should not be permitted when operators use a communications network control terminal:
The most important factor while creating test data for checking a system, is :
Which of the following does NOT need to be considered in determining statistical sample sizes?
Which of the following cryptographic algorithm does both encryption and digital signature?
Concentration technique in a communication network DOES NOT
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
An upper CASE tool is used in :
A document-driven approach is used in :
In the system development life cycle approach, which of the following is MOST likely to be constant?
In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
Which of the following would not be considered a characteristic of a private key cryptosystem?
Control over data preparation is important because:
When a compliance failure occurs, QA personnel should:
The public audit trail of a Digital Signature system will not contain which of the following?
Within an EDI system, which of the following is used to determine non-repudiation?
Only digital signatures can ensure no
In general, output controls over reports of batch systems would be more compared with that of online systems because:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used w
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
The basic purpose of an IS audit is :
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Machine maintenance engineers pose some difficult control problems because:
Identify the document which is LEAST effective during the acceptance test of applications software.
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which one of the following protocols is used by the Internet?
Which one of the following techniques is represented by structured analysis and design?
Which of the following is addressed by software configuration management as part of software quality assurance?
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
After you enter a purchase order in an on-line system, you get the message, The request could not be processed due to
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Which of the following functions cannot be performed using a communications network control terminal:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log onto to the office server using
Which of the following is likely to be a benefit of electronic data interchange (EDI)
The duties of a Data Security Officer does NOT comprise of :
Which of the following conditions lead to increase in white noise:
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Which of the following encryption algorithms or schemes is MOST difficult to break?
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
Which of the following system life factors is most difficult to control by a user organization?
The software test objective of operating in different platforms is achieved by conducting:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
Implementation and maintenance of new and existing systems with the aid of programmers and analysts is the responsib
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
A major drawback of a remote dial up network communication system is
Ability to operate on multiple computer types from different vendors is envisaged by
For electronic-Commerce deals through web-based transactions involving acceptance of payment through credit cards, in
In which phase of SDLC Desk Checking is practiced?
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Which of the following functions SHOULD NOT BE combined with Control Group.
During an audit of the tape management system at a data center, an IS auditor discovered that some parameters are set
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following tests would be used to ensure whether a software product fails or not?
The duty of the Quality Assurance Group is
End-to-end encryption provides only limited protection against a subversive attack that uses:
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Which among the following is NOT true of star topologies?
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
Substantive Testing and Compliance Testing can be best differentiated as :
An IS auditor carrying out review of logical access control, shall have the PRIMARY OBJECTIVE of
The IS security policy of a company usually incorporates all of the following features EXCEPT
Which of the following access rights, if allotted to a computer operator, will violate standard access control rules :
Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?
An IS Auditor carrying out security review for verification of the implementation of certain security measures, will be LEAS
Which of the following statement is TRUE about an offsite information processing facility?
Which among the following is NOT true of star topologies?
What makes Rapid prototyping technique portable?
Which of the following computer technologies is a major shift in the development and maintenance of application systems
The main focus of the graphical user interface (GUI) environments is:
Implementation and maintenance of new and existing systems with the aid of programmers and analysts is the responsib
Which of the following characteristics is not associated with a public key cryptosystem?
A public key cryptosystem uses:
IS Auditor performing a security review will perform all the following steps. However, he will begin with
Abuse of information system (IS) is BEST described as :
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
When users of an information system are dispersed over a wide area and are authorized to use dial-up lines for getting ac
Which of the following functions SHOULD NOT BE combined with Control Group.
Which of the following is NOT TRUE about a database management system application environment?
The main objective of separation of duties is to ensure that:
The software test objective of operating in different platforms is achieved by conducting:
Ability to operate on multiple computer types from different vendors is envisaged by
The biggest benefit of prototyping is:
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Which one of the following statements is FALSE?
A majority of defects are attributed to a small number of causes. Which of the following basic tools would BETTER depict t
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
What is the control that should have been in vogue so as to enable detection of a change made in a payroll program by a
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
System Auditor primarily uses, the information provided by a detailed, understanding of the Information system controls a
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
Software metric that deals with measurement of lines of code is:
Dual protection or mirroring of servers mitigates the exposures from
Which one of the following statements is correct with regard to reciprocal processing agreement?
Which of the following activities is undertaken during data preparation:
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
Can an IS auditor of a company outsourcing its operations insist on reviewing the vendor's Business Continuity plan docume
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
All of the following assumptions about legacy application systems are correct except
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
In today's business environment one can hardly find a company without a computer. But an IPF (Information processing f
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
During the detailed design phase of SDLC, which one of the following tasks is performed?
For a high security installation the most effective physical access control device is
Identify the cost that does NOT form part of software package installation or implementation cost?
In an automated processing system of records, processing control total reconciliation is a type of
In Information Technology projects, which of the following factors is most crucial?
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following controls would prevent unauthorized access to specific data elements in a database management
A major design consideration for local area networks that replaces stand alone computing in an organisation includes:
An access control policy for a Customer Service Representative in a banking application is an example of the implementa
Hardware controls are important to IS auditors for they:
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
Machine maintenance engineers pose some difficult control problems because:
Of the following, the most critical component in a LAN is likely to be the:
The major risk in prototyping model is :
The principle of least privilege is an important concept in access controls of a network. Among the four enumerated here, w
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the f
Which of the following converts digital pulses from the computer into frequencies within the audio signals
Availability of computer time is taken care of in which part of the Project Planning and scheduling ?
The following is NOT a desirable property of a cipher system:
Which of the following tests address the interaction and consistency issues of successfully tested parts of a system?
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
The snapshot technique involves:
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
The duties of Computer operations do NOT comprise:
An IS auditor carrying out review of logical access control, shall have the PRIMARY OBJECTIVE of
Which of the following statements is TRUE about an offsite information processing facility?
What is the most important factor to be considered when comparing system alternatives before making the final selection
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
A Systems Analyst's duties and roles comprise:
Which of the following statements regarding security concerns for lap top computers is NOT false?
Which of the following is not a function of the control section:
The least commonly used medium for local area network (LAN) environment is:
The following is not a desirable property of a cipher system:
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Errors in an information system based on computers are less tolerable than in a manual system primarily because:
For a high security installation the most effective physical access control device is
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
The main objective of separation of duties is to ensure that:
What would you use to enforce integration rules so as to integrate one component with another?
Which of the following is NOT a proper responsibility of functional users.
Which of the following is NOT included in the digital certificate:
Which one of the following transmission media is unsuitable for handling intra-building data or voice communications?
Which of the following is NOT a proper responsibility of functional users.
Identify the document which is LEAST effective during the acceptance test of applications software.
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
The major difference between a client/server and a mainframe-based application may NOT likely occur with regard to
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
Which one of the following is not a compliance test ?
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
Control of employee activities in a computerized environment is, vis-à-vis manual systems,
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
The primary objective of security software is to:
The following is NOT a pre-requisite for installing a new anti-virus software
The communication of signals is subjected to noise MOST LIKELY because of
In the case of a bank teller the access control policy is an example of:
Which one of the following errors will occur because of overflow conditions?
What makes Rapid prototyping technique portable?
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
Which of the following system life factors is most difficult to control by a user organization?
Identify the item that is not a part of performance guarantees in software contract negotiations.
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
Packet switching is an example of:
To effectively implement the principle of least privilege, it is necessary to have:
For a high security installation the most effective physical access control device is
The public audit trail of a Digital Signature system will not contain which of the following?
In an automated processing system of records, processing control total reconciliation is a type of
Which of the following control objectives is violated when the theft of proprietary software or corporate data is stolen:
An audit technique used to select items from a population for audit testing purposes based on the characteristics is terme
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which of the following steps provide the highest assurance in achieving confidentiality, message integrity and non-repudia
Which one of the following is ideally suited for multimedia applications?
Identify the document which is LEAST effective during the acceptance test of applications software.
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Which of the following statements is FALSE for Equipment mean-time-between-failure (MTBF)?
Which one of the following testing orders is correct?
Software quality assurance process does NOT undertake:
The work schedule of a clerk in a Control Group is of
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
Which of the following controls would prevent unauthorized access to specific data elements in a database management
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Which one of the following is not part of a computer capacity management function?
Which of the following lines prevents tapping?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
To properly control access to accounting data held in a Database Management System, the database administrator shou
MAC or message authentication code prevents
Identify the wrong statement with respect to structured programming concepts and program modularity.
A Systems Analyst's duties and roles comprise:
An advantage of outsourcing data processing activities in a company is obtained by:
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Output control is best described by which of the following ?
During a review of system access rules, an IS Auditor noted that the System Administrator has unlimited access to all dat
Retention date on magnetic tape files would:
Which of the following control objectives is violated when the theft of proprietary software or corporate data is stolen:
The class of control used to monitor inputs and operation is :
Which of the following events is recorded on a public audit trail in a digital signature system?
Which of the following incidents can seriously damage a digital signature system?
Which of the following is not true in respect of Expert systems?
Which one of the following techniques is represented by structured analysis and design?
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
How the control in a loan processing edit program which ensures a logical relationship between the amount advanced, the
In which phase of SDLC would you use software sneak circuit analysis?
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel,
The snapshot technique involves:
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Link encryption in communication of signals
Internet was established NOT for
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
The IS Control Group is NOT responsible for performing
To disable easy detection of password, it should be arranged in the following convention as shown below:
A main advantage of a standard access control software implemented properly is
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
The objective of software quality assurance is not:
Maintenance of adequate security measures over IS assets and accountability for the same rests with the:
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log onto to the office server using
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
The DES is an example of a:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
The designer of a cryptosystem is called a:
The primary advantage of the list-oriented approach to authorisation is:
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Abuse of information system (IS) is BEST described as :
A sampling technique that estimates the amount of overstatement in an account balance is termed as :
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
In an automated processing system of records, processing control total reconciliation is a type of
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The software test objective of operating in different platforms is achieved by conducting:
Which of the following is NOT a desirable property of a cipher system:
Which of the following is NOT a proper responsibility of functional users.
A software metric will NOT define which one of the following?
The major difference between a client/server and a mainframe-based application may NOT likely occur with regard to w
Which of the following is NOT an input control objective?
In which phase of SDLC would you use software sneak circuit analysis?
User interface prototyping may NOT focus on :
The snapshot technique involves:
The difference between SCARF and Continuous and Intermittent Simulation (CIS) is :
In evaluation of an organisation's IS strategy, which of the following would an IS auditor consider to be the MOST importa
During the review of logical access controls over a company's various application systems, an auditor found that access c
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
In the development life cycle model, the place to start software quality process is:
Which of the following is the most difficult to manage in a SDLC project?
Identify the test-case design techniques that is used in unit and integration testing of applications software.
A Systems Analyst's duties and roles comprise:
Which of the comments about Business Process Re-engineering (BPR) is NOT false?
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Packet switching is an example of:
While down sizing a material inventory system, data center personnel considered redundant array of inexpensive disks (R
Which of the following is not an audit objective in the review of hardware acquisition?
Which of the following is not a function of operations management:
Which of the following terms best describes the purpose of control practice over the input
A document-driven approach is used in :
In data processing, which of the following causes the maximum losses
Passwords belong to the following class of authentication information:
The information technology pilot projects envisages which of the following concepts?
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
In order to achieve more perfection of an already working software system, what method will be adopted?
Segregation of duties is TRUE in which of the following cases ?
When constructing the communications infrastructure for moving data over a local area network, the major implementation
Which of the following is NOT an input control objective?
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Which of the following is not a substantive test:
Which one of the following statements is correct with regard to reciprocal processing agreement?
Which of the following actions provides the IS Auditor with the greatest assurance that certain weaknesses in internal con
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
The logical access exposure involving data changing before and/or while being entered into the computer is called
Which of the following systems are MOST important for business resumption following a disaster?
In the case of electronic funds transfer (EFT), which one of the following is MOST vulnerable to fraud and physical attack
Which among the following is NOT a serious problem in a ring topology based LAN?
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but many
Which one of the following reasons is the most important to retain a legacy application system?
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
Identify the wrong statement with respect to structured programming concepts and program modularity.
The biggest benefit of prototyping is:
Implementation and maintenance of new and existing systems with the aid of programmers and analysts is the responsib
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Staffing the QA function is often difficult because:
An example for a concurrent audit tool whose complexity is low is :
An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
Machine maintenance engineers pose some difficult control problems because:
The following statement about controls over computer operators is true:
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and control
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
The FIRST and preliminary step in the process of information security program establishment is :
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Link encryption in communication of signals
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
Which of the following is not a substantive test:
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
The duties of Computer operations do NOT comprise:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
The validity of a program recalculation could be audited by the following techniques except:
Where a transaction processing application is very complex, involving many sources of data capture and many routes for
An IS Auditor carrying out security review for verification of the implementation of certain security measures, will be LEAS
Which of the following electronic commerce systems handle non-monetary documents?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which one of the following reasons is the most important to retain a legacy application system?
Which phase of SDLC uses Data Flow Diagram?
Information system is broken into various subsystems. Which among the following is NOT a component of the application
Which one of the following is not an essential component of a distributed computing environment?
The least commonly used medium for local area network (LAN) environment is:
For a stand alone system, the best security control is to have
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
A major advantage of associating passwords with users in the access control mechanism, over associating the password
Identify the document which is LEAST effective during the acceptance test of applications software.
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
In the system development life cycle approach, which of the following is MOST likely to be constant?
Network performance monitoring tools will MOST affect which of the following?
Software piracy is a common threat to an organization and so while choosing an application software package what shoul
The main objective of separation of duties is to ensure that:
Which of the following statements about automated operations facility parameters is not true?
Which one of the following protocols is used by the Internet?
During an audit of the tape management system at a data center, an IS auditor discovered that some parameters are set
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following usually is a purpose of a modem:
Which of the following is addressed by software configuration management as part of 'Software quality assurance?
Which of the following lines prevents tapping?
System Auditor primarily uses the information provided by a detailed understanding of the Information system controls an
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
The BEST and reliable form of evidence that assists the IS auditor to develop audit conclusions is :
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
The validity of a program recalculation could be audited by the following techniques except:
Before disposing of the PC used for storing confidential data the most important precautionary measure to be taken is
A main advantage of a standard access control software implemented properly is .
MAC or message authentication code prevents
Requirement specification errors lead to:
After the system is developed, the auditor's objective in conducting a general review is to
During the detailed design phase of SDLC, which one of the following tasks is performed?
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
Which of the following is not a desirable control feature in a modem:
The DES is an example of a:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
A detective control designed to establish the validity and appropriateness of numeric data elements, and to guard against
An Information System Auditor observed that technical support personnel have unlimited access to all data and program
Identify the wrong statement with respect to structured programming concepts and program modularity.
The following message service provides the strongest protection about the occurrence of a specific action:
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which one of the following is NOT an essential component of a distributed computing environment?
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been los
The DES is an example of a:
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is :
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Which one of the following statements is False?
Control over data preparation is important because:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
User interface prototyping may NOT focus on :
Which one would be a material irregularity?
PC-based analysis and design tools are used along with mainframe computer-based tools.
Internet was established NOT for
Control over data preparation is important for :
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
Before disposing of the PC used for storing confidential data the most important precautionary measure to be taken is
Which among the following is NOT a serious problem in a ring topology based LAN?
Which one of the following errors will occur because of overflow conditions?
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which of the following would not normally be considered a typical file structure for a database management system:
Which of the following statements about national and international information systems standard is true?
The presence of a Quality Assurance (QA) function has an effect on the auditor's function. Which of the following stateme
A major advantage of associating passwords with users in the access control mechanism, over associating the password
Software piracy is a common threat to an organization and so while choosing an application software package what shou
Select the BEST control to mitigate the risk of creation of duplicate user name and Password during sign on procedures, i
The best control to ensure that a customer uses a debit/credit card carefully is:
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
The MOST secured access control mechanism is
When users of an information system are dispersed over a wide area and are authorized to use dial-up lines for getting ac
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's ma
Which of the following functions cannot be performed using a communications network control terminal:
An Information System Auditor observed that technical support personnel have unlimited access to all data and program f
The application run manual would normally comprise of :
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
In which phase of SDLC would you use software sneak circuit analysis?
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
In the case of Business Process re-engineering which of the following is NOT true ?
Internal controls are not designed to provide reasonable assurance that:
The difference between SCARF and Continuous and Intermittent Simulation (CIS) is :
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
Substantive Testing and Compliance Testing can be best differentiated as :
A control is NOT designed and implemented to:
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
The technique employed in packet switching mode of transmission is:
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Identify the wrong statement with respect to structured programming concepts and program modularity.
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Hardware controls usually are those built into the equipment by the manufacturer. One such control, an echo check, is be
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
The DES is an example of a:
In an online processing system, to reconstruct correctly the interrupted transactions on a failure, the system should have
Identify the document which is LEAST effective during the acceptance test of applications software.
Out of the following pairs of services, which provides an access control over a network of computers
The biggest benefit of prototyping is:
The class of control used to monitor inputs and operation is :
The complete information about all data in a database is found in :
The objective of compliance testing is to find :
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
The main objective of separation of duties is to ensure that:
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following protocols is used by the Internet?
Which of the following usually is a purpose of a modem:
The test approach that includes ALL of the systems requirement, system design, and systems development documents i
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
If fraud or errors are suspected in the population , the auditor would use:
Which among the following is NOT a serious problem in a ring topology based LAN?
Dual protection or mirroring of servers mitigates the exposures from
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
The BEST and the most reliable form of evidence that an IS auditor would look for in audit of an IS environment is
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
Access control list of a firewall can have the following parameters, on the basis of which it may filter access, EXCEPT one
The following is NOT a pre-requisite for installing a new anti-virus software
Maximum reliability is available in
Which one of the following errors will occur because of overflow conditions?
In an IS based on computerized environment, the audit trail is
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
During a review of system access rules, an IS Auditor noted that the System Administrator has unlimited access to all dat
Retention date on magnetic tape files would:
Identify the cost that does NOT form part of software package installation or implementation cost?
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which one of the following local area network devices functions as a data regenerator?
Which one of the following pair of items is a primary cause of signal distortion in data communications?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
The biggest benefit of prototyping is:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
Which of the following would not be appropriate to consider in the physical design of a data centre?
The technique employed in packet switching mode of transmission is:
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Which of the following is not a function of operations management:
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Accuracy of data is important most likely to a
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is
Which of the following BEST describes a warm site?
Which of the following cryptographic algorithm does both encryption and digital signature?
Wiretapping CANNOT easily be done without detection in
Operations audit trail rather than the accounting audit trail is likely to show
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
Fuzzy logic is most effective when :
Which of the following factors would bring down the risks most in Joint Application Design (JAD) meetings?
The main focus of the graphical user interface (GUI) environments is:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
In the case of Business Process re-engineering which of the following is NOT true ?
In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
Removing sequences of extraneous zeros or spaces in a file is an application of:
Which of the following is least likely to be a reason for making QA personnel responsible for identifying areas where quali
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
Uninterrupted Power Supply (UPS) systems are used in computers to reduce the likelihood of :
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been los
The software test objective of operating in different platforms is achieved by conducting:
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Which one of the following will be included in the application software testing phase for effective controls?
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
For effective implementation of a software quality program the MOST important prerequisite is:
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
Which one of the following is the most essential activity for effective computer capacity planning:
Which one of the following controls would protect the production libraries without compromising the efficiency of open acc
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Wiretapping CANNOT easily be done without detection in
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Concentration technique in a communication network DOES NOT
Which among the following is NOT a serious problem in a ring topology based LAN?
International Standards Organisation (ISO) has defined risk as the potential that a given threat will exploit vulnerability of a
The snapshot technique involves:
Substantive Testing and Compliance Testing can be best differentiated as :
Computer viruses could be detected by which one of the following actions?
The first step in the installation of an information security program is the
Which of the following cryptographic algorithm does both encryption and digital signature?
As against link encryption, end-to-end encryption cannot protect against
During the detailed design phase of SDLC, which one of the following tasks performed?
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
The least commonly used medium for local area network (LAN) environment is:
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
The following statement applies to a capability based approach to authorisation?
A detective control designed to establish the validity and appropriateness or numeric data elements, and to guard against
A major drawback of a remote dial up network communication system is
Which of the following physical access control devices would be most effective for a high security installation?
A PIN if stored for reference purposes, must be stored in:
The best control to ensure that a customer uses a debit/credit card carefully is:
Which of the following functions cannot be performed using a communications network control terminal:
Which of the following is NOT included in the digital certificate:
The manager of the information systems QA function should report to the:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following is NOT TRUE with regard to network reliability enhancement:
The presence of an arbitrator in a digital signature system will prevent:
Which one of the following is not an operating control:
Which of the following tests address the interaction and consistency issues of successfully tested parts of a system?
The estimate of time which has the MOST important relevance in evaluation of the activities in a Program Evaluation Rev
Segregation of duties is TRUE in which of the following cases ?
Which of the following activities should not be permitted when operators use a communications network control terminal:
Software metric that deals with measurement of lines of code is:
The snapshot technique involves:
Which of the following Technical specifications will NOT be included in a functional
The reason for the IS auditor NOT preparing a formal audit program is :
The definition of expected loss from a threat is:
The duty of the Quality Assurance Group is
When the account number is entered into an online banking system, the computer responds with a message that reads:
The control procedure of installing the anti-virus software in the system is called
Logging of authorised and unauthorised attempts to access the computer systems and Disconnection of a terminal after i
Which of the following is not part of an emergency plan?
Which of the following system life factors is most difficult to control by a user organization?
After the system is developed, the auditor's objective in conducting a general review is to
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In segregation of duties, the organisation will be exposed to a very HIGH risk if the duties of
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
Which one of the following uses a modem technology as a common means of communicating between computers?
The manager of the information systems QA function should report to the:
The class of control used to monitor inputs and operation is :
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Which of the following usually is a purpose of a modem:
Which one of the following statements is FALSE?
The biggest benefit of prototyping is:
A PIN if stored for reference purposes, must be stored in:
Which one of the following criteria shall NOT be considered for choosing an appropriate Computer platform to suit a given
A majority of defects are attributed to a few number of causes. Which of the following basic tools would BETTER depict th
The test approach that includes ALL of the systems requirement, system design, and systems development documents is
Which of the following is addressed by software configuration management as part of Software quality assurance?
Which one of the following statements is False?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
The following is an advantage of using link encryption
Which among the following is NOT a serious problem in a ring topology based LAN?
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
Which of the following activities is undertaken during data preparation:
Several risks are inherent in the evaluation of evidence that has been obtained through the use of statistical sampling. A b
If fraud or errors are suspected in the population, the auditor would use:
Which one would be a material irregularity?
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
To examine the existence of the entities described by the data, which of the functional capabilities in the generalised audit
The advantage tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
The application run manual would normally comprise of :
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is
When the account number is entered into an online banking system, the computer responds with a message that reads:
To protect computer systems from short term power fluctuations, the best environmental control is
Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not ha
Information system is broken into various subsystems. Which among the following is NOT a component of the managem
In an online processing system, to reconstruct correctly the interrupted transactions on a failure, the system should have
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested p
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used w
Of the following, the most critical component in a LAN is likely to be the:
The best control to ensure that a customer uses a debit/credit card carefully is:
What is the major risk that is faced by a user organization during system integration projects?
What makes Rapid prototyping technique portable?
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which of the following software metrics would refer to function points?
Which one of the following is NOT true relating to the use of fiber optics:
Which one of the following network architectures is designed to provide data services using physical networks that are m
Which of the following is NOT a proper responsibility of functional users.
Prototyping approach to system design is resorted to when
The software test objective of operating in different platforms is achieved by conducting:
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
The primary objective of security software is to:
Link encryption in communication of signals
As against link encryption, end-to-end encryption cannot protect against
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
The quantification of the sample size depends on which of the following criteria.
The independence of an IS auditor who was involved in the development of an application system shall be impaired when
The duty of the Quality Assurance Group is
When the results of production data files processing with a generalized audit software do not agree with the total balance
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
The following resources are protected by Logical access controls
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The MAIN purpose of having Compensating Controls are to
Which of the following areas would an IS auditor NOT do while conducting a review of an organisation's IS Strategies.
A ring network
The person responsible for providing access rights to each of the user and access profile for each data element stored in
A PIN if stored for reference purposes, must be stored in:
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
Which of the following is a responsibility of computer operations department?
Which of the following is NOT included in the digital certificate:
Which of the following statement is true about a mandatory access control policy?
Which one of the following is ideally suited for multimedia applications?
Which of the following is NOT TRUE with regard to network reliability enhancement:
Which one of the following protocols is used by the Internet?
A software metric will NOT define which one of the following?
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
Active attack on communication network DOES NOT include
When the results of production data files processing with a generalized audit software do not agree with the total balance
Which of the following activities should not be permitted when operators use a communications network control terminal:
The most important factor while creating test data for checking a system, is :
A control is NOT designed and implemented to:
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
During the review of logical access controls over a company's various application systems, an auditor found that access c
An interest calculation program of a Bank has several schemes and several interest rates. The MOST APPROPRIATE co
A compensating control for the weakness in access controls is the daily review of log files. The IS Auditor reviewing the ad
Wiretapping CANNOT easily be done without detection in
In Information Technology projects, which of the following factors is most crucial?
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Prototyping approach to system design is resorted to when
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Which of the following would not be considered a characteristic of a private key cryptosystem?
Which of the following is NOT True as a mode of network reliability enhancement:
Identify the cost that does NOT form part of software package installation or implementation cost?
Passwords belong to the following class of authentication information:
Prototyping approach to system design is resorted to when
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following is not a database model :
Which of the following techniques ensure an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
The DES is an example of a:
The duty of the Quality Assurance Group is
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
Computer viruses could be detected by which one of the following actions?
A modem is NOT intended to
Control over data preparation is important for :
Which of the following activities is undertaken during data preparation:
International Standards Organisation (ISO) has defined risk as the potential that a given threat will exploit vulnerability of a
Which among the following statements about information systems personnel is NOT true?
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
When the results of production data files processing with a generalized audit software do not agree with the total balance
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
Business continuity plan of an organisation should address early recovery of which of the following?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which of the following approach is ideal in order to test the electronic data interchange (EDI system for a value added ne
Which one of the following design approaches would address data sharing and system access problems in legacy applica
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The Job responsibilities and rights of an application programmer does NOT include
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
Which of the following characteristics is not associated with a public key cryptosystem?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
For a high security installation the most effective physical access control devices is
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
How the control in a loan processing edit program which ensures a logical relationship between the amount advanced, th
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
The following is NOT a desirable property of a cipher system:
The principle of least privilege is an important concept in access controls of a network. Among the four enumerated here, w
The science of cryptography provides all of the following safeguards except
Which of the following software metrics would refer to function points?
Which one of the following local area network devices functions as a data regenerator?
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
Which of the following usually is a purpose of a modem:
Formal change control mechanism would start after which of the following in an overall system development project?
Which one of the following metrics deal with "number of entries/exits per module" ?
The longest phase in SDLC is :
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the fo
With respect to AI, a heuristic refers to :
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
In order to achieve more perfection of an already working software system, what method will be adopted?
Which one of the following is not an essential component of a distributed computing environment?
Which of the following is not an important control step of the input/output control group?
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
Which of the following utilities can be used to directly examine the quality of data in the database:
The objective of using System Control Audit Review File (SCARF) within the application is for collecting following informa
Transmission of electronic signals is not free of impairments. Which of the following statements is true?
A reasonably controlled practice in the distributed executable programs that execute in background of a web browser clie
The unauthorised use of data files can be best prevented by using
IS security policy of an organisation will not contain details about the following:
Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?
Which of the following is NOT true about Pretty good privacy (PGP) and privacy enhanced mail (PEM)?
Which of the following statements about encryption is NOT correct?
Conditioning of the transmission lines is LEAST effective against
Dual protection or mirroring of servers mitigates the exposures from
Which one of the following reasons is the most important to retain a legacy application system?
What is the most important factor to be considered when comparing system alternatives before making the final selection
Which phase of SDLC uses Data Flow Diagram?
In the case of Business Process re-engineering which of the following is NOT true ?
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
Control over data preparation is important because:
While reviewing an organisation that has a mainframe and a client/server environment where all production data reside, t
The Digital Signature system uses the services of an Arbitrator to prevent
Which of the following terms best describes the purpose of control practice over the input
Software piracy is a common threat to an organization and so while choosing an application software package what shou
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following protocols is used by the Internet?
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
Identify the document which is LEAST effective during the acceptance test of applications software.
The biggest benefit of prototyping is:
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which of the following characteristics is not associated with a public key cryptosystem?
The advantage tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Which of the following computer technologies is a major shift in the development and maintenance of application systems
Which one of the following is not a substantive test?
The independence of an IS auditor who was involved in the development of an application system shall be impaired when
The auditor of an IS can exercise control over
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
Password control procedures incorporate all the following features EXCEPT
Reciprocal Agreements are normally entered between two or more organisations:
Active attack on communication network DOES NOT include
Which of the following is an upper CASE tool?
Which of the following features is least likely to be found in a real time application?
Which of the following is not a function of the control section:
Which one of the following is the most essential activity for effective computer capacity planning:
Which of the following is least likely to be a reason for making QA personnel responsible for identifying areas where quali
The control to provide security against accidental destruction of records and to ensure continuous operations is called
Retention date on magnetic tape files would:
Duplication of submitting corrections to errors could be prevented by:
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In the system development life cycle approach, which of the following is MOST likely to be constant?
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
The complete information about all data in a database is found in :
Which of the following functions cannot be performed using a communications network control terminal:
Which of the following is FALSE with regard to a symmetric key cryptosystem?
Which of the following statement is true about a mandatory access control policy?
Which of the following types of subversive attacks on a communication network is not an active attack:
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
The objective of compliance testing is to find :
Identify the cost that does NOT form part of software package installation or implementation cost?
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
System Auditor primarily uses, the information provided by a detailed, understanding of the Information system controls a
Which of the following utilities can be used to directly examine the quality of data in the database:
When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed
The BEST and the most reliable form of evidence that an IS auditor would look for in audit of an IS environment is
Which of the below is a TRUE statement concerning Test Data Techniques.
Accuracy of data is important most likely to a
The BEST method to verify the data values through the various stages of processing
Which of the following is the LEAST important in the case of backup and recovery plan?
As against link encryption, end-to-end encryption cannot protect against
Operations audit trail rather than the accounting audit trail is likely to show
All of the following should be in place prior to programming except:
What makes Rapid prototyping technique portable?
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
During the detailed design phase of SDLC, which one of the following tasks performed?
Which of the following areas would an IS auditor NOT do while conducting a review of an organisation's IS Strategies.
When a compliance failure occurs, QA personnel should:
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
Whenever there is a modification made to an existing software, which of the following testing approaches should be used?
Which of the following is NOT a proper responsibility of functional users.
Which one of the following pairs ,when performed simultaneously, would pose a major Risk?
Availability of computer time is taken care of in which part of the Project Planning and scheduling ?
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
A PIN if stored for reference purposes, must be stored in:
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
Wiretapping CANNOT easily be done without detection in
In the case of Business Process re-engineering which of the following is NOT true ?
When using message switching in a communication network, the following is not a desirable control?
Which one of the following is not a substantive test?
An auditor performing a statistical sampling of the financial transactions in a financial MIS would BEST use :
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
To properly control access to accounting data held in a Database Management System, the database administrator shou
Exposure that could have been caused by the line-grabbing technique is
IS security policy of an organisation will not contain details about the following:
Password control procedures incorporate all the following features EXCEPT
The technique employed in packet switching mode of transmission is:
Prototyping approach does not assume the existence of
A document-driven approach is used in :
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log on to the office server using
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which one of the following is the most essential activity for effective computer capacity planning:
Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
A PIN if stored for reference purposes, must be stored in:
The installation of a database management system (DBMS) does not have any direct impact on :
The presence of an arbitrator in a digital signature system will prevent:
Which one of the following is ideally suited for multimedia applications?
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
An example for a concurrent audit tool whose complexity is low is :
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Passwords belong to the following class of authentication information:
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
End-to-end encryption provides only limited protection against a subversive attack that uses:
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Dual protection or mirroring of servers mitigates the exposures from
A company has entered into a contract with a service provider to outsource network and desktop support, and the relation
Which phase of SDLC uses 'Program slicing' technique?
Which of the following activities is undertaken during data preparation:
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
Before disposing of the PC used for storing confidential data the most important precautionary measure to be taken is
Which of the following systems are MOST important for business resumption following a disaster?
Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not ha
Active attack on communication network DOES NOT include
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
The residual dump technique in backup has the disadvantage of
Which one of the following errors cannot be detected during an inspection activity?
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
An advantage of outsourcing data processing activities in a company is obtained by:
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Which of the following statements about personnel training in QA standards and procedures is false?
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
Most computer systems have hardware controls that are built in by the computer manufacturer. Typical hardware controls
The following statement about controls over computer operators is true:
The manager of the information systems QA function should report to the:
The primary advantage of a derived Personal Identification Number (PIN) is that :
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following statements is true about a mandatory access control policy?
Which of the following steps provide the highest assurance in achieving confidentiality, message integrity and non-repudia
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
Which of the following functions SHOULD NOT BE combined with Control Group.
The following is NOT a desirable property of a cipher system:
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
When the account number is entered into an online banking system, the computer responds with a message that reads:
Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
The following is an advantage of using link encryption
Which of the following activities should not be permitted when operators use a communications network control terminal:
The snapshot technique involves:
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
To protect computer systems from short term power fluctuations, the best environmental control is
The control procedure of installing the anti-virus software in the system is called -
Which one of the following methodologies require efficient system requirements analysis?
Which of the following is the most difficult to manage in a SDLC project?
A less formal review technique is:
Which of the following computer technologies is a major shift in the development and maintenance of application systems
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
All computers have a central processing unit (CPU) that works in conjunction with peripheral devices. The function of the
Which one of the following is the most essential activity for effective computer capacity planning:
Which one of the following uses a modem technology as a common means of communicating between computers?
The manager of the information systems QA function should report to the:
Which of the following statements about personnel training in QA standards and procedures is false?
A remote dial up order entry system using portable computers for sales man to place order should have the following con
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Information system crimes and abuses in comparison to those of the general category are likely to be
Ability to operate on multiple computer types from different vendors is envisaged by
In data processing, which of the following causes the maximum losses
Network performance monitoring tools will MOST affect which of the following?
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following statements is FALSE for Equipment mean-time-between-failure (MTBF)?
Which of the following represents a typical prototype of an interactive application?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originati
Which one of the following local area network devices functions as a data regenerator?
Formal change control mechanism would start after which of the following in an overall system development project?
Which of the following tests address the interaction and consistency issues of successfully tested 'Parts of a system?
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
End-to-end encryption provides only limited protection against a subversive attack that uses:
The main difference between manual and computerized systems in so far as separation of duties is concerned is :
The Duties of a Computer operations does NOT comprise of :
In a central computer system users specify where their output is printed, but some users give the wrong destination code
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Which one of the following methodologies require efficient system requirements analysis?
With respect to expert systems, a heuristic is not a:
In an IS based on computerized environment, the audit trail is
Which of the following statements regarding security concerns for lap top computers is NOT false?
A computer can call into primary storage only that portion of a program and data needed immediately while storing the rem
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
Overall responsibility to protect and control the database and monitor and improve the efficiency of the database are the
Most computer systems have hardware controls that are built in by the computer manufacturer. Typical hardware controls
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developmen
To effectively prevent intrusion, usually the following controls are established. Of this, which control BEST detects intrusion
What would you use to enforce integration rules so as to integrate one component with another?
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is not true in respect of Expert systems?
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which one of the following pair of items is a primary cause of signal distortion in data communications?
What makes Rapid prototyping technique portable?
Which of the following is NOT TRUE with regard to network reliability enhancement:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
Which of the following statistical selection technique is least desirable for use by the IS auditor.
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
Which of the following statistical selection technique is least desirable for use by the IS auditor.
Each of the following is a general control concern EXCEPT:
A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre audit planning i
Before disposing of the PC used for storing confidential data the most important precautionary measure to be taken is
The unauthorised use of data files can be best prevented by using
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the plan provides for an alternate site
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Which phase of SDLC uses "Program slicing" technique?
For consideration of outsourcing of computer operations which is the factor that would LEAST indicate the same.
Which one of the following is NOT true relating to the use of fiber optics:
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
The following statement is true about a mandatory access control policy?
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
Which of the following physical access control devices would be most effective for a high security installation?
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
The following statement about controls over computer operators is true:
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which of the following functions SHOULD NOT BE combined with Systems Analyst
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is NOT TRUE with regard to network reliability enhancement:
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
The application run manual would normally comprise of :
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
Which of the following best describes feature of statistical sampling?
Which of the following conditions lead to increase in white noise:
In SDLC, in which phase would you perform Boundary value analysis?
Which one would be a material irregularity?
The reason for the IS auditor NOT preparing a formal audit program is :
When the account number is entered into an online banking system, the computer responds with a message that reads:
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
One of the advantages of using naming convention for access control is that
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
What is the most important factor to be considered when comparing system alternatives before making the final selection
A less formal review technique is:
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which one of the following is not an essential component of a distributed computing environment?
A public key cryptosystem uses:
To effectively implement the principle of least privilege, it is necessary to have:
A major drawback of a remote dial up network communication system is
Retention date on magnetic tape files would:
Information system crimes and abuses in comparison to those of the general category are likely to be
An on line bookseller decides to accept online payment from customers after implementing agreements with major credit
In which phase Rapid prototyping is used in Waterfall life cycle development model?
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
The class of control used to overcome problems before they acquire gigantic proportions is :
The complete information about all data in a database is found in :
The initial validation control for a credit card transaction capture application would MOST likely be to:
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following is a responsibility of computer operations department?
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
Which one of the following metrics deal with "number of entries/exits per module" ?
Conditioning of the transmission lines is LEAST effective against
Where would you handle finite state machines in SDLC?
A ring network
Computer viruses could be detected by which one of the following actions?
Which of the following Technical specifications will NOT be included in a functional
Which of the following activities should not be permitted when operators use a communications network control terminal:
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
When the results of production data files processing with a generalized audit software do not agree with the total balance
Wiretapping CANNOT easily be done without detection in
Operations audit trail rather than the accounting audit trail is likely to show
Which of the following threats, vulnerabilities, or risks do not arise in an in-house system development project?
Identify the item that is not a part of performance guarantees in software contract negotiations.
Identify the document which is LEAST effective during the acceptance test of applications software.
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
Which of the following statements about computer is correct?
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
The presence of a Quality Assurance (QA) function has an effect of the auditors function. Which of the following stateme
To which of the following resource type are the most complex action privileges assigned?
To effectively implement the principle of least privilege, it is necessary to have:
Duplication of submitting corrections to errors could be prevented by:
Of the following, the most critical component in a LAN is likely to be the:
The class of control used to overcome problems before they acquire gigantic proportions is :
The main objective of separation of duties is to ensure that:
The presence of an arbitrator in a digital signature system will prevent:
What makes Rapid prototyping technique portable?
Which of the following is FALSE with regard to a symmetric key cryptosystem?
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following statements is FALSE?
The main objective of separation of duties is to ensure that:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
The DES is an example of a:
Which would ensure that IS organizations do not take more resources for less output?
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which of the following is not a function of operations management:
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
MAC or message authentication code prevents
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
Which phase of SDLC uses 'Program slicing' technique?
Which among the following components is of PRIMARY concern for evolving a recovery plan after a communication failur
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
Each of the following is a general control concern EXCEPT:
The main difference between manual and computerized systems in so far as separation of duties is concerned is :
The duties of a Data Security Officer does NOT comprise of :
Which of the following is not true in respect of Expert systems?
Identify the cost that does NOT form part of software package installation or implementation cost?
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
When a compliance failure occurs, QA personnel should:
The following is not a desirable property of a cipher system:
The primary advantage of the list-oriented approach to authorisation is:
A detective control designed to establish the validity and appropriateness or numeric data elements, and to guard against
A PIN if stored for reference purposes, must be stored in:
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Identify the factor that is not part of an expert system architecture.
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following functions SHOULD NOT BE combined with Systems Analyst
Which of the following is not a function of the control section:
Which of the following statements is FALSE for Equipment mean-time-between-failure (MTBF)?
An example for a concurrent audit tool whose complexity is low is :
Which one of the following will be included in the application software testing phase for effective controls?
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
Control over data preparation is important because:
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log on to the office server using
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since :
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
To properly control access to accounting data held in a Database Management System, the database administrator shou
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
An Integrated Test Facility (ITF) is BEST described as:
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which of the following statements about digital signatures is NOT true?
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
A less formal review technique is:
Identify the item that is not a part of performance guarantees in software contract negotiations.
An upper CASE tool is used in :
In which phase of SDLC Desk Checking is practiced?
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
The advantage of an ISO 9001 quality system implementation is:
The least commonly used medium for local area network (LAN) environment is:
Machine maintenance engineers pose some difficult control programs because:
Select the BEST control to mitigate the risk of creation of duplicate user name and Password during sign on procedures, i
The complete information about all data in a database is found in :
Whenever there is a modification made to an existing software, which of the following testing approaches should be used?
Which of the following is NOT TRUE with regard to network reliability enhancement:
Which of the following statements is true about a mandatory access control policy?
The class of control used to monitor inputs and operation is :
The DES is an example of a:
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic
The Duties of a Database administrator does NOT comprise of :
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
Which of the following functions cannot be performed using a communications network control terminal:
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
When the results of production data files processing with a generalized audit software do not agree with the total balance
Before disposing of the PC used for storing confidential data the most important precautionary measure to be taken is
Exposure that could have been caused by the line - grabbing technique is
The following measures will protect the computer systems from virus attack EXCEPT:
Which of the following is the LEAST important in the case of backup and recovery plan?
With respect to expert systems, a heuristic is not a:
"Availability of computer time" is taken care of in which part of the Project Planning and scheduling ?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
Option A
A legacy system is a mainframe computer-based application system
User ID and password
Increased access violations
SCARF/EAM
applets damaging machines on the network by opening connections from the client machine
Multiple users use data concurrently
Transmission control protocol/Internet Protocol (TCP/IP)
performance monitoring
Quality assurance test
Requirements
whether new hardware/system software resources are needed
it is often a major cost area taking about 50% of the data processing budget
CIS can not collect data for performance monitoring purposes
Maintain backups of program and data.
route the message over alternate path if the normal path fails
Substantive tests
Special audit routines do not have to be embedded
The input and output process of data entry and reports generated.
mid-level formatting of hard disk
minimizing the high risk protocol conversion functions that the gateways perform
Presentation
User manual
Better version control
Compliance Testing
Succession planning is not provided for.
it protects messages against traffic analysis
modem
User ID and Password
Reconciliation of batch control totals
Tests of user controls
poor computer centre design
Mr. R.'s private key.
accuracy
the complaint of non-receipt of message by the receiver
check that the transaction is not invalid for that card type
It is the average length of time the hardware is functional
System A - Likelihood 10%, Losses(in$) 6 million
Recovery test
Input edit checks
Modifications to physical and facilities
Detection
Interviewing the system operator
Confidence risk
Defective switching equipment
Monitoring network activity levels
Generalised Audit Software
Monitoring database usage
Ensuring completeness of the output on processing.
Afterimages
complexity of recovery more than a physical dump
Beforeimages of the modified records have been kept in the differential file
Expert system's knowledge is represented declaratively
User friendliness
A legacy system is a mainframe computer-based application system
The Waterfall model
Vital systems
Beforeimages of the modified records have been kept in the differential file
Delay in transmission of the data
Reusable software
Waterfall model
performance monitoring
Unshielded Twisted pair
Such access authority is appropriate, if they are logged completely.
Public Key registrations
Adhering to the project schedule
Preventive
long-key cipher system
check that the transaction is not invalid for that card type
encryption
Preventive
the encryption key can be known to all communication users
Formal inspections
Library security and use of proper file labels
Trouble shooting teleprocessing problems.
Substantive tests
Selecting transaction that must pass through input program
Use of Generalized Audit software
Remote processing site after transmission to the central processing site.
Beforeimages of the modified records have been kept in the differential file
only if authorisation information specifies users can access the resource
Consider the use of access control software.
Software backup should be kept in an offsite location in a fireproof safe.
Requirements
Allocation of resources for purchase of software platforms and hardware
Build or buy
Lesser accountability and Weaker Organisational structures are the outcome of a BPR.
Data files and backup
electronic bulletin board system
Has much larger storage capacity than a floppy disk and can also access information much more quickly
remote batch processing
Physical design of a database
to alleviate conflict between stakeholders
QA personnel should have the most knowledge about the impact of national and international quality standards on the
A Power loss occurred
whether access logs are maintained of use of various system resources
Defining control, security, and audit requirements
Error detection and correction
Data Control
Rule of thumb
performance monitoring
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
Quality assurance test
Change management forms
Repeaters
resetting message queue lengths
store-and-forward capability
Pointer validation utility
Time and cost involved and resources utilised in conducting an audit.
reduce the enormity of the loss when a threat materializes
Authorising all the transactions.
Trouble shooting teleprocessing problems.
Restore infected systems with authorized versions.
Repeaters
whether new hardware/system software resources are needed
the transmission speed of actual documents increases
faulty switching gear
CIS can not collect data for performance monitoring purposes
Maintain backups of program and data.
controls the exposures from traffic analysis
A log
Meet the audit committee members to discuss the IS audit plan
Pointer validation utility
the criticality of the application
Failure to detect the recipient
White-box, code-based, logic-driven technique
Development of a project plan and defining the key areas to be reviewed is a key factor for
Interviewing concerned Corporate Management personnel.
it protects messages against traffic analysis
simplicity
User ID and Password
An output control
Integrated Test Facility
modem
Design
Cost of hardware
sender's private key
high work factor
appropriate, but all access should be logged
User friendliness
a component that signals the control unit that an operation has been performed
No, since the BCP is a personal document of the vendor.
Reasonableness test
Unauthorised program changes.
Substantive tests
Tell data processing that the inventory application has a bug in it.
controls the exposures from traffic analysis
Forging the signature
only if authorisation information specifies users can access the resource
Desired precision
Vulnerabilities of assets
To identify a control weakness and trace its effects has become harder
Decision Support System (DSS)
use of security guards can be dispensed with
Transmits transactions using sophisticated formats and file definitions
Point-of-sale system
Ring topologies are more reliable than star topologies
Before-images of the modified records have been kept in the differential file
Requirements
audit trail subsystem
Mr. R. 's private key.
Authorisation of access to data files
Check-digit verification
Audit trails are not enabled
appropriate, but all access should be logged
Increased access violations
they possess very high level of computing skills
data preparation, data capture, data input
registration of public keys
Maintenance of accurate batch registers
managing director of the organisation
SCARF/EAM
checking basic control totals
A scatter diagram
Ensuring completeness of the output on processing.
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
Interviewing the system operator
A top-down approach
Expected rate of occurrence
The vendor table will not contain current information.
Program coding standards for the organization
Monitoring network activity levels
A log
The input and output process of data entry and reports generated.
A decrease in desired audit risk
test of controls
Acquisition of a software for the purpose of controlling the security access.
Object-oriented user interfaces
Rule of thumb
Component isolation
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
end to end data encryption
attenuation amplification
faulty switching gear
short key cipher system
high work factor
User ID and passwords
The workload in the organisation is shared
to establish the authenticity of the message
improving a vendor's response time to buyer orders
Network interface card
tape header should be manually logged and checked by the operators
Distributed computing infrastructure
Program changes due to changes in rules, laws, and regulations
Identify the business objectives of the network
Check-digit verification
Uninterruptible power source
Approved
Read-only access to the database files.
Tell data processing that the inventory application has a bug in it.
it is often a major cost area taking about 50% of the data processing budget
White-box, code-based, logic-driven technique
mail the cards in an envelope that identifies the name of the issuing institution
Attribute sampling
IS personnel have always lacked ethics
assessing the strengths and limitations of the hardware to be installed and software platform to be used
All the nodes in a LAN
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Test mailbox
Develop a shareware application
Compliance Testing
detective control
audit trail subsystem
File integrity
All business problems are assured of quality solutions.
authorizations have been replaced by system software controls
Lower communication costs
performance monitoring
Disk striping
Authorisation of access to data files
Tests of user controls
Encapsulation
To identify control objectives
A data flow diagram
Establishing data ownership guidelines
Maintenance of accurate batch registers
The Web server and the Web browser
the encryption key can be known to all communication users
the senders from reneging on the contract by making their private key public and claiming that the message was forged
Authorising all the transactions.
Requirements
Requirements
Attribute sampling
Expected rate of occurrence
access logs on usage of various system resources
Retransmission of the corrupted messages
Presentation
Program source code
Testing follows debugging
Adhering to the project schedule
White-box, code-based, logic-driven technique
Defining control, security, and audit requirements
Ease to use compared with other systems.
Control Risk assessment.
Information technologies will remain unaltered.
Lower communication costs
message duplication
modem
checking basic control totals
the complaint of non-receipt of message by the receiver
Data Custodian
Integrity
determine whether a critical application system needs modification due to a recent change in the statute
Improving of business relationship with trading partners
data preparation, data capture, data input
system availability
Reviewing library controls
Troubleshooting teleprocessing problems.
message sequence number
Approved
A tree structure
Data dictionary
Exhibits the expected and actual results
more difficult as the IS personnel resent being supervised at every step
Software configuration management is established and enforced
Disaster notification to personnel
They are both based on public-key cryptography
both rollforward and rollback to be effected in case of a disaster
Cost of preventive action
Requirements
Portability guidelines
Remove possible disruption caused when going on leave for a day at a time.
Scheduling of computer resources.
File integrity
performance monitoring
Redundant switching equipment
Physical design of a database
the adoption of national and international information systems standards will increase the cost of the QA function
A Power loss occurred
Integrated Test Facility
Controlled disposal of documents
Program source code
poor computer centre design
Increased access violations
physical attributes
the senders from reneging on the contract by making their private key public and claiming that the message was forged
Time
increase line errors caused by noise
No, since the BCP is a personal document of the vendor.
Encryption of data files on the notebook computer.
Check-digit verification
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
whether to move files from one storage medium to another to reduce read/write errors
Pointer validation utility
Monitoring network activity levels
High cohesion of modules, low coupling of modules, and high modularity of programs
Be technically at par with client's technical staff
Software backup should be kept in an offsite location in a fireproof safe.
Corruption of tokens during transmission may occur
message sequence number
Reciprocal agreement
The length of time the system will satisfy the needs of the initial user
Requirements tracing
Report the errors and omissions noticed.
Lesser accountability and Weaker Organisational structures are the outcome of a BPR.
File integrity
Hierarchical structure
Data is transmitted rapidly
dispatching input to the computer room
managing director of the organisation
Such access authority is appropriate, if they are logged completely.
Develop "seamless" processes
The Waterfall model
Allocation of resources for purchase of software platforms and hardware
Such access authority is appropriate, if they are logged completely.
whether new hardware/system software resources are needed
Incorporate into hardware upgrades
Preventive
Screens and process programs
Reviewing library controls
Security card
Preventing privileged software from being installed on the mainframe.
modem
Screen layouts
Maintain backups of program and data.
Manually comparing detail transaction files used by an edit program with the program's generated error listings to determ
Software
Determining program changes are approved
Requires the usage of a Test Data Generator.
ambiguity in the resource name is avoided
Authorisation and authentication of users
complexity of recovery more than a physical dump
Both rollforward and rollbackward of transactions after a disaster is rendered easier
The Waterfall model
Component isolation
Requirements
Data is transmitted rapidly
Uninterruptible power source
to alleviate conflict between stakeholders
User ID and password
the controls that are designed to provide reasonable assurance that data received for processing have been properly aut
network interface card(NIC)
identifying who the user is
Physical layer
Component isolation
User ID and passwords
Preventive
entry via phone
User friendliness
Multiple users use data concurrently
Rule of thumb
short key cipher system
Centrally monitor the print queues for correct destinations
store electronic purchase orders of one organisation to be accessed by another organisation
it protects messages against traffic analysis
star network
to ensure compliance with international EFT standard
Expected rate of occurrence
Evaluation of potential risks from air flight paths.
The mainframe computer should be backed-up on a regular basis.
Maintain backups of program and data.
once the diskettes are checked for virus and cleaned, write protect them
Requirement errors
Isolated islands of information
User manuals
Data redundancy within files
Emulation
Uninterruptible power source
a personal development plan with respect to QA training should exist for each employee in the information systems functi
a list of users who can access the resource is associated with each resource together with each user's action privileges w
A processing control
Configuration control
high work factor
Fibre optics cable
SCARF/EAM
Control Group
dispatching input to the computer room
Library security and use of proper file labels
Preventive
Screens and process programs
whether new hardware/system software resources are needed
Transmission control protocol/Internet Protocol (TCP/IP)
Existence check
Sign-on verification security at the physical terminals.
The number of workstations that can be connected to a network
Remove possible disruption caused when going on leave for a day at a time.
Programmers forgot to indicate file retention periods
Remote processing site after transmission to the central processing site.
reduce the noise level in the transmission
Requirements
Change records for the application source code.
Preventing privileged software from being installed on the mainframe.
International data encryption algorithm (IDEA)
Retransmission of the corrupted messages
Program source code
determine whether a critical application system needs modification due to a recent change in the statute
an optical fiber line
File integrity
remote batch processing
the encryption key can be transmitted through the system over the normal communication path
two private keys
Ensuring sophisticated and state-of-the-art recovery mechanism
network interface card(NIC)
Component isolation
Error detection and correction
managing director of the organisation
Preventive
Continuous Sampling
The Business Plan of the organization
Reviewing library controls
Encryption of data files on the notebook computer.
Check-digit verification
dispatching input to the computer room
Requirements
It should be documented in writing and signed by both parties.
Special audit routines do not have to be embedded
Time and cost involved and resources utilised in conducting an audit.
Calculating the age-wise outstandings of Receivables and Payables.
Read-only access to the database files.
Ring topologies are more reliable than star topologies
the last full dump
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Developing program flow chart
Inspections
High cohesion of modules, low coupling of modules, and high modularity of programs
Build or buy
Scheduling of computer resources.
Unix platform
Interactivity
context-dependent security
Of less serious nature
The prototyping model
Commitment to quality
File management control
high work factor
check that the transaction is not invalid for that card type
It is the average length of time the hardware is functional
appropriate, but all access should be logged
only if authorisation information specifies users can access the resource
Completing the system planning document
Function-oriented techniques
At what point was the first baseline established?
Packet-switched networks
Irregularities will be eliminated
Programmers forgot to indicate file retention periods
CIS can not collect data for performance monitoring purposes
only if authorisation information specifies users can access the resource
Actively involves himself while designing and implementing the application system.
Desired audit risk
more difficult as the IS personnel resent being supervised at every step
Logging of all transactions
Corrective controls
Installation of a security control software
modulation technique
Test mailbox
Requirements tracing
getting concentrated more in a single location
the transmission speed of actual documents increases
modem
the complaint of non-receipt of message by the receiver
Controlled disposal of documents
Input edit checks
File management control
they possess very high level of computing skills
the SDLC method is chosen
User ID and Password
User friendliness
Requirements metrics
operating system will identify an inaccuracy
Sudden change in weather and temperature
Incorporate into hardware upgrades
Open purchase orders
whether new hardware/system software resources are needed
Software quality assurance management
Code Correction
Lower communication costs
determine the business purpose of the network
Remove possible disruption caused when going on leave for a day at a time.
Selecting transaction that must pass through input program
Read-only access to the database files.
mail the cards in an envelope that identifies the name of the issuing institution
Technological complexity
A tree structure
Exhibits the expected and actual results
Time and cost involved and resources utilised in conducting an audit.
Whether deleted files on the hard disk have been completely erased.
Encryption protect data in transit from unauthorised interception and manipulation
a power loss
Succession planning is not provided for.
Service management
An output control
User-directed policy
Knowledge base
Allocation of resources for purchase of software platforms and hardware
to make the customer liable if the careless use of a card leads to a fraud
entry via phone
To test a new idea
Maintenance of accurate batch registers
appropriate, but all access should be logged
Adhering to the project schedule
system availability
increase line errors caused by noise
Full-scale projects
Authorising all the transactions.
Unshielded Twisted pair
store electronic purchase orders of one organisation to be accessed by another organisation
release of message contents
Systems and procedure manuals of the user department.
Programmers forgot to indicate file retention periods
multiple transmission speeds
White-box, code-based, logic-driven technique
Substantive tests
In sharing of resources, ownership is difficult to be established.
Transmits transactions using sophisticated formats and file definitions
In ring topology, nodes are connected on a point to point basis whereas it is a multipoint connection in a bus network
Reverse engineering
Recovery test
The prototyping model
Database schema
remote batch processing
a list of users who can access the resource is associated with each resource together with each user's action privileges w
Integrity
sender's private key
physical attributes
Waterfall model
Recovery test
The Business Plan of the organization
improving a vendor's response time to buyer orders
performance monitoring
DNA
Data Control
optical fibre transmission
Monitoring network activity levels
it is often a major cost area taking about 50% of the data processing budget
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
attenuation amplification
Confidence risk
System design
The IS auditor's test results
Improvement of an organisation's efficiency and communication can be achieved through a restrictive separation of duties
Logging of data input
Remove possible disruption caused when going on leave for a day at a time.
Performance review of the system department.
Lower communication costs
File integrity
the adoption of national and international information systems standards will increase the cost of the QA function
the recommendation that QA personnel make should be backed up by concrete facts
it is not possible for users to change their classification level, though they can change their clearance levels
Reconciliation of batch control totals
Tests of user controls
substitution cipher
hardware
Test of evidence of physical access at suspected locations
absence of logging of attempted sign-on
Proximity sensing card reader
Supervisory Control
Knowledge base
Allocation of resources for purchase of software platforms and hardware
Requirements
Modifications to physical and facilities
Product portability
Fibre optics cable
A data flow diagram
The Business Plan of the organization
Reduction in development costs
checking basic control totals
high work factor
Cross referencer
Disk striping
Unshielded Twisted pair
optical fibre transmission
message duplication
it protects messages against traffic analysis
only if authorisation information specifies users can access the resource
Systematic sampling selection technique
To structure the IS auditor's own planning.
Passwords may be changed by the user at his discretion and users at their discretion need not even change the initial pa
Requirements Definition
Conversion
There is a delay of more than 36 months in application development.
Service management
substitution cipher
the recommendation that QA personnel make should be backed up by concrete facts
high levels of interpersonal conflict often arise among QA personnel
Cable Modems
firewall architecture hides the internal network
Inform the top management of the complexities and risks in doing so.
File management control
minimise the distance that data control personnel must travel to deliver data and reports
Data redundancy within files
SCARF/EAM
only through authorized procedures, user creation and privileges are granted
Hierarchical structure
Data is transmitted rapidly
The Business Plan of the organization
No, since the BCP is a personal document of the vendor.
Restore infected systems with authorized versions.
Lower communication costs
modem
it protects messages against traffic analysis
Requirements metrics
star network
Data dictionary
Satellite signals are not easily affected by other electronic transmissions.
All the nodes in a LAN
the contents of the log file
Physical access controls
Program source code
Inspections
Rule of thumb
Documentation of activities is the main focus of the standard.
Report the errors and omissions noticed.
User manuals
whether to move files from one storage medium to another to reduce read/write errors
Redundant switching equipment
The Waterfall model
Preventive
Improving of business relationship with trading partners
Notebook computers usually cost more than Personal Computers but less than mainframes
Requirements
Program source code
Better version control
Change records for the application source code.
Logging of data input
Packet-switched networks
Centrally monitor the print queues for correct destinations
Requirements
Acquisition of a software for the purpose of controlling the security access.
Special audit routines do not have to be embedded
insertion of a spurious message
Program coding standards for the organization
Exhibits the expected and actual results
Daily scanning of the entire file server and moving to a safer area all the doubtful files
Passwords are allowed to be shared
All applications designed by the IS Manager
Corruption of tokens during transmission may occur
Delay in transmission of the data
It meets the needs of the organization
Inspections
High cohesion of modules, low coupling of modules, and high modularity of programs
User friendliness
Providing a little indication of segregation of duties.
the firm would be dependent on others for system maintenance
resetting message queue lengths
Fiber optics cable
Isolated islands of information
receiver's private key
operating system will identify an inaccuracy
it is often a major cost area taking about 50% of the data processing budget
Physical layer
A scatter diagram
Change records for the application source code.
Controlled disposal of documents
Reasonableness test
verifying input authorisation
A log
File access capabilities
Data dictionary
To structure the IS auditor's own planning.
Organisational controls
the overall security philosophy of the organisation
ensuring compulsory scanning of all floppy disks before use
Be technically at par with client's technical staff
Understanding of business risks by interviewing management's key personnel.
Change records for the application source code.
Security card
Complete details of the IPF floor plans
Hot sites can be used for an extended amount of time.
Better version control
Integrity
Scheduling of computer resources.
Lower communication costs
the firm would be dependent on others for system maintenance
remote batch processing
performance monitoring
checking basic control totals
short key cipher system
Disk striping
Organisation control
Modules should perform only one principal function
they possess very high level of computing skills
the SDLC method is chosen
high work factor
the encryption key can be known to all communication users
Requirements metrics
Preventive
Continuous Sampling
simplicity
Pointer validation utility
Read-only access to the database files.
Control access to information system resources.
minimizing the high risk protocol conversion functions that the gateways perform
Increased workloads
Special audit routines do not have to be embedded
Confirmation of data with outside sources
The input and output process of data entry and reports generated.
Calculating the age-wise outstandings of Receivables and Payables.
Whether deleted files on the hard disk have been completely erased.
mid-level formatting of hard disk
once the diskettes are checked for virus and cleaned, write protect them
the contents of the log file
modulation technique
minimizing the high risk protocol conversion functions that the gateways perform
Defining control, security, and audit requirements
Computer Operator and Quality Assurance are combined.
Packet-switched networks
high work factor
entry via phone
Restrict updating and read access to one position
analysing system degradation
Hierarchical structure
Incorporate into hardware upgrades
substitution cipher
Continuous Sampling
Ensuring sophisticated and state-of-the-art recovery mechanism
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forget their PIN
Library security and use of proper file labels
Reviewing library controls
Inappropriate
The terminal used to make the attempt
it is often a major cost area taking about 50% of the data processing budget
Lower communication costs
Read-only access to the database files.
Tell data processing that the inventory application has a bug in it.
the last full dump
both rollforward and rollback to be effected in case of a disaster
Increased workloads
Requirements
Good amount of programming skills in the required software.
IS personnel have always lacked ethics
International data encryption algorithm (IDEA)
Should be located near to the originating site so that it can quickly be made operational
Debugging tool
Allocation of resources for purchase of software platforms and hardware
Requirements
Control Risk assessment.
Database schema
Emulation
Proximity sensing card reader
Design
Cut power to data processing equipment.
The Waterfall model
sender's private key
to make the customer liable if the careless use of a card leads to a fraud
Database schema
it is easy to remember
Evaluation of potential risks from air flight paths.
Library security and use of proper file labels
the SDLC method is chosen
mail the cards in an envelope that identifies the name of the issuing institution
Redundant switching equipment
Monitoring database usage
dispatching input to the computer room
insertion of a spurious message
Interviewing the system operator
there is a difference in the internal control principles
Evaluation of potential risks from air flight paths.
The mainframe computer should be backed-up on a regular basis.
Tell data processing that the inventory application has a bug in it.
Organisational controls
Complete details of the IPF floor plans
Both rollforward and rollbackward of transactions after a disaster is rendered easier
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Personnel turnover
Conversion
Report the errors and omissions noticed.
the complaint of non-receipt of message by the receiver
Organisation control
Proximity sensing card reader
A legacy system is a mainframe computer-based application system
Supervisory Control
Build or buy
Identification and authentication
data preparation, data capture, data input
It is the average length of time the hardware is functional
Systems analysis and design
Preventive
Integrity
encrypt the message with the sender's public key, and sign the message with the receiver's private key
Check-digit verification
whether to move files from one storage medium to another to reduce read/write errors
determine the business purpose of the network
Requirements metrics
Read-only access to the database files.
route the message over alternate path if the normal path fails
Substantive tests
Desired precision
the criticality of the application
Adequately supporting the business objectives of the organisation.
Use of Generalized Audit software
the overall security philosophy of the organisation
Right only to read data
Defective switching equipment
Attenuation
Requirements
The Waterfall model
All business problems are assured of quality solutions.
attenuation amplification
Duplicate processing of transactions
identifying who the user is
in transit to the computer
Preventive
formulated by the person who develops the application system for the microcomputers
Hydrometer
Cumulative effects for the year is tested.
Time
Transmission control protocol/Internet Protocol (TCP/IP)
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Identification and authentication
system availability
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
increase line errors caused by noise
Logging of data input
Unix platform
Reconciling accounts
CIS can not collect data for performance monitoring purposes
messages getting changed by hackers
message sequence number
both rollforward and rollback to be effected in case of a disaster
Programmers forgot to indicate file retention periods
To structure the IS auditor's own planning.
Encryption
International data encryption algorithm (IDEA)
Flooding the network with spurious messages
ROI
Requirements phase
Modules should perform only one principal function
Input, Output and arithmetic-logic
Appropriate, but all access should be logged.
in transit to the computer
Reconciliation of batch control totals
absence of logging of attempted sign-on
Proximity sensing card reader
Knowledge base
Error detection and correction
Preventive
Matching user ID and name with password
it is not possible for users to change their classification level, though they can change their clearance levels
Whether statutory regulations are complied with.
The prototyping model
Better version control
Have a sufficient quantity of data for each test case
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Security card
The number of workstations that can be connected to a network
optical fibre transmission
Technological complexity
A decrease in desired audit risk
Troubleshooting teleprocessing problems.
The terminal used to make the attempt
Complete details of the IPF floor plans
International data encryption algorithm (IDEA)
Use of dedicated network
transmission by radio frequency
Functional testing
Rule of thumb
Documentation of activities is the main focus of the standard.
Performance review of the system department.
the firm would be dependent on others for system maintenance
Multiple users use data concurrently
Interactivity
User ID and passwords
Duplicate processing of transactions
Preventive
formulated by the person who develops the application system for the microcomputers
The workload in the organisation is shared
managing director of the organisation
Waterfall model
Repeaters
Requirements metrics
Notebook computers usually cost more than Personal Computers but less than mainframes
Integration test, unit test, systems test, acceptance test
Monitoring network activity levels
Requirements
Compliance Testing
Statistical sampling
an optical fiber line
Programmers forgot to indicate file retention periods
Substantive tests
Pointer validation utility
Software configuration management is established and enforced
The terminal used to make the attempt
An integrated test facility.
Preventive control
Ensure that the alternate site could process all the critical applications.
Data fault
Security card
only through authorized procedures, user creation and privileges are granted
once the diskettes are checked for virus and cleaned, write protect them
Forcing frequent changes of password by the user
Transmits transactions using sophisticated formats and file definitions
Cost of hardware
Defining control, security, and audit requirements
absence of logging of attempted sign-on
Proximity sensing card reader
Cable Modems
The prototype becomes the finished system
Recovery test
receiver's private key
compromise of a key server's private key
Establishing data ownership guidelines
message modification
Standard software packages
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Maintenance of accurate batch registers
the encryption key can be transmitted through the system over the normal communication path
short key cipher system
Compliance Testing
Systems and procedure manuals of the user department.
it is often a major cost area taking about 50% of the data processing budget
Programmers forgot to indicate file retention periods
Technological complexity
Desired precision
Control Self Assessment assurance received on the working of the application from a line management personnel.
Improvement of an organisation's efficiency and communication can be achieved through a restrictive separation of duties
Software configuration management is established and enforced
controls the exposures from traffic analysis
User directed policy
detective control
hardware components
failing to control concurrent access to data
Library security and use of proper file labels
simplicity
it introduces run-time efficiency
allow the customer to make a small number of PIN entry attempts, close the account after the limit has been reached, an
Check-digit verification
failing to control concurrent access to data
the encryption key can be known to all communication users
Systems analysis and design
Standard software packages
Number of defects per thousand lines of code
Reviewing library controls
Adequately supporting the business objectives of the organisation.
Restore infected systems with authorized versions.
it protects messages against traffic analysis
performance monitoring
Screen layouts
Active data dictionary system
Tell data processing that the inventory application has a bug in it.
Presentation
Monitoring network activity levels
Have a sufficient quantity of data for each test case
Desired precision
International data encryption algorithm (IDEA)
route the message over alternate path if the normal path fails
Cost of preventive action
Design
The prototyping model
Allocation of resources for purchase of software platforms and hardware
Control Risk assessment.
the encryption key can be transmitted through the system over the normal communication path
it is often a major cost area taking about 50% of the data processing budget
notify external auditors because it may affect the audit plan
Public Key registrations
Private key cryptosystem.
Batch output is more detailed than online output.
User ID and passwords
all data can still be reconstructed even if one drive fails
To identify control objectives
receiver's private key
whether new hardware/system software resources are needed
they possess very high level of computing skills
Program source code
data preparation, data capture, data input
DNA
Function-oriented techniques
At what point was the first baseline established?
Preventing privileged software from being installed on the mainframe.
Detection
whether new hardware/system software resources are needed
resetting message queue lengths
Lower communication costs
end to end data encryption
the transmission speed of actual documents increases
Monitoring whether security of data is adequate and effective.
faulty switching gear
Beforeimages of the modified records have been kept in the differential file
Software configuration management is established and enforced
International data encryption algorithm (IDEA)
Functional testing
The length of time the system will satisfy the needs of the initial user
Recovery test
Waterfall model
Database administrator.
Emulation
absence of logging of attempted sign-on
Integrity
Encryption of all transactions
Requirements
formulated by the person who develops the application system for the microcomputers
Systems Analyst
tape header should be manually logged and checked by the operators
all data can still be reconstructed even if one drive fails
The Business Plan of the organization
Quality assurance test
Ensuring completeness of the output on processing.
message duplication
electronic bulletin board system
Ring topologies are more reliable than star topologies
Approved
The latter tests details while the former tests procedures.
ensuring that access is given in accordance with the organisation's authorities
complete details about the computer hardware and software used
Right only to read data
Approval of the plan by Board of Directors.
the timely and efficient delivery of information by the EDP department
Should be located near to the originating site so that it can quickly be made operational
Ring topologies are more reliable than star topologies
User friendliness
RDBMS technology
Portability guidelines
Database administrator.
the encryption key can be known to all communication users
two private keys
Test of evidence of physical access at suspected locations
Unauthorized modification of pay roll cheque printing program to inflate the amount for the perpetrator.
Physical layer
Error detection and correction
forced change of password after every day
Systems Analyst
Multiple users use data concurrently
The workload in the organisation is shared
Recovery test
Integrity
Better version control
a component that signals the control unit that an operation has been performed
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
A scatter diagram
Change management forms
Output of the payroll journal's audit trail.
Check-digit verification
store electronic purchase orders of one organisation to be accessed by another organisation
Substantive tests
Systems and procedure manuals of the user department.
Requirements metrics
a power loss
It should be documented in writing and signed by both parties.
errors identified during the input validation phase are corrected
A tree structure
A decrease in desired audit risk
No, since the BCP is a personal document of the vendor.
Corrective controls
A legacy system is a mainframe computer-based application system
store electronic purchase orders of one organisation to be accessed by another organisation
minimise the distance that data control personnel must travel to deliver data and reports
Tests of user controls
Defining control, security, and audit requirements
User ID and password
Cost of hardware
File management control
Adhering to the project schedule
Increased access violations
Data redundancy within files
Requirements
substitution cipher
appropriate, but all access should be logged
The workload in the organisation is shared
Network interface card
physical attributes
Quality assurance test
Full-scale projects
verifying input authorisation
Control access to information system resources.
Monitoring network activity levels
to ensure compliance with international EFT standard
Properly define the population
Programmers forgot to indicate file retention periods
Selecting unusual data as per the auditor's choice.
Consider the use of access control software.
Installation of a security control software
optical fibre transmission
the last full dump
Inspections
Milestones
Cost of hardware
Develop "seamless" processes
Isolated islands of information
Report the errors and omissions noticed.
passwords cannot be included in the packet
User ID and Password
Input edit checks
Defining control, security, and audit requirements
they possess very high level of computing skills
Identification and authentication
Identify the business objectives of the network
multiplexor
Expert system's knowledge is represented declaratively
A scatter diagram
Function-oriented techniques
Technical issues
modulation technique
verifying input authorisation
higher cost per transaction
Reconciling accounts
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Daily scanning of the entire file server and moving to a safer area all the doubtful files
test of controls
Read-only access to the database files.
controls for validating data
once the diskettes are checked for virus and cleaned, write protect them
Complete details of the IPF floor plans
Disaster notification to personnel
Delay in transmission of the data
Design
Succession planning is not provided for.
release of message contents
the extent of substantive testing to be carried out by the auditors can be decreased substantially when QA function is wor
hardware
After errors have been corrected, the error reports should be discarded
Sign-on verification security at the physical terminals.
Ensuring sophisticated and state-of-the-art recovery mechanism
User-directed policy
Ensure correct programming of operating system functions
Component isolation
Error detection and correction
they possess very high level of computing skills
LAN cables
The prototype becomes the finished system
Privilege based on the time and day
Such access authority is appropriate, if they are logged completely.
multiplexor
Milestones
high work factor
Unit testing
both rollforward and rollback to be effected in case of a disaster
Selecting transaction that must pass through input program
Continuity of service by the agency in case of a happening of a disaster.
Trouble shooting teleprocessing problems.
ensuring that access is given in accordance with the organisation's authorities
Should be located near to the originating site so that it can quickly be made operational
ROI
Compliance Testing
Scheduling of computer resources.
Decentralised controls over the selection and acquisition of hardware and software is a major concern
dispatching input to the computer room
Fiber optics cable
high work factor
Tests of user controls
context-dependent security
Users have almost a blind faith that any output generated by a computer has to be correct
User ID and password
File management control
The workload in the organisation is shared
A data flow diagram
Establishing data ownership guidelines
The private key of the sender
Unshielded Twisted pair
Establishing data ownership guidelines
Program source code
checking basic control totals
only if authorisation information specifies users can access the resource
Change management forms
The system development environment
Restore infected systems with authorized versions.
Reconciling accounts
test of controls
more difficult as the IS personnel resent being supervised at every step
Software configuration management is established and enforced
Control access to information system resources.
the machine should have a compatible operating system
Defective switching equipment
User directed policy
Requirement errors
User friendliness
Develop "seamless" processes
The length of time the system will satisfy the needs of the initial user
Terms of payment
detective control
multiplexing technique
a ticket oriented approach to authorisation
User ID and password
Public Key registrations
File management control
preserving data integrity
Continuous Sampling
Data redundancy within files
applets damaging machines on the network by opening connections from the client machine
the recipient uses his/her private key to decrypt the secret key.
Integrated services digital network (ISDN) and broadband ISDN
Program source code
Data Control
only if authorisation information specifies users can access the resource
It is the average length of time the hardware is functional
Integration test, unit test, systems test, acceptance test
Reviewing library controls
Authorising all the transactions.
Duplicate processing of transactions
Sign-on verification security at the physical terminals.
Software configuration management is established and enforced
Service management
an optical fiber line
Has much larger storage capacity than a floppy disk and can also access information much more quickly
To identify a control weakness and trace its effects has become harder
Read-only access to the database files.
messages getting changed by hackers
Modules should perform only one principal function
Scheduling of computer resources.
Requirement of more user involvement in communicating user needs.
determine the business purpose of the network
whether new hardware/system software resources are needed
the controls that are designed to provide reasonable assurance that data received for processing have been properly aut
Appropriate, but all access should be logged.
Enable files with the same generation number to be distinguished
preserving data integrity
Preventive
registration of public keys
compromise of a key server's private key
Expert system's knowledge is represented declaratively
Function-oriented techniques
Controlled disposal of documents
A format check
Requirements
Systems and procedure manuals of the user department.
Selecting transaction that must pass through input program
The vendor table will not contain current information.
controls the exposures from traffic analysis
minimizing the high risk protocol conversion functions that the gateways perform
Afterimages
A tree structure
Logging of data input
RAMA
It should be documented in writing and signed by both parties.
Discussing with the management the corrective procedures that were implemented to strengthen the internal controls.
Continuity of service by the agency in case of a happening of a disaster.
The terminal used to make the attempt
Virus
Vital systems
Point-of-sale system
Corruption of tokens during transmission may occur
the last full dump
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
It meets the needs of the organization
Functional testing
Modules should perform only one principal function
Better version control
Database administrator.
whether new hardware/system software resources are needed
high levels of interpersonal conflict often arise among QA personnel
SCARF/EAM
whether access logs are maintained of use of various system resources
Conversion
Increased access violations
they possess very high level of computing skills
segregation of operator duties is not a very effective control
Software configuration management is established and enforced
The terminal used to make the attempt
Asynchronous communication
Lower communication costs
Acquisition of a software for the purpose of controlling the security access.
multiple transmission speeds
controls the exposures from traffic analysis
Interviewing the system operator
Confirmation of data with outside sources
To identify a control weakness and trace its effects has become harder
Trouble shooting teleprocessing problems.
Centrally monitor the print queues for correct destinations
Use of Generalized Audit software
controls for validating data
the timely and efficient delivery of information by the EDP department
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Beforeimages of the modified records have been kept in the differential file
It meets the needs of the organization
Requirements
hardware components
Unix platform
Fiber optics cable
User ID and passwords
context-dependent security
Processing time saved is substantial.
Program source code
File management control
Allocation of resources for purchase of software platforms and hardware
accuracy
Product portability
The workload in the organisation is shared
operating system will identify an inaccuracy
DNA
forced change of password after every day
The mainframe computer should be backed-up on a regular basis.
resetting message queue lengths
appropriate, but all access should be logged
Change records for the application source code.
The terminal used to make the attempt
Requirements
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
Irregularities will be eliminated
CIS can not collect data for performance monitoring purposes
only if authorisation information specifies users can access the resource
A log
The latter tests details while the former tests procedures.
reduce the enormity of the loss when a threat materializes
Software configuration management is established and enforced
modulation technique
Delay in transmission of the data
Modules should perform only one principal function
Conversion
electronic bulletin board system
a component that signals the control unit that an operation has been performed
whether new hardware/system software resources are needed
long-key cipher system
Reconciliation of batch control totals
Program source code
Identification and authentication
Better version control
preventive
Database schema
Whether statutory regulations are complied with.
parallel simulation technique
The workload in the organisation is shared
Distributed computing infrastructure
DNA
increase line errors caused by noise
Unit testing
Systems and procedure manuals of the user department.
A tree structure
Attribute sampling
Corruption of tokens during transmission may occur
a power loss
checking basic control totals
A log
The IS auditor's test results
Continuity of service by the agency in case of a happening of a disaster.
An integrated test facility.
IP address
the machine should have a compatible operating system
Bus topology network
Requirement errors
becoming redundant as the validations and authorizations are more and more online and real time based
store electronic purchase orders of one organisation to be accessed by another organisation
Appropriate, but all access should be logged.
Enable files with the same generation number to be distinguished
Cost of hardware
Approved
File access capabilities
Special audit routines do not have to be embedded
Change records for the application source code.
Code Correction
Existence check
an alternative source of power
Use of dedicated network
audit trail subsystem
Reconciliation of batch control totals
Restrict updating and read access to one position
network interface card(NIC)
User ID and passwords
LAN cables
to make the customer liable if the careless use of a card leads to a fraud,
Isolated islands of information
User friendliness
whether new hardware/system software resources are needed
Requirements metrics
Data is transmitted rapidly
Transmission control protocol/Internet Protocol (TCP/IP)
Establishing data ownership guidelines
the SDLC method is chosen
Recovery test
the encryption key can be known to all communication users
Data dictionary
Control access to information system resources.
controls the exposures from traffic analysis
insertion of a spurious message
mail the cards in an envelope that identifies the name of the issuing institution
The sample size decreases as the precision amount decreases.
Actively involves himself while designing and implementing the application system.
Ensuring completeness of the output on processing.
Tell data processing that the inventory application has a bug in it.
Corrective controls
All the nodes in a LAN
Compliance Testing
Report the errors and omissions noticed.
Interviewing concerned Corporate Management personnel.
has all computers linked to a host computer, and each linked computer routes all data through the host computer
Data Custodian
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
Identify the business objectives of the network
User ID and Password
analysing system degradation
The private key of the sender
it is not possible for users to change their classification level, though they can change their clearance levels
Integrated services digital network (ISDN) and broadband ISDN
Redundant switching equipment
DNA
Number of defects per thousand lines of code
Redundant switching equipment
Lower communication costs
A log
Flooding the network with spurious messages
Tell data processing that the inventory application has a bug in it.
Monitoring network activity levels
Have a sufficient quantity of data for each test case
reduce the enormity of the loss when a threat materializes
test of controls
Consider the use of access control software.
Interviewing all data entry operators about the method of input entry adopted
the contents of the log file
optical fibre transmission
Adhering to the project schedule
The Business Plan of the organization
the SDLC method is chosen
Build or buy
the transmission speed of actual documents increases
the encryption key can be transmitted through the system over the normal communication path
Redundant switching equipment
Cost of hardware
physical attributes
the SDLC method is chosen
Data redundancy within files
Hierarchical structure
encrypt the message with the sender's public key, and sign the message with the receiver's private key
short key cipher system
Ensuring completeness of the output on processing.
Active data dictionary system
Maintain backups of program and data.
reduce the noise level in the transmission
it is often a major cost area taking about 50% of the data processing budget
errors identified during the input validation phase are corrected
Vulnerabilities of assets
IS personnel have always lacked ethics
Preventing privileged software from being installed on the mainframe.
Tell data processing that the inventory application has a bug in it.
Remote processing site after transmission to the central processing site.
All applications designed by the IS Manager
Beforeimages of the modified records have been kept in the differential file
Test mailbox
Develop a shareware application
Compliance Testing
Access to system program libraries.
Lower communication costs
the encryption key can be known to all communication users
whether to move files from one storage medium to another to reduce read/write errors
User ID and password
Tests of user controls
A format check
Mr. R.'s private key.
high work factor
Privilege based on the time and day
system availability
Requirements metrics
Network interface card
parallel simulation technique
increase line errors caused by noise
Completing the system planning document
Requirements metrics
Requirements and analysis
Change records for the application source code.
Controlled disposal of documents
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Service management
It allows the auditors to have the same degree of confidence as with judgement sampling
Both rollforward and rollbackward of transactions after a disaster is rendered easier
Beforeimages of the modified records have been kept in the differential file
Technological complexity
Daily scanning of the entire file server and moving to a safer area all the doubtful files
complete details about the computer hardware and software used
They are both based on public-key cryptography
reduce the noise level in the transmission
Presentation
audit trail subsystem
has all computers linked to a host computer, and each linked computer routes all data through the host computer
electronic bulletin board system
resetting message queue lengths
whether to move files from one storage medium to another to reduce read/write errors
Unix platform
long-key cipher system
it introduces run-time efficiency
User ID and Password
A processing control
Design
Allocation of resources for purchase of software platforms and hardware
they possess very high level of computing skills
Database schema
To test a new idea
receiver's private key
Library security and use of proper file labels
DNA
Preventive
Repeaters
It allows the auditors to have the same degree of confidence as with judgement sampling
Data dictionary
route the message over alternate path if the normal path fails
The input and output process of data entry and reports generated.
The sample size decreases as the precision amount decreases.
To structure the IS auditor's own planning.
the anticipated loss from the failure of the system to meet its functional, efficiency and effectiveness objectives
more difficult as the IS personnel resent being supervised at every step
access logs on usage of various system resources
Preventive control
Approval of the plan by Board of Directors.
International data encryption algorithm (IDEA)
Hot sites can be used for an extended amount of time.
Have a sufficient quantity of data for each test case
The prototyping model
Requirement of more user involvement in communicating user needs.
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
User manuals
minimise the distance that data control personnel must travel to deliver data and reports
Proximity sensing card reader
duplicate circuitry, echo checks, tape file protection and internal header labels
Preventive
SCARF/EAM
Check-digit verification
Component isolation
Allocation of resources for purchase of software platforms and hardware
Modifications to physical and facilities
Database schema
resetting message queue lengths
the encryption and decryption process is fast
it is not possible for users to change their classification level, though they can change their clearance levels
message modification
appropriate, but all access should be logged
Whether statutory regulations are complied with.
Cost of hardware
a component that signals the control unit that an operation has been performed
Modifications to physical and facilities
Lower communication costs
Substantive tests
Pointer validation utility
Manually comparing detail transaction files used by an edit program with the program's generated error listings to determ
The IS auditor's test results
Requires the usage of a Test Data Generator.
Decision Support System (DSS)
Check digits
Frequency of the backup
insertion of a spurious message
message sequence number
User manual
User friendliness
Develop "seamless" processes
Defining control, security, and audit requirements
Interviewing concerned Corporate Management personnel.
notify external auditors because it may affect the audit plan
parallel simulation technique
Unit testing
Establishing data ownership guidelines
Systems analysis and design
Milestones
whether new hardware/system software resources are needed
Input edit checks
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
Identify the business objectives of the network
Restore infected systems with authorized versions.
optical fibre transmission
Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
store-and-forward capability
Determining program changes are approved
Generalised Audit Software
To identify a control weakness and trace its effects has become harder
Read-only access to the database files.
excessive usage of the hard disk space
the overall security philosophy of the organisation
Forcing frequent changes of password by the user
modulation technique
Reusable software
The prototyping model
Waterfall model
Compliance Testing
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
reduce the noise level in the transmission
multiple transmission speeds
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Cost of hardware
the encryption key can be known to all communication users
short key cipher system
context-dependent security
Check-digit verification
firewall architecture hides the internal network
Conversion
Modules should perform only one principal function
The prototype becomes the finished system
Preventive
a component that signals the control unit that an operation has been performed
A scatter diagram
Technical issues
At what point was the first baseline established?
Network control programs
Trouble shooting teleprocessing problems.
Encryption of data files on the notebook computer.
Controlled disposal of documents
whether new hardware/system software resources are needed
the encryption key can be known to all communication users
message duplication
Monitoring network activity levels
Authorising all the transactions.
Preventive control
Reverse engineering
Personnel turnover
Inspections
RDBMS technology
the firm would be dependent on others for system maintenance
Input, Output and arithmetic-logic
Scheduling of documents
Packet-switched networks
managing director of the organisation
a personal development plan with respect to QA training should exist for each employee in the information systems functi
Modem equalisation
context-dependent security
Of less serious nature
Integrity
poor computer centre design
accuracy
Data redundancy within files
It is the average length of time the hardware is functional
Screens and process programs
Build or buy
modem
a component that signals the control unit that an operation has been performed
data preparation, data capture, data input
Input edit checks
Network interface card
Completing the system planning document
Unit testing
checking basic control totals
message duplication
separation of duties is essential in manual systems whereas in-built checks and balances take care in computerized syste
Trouble shooting teleprocessing problems.
Centrally monitor the print queues for correct destinations
Security card
Transmits transactions using sophisticated formats and file definitions
Delay in transmission of the data
Reverse engineering
Rule of thumb
becoming redundant as the validations and authorizations are more and more online and real time based
Decentralised controls over the selection and acquisition of hardware and software is a major concern
compiling
QA personnel should have the most knowledge about the impact of national and international quality standards on their o
Mr. R.'s private key.
Security administrator
duplicate circuitry, echo checks, tape file protection and internal header labels
Waterfall model
only through authorized procedures, user creation and privileges are granted
A data flow diagram
Hydrometer
Expert system's knowledge is represented declaratively
Evaluation of potential risks from air flight paths.
Sudden change in weather and temperature
User friendliness
Redundant switching equipment
Centrally monitor the print queues for correct destinations
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
Systematic sampling selection technique
Active data dictionary system
Remote processing site after transmission to the central processing site.
Systematic sampling selection technique
Security policy
Understanding of business risks by interviewing management's key personnel.
mid-level formatting of hard disk
hardware lock
Ensure that the alternate site could process all the critical applications.
multiple transmission speeds
Requirements
There is a delay of more than 36 months in application development.
Data is transmitted rapidly
modem
it is not possible for users to change their classification level, though they can change their clearance levels
Tests of user controls
Proximity sensing card reader
Cable Modems
Ensuring sophisticated and state-of-the-art recovery mechanism
segregation of operator duties is not a very effective control
applets damaging machines on the network by opening connections from the client machine
Control Group
Hydrometer
Redundant switching equipment
Build or buy
sender's private key
Change records for the application source code.
Uninterruptible power source
Interviewing the system operator
It allows the auditors to have the same degree of confidence as with judgement sampling
faulty switching gear
Requirements
Programmers forgot to indicate file retention periods
To structure the IS auditor's own planning.
Existence check
Whether deleted files on the hard disk have been completely erased.
Security card
ambiguity in the resource name is avoided
Beforeimages of the modified records have been kept in the differential file
ROI
Inspections
higher cost per transaction
Unix platform
two private keys
a ticket oriented approach to authorisation
absence of logging of attempted sign-on
Enable files with the same generation number to be distinguished
Of less serious nature
firewall architecture hides the internal network
Requirements
Modifications to physical and facilities
Preventive
Database schema
check that the transaction is not invalid for that card type
Identify the business objectives of the network
data preparation, data capture, data input
analysing system degradation
a component that signals the control unit that an operation has been performed
Knowledge base
Improving of business relationship with trading partners
receiver's private key
Control Group
dispatching input to the computer room
It is the average length of time the hardware is functional
SCARF/EAM
Test cases, test documentation
The number of workstations that can be connected to a network
Unshielded Twisted pair
it is often a major cost area taking about 50% of the data processing budget
end to end data encryption
modem
In sharing of resources, ownership is difficult to be established.
Data dictionary
Read-only access to the database files.
Interviewing the system operator
Tagging and extending master records.
Evaluation of potential risks from air flight paths.
It prevents non-repudiation by the receiver
Cost of preventive action
Inspections
Terms of payment
Design
Requirements
Ease to use compared with other systems.
All business problems are assured of quality solutions.
Fiber optics cable
they possess very high level of computing skills
security policy should be modified
Database schema
Unit testing
Redundant switching equipment
it is not possible for users to change their classification level, though they can change their clearance levels
Preventive
short key cipher system
Change management forms
Requirements
Monitoring database usage
Integrated Test Facility
resetting message queue lengths
Presentation
both rollforward and rollback to be effected in case of a disaster
The input and output process of data entry and reports generated.
A decrease in desired audit risk
Whether deleted files on the hard disk have been completely erased.
Tell data processing that the inventory application has a bug in it.
mid-level formatting of hard disk
excessive usage of the hard disk space
once the diskettes are checked for virus and cleaned, write protect them
Frequency of the backup
Rule of thumb
Milestones
Build or buy
store electronic purchase orders of one organisation to be accessed by another organisation
Calculating the age-wise outstandings of Receivables and Payables.
Approval of the plan by Board of Directors.
Point-of-sale system
Inspections
White-box, code-based, logic-driven technique
Build or buy
the encryption key can be known to all communication users
Packet-switched networks
hardware
User ID and passwords
It is error-prone because the software is highly complex.
Option B
A legacy system is old and hence no longer good
Magnetic Card reader
Increased cost per transaction
ITF
a program that deposits a virus on a client
Data are shared by passing files between programs or systems
File transfer protocol
file library maintenance
Interface test
Design
whether unauthorised use is being made of hardware/system software resources
unauthorised changes to data and program can take place
CIS requires modification of the database management system used by the application
Monitor usage of the device.
reduce the wiretapper's capabilities to tap more data
Attribute sample tests
Limiting the conditions to be tested in the system
The higher the Return on Investment by the application.
deleting all the files in the hard disk
controlling all the networks connected in a better way
Physical
Coding standards
Better communications between developers and users
Risk Assessment
Increases the dependence on a single employee.
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
multiplexer
Anti-virus and anti-piracy software
Examination of logged activity
Edit checks of data entered
theft of machine time
Mr. S 's public key
completeness
the sender from disowning the message
ensure that the transaction amount entered is within the cardholder's credit limit
Low MTBF values imply good reliability
System B - Likelihood 15%, Losses(in$) 5 million
Regression test
missing data validity checks
Network utilization by the existing users
Correction
Reading the operator's manual
Sampling risk
Poor contact points in the wiring
down line loading a program
Regression Testing
Altering physical data definitions for improving performance.
adherence of established standards by programs, program changes and documentation.
Before-images
the inability of the backup operation to run in the background while operations are being carried out
Before-images of the modified records have been kept in the primary file
Expert system computations are performed through symbolic reasoning
Quality
A legacy system is old and hence no longer good
Prototyping model
Sensitive systems
Before-images of the modified records have been kept in the primary file
Duplicated transactions
Formal specification languages
Incremental development model
file library
Microwave transmission
Such access authority is appropriate because they have full knowledge and understanding of the entire system
Signature registrations
Anticipating problems
Detective
short key cipher system
ensure that the transaction amount entered is within the cardholder's credit limit
user identification with a password of not less than 6 characters
Detective
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Programming languages
Halt and error controls
Analysis of degradation of the system.
Attribute sample tests
Capturing the working of an application at a point in time.
Source code review
Central processing site after application program processing.
Before-images of the modified records have been kept in the primary file
unless authorisation information specifies users cannot access the resource
Consider the use of utility software
An inventory of backup tapes at the offsite storage location should be maintained.
Design
Certain phases can be dropped
Purchase and tailor
Information protection has a high risk and always deviates from BPR.
Programs
electronic data interchange
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
stand alone data processing
Security of a database
to reduce the amount of monitoring of compliance with standards that QA personnel will have to undertake
QA personnel will be best placed to recommend corrective actions when they formulate,
promulgate, and maintain s
The hardware temporarily malfunctioned.
whether data stored on servers are adequately protected by means of encryption or any other means
Developing screen flows with specifications
System response time and system uptime
Systems Analysis
Known fact
file library maintenance
ciphertext form produced only from a reversible encryption algorithm
Interface test
Logs
File servers
starting and terminating lines and processes
automatic message purge facility when maximum queue size at the node is exceeded
HIPO charter
Audit programs and audit procedures.
reduce the probability of the threat materializing
Carrying out corrections in the master file.
Analysis of degradation of the system.
analysing user specifications
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
The information systems audit plan
A run chart
Data-oriented techniques
Consider the use of utility software
Create destination defaults for printing based on each employee's departmental affiliation.
altering source data to correct input errors
Reading the operator's manual
Precision limit
A test to assess the quality of data.
transmission over coaxial cable
Simulation tools
the last residual dump
Reading the operator's manual
Document the conditions that lead to a particular action.
Linking to external systems through a firewall
the reliability of the controls in the system as perceived by the auditor
Altering physical data definitions for improving performance.
The date and time of access attempt.
Preparation and monitoring of System implementation plans.
dedicated phone lines
The primary methods of controls usually involves general controls
the controls that provide reasonable assurance that all transactions are processed as authorised
write protect security
Programmers have access to the live environment
Anticipating problems
Data dictionary
If operators are given access to the system documentation, they may help in tracing the cause of a potential error
sender's private key
appropriate, because technical support personnel need to access all data and program files
Checking to see whether any programs terminated abnormally
Altering physical data definitions for improving performance.
Wiretapping
Checking to see whether any programs terminated abnormally
32 bit key system
Collection evidence process has been rendered more difficult
Capturing the working of an application at a point in time.
line conditioning technique
Checking to see whether any programs terminated abnormally
Determining whether security policy is available
the loss likely to occur in the ordinary course of business
Monitor usage of the device.
Review the data field definitions and logic in the audit software.
An inventory of backup tapes at the offsite storage location should be maintained.
Changing the order of the message
Before-images
After a disaster, the transactions can be reentered easily, if needed
Design errors
Design
Certain phases can be dropped
Human-computer interaction guidelines
Checking to see whether any programs terminated abnormally
stakeholders should be informed of the contents of reports before they are released to management
Indicate when the file should be again backed up
the design is for a human resources division of the organization
terminal identifier
Completeness of batch processing
project leader
ITF
Checking to see whether any programs terminated abnormally
A Pareto diagram
Adherence of established standards by programs, program changes and documentation.
organisations must use firewalls if they wish to maintain security over internal data
Reading the operator's manual
A bottom-up approach
Precision limit
Clerks will enter an incorrect but valid code for payment.
History of updates to the operating system
down line loading a program
Check digit
The higher the Return on Investment by the application.
A decrease in detection risk
analytical review
Framing and adherence of a Corporate IS policy statement
Application-oriented user interfaces
Known fact
Component modularity
Inform and advise the Senior Management of the high risks involved in it.
dedicated phone lines
dynamic equalisation
temperature increases
32 bit key system
low work factor
Biometric checks
Controls exist over efficient usage of hardware
to encrypt the message for confidentiality
increasing data integrity by defining standards for retrieving paper based information
Switch
staging and job set-up procedures are not appropriate compensating controls
Systems management
Program changes due to errors discovered
Review the network with reference to the ISO/OSI model of seven layers
Master file lookup
Fault tolerance
Documented
Updating from privileged utilities.
Review the data field definitions and logic in the audit software.
unauthorised changes to data and program can take place
Black-box, code-based, data-driven technique
make the same groups responsible for the mailing of cards and the investigation of returned cards
Discovery sampling
There has been a dearth of IS personnel from the initial days
focusing on the strategy for the next three years for the IS division
The entire storage devices in all the servers
Electronic funds transfer system (EFTS)
System programmer mailbox
Develop a freeware application
Risk Assessment
corrective control
systems development management subsystem
Read Only Memory (ROM)
Worries over cost effectiveness are well addressed.
authorizations are more distributed among users
availability of alternate processing sites, in case of a disaster
file library
Data streaming
Authorisation of access to program files
Edit checks of data entered
Idempotence
To suggest the best possible hardware for the company
An entity relationship diagram
Establishing data custodianship outlines
Completeness of batch processing
Assembler and compiler
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
the sender from forging a message using the receiver's private key
Carrying out corrections in the master file.
Design
Design
Discovery sampling
Precision limit
protection of stored data in the server by encryption or otherwise
Restoration of corrupted message from backups
Physical
System requirements definition
Debugging follows testing
Anticipating problems
Black-box, code-based, data-driven technique
Developing screen flows with specifications
User friendly features built in.
Contract reviews with the legal counsel.
It improves the product, service and profitability.
availability of alternate processing sites, in case of a disaster
spurious associations
multiplexer
Checking to see whether any programs terminated abnormally
the sender from disowning the message
Security administrator
Reliability
conduct a test of controls to ensure that no necessary control is omitted in the design
Increase in the transmission speed of documents
data capture, data preparation, data input
data confidentiality
Monitoring and reporting system
Analysis of degradation of the system.
queue length at each network node the message traverses before reaching the destination
Documented
A sequential file structure
Macro
Document the conditions that lead to a particular action.
more difficult because employees access the system remotely and perform duties electronically
User access to the corporate database is controlled by passwords
Equipment shutdown procedures
They both have the same uses
recording the time sequence of the successful transactions alone
Cost of implementation of management directives
Design
Documentation
Performing aging analysis
Tests only pre-conceived situations
rules for protecting resources can be minimised
Access control for on line data
the inability of the backup operation to run in the background while operations are being carried out
After a disaster, the transactions can be reentered easily, if needed
Prototyping model
Component modularity
Design
Fiber optic cable is small and flexible
Fault tolerance
to reduce the amount of monitoring of compliance with standards that QA personnel will have to undertake
Magnetic Card reader
the controls that provide reasonable assurance that all transactions are processed as authorised
port
identifying what the user possesses
Data Link layer
Component modularity
Biometric checks
Detective
PIN entry at the issuer's premises
Quality
Data are shared by passing files between programs or systems
Known fact
32 bit key system
Create destination defaults for printing based on each employee's departmental affiliation.
provide translations from clients' computer applications to a standard protocol used for EDI communication
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
mesh network
to decrease the number of paper-based forms
Precision limit
Proximity to earthquake zone.
Two persons should be present at the microcomputer when it is uploading data.
Monitor usage of the device.
all new software before loaded should be scanned for viruses and cleaned
Design errors
Processing and computing power
Preformatted screens
Sharing of common data
Networking
Fault tolerance
training in general QA standards should be provided by QA personnel whereas training in specific QA standards should be …
the mechanism associates with each user the resources they can access together with the action privileges they have with …
An operations control
Configuration management
low work factor
Twisted-pair (shielded) cable
ITF
DBA
altering source data to correct input errors
Halt and error controls
Detective
Screens, interactive edits, and sample reports
whether unauthorised use is being made of hardware/system software resources
File transfer protocol
Dependency check
Sign-on verification security when logging on to the database management system
The length of cable to connect a workstation to the network
Cross train with another employee of another department.
Operation personnel did not follow a procedure due to an oversight
Central processing site after application program processing.
encrypt the messages transmitted and decrypt them on reception
Design
Program Logic flow charts and file definition.
Restricting privileged access to test versions of applications.
RC2 and RC4
Restoration of corrupted message from backups
System requirements definition
conduct a test of controls to ensure that no necessary control is omitted in the design
a digital line
Read Only Memory (ROM)
stand alone data processing
two different keys are used for the encryption and decryption
two public keys
Ensuring concurrent access control
port
Component modularity
System response time and system uptime
project leader
Detective
Discrete Sampling
The information systems audit plan
Monitoring and reporting system
Setting up a password for the screensaver program on the notebook computer.
Master file lookup
altering source data to correct input errors
Design
It provides for parallel processing capability at a hot site and in the production environment.
Limiting the conditions to be tested in the system
Audit programs and audit procedures.
Checking and reconciling of postings done in the General Ledger.
Updating from privileged utilities.
Star networks are more easily maintained than a bus network
the last residual dump
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Determining system inputs and outputs
Testing
Low cohesion of modules, high coupling of modules, and high modularity of programs
Purchase and tailor
Testing and evaluating programmer and optimisation tools.
Distributed computing infrastructure
Availability
write protect security
Unaffected by stringent legal and/or organizational controls
The waterfall model
Penalties for late delivery
Output control
low work factor
ensure that the transaction amount entered is within the cardholder's credit limit
Low MTBF values imply good reliability
appropriate, because technical support personnel need to access all data and program files
unless authorisation information specifies users cannot access the resource
Completing the system requirements document
Data-oriented techniques
Were the test strategies sufficient to determine whether the software is safe and effective?
Frame relay
logical access is permitted only in accordance with authorization
Operation personnel did not follow a procedure due to an oversight
CIS requires modification of the database management system used by the application
unless authorisation information specifies users cannot access the resource
Performs a post-implementation evaluation of the application independently.
Inherent risk
more difficult because employees access the system remotely and perform duties electronically
Logging of all terminals
Preventive controls
A detailed review by the IS Auditor of the security controls
multiplexing technique
System programmer mailbox
Defect counts
getting concentrated as much as in the manual system
liability relating to protection of proprietary business data decreases
multiplexer
the sender from disowning the message
Encryption of data files and safe keeping of encryption keys
missing data validity checks
Output control
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
the design is for a human resources division of the organization
Anti-virus and anti-piracy software
Quality
Design metrics
they need to be maintained in a secure file
Attenuation and propagation delay
Incorporate into change management procedures
Paid EDI invoices
whether unauthorised use is being made of hardware/system software resources
Software configuration management
Job submission
availability of alternate processing sites, in case of a disaster
review the open systems interconnect network model
Cross train with another employee of another department.
Capturing the working of an application at a point in time.
Updating from privileged utilities.
make the same groups responsible for the mailing of cards and the investigation of returned cards
Inherent Risk
A sequential file structure
Document the conditions that lead to a particular action.
Audit programs and audit procedures.
Whether the computer has viruses.
Verify authenticity of a transaction or document
an operating system error
Increases the dependence on a single employee.
Performance management
An access control
Role-based policy
Computing environment
Certain phases can be dropped
product cipher
software
An overview understanding of the functions being audited and evaluate the audit and business risk
inability to disconnect after invalid access attempts
Retina scanner
Periodic rotation of duties
Computing environment
Certain phases can be dropped
Design
Network utilization by the existing users
Vendor support
Twisted-pair (shielded) cable
An entity relationship diagram
The information systems audit plan
Faster delivery of the system
Checking to see whether any programs terminated abnormally
low work factor
Change control
Data streaming
Microwave transmission
satellite transmission
spurious associations
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
unless authorisation information specifies users cannot access the resource
Stratified sampling selection technique
Guiding the assistants in performing planned procedures.
Initial password assignment shall be done by the user department in charge
Detailed Design
Supplies
System maintenance constitutes about 65% of the programming costs.
Performance management
product cipher
stakeholders should be informed of the contents of reports before they are released to management
incumbents have little opportunity to exercise high-level information systems skills
Authentication Techniques
encryption is required
Develop a small program that will give a picture of what is happening during the absence of the operator
Output control
provide security
Sharing of common data
ITF
procedure to ensure that the workstation is logged off automatically when not in use for a particular period of time
Batched sequential structure
Fibre optic cable is small and flexible
The information systems audit plan
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide by the contract.
Recompile infected programs from source code backups.
availability of alternate processing sites, in case of a disaster
multiplexer
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
Design metrics
mesh network
Macro
Attenuation is the delay in transmission of signals due to difference in frequency
The entire storage devices in all the servers
the controls available and implemented for the protection of the log file
Terminal access controls
System requirements definition
Code reading
Known fact
Quality compliance requirement sets are defined in ISO 9000.
Solve the problems encountered by the detective controls.
Preformatted screens
whether only valid and authorised transactions were processed
Parallel physical circuits
Spiral model
Detective
Increase in the transmission speed of documents
Because of the increase in use of distributed system, the need for mainframes will increase in the near future
Design
System requirements definition
Better communications between developers and users
Program Logic flow charts and file definition.
Review and scrutiny of error listing.
Frame relay
Create destination defaults for printing based on each employee's departmental affiliation.
Design
Framing and adherence of a Corporate IS policy statement
Limiting the conditions to be tested in the system
spurious associations
History of updates to the operating system
Document the conditions that lead to a particular action.
Linking to external systems through a firewall
Password files are not encrypted
All information system processes
Collision of tokens during transmission may occur
Duplicated transactions
Changing the computing platform may not improve the legacy system
Code reading
Low cohesion of modules, high coupling of modules, and high modularity of programs
Quality
Assisting in defining the relationship between various job functions.
coaxial cabling would have to be installed throughout the building
starting and terminating lines and processes
Twisted-pair (shielded) cable
Processing and computing power
sender's private key
they need to be maintained in a secure file
unauthorised changes to data and program can take place
Data Link layer
A Pareto diagram
Program Logic flow charts and file definition.
Encryption of data files and safe keeping of encryption keys
Validity test
identifying questionable data
Check digit
Analytical review capability
Macro
Guiding the assistants in performing planned procedures.
Physical access controls
the authorisation procedure for accessing data
formatting of the network file server
Be able to understand the system that is being audited
Determining adherence of regulatory requirements by conducting compliance tests.
Program Logic flow charts and file definition.
Encryption routine
SDLC procedure statement
Hot sites can be made ready for operation within a short period of time.
Better communications between developers and users
Reliability
Testing and evaluating programmer and optimisation tools.
availability of alternate processing sites, in case of a disaster
coaxial cabling would have to be installed throughout the building
stand alone data processing
file library
Checking to see whether any programs terminated abnormally
32 bit key system
Data streaming
General control
Interaction between modules should be minimal
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
the design is for a human resources division of the organization
low work factor
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Design metrics
Detective
Discrete Sampling
small key
HIPO charter
Updating from privileged utilities.
Restrict access to prevent installation of unauthorized utility software.
controlling all the networks connected in a better way
Lengthy retraining
Limiting the conditions to be tested in the system
A test to assess the quality of data.
The higher the Return on Investment by the application.
Checking and reconciling of postings done in the General Ledger.
Whether the computer has viruses.
deleting all the files in the hard disk
all new software before loaded should be scanned for viruses and cleaned
the controls available and implemented for the protection of the log file
multiplexing technique
controlling all the networks connected in a better way
Developing screen flows with specifications
The work of a Data entry clerk is also done by a Tape Librarian.
Frame relay
low work factor
PIN entry at the issuer's premises
Permit updating and read access for everyone in IS
analysing user specifications
Batched sequential structure
Incorporate into change management procedures
product cipher
Discrete Sampling
Ensuring concurrent access control
ciphertext form produced only from a reversible encryption algorithm
Halt and error controls
Monitoring and reporting system
Low MTBF values imply good reliability
System design and programming
Detective
Reliability
encrypt the message with the sender's private key and sign the message with the receiver's public key
Master file lookup
whether only valid and authorised transactions were processed
review the open systems interconnect network model
Design metrics
Updating from privileged utilities.
reduce the wiretapper's capabilities to tap more data
Attribute sample tests
Size of the population
the reliability of the controls in the system as perceived by the auditor
Consistent with the IS department's preliminary budget
Source code review
the authorisation procedure for accessing data
Right to read and execute program
Poor contact points in the wiring
Wiretapping
Design
Prototyping model
Worries over cost effectiveness are well addressed.
dynamic equalisation
LAN Server Overload
identifying what the user possesses
during the return of the data to the user department
Detective
performed by the operations manager responsible for the mainframe computer
Hygrometer
Findings are generally more material to the organisation
Scope
File transfer protocol
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Certification and accreditation
data confidentiality
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
produce encrypted messages
Review and scrutiny of error listing.
Distributed computing infrastructure
Determining whether security policy is available
CIS requires modification of the database management system used by the application
traffic analysis by sniffing
queue length at each network node the message traverses before reaching the destination
recording the time sequence of the successful transactions alone
Operation personnel did not follow a procedure due to an oversight
Guiding the assistants in performing planned procedures.
Unique password
Digital signature standard (DSS)
Changing the order of the message
IRR
Design phase
Interaction between modules should be minimal
Control and Output
Appropriate, because System Administrator has to back up all data and program files.
during the return of the data to the user department
Examination of logged activity
inability to disconnect after invalid access attempts
Retina scanner
Computing environment
System response time and system uptime
Detective
Principle of highest privilege should be implemented to perform the file backup function
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Whether assets are properly valued.
The waterfall model
Better communications between developers and users
Keep the test data to a minimum to conserve testing time
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Encryption routine
The length of cable to connect a workstation to the network
satellite transmission
Inherent Risk
A decrease in detection risk
Analysis of degradation of the system.
The date and time of access attempt.
SDLC procedure statement
Digital signature standard (DSS)
Use of a single value-added network
transmission over coaxial cable
Unit testing
Known fact
Quality compliance requirement sets are defined in ISO 9000.
Preparation and monitoring of System implementation plans.
coaxial cabling would have to be installed throughout the building
Data are shared by passing files between programs or systems
Availability
Detailed logical access control procedures
LAN Server Overload
Detective
performed by the operations manager responsible for the mainframe computer
Controls exist over efficient usage of hardware
project leader
Incremental development model
File servers
Design metrics
Because of the increase in use of distributed system, the need for mainframes will increase in the near future
Unit test, systems test, integration test, acceptance test
down line loading a program
Design
Risk Assessment
Policy and procedural variations
a digital line
Operation personnel did not follow a procedure due to an oversight
Attribute sample tests
HIPO charter
User access to the corporate database is controlled by passwords
The date and time of access attempt.
Statistical sampling.
Compensating control
Recommend that the processing capacity of the alternate site should be increased.
Requirement fault
Encryption routine
procedure to ensure that the workstation is logged off automatically when not in use for a particular period of time
all new software before loaded should be scanned for viruses and cleaned
Ensuring that the passwords are not distributed indiscriminately
Applications, transactions and trading partners supported remain static over time
Multiple encryption
Cost of file conversion
Developing screen flows with specifications
inability to disconnect after invalid access attempts
Retina scanner
Authentication Techniques
User expectations are inflated
Regression test
sender's private key
compromise of a receiver's private key
Establishing data custodianship outlines
denial of message services
Response time
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Completeness of batch processing
two different keys are used for the encryption and decryption
32 bit key system
Risk Assessment
Interviews with the IS personnel and the end users.
unauthorised changes to data and program can take place
Operation personnel did not follow a procedure due to an oversight
Inherent Risk
Size of the population
A Letter of confirmation received from an outsider regarding the account balance.
Policies on segregation of duties in IS must highlight the variations between the logical and physical access to assets.
User access to the corporate database is controlled by passwords
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
Role based policy
corrective control
database subsystem
losing data stored in main memory
Halt and error controls
small key
it allows efficient administration of capabilities
allow the customer to make a small number of PIN entry attempts, do not close the account after the limit has been reach
Master file lookup
losing data stored in main memory
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
System design and programming
Response time
Number of defects over the life of a software product
Monitoring and reporting system
Consistent with the IS department's preliminary budget
Recompile infected programs from source code backups.
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
file library
Dialogue styles
Passive data dictionary system
Review the data field definitions and logic in the audit software.
Physical
down line loading a program
Keep the test data to a minimum to conserve testing time
Size of the population
Digital signature standard (DSS)
reduce the wiretapper's capabilities to tap more data
Cost of implementation of management directives
Code
The waterfall model
Certain phases can be dropped
Contract reviews with the legal counsel.
two different keys are used for the encryption and decryption
unauthorised changes to data and program can take place
implement corrective actions as and when compliance failure occurs
Signature registrations
Digital Signatures.
There are more intermediaries involved in producing and distributing batch output.
Biometric checks
all data are split evenly across pairs of drives
To suggest the best possible hardware for the company
sender's private key
whether unauthorised use is being made of hardware/system software resources
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
System requirements definition
data capture, data preparation, data input
ISO/OSI
Data-oriented techniques
Were the test strategies sufficient to determine whether the software is safe and effective?
Restricting privileged access to test versions of applications.
Correction
whether unauthorised use is being made of hardware/system software resources
starting and terminating lines and processes
availability of alternate processing sites, in case of a disaster
dedicated phone lines
liability relating to protection of proprietary business data decreases
Suggesting and enforcing security measures (ex. Changes in password)
temperature increases
Before-images of the modified records have been kept in the primary file
User access to the corporate database is controlled by passwords
RC2 and RC4
Unit testing
The rate at which computer technology is expected to advance
Regression test
Incremental development model
Systems development manager.
Networking
inability to disconnect after invalid access attempts
Reliability
Authentication of all transaction in time
Design
performed by the operations manager responsible for the mainframe computer
DBA
staging and job set-up procedures are not appropriate compensating controls
all data are split evenly across pairs of drives
The information systems audit plan
Interface test
Adherence of established standards by programs, program changes and documentation.
spurious associations
electronic data interchange
Star networks are more easily maintained than a bus network
Documented
The former tests procedures while the latter tests plans.
reviewing the software based access controls
commitment of the management for the implementation of the policy
Right to read and execute program
Plan is tested once in a year.
existence of adequate controls to minimize the potential for loss due to computer fraud or embezzlement
Should have the same amount of physical access restrictions as the primary processing site
Star networks are more easily maintained than a bus network
Quality
Client/server technology
Human-computer interaction guidelines
Systems development manager.
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
two public keys
An overview understanding of the functions being audited and evaluate the audit and business risk
Any incident involving the IS whereby a perpetrator is able to inflict a loss to a would-be victim for his/her personal gain
Data Link layer
System response time and system uptime
end-to-end encryption
DBA
Data are shared by passing files between programs or systems
Controls exist over efficient usage of hardware
Regression test
Reliability
Better communications between developers and users
two units that provide read-after-write and dual-read capabilities
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
A Pareto diagram
Logs
Review of the control totals.
Master file lookup
provide translations from clients computer applications to a standard protocol used for EDI communication
Attribute sample tests
Interviews with the IS personnel and the end users.
Design metrics
an operating system error
It provides for parallel processing capability at a hot site and in the production environment.
captured data are converted into machine readable form
A sequential file structure
A decrease in detection risk
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide by the contract.
Preventive controls
A legacy system is old and hence no longer good
provide translations from clients computer applications to a standard protocol used for EDI communication
provide security
Edit checks of data entered
Developing screen flows with specifications
Magnetic Card reader
Cost of file conversion
Output control
Anticipating problems
Increased cost per transaction
Sharing of common data
Name of the TTP/CA
Detective
Controls exist over efficient usage of hardware
Data Link layer
Pilot projects
Restricting privileged access to test versions of applications.
unauthorised changes to data and program can take place
automatic message purge facility when maximum queue size at the node is exceeded
Operation personnel did not follow a procedure due to an oversight
install Secure Sockets Layer (SSL)
Operation personnel did not follow a procedure due to an oversight
The higher the Return on Investment by the application.
Restricting privileged access to test versions of applications.
Initial password assignment shall be done by the user department in charge
physical access to back up storage devices can be restricted effectively
Must provide high levels of logical and physical security
Determining system inputs and outputs
Code
Quality compliance requirement sets are defined in ISO 9000.
generated always by the updating routines
Record check
There are more intermediaries involved in producing and distributing batch output.
LAN Server Overload
Role-based policy
Authentication of all transaction in time
Anticipating problems
completeness
data confidentiality
DBA
Faster delivery of the system
Known fact
Leaving the decision to the MIS manager
Data Link layer
Planning of adequate security and controls in the computer center
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
Discover sampling
a digital line
Physical
Before-images of the modified records have been kept in the primary file
unauthorised changes to data and program can take place
Stratified sampling selection technique
Dependency check
The right people
Black-box, code-based, data-driven technique
Worries over cost effectiveness are well addressed.
its asset safeguarding capabilities
getting concentrated as much as in the manual system
multiplexor channeling
Data streaming
Availability
Frame relay
a list oriented approach to authorisation
Indicate when the file should be again backed up
Increased cost per transaction
32 bit key system
the sender from disowning the message
Design
product cipher
appropriate, because technical support personnel need to access all data and program files
Controls exist over efficient usage of hardware
Switch
personal details
Interface test
Pilot projects
identifying questionable data
Restrict access to prevent installation of unauthorized utility software.
down line loading a program
to decrease the number of paper-based forms
Draw a random sample from the population.
Operation personnel did not follow a procedure due to an oversight
Performing intricate and complex calculations
Consider the use of utility software
A detailed review by the IS Auditor of the security controls
satellite transmission
the last residual dump
Testing
Deliverables
Cost of file conversion
Eliminate mainframe computer processing
Processing and computing power
Solve the problems encountered by the detective controls.
packet lengths are variable and each packet contains the same amount of information
Anti-virus and anti-piracy software
missing data validity checks
Developing screen flows with specifications
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
Certification and accreditation
Review the network with reference to the ISO/OSI model of seven layers
protocol converter
Expert system computations are performed through symbolic reasoning
A Pareto diagram
Data-oriented techniques
Organizational issues
multiplexing technique
identifying questionable data
unauthorised access and activity
Determining whether security policy is available
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Linking to external systems through a firewall
analytical review
Updating from privileged utilities.
checking of internal credibility
all new software before loaded should be scanned for viruses and cleaned
SDLC procedure statement
Equipment shutdown procedures
Duplicated transactions
Code
Increases the dependence on a single employee.
change of message sequence
QA personnel are likely to check information systems controls more comprehensively than auditors
software
Data input validation programs should highlight the situation by showing input controls do not balance
Sign-on verification security when logging on to the database management system
Ensuring concurrent access control
Role-based policy
Assure that the vendors support current versions of the software.
Component modularity
System response time and system uptime
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
parallel port
User expectations are inflated
Privilege based on an application
Such access authority is appropriate because they have the full knowledge and understanding about the entire system.
protocol converter
Deliverables
low work factor
Acceptance testing
recording the time sequence of the successful transactions alone
Capturing the working of an application at a point in time.
Statement of due care and confidentiality.
Analysis of degradation of the system.
reviewing the software based access controls
Should have the same amount of physical access restrictions as the primary processing site
IRR
Risk Assessment
Testing and evaluating programmer and optimisation tools.
The primary methods of controls usually involves general controls
altering source data to correct input errors
Twisted-pair (shielded) cable
low work factor
Edit checks of data entered
write protect security
Computers systems commit errors sporadically and not in a pattern
Magnetic Card reader
Output control
Controls exist over efficient usage of hardware
An entity relationship diagram
Establishing data custodianship outlines
Name of the TTP/CA
Microwave transmission
Establishing data custodianship outlines
System requirements definition
Checking to see whether any programs terminated abnormally
unless authorisation information specifies users cannot access the resource
Logs
The system test deliverables
Recompile infected programs from source code backups.
Determining whether security policy is available
analytical review
more difficult because employees access the system remotely and perform duties electronically
User access to the corporate database is controlled by passwords
Restrict access to prevent installation of unauthorized utility software.
the security policy should be clear about administration of the anti-virus policy
Poor contact points in the wiring
Role based policy
Design errors
Quality
Eliminate mainframe computer processing
It provides for parallel processing capability at a hot site and in the production environment.
Obtaining a letter of representation from management stating that the weakness has been corrected.
Statement of due care and confidentiality.
The date and time of access attempt.
Logical bombs
Sensitive systems
Home banking system
Collision of tokens during transmission may occur
the last residual dump
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Changing the computing platform may not improve the legacy system
Unit testing
Interaction between modules should be minimal
Better communications between developers and users
Systems development manager.
whether unauthorised use is being made of hardware/system software resources
incumbents have little opportunity to exercise high-level information systems skills
ITF
whether data stored on servers are adequately protected by means of encryption or any other means
Supplies
Increased cost per transaction
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
If operators are given access to the system documentation, they may help in tracing the cause of a potential error
User access to the corporate database is controlled by passwords
The date and time of access attempt.
Synchronous communication
availability of alternate processing sites, in case of a disaster
Framing and adherence of a Corporate IS policy statement
auto-dial features
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
Reading the operator's manual
A test to access the quality of data.
Collection evidence process has been rendered more difficult
Analysis of degradation of the system.
Create destination defaults for printing based on each employee's departmental affiliation.
Source code review
checking of internal credibility
existence of adequate controls to minimize the potential for loss due to computer fraud or embezzlement
Electronic funds transfer system (EFTS)
Before-images of the modified records have been kept in the primary file
Changing the computing platform may not improve the legacy system
Design
database subsystem
Distributed computing infrastructure
Twisted-pair (shielded) cable
Detailed logical access control procedures
write protect security
Control can be exercised to a very fine level of authorisation
System requirements definition
Output control
Certain phases can be dropped
completeness
Vendor support
Controls exist over efficient usage of hardware
they need to be maintained in a secure file
ISO/OSI
staging and job set-up procedures are not appropriate compensating controls
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
produce encrypted messages
Were the test strategies sufficient to determine whether the software is safe and effective?
a digital line
Attribute sample tests
Macro
A Letter of confirmation received from an outsider regarding the account balance.
Statistical sampling.
Source code review
deleting all the files in the hard disk
physical access to back up storage devices can be restricted effectively
traffic analysis by sniffing
System bugs
conduct a test of controls to ensure that no necessary control is omitted in the design
Developing screen flows with specifications
User friendly features built in.
dynamic equalisation
short key cipher system
Biometric checks
Record check
appropriate, because technical support personnel need to access all data and program files
Interaction between modules should be minimal
submission proof
a program that deposits a virus on a client
Systems management
Paid EDI invoices
32 bit key system
Job submission
Whether the computer has viruses.
User access to the corporate database is controlled by passwords
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
unauthorised changes to data and program can take place
availability of alternate processing sites, in case of a disaster
Risk Assessment
Dialogue styles
Operation personnel did not follow a procedure due to an oversight
Simulation tools
controlling all the networks connected in a better way
unauthorised changes to data and program can take place
Macro
Programmers have access to the live environment
deleting all the files in the hard disk
Collision of tokens during transmission may occur
Design errors
User friendly features built in.
unauthorised access and activity
Batched sequential structure
QA personnel will perform better when their organisation adopts national and international information systems standards
QA personnel are likely to check information systems controls more comprehensively than auditors
Control can be exercised to a very fine level of authorisation
Vendor support
users should be educated about weak password
blocking a card if it is not used for a period of 3 months
PIN entry at the issuer's premises
user identification with a password of not less than 6 characters
end-to-end encryption
Two persons should be present at the microcomputer when it is uploading data.
starting and terminating lines and processes
appropriate, because technical support personnel need to access all data and program files
Program Logic flow charts and file definition.
The date and time of access attempt.
Design
Inform and advise the Senior Management of the high risks involved in it.
Implementation and monitoring of the new process is the management's responsibility.
logical access is permitted only in accordance with authorization
CIS requires modification of the database management system used by the application
unless authorisation information specifies users cannot access the resource
Check digit
The former tests procedures while the latter tests plans.
reduce the probability of the threat materializing
User access to the corporate database is controlled by passwords
multiplexing technique
Duplicated transactions
Interaction between modules should be minimal
Supplies
electronic data interchange
two units that provide read-after-write and dual-read capabilities
whether unauthorised use is being made of hardware/system software resources
short key cipher system
Anticipation and hash total
System requirements definition
Certification and accreditation
Better communications between developers and users
Detective
Data dictionary
Whether assets are properly valued.
data encryption technique
Controls exist over efficient usage of hardware
Systems management
ISO/OSI
produce encrypted messages
Integration testing
Interviews with the IS personnel and the end users.
A sequential file structure
Discover sampling
Collision of tokens during transmission may occur
an operating system error
Checking to see whether any programs terminated abnormally
Check digit
The auditee's oral explanation / statement of the evidence
Statement of due care and confidentiality.
Statistical sampling.
Activity/service type
the security policy should be clear about administration of the anti-virus policy
Ring topology network
Design errors
generated always by the updating routines
provide translations from clients computer applications to a standard protocol used for EDI communication
Appropriate, because System Administrator has to back up all data and program files.
Indicate when the file should be again backed up
Cost of file conversion
Documented
Analytical review capability
Limiting the conditions to be tested in the system
Program Logic flow charts and file definition.
Job submission
Dependency check
a dedicated power generator
Use of a single value-added network
systems development management subsystem
Anticipation and hash total
Permit updating and read access for everyone in IS
port
Biometric checks
parallel port
blocking a card if it is not used for a period of 3 months
Processing and computing power
Quality
whether unauthorised use is being made of hardware/system software resources
Design metrics
Fibre optic cable is small and flexible
File transfer protocol
Establishing data custodianship outlines
the design is for a human resources division of the organization
Regression test
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Macro
Restrict access to prevent installation of unauthorized utility software.
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
spurious associations
make the same groups responsible for the mailing of cards and the investigation of returned cards
The expected population error rate does not affect the sample size.
Performs a post-implementation evaluation of the application independently.
Adherence of established standards by programs, program changes and documentation.
Review the data field definitions and logic in the audit software.
Preventive controls
The entire storage devices in all the servers
Risk Assessment
Solve the problems encountered by the detective controls.
Consideration of external environment likely to benefit / affect the organisation.
attaches all channel messages along one common line with communication to the appropriate location via direct access
Security administrator
ciphertext form produced only from a reversible encryption algorithm
Review the network with reference to the ISO/OSI model of seven layers
Anti-virus and anti-piracy software
analysing user specifications
Name of the TTP/CA
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Broadband ISDN, fiber optics, and ATM
Parallel physical circuits
ISO/OSI
Number of defects over the life of a software product
Parallel physical circuits
availability of alternate processing sites, in case of a disaster
Check digit
Changing the order of the message
Review the data field definitions and logic in the audit software.
down line loading a program
Keep the test data to a minimum to conserve testing time
reduce the probability of the threat materializing
analytical review
Consider the use of utility software
Physical verification of actual data entry operations
the controls available and implemented for the protection of the log file
satellite transmission
Anticipating problems
The information systems audit plan
the design is for a human resources division of the organization
Purchase and tailor
liability relating to protection of proprietary business data decreases
two different keys are used for the encryption and decryption
Parallel physical circuits
Cost of file conversion
personal details
the design is for a human resources division of the organization
Sharing of common data
Batched sequential structure
encrypt the message with the sender's private key and sign the message with the receiver's public key
32 bit key system
Adherence of established standards by programs, program changes and documentation.
Passive data dictionary system
Monitor usage of the device.
encrypt the messages transmitted and decrypt them on reception
unauthorised changes to data and program can take place
captured data are converted into machine readable form
Probabilities of occurrence of threats
There has been a dearth of IS personnel from the initial days
Restricting privileged access to test versions of applications.
Review the data field definitions and logic in the audit software.
Central processing site after application program processing.
All information system processes
Before-images of the modified records have been kept in the primary file
System programmer mailbox
Develop a freeware application
Risk Assessment
Defining backup procedures.
availability of alternate processing sites, in case of a disaster
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
whether only valid and authorised transactions were processed
Magnetic Card reader
Edit checks of data entered
An existence check
Mr. S 's public key
low work factor
Privilege based on an application
data confidentiality
Design metrics
Switch
data encryption technique
produce encrypted messages
Completing the system requirements document
Design metrics
Design
Program Logic flow charts and file definition.
Encryption of data files and safe keeping of encryption keys
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Performance management
It allows the auditor to substitute sampling technique for his judgement.
After a disaster, the transactions can be reentered easily, if needed
Before-images of the modified records have been kept in the primary file
Inherent Risk
Linking to external systems through a firewall
commitment of the management for the implementation of the policy
They both have same uses
encrypt the messages transmitted and decrypt them on reception
Physical
systems development management subsystem
attaches all channel messages along one common line with communication to the appropriate location via direct access
electronic data interchange
starting and terminating lines and processes
whether only valid and authorised transactions were processed
Distributed computing infrastructure
short key cipher system
it allows efficient administration of capabilities
Anti-virus and anti-piracy software
An operations control
Code
Certain phases can be dropped
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
Data dictionary
To prove a new concept
sender's private key
Halt and error controls
ISO/OSI
Detective
File servers
It allows the auditor to substitute sampling technique for his judgement.
Macro
reduce the wiretapper s capabilities to tap more data
The higher the Return on Investment by the application.
The expected population error rate does not affect the sample size.
Guiding the assistants in performing planned procedures.
the loss likely to occur in the ordinary course of business
more difficult because employees access the system remotely and perform duties electronically
protection of stored data in the server by encryption or otherwise
Compensating control
Plan is tested once in a year.
Digital signature standard (DSS)
Hot sites can be made ready for operation within a short period of time.
Keep the test data to a minimum to conserve testing time
The waterfall model
Establishment and enforcement of processing priorities internally.
organisations must use firewalls if they wish to maintain security over internal data
Preformatted screens
provide security
Retina scanner
duplicate circuitry, echo check and internal header labels
Detective
ITF
Such access authority is appropriate because they have the full knowledge and understanding about the entire system.
Known fact
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Program changes due to errors discovered
Distributed computing infrastructure
identifying questionable data
Cross train with another employee of another department.
HIPO charter
Policy and procedural variations
Attenuation is the delay in transmission of signals due to difference in frequency
usage of a secure web connection
library control software
the authorisation procedure for accessing data
Plan is tested once in a year.
They both have same uses
Verify authenticity of a transaction or document
Wiretapping
an operating system error
Changing the computing platform may not improve the legacy system
IRR
Design
Implementation and monitoring of the new process is the management's responsibility.
Networking
unauthorised changes to data and program can take place
Business continuity plan for the mainframe system's non - critical applications is not proper
the sender from disowning the message
Authorisation of access to program files
Vendor support
Systems management
ISO/OSI
all data are split evenly across pairs of drives
System requirements definition
Better communications between developers and users
missing data validity checks
User access to the corporate database is controlled by passwords
Fault tolerance
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Limiting the conditions to be tested in the system
Statistical sampling.
the last residual dump
Client/server technology
Performing aging analysis
Performs a post-implementation evaluation of the application independently.
Inherent risk
Preventive controls
Ensuring that the passwords are not distributed indiscriminately
With different business activities
Changing the order of the message
Source code generation tool
Preformatted screens
altering source data to correct input errors
Planning of adequate security and controls in the computer center
QA personnel are charged with being knowledgeable about and remaining up-to-date with best practice in information sys
An operations control
Indicate when the file should be again backed up
Data input validation programs should highlight the situation by showing input controls do not balance
Passive data dictionary system
Central processing site after application program processing.
Stratified sampling selection technique
Environmental control within the IS department.
Determining adherence of regulatory requirements by conducting compliance tests.
deleting all the files in the hard disk
library control software
Recommend that the processing capacity of the alternate site should be increased.
auto-dial features
Design
System maintenance constitutes about 65% of the programming costs.
Fiber optic cable is small and flexible
multiplexer
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Edit checks of data entered
Retina scanner
Authentication Techniques
Ensuring concurrent access control
If operators are given access to the system documentation, they may help in tracing the cause of a potential error
a program that deposits a virus on a client
DBA
Hygrometer
Parallel physical circuits
Purchase and tailor
receiver's public key
Program Logic flow charts and file definition.
Fault tolerance
Reading the operator's manual
It allows the auditor to substitute sampling technique for his judgement.
temperature increases
Design
Operation personnel did not follow a procedure due to an oversight
Guiding the assistants in performing planned procedures.
Dependency check
Whether the computer has viruses.
Encryption routine
rules for protecting resources can be minimised
Before-images of the modified records have been kept in the primary file
IRR
Testing
unauthorised access and activity
Distributed computing infrastructure
two public keys
a list oriented approach to authorisation
inability to disconnect after invalid access attempts
Indicate when the file should be again backed up
Unaffected by stringent legal and/or organizational controls
encryption is required
Design
Network utilization by the existing users
Detective
Data dictionary
ensure that the transaction amount entered is within the cardholder's credit limit
Review the network with reference to the ISO/OSI model of seven layers
data capture, data preparation, data input
analysing user specifications
two units that provide read-after-write and dual-read capabilities
Computing environment
Increasing of the transmission speed of documents
sender's private key
DBA
altering source data to correct input errors
Low MTBF values imply good reliability
ITF
Test summaries, test execution reports
The length of cable to connect a workstation to the network
Microwave transmission
unauthorised changes to data and program can take place
dedicated phone lines
multiplexer
In the rapid development of technology, the duties change very frequently.
Macro
Updating from privileged utilities.
Reading the operator's manual
Programming options permitting printout of specific transactions.
Proximity to earthquake zone.
It provides sender authenticity
Cost of implementation of management directives
Testing
Warranty provisions
Code
Design
User friendly features built in.
Worries over cost effectiveness are well addressed.
Twisted-pair (shielded) cable
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
users should be educated about weak password
Data dictionary
Acceptance testing
Parallel physical circuits
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Detective
32 bit key system
Logs
Design
Altering physical data definitions for improving performance.
Database authorizations
starting and terminating lines and processes
Physical
recording the time sequence of the successful transactions alone
The higher the Return on Investment by the application.
A decrease in detection risk
Whether the computer has viruses.
Review the data field definitions and logic in the audit software.
deleting all the files in the hard disk
blocking of CPU functions
all new software before loaded should be scanned for viruses and cleaned
Usage of backup tapes
Known fact
Deliverables
Purchase and tailor
provide translations from clients' computer applications to a standard protocol used for EDI communication
Checking and reconciling of postings done in the General Ledger.
Plan is tested once in a year.
Home banking system
Code reading
Black-box, code-based, data-driven technique
Purchase and tailor
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Frame relay
software
Biometric checks
The output could be redirected to another printer.
Option C
A legacy system uses a proprietary programming language
Bio-metric devices
Inadequate backup and recovery procedures
Snapshot
applets recording keystrokes made by the client and, therefore passwords
The physical structure of the data is independent of user needs
Permanent Virtual Circuit (PVC)
program source code modification
Integration test
Implementation
whether the system being monitored has provided users with a strategic advantage over their competitors
the work is boring so high turnover always occurs
Only targeted transactions can be examined using CIS.
Use write-protect tabs on disks.
send different packets of the same message over different available lines
Variable sample tests
Source documents do not have to be redesigned.
The Organisation's critical and high risk business areas
deleting all the data on the hard disk
improving the overall reliability of the networks
Data Link
Detail design documents
Increased productivity
Observation
Allow individuals to understand all parts of a system.
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
channel
DES Cryptosystem
Prohibition of random access
Tests of general controls
errors and omissions
Mr. R 's public key
secrecy
forging of messages by the receiver
verify the format of the number entered and then locate it on the database
It is the total functioning life of an item divided by the total number of failures during the measurement interval
System C - Likelihood 20%, Losses(in$) 2.5 million
Integration test
transmittal control
Increased business activity and revenue
Prevention
Observing the system operator's work
Statistical sampling
Humidity increase
transmitting system warning and status messages
Spreadsheets
Designing database applications
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or des
All valid transactions
duplicity of backup operations more than other techniques
It facilitates identification of the users that have effected changes to the database
Expert system's knowledge is combined into program control
Software independence
A legacy system uses a proprietary programming language
Spiral model
Critical systems
It facilitates identification of the users that have effected changes to the database
Invalid transactions
Detail requirements document
Evolutionary development model
program source code modification
Shielded Twisted pair
Such access authority is inappropriate because it violates the principle of "access on need - to - know basis, irrespective
Key compromise notifications
Testing the system thoroughly
Corrective
31 bit cipher system
verify the format of the number entered and then locate it on the database
plastic cards with magnetic stripe and a PIN
Corrective
the decryption key should be kept a secret
Software compilers
Batch controls
Review and analysis of user specifications.
Variable sample tests
Taking the afterimages of all data items changed for accuracy and completeness.
Source code comparison
Central processing site during application program processing.
It facilitates identification of the users that have effected changes to the database
have to authenticate themselves only once, and not after that
Consider the use of Data Base Management System
IS security measures including controls over access to data should be strengthened.
Implementation
Each phase will have to be present
Lease or purchase
Decrease in complexity and volatility in IT leads to considerable decrease in costs.
Personnel like the DBA and systems analysts
fax/modem software
provides an automatic audit trail, whereas a floppy disk does not
message switching
Coordinate and resolve conflicting needs and desires of users in their diverse application areas
to clarify the basis on which QA personnel will evaluate whether quality goals have been met
QA personnel should have most experience of information systems development, implementation, operations, and main
A wrong tape reel is loaded in a multireel file
accountability system and the ability to properly identify any terminal accessing system resources
Identifying major purpose(s) of the system
Distributed databases and application programs
Systems Programming
Known procedure
program source code modification
ciphertext form produced only from an irreversible encryption algorithm
Integration test
Checklists
Routers
generating a control total for a point-of-sale device
fast transmission of a message once it arrives at a node
Terminal simulator
Recommendations and conclusions based on the findings from the audit.
reduce the expected loss from a threat
Maintaining the error log.
Review and analysis of user specifications.
reviewing software quality
provides an automatic audit trail, whereas a floppy disk does not
The organization's information technology architecture
A bar graph
Control-oriented techniques
Consider the use of Data Base Management System
Centrally print and distribute the outputs.
batch containing errors would be rejected for correction prior to processing
Observing the system operator's work
Result of substantive audit procedure
A test to compare data with an output source
transmission on terrestrial microwave
Export/import tools
the second-last full dump
Observing the system operator's work
Exhibits the rules for different conditional values
Pre-usage scan of all secondary storage media brought from outside.
the implementation of advanced technology in the application
Designing database applications
The user-id used to make the attempt
Initiating computer applications.
call-back features
segregation of duties becomes increasingly important
the controls that prevent unauthorised and improper use of data and programs
data security
Group logons are being used for critical functions
Testing the system thoroughly
Data encryptor
a malicious operator can undermine a disaster recovery operation by corrupting backup files progressively over time
receiver's public key
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Scanning the output for obvious errors
Designing database applications
Delay distortion
Scanning the output for obvious errors
long key cipher system
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
Taking the afterimages of all data items changed for accuracy and completeness.
concentration technique
Scanning the output for obvious errors
Determining whether access controls are in place
the loss likely to occur if the threat materializes multiplied by the probability of the threat
Use write-protect tabs on disks.
Rerun the audit software against a backup of the inventory master file.
IS security measures including controls over access to data should be strengthened.
Traffic analysis
All valid transactions
The transactions shall be recorded chronologically as they are put through
Process errors
Implementation
Each phase will have to be present
System navigation guidelines
Scanning the output for obvious errors
the recipients of project based reports should be agreed upon at the start of a project
Prevent the file from being overwritten before the expiry of the retention date
the designer is circumspect of the user's cooperation in spelling out their requirements
resources provided/denied
Authorisation of file updates
manager in charge of the information systems function
Snapshot
Scanning the output for obvious errors
A run chart
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or destr
companies that wish to engage in electronic commerce on the Internet must meet required security standards establishe
Observing the system operator's work
A sandwich approach
Result of substantive audit procedure
Vendors not in the table file will be paid.
List of applications under development
transmitting system warning and status messages
Batch control totals
The Organisation's critical and high risk business areas
An increase in inherent risk
substantive test
Developing and implementing an IS security standards manual
Screen-oriented manipulation user interfaces
Known procedure
Component redundancy
Develop CAATs in detecting such instances.
call-back features
automatic dial-up capabilities
thunder and lightning
long key cipher system
small key
Frequently changed access controls
a single person does not have complete control over a transaction from start to finish
to prevent compromises when using a private key
enabling use of a multiplicity of formats and coding standards
Repeater
staging and job set-up procedures compensate for the tape label control weakness
Distributed applications or services
Program changes due to fine tuning of existing systems
Identify the various layers of ISO/OSI model to which each component belongs
Duplicate record check
Operating systems
Implemented
Access only to authorized logical views.
Rerun the audit software against a backup of the inventory master file.
the work is boring so high turnover always occurs
White-box, specification-based, logic-driven technique
communicate the PIN to the cardholder over phone
Dollar unit sampling
Generally, the tasks performed by IS personnel are more complex than those in manual systems
documenting the major milestones to be achieved in the system development process
All the back up storage devices and the backed up floppies & disks
Electronic data interchange (EDI)
Production mailbox
Develop an API application
Observation
preventive control
data management subsystem
Firmware
Telecommunication
Performing system activity analysis
Requires the minimum computer usage and manual personnel.
naming convention gives a unique identity to the resources
Reporting of before and after images
duplicity of backup operations more than other techniques
The transactions shall be recorded chronologically as they are put through
Spiral model
Component redundancy
Implementation
They are unaffected by electrical interference
Operating systems
to clarify the basis on which QA personnel will evaluate whether quality goals have been met
Bio-metric devices
the controls that prevent unauthorised and improper use of data and programs
service type
identifying what the user knows or remembers
Presentation layer
Component redundancy
Frequently changed access controls
Corrective
PIN entry via a secure terminal
Software independence
The physical structure of the data is independent of user needs
Known procedure
long key cipher system
Centrally print and distribute the outputs.
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
ring network
to increase the efficiency of the payment process
Result of substantive audit procedure
Design of authorization tables for operating system access.
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would r
Use write-protect tabs on disks.
no demonstration packages should be allowed to be run on the company owned machines
Process errors
Maintenance costs
Automatic error correction
The internal control of data accuracy and access and inconsistencies within common data fields
Modularity
Operating systems
the quality of QA training is an important indicator of top management's commitment to the attainment of quality assuranc
into which the user's password falls
A development control
Configuration status accounting
small key
Twisted-pair (unshielded) cable
Snapshot
Data Entry
batch containing errors would be rejected for correction prior to processing
Batch controls
Corrective
Interactive edits, process programs and sample reports
whether the system being monitored has provided users with a strategic advantage over their competitors
Permanent Virtual Circuit (PVC)
Format check
Authorized user access privileges for each data file or element
A single link failure, a repeater failure, or a break in the cable could disable a large part or all of the network.
Diminish chances of committing improper / illegal acts by the employee.
Librarian forgot to log tape movement
Central processing site during application program processing.
convert digital signals to analog signals
Implementation
Data base structures and the source codes.
Limiting and monitoring the use of privileged software.
One-time pad
Editing of corrupted message by the network staff
Detailed design documents
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
a microwave radio system
Firmware
message switching
Data Encryption Standard (DES) is a typical type of private key cryptosystem
private key and a public key
Ensuring seamless integration
service type
Component redundancy
Distributed databases and application programs
manager in charge of the information systems function
Corrective
Attribute Sampling
The organization's information technology architecture
Reviewing change controls
Installing an access control software.
Duplicate record check
batch containing errors would be rejected for correction prior to processing
Implementation
It requires the hardware vendor to provide compatible computer equipment.
Source documents do not have to be redesigned.
Recommendations and conclusions based on the findings from the audit.
Calculation of Foot Totals
Access only to authorized logical views.
Malfunctioning in one node will not bring a star network down
the second-last full dump
If afterimages have been corrupted, rollback is not achievable
Developing design documents
Reviews
High cohesion of modules, high coupling of modules, and high modularity of programs
Lease or purchase
Ascertaining user needs for application programming.
Systems management
Reliability
data security
Of higher volume and of bigger size
The spiral model
Problem support
Input control
small key
verify the format of the number entered and then locate it on the database
It is the total functioning life of an item divided by the total number of failures during the measurement interval
inappropriate, since access should be limited to a need-to-know basis, regardless of position
have to authenticate themselves only once, and not after that
Completing the system design document
Control-oriented techniques
What actions were taken in response to the metrics results?
Wireless Local Area Network
Segregation of duties is maintained
Librarian forgot to log tape movement
Only targeted transactions can be examined using CIS.
have to authenticate themselves only once, and not after that
Suggests the management of control and system enhancements.
Control risk
less difficult because audit trails can be looked upon for tracing out unauthorized activities
Logging of console transaction
Detective controls
Preparation of the information security standards manual
line conditioning technique
Production mailbox
Function points
getting distributed than in a manual system
decreased requirements for backup and contingency planning
channel
forging of messages by the receiver
Access control at application system level
transmittal control
Input control
they have available special hardware/software tools that enable them to breach data integrity
the designer is circumspect of the user's cooperation in spelling out their requirements
DES Cryptosystem
Software independence
Code metrics
standards should be prepared to guide their maintenance
Sudden increase in number of users
Incorporate into software upgrades
Paid non-EDI invoices
whether the system being monitored has provided users with a strategic advantage over their competitors
Software requirements management
Resource management
investment in hardware is smaller for each site than for a central site
identify the operating costs of the network
Diminish chances of committing improper / illegal acts by the employee.
Taking the afterimages of all data items changed for accuracy and completeness.
Access only to authorized logical views.
communicate the PIN to the cardholder over phone
Sensitivity of transactions
A random structured
Exhibits the rules for different conditional values
Recommendations and conclusions based on the findings from the audit.
Whether all the software on the computer is properly licensed.
Encryption will solve all problems of industrial espionage
an application program error
Allow individuals to understand all parts of a system.
Capacity planning
Organisation control
Identity-based policy
Inference engine
Each phase will have to be present
bit cipher
commodity
Determine the risks/threats to the data center site
existence of call forwarding devices
Photo identification card
Keep them motivated
Inference engine
Each phase will have to be present
Coding
Increased business activity and revenue
Software licensing
Twisted-pair (unshielded) cable
A state transition diagram
The organization's information technology architecture
Meeting user requirements
Scanning the output for obvious errors
small key
Comparator
Data editing
Shielded Twisted pair
twisted pair wire transmission
traffic analysis
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
have to authenticate themselves only once, and not after that
Cluster sampling selection technique
Overall risk assessment of operations in the organisation.
The system should display the password to enable the user to enter it correctly
Implementation
Maintenance
Concurrent / parallel existence of Duplicate Information system functions.
Capacity planning
bit cipher
the recipients of project based reports should be agreed upon at the start of a project
QA personnel require high level of interpersonal skills because of potential conflict between QA personnel and information
Call-back techniques
timed authentication is required
Examine the accounting data recorded in the system for any irregularities
Input control
be easily accessible by a majority of company personnel
The internal control of data accuracy and access and inconsistencies within common data fields
Snapshot
unsuccessful attempts after a specified number of times, should result in the automatic log off of the workstation
Network structure
They are unaffected by electrical interference
The organization's information technology architecture
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing comp
Institute program change control procedures.
investment in hardware is smaller for each site than for a central site
channel
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
Code metrics
ring network
Output analyser
Inductive wiretaps can pick up the free space emissions emanating from amplifiers
All the back up storage devices and the backed up floppies & disks
list of persons authorised to alter the log file contents and the software controlling the log file updating.
Processing controls
Detailed design documents
Testing
Known procedure
Aspects affecting customer satisfaction in an organisation are dealt with in the ISO 9000 standard.
Foresee important problems prior to occurring.
Automatic error correction
whether a storage medium should be retired
Licensed software
Prototyping model
Corrective
Decreasing of contingency and backup planning efforts
PCs and notebook computers must be programmed directly in machine language while mainframes use higher level lang
Implementation
Software acceptance criteria
Increased productivity
Data base structures and the source codes.
Rectification of errors
Wireless Local Area Network
Centrally print and distribute the outputs.
Implementation
Developing and implementing an IS security standards manual
Source documents do not have to be redesigned.
changing the order of the message
List of applications under development
Exhibits the rules for different conditional values
Pre-usage scan of all secondary storage media brought from outside.
Redundant log-on Ids are removed
Processes in priority order, as defined by the business manager
Tokens may be captured by a node and before releasing it the node may fail
Invalid transactions
resistance to change
Testing
High cohesion of modules, high coupling of modules, and high modularity of programs
Software independence
Often used as a tool in the evaluation of performance.
the system cannot easily handle large volumes of data
generating a control total for a point-of-sale device
Twisted-pair (unshielded) cable
Maintenance costs
receiver's public key
standards should be prepared to guide their maintenance
the work is boring so high turnover always occurs
Presentation layer
A run chart
Data base structures and the source codes.
Access control at application system level
Limit test
verifying control totals
Batch control totals
Stratification and frequency analysis capability
Output analyser
Overall risk assessment of operations in the organisation.
Logical access controls
security awareness programme
regular scanning of all network drives as per the established routines
Possess knowledge in the area of current technical words.
Reviewing audit reports of the previous years.
Data base structures and the source codes.
Disk utility
List of all authorised users of IPF
Costs associated with the hot sites are low.
Increased productivity
Maintainability
Ascertaining user needs for application programming.
investment in hardware is smaller for each site than for a central site
the system cannot easily handle large volumes of data
message switching
program source code modification
Scanning the output for obvious errors
long key cipher system
Data editing
Processing control
Modules should have only one entry and one exit point
they have available special hardware/software tools that enable them to breach data integrity
the designer is circumspect of the user's cooperation in spelling out their requirements
small key
the decryption key should be kept a secret
Code metrics
Corrective
Attribute Sampling
high error propagation
Terminal simulator
Access only to authorized logical views.
Detect the presence of viruses.
improving the overall reliability of the networks
More accountability
Source documents do not have to be redesigned.
A test to compare data with an output source
The Organisation's critical and high risk business areas
Calculation of Foot Totals
Whether all the software on the computer is properly licensed.
deleting all the data on the hard disk
no demonstration packages should be allowed to be run on the company owned machines
list of persons authorised to alter the log file contents and the software controlling the log file updating.
Line conditioning technique
improving the overall reliability of the networks
Identifying major purpose(s) of the system
The duties of a tape librarian are carried out by an application programmer.
Wireless Local Area Network
small key
PIN entry via a secure terminal
Permit updating for everyone in IS but restrict read access to source code to one position
reviewing software quality
Network structure
Incorporate into software upgrades
bit cipher
Attribute Sampling
Ensuring seamless integration
ciphertext form produced only from an irreversible encryption algorithm
Batch controls
Reviewing change controls
It is the total functioning life of an item divided by the total number of failures during the measurement interval
Programming and testing
Corrective
Maintainability
encrypt the message with the receiver's public key and sign the message with the sender's private key
Duplicate record check
whether a storage medium should be retired
identify the operating costs of the network
Code metrics
Access only to authorized logical views.
send different packets of the same message over different available lines
Variable sample tests
Nature of the population
the implementation of advanced technology in the application
Procurement procedures are complied with.
Source code comparison
security awareness programme
Access to Job control languages/script files
Humidity increase
Delay distortion
Implementation
Spiral model
Software Life Cycle activities are improved.
automatic dial-up capabilities
Transaction processing delay
identifying what the user knows or remembers
during the data preparation
Corrective
determined by and the individuals who use the microcomputers
Barometer
Audit resources are more effectively directed.
Quality
Permanent Virtual Circuit (PVC)
provides an automatic audit trail, whereas a floppy disk does not
Access control lists and access control privileges
message authentication
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
increase the speed of data transmission
Rectification of errors
Systems management
Determining whether access controls are in place
Only targeted transactions can be examined using CIS.
violating the confidentiality of the message
time and date of dispatch of the message
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Librarian forgot to log tape movement
Overall risk assessment of operations in the organisation.
Unique user ID and password
Rivest, Shamir, Adleman (RSA)
Traffic analysis
User satisfaction
Coding phase
Modules should have only one entry and one exit point
Control and arithmetic-logic
Inappropriate, since access should be limited to a need-to-know basis, regardless of position.
during the data preparation
Aspects affecting customer satisfaction in an organisation are dealt with in the ISO 9000 standard.
data management subsystem
generating a control total for a point-of-sale device
Wireless Local Area Network
data security
Application software
Authorized user access privileges for each data file or element
A list of all cards issued and the individuals to whom they were issued.
Lease or purchase
authentication of the message's origin
password encryption technique
data preparation, data input
receiver's public key
Implementation
Vendors may go out of business and discontinue service support on their products
double wiring of the CPU and peripheral equipment to prevent malfunctioning
ciphertext form produced only from an irreversible encryption algorithm
Maintaining the error log.
Authorized user access privileges for each data file or element
Operating systems
Stratification and frequency analysis capability
Exhibits the rules for different conditional value
dynamic equalization
The transactions shall be recorded chronologically as they are put through
More accountability
Run-to-run totals
Traffic analysis
Invalid transactions
Coding phase
Flow-charting tool
Design bugs
Inference engine
Allow individuals to understand all parts of a system.
Information from clients and customers will not be required.
the work is boring so high turnover always occurs
Twisted-pair (unshielded) cable
it is less likely to be used in a business systems environment than a discretionary access control policy
Group logons are being used for critical functions
Examine the accounting data recorded in the system for any irregularities
Inference engine
secrecy
No attention is paid to cosmetic details
data preparation, data input
it is less likely to be used in a business systems environment than a discretionary access control policy
Maintainability
channel
Value-added network
Quality assurance audit
Systems management
Diminish chances of committing improper / illegal acts by the employee.
It provides a means for measuring the actual misstatement in assertions
transmission on terrestrial microwave
All valid transactions
Determining whether access controls are in place
separation of duties is easy to achieve in manual systems and impossible in computerized systems
Designing database applications
Disk utility
unsuccessful attempts beyond a specified number should result in the automatic log-off of the workstation
no demonstration packages should be allowed to be run on the company owned machines
Disabling all the redundant passwords
System that performs based on business needs and activities
Encrypting once with the same key
Cost of computer downtime
Identifying major purpose(s) of the system
existence of call forwarding devices
Photo identification card
Call-back techniques
No attention is paid to cosmetic details
Integration test
receiver's public key
compromise of a sender's private key
Establishing data usage guidelines
traffic analysis
Data transfer speed
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
Authorisation of file updates
Data Encryption Standard (DES) is a typical type of private key cryptosystem
long key cipher system
Observation
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
the work is boring so high turnover always occurs
Librarian forgot to log tape movement
Sensitivity of transactions
Nature of the population
An analytical review of the ratios by the IS auditor from the information received from the internal line management.
While evaluating an organisation's policy of segregation of duties, the competency of the employees is of no relevance.
Data ownership resides with the most appropriate users
does not require each node through which the message passes to be protected against hacking
Rule based policy
preventive control
boundary controls
dropping bits in data transmission
Batch controls
high error propagation
access control lists are stored on a fast memory device to facilitate easy access to the list
allow a reasonable number of PIN entry attempts, close the account after the limit has been reached, but do not retain th
Duplicate record check
dropping bits in data transmission
the decryption key should be kept a secret
Programming and testing
Data transfer speed
Number of customer problems reported to the size of the product
Reviewing change controls
Procurement procedures are complied with.
Institute program change control procedures.
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
program source code modification
Ergonomics
Deadlock resolution
Rerun the audit software against a backup of the inventory master file.
Data Link
transmitting system warning and status messages
fax/modem software
Malfunctioning in one node will not bring a star network down
Implemented
Substantive testing tests validation while compliance testing tests for regulatory requirements.
carrying out personal examination of the existing physical access environment
procedure for authorising access to computer resources
Access to Job control languages/script files
Plan is reviewed and updated regularly.
installation of proper physical security cover over the data processing installation
Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive
Malfunctioning in one node will not bring a star network down
Software independence
Object-oriented technology
System navigation guidelines
Operations Manager.
the decryption key should be kept a secret
private key and a public key
Determine the risks/threats to the data center site
Breaching in the security of the IS resulting in destruction of hardware or software
Presentation layer
Distributed databases and application programs
dial-disconnect-callback features
Security Administration
The physical structure of the data is independent of user needs
a single person does not have complete control over a transaction from start to finish
Integration test
Maintainability
Increased productivity
double wiring of the CPU and peripheral equipment to prevent malfunctioning
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
A run chart
Checklists
Review of the payroll by the payroll department on a regular basis.
Duplicate record check
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
Variable sample tests
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
Code metrics
an application program error
It requires the hardware vendor to provide compatible computer equipment.
economic events that are relevant to the ongoing operations of an organisation are identified and recorded
A random structured
An increase in inherent risk
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing comp
Detective controls
A legacy system uses a proprietary programming language
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
be easily accessible by a majority of company personnel
Tests of general controls
Identifying major purpose(s) of the system
Bio-metric devices
Cost of computer downtime
Input control
Testing the system thoroughly
Inadequate backup and recovery procedures
The internal control of data accuracy and access and inconsistencies within common data fields
Public key of the sender
Corrective
a single person does not have complete control over a transaction from start to finish
Presentation layer
Grand design projects
Limiting and monitoring the use of privileged software.
the work is boring so high turnover always occurs
fast transmission of a message once it arrives at a node
Librarian forgot to log tape movement
adequate definition in contractual relationship
Librarian forgot to log tape movement
The Organisation's critical and high risk business areas
Limiting and monitoring the use of privileged software.
The system should display the password to enable the user to enter it correctly
authorized files are logically allowed access to authorized users
Are usually located in populous areas to prevent theft or vandalism
Developing design documents
Implementation
Aspects affecting the customer satisfaction in an organisation are dealt in the ISO 9000 standard.
generated as a printer output necessarily
Check digit
Only managers typically receive online reports so less misuse is likely.
Transaction processing delay
Identity-based policy
Architecture of the firewall hiding the internal network
Testing the system thoroughly
secrecy
message authentication
Data Entry
Meeting user requirements
Known procedure
Increasing MIS staff output in order for both systems to be installed
Presentation layer
Estimating electrical load
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
Dollar - unit sampling
a microwave radio system
Data Link
It facilitates identification of the users that have effected changes to the database
the work is boring so high turnover always occurs
Cluster sampling selection technique
Format check
The right training
White-box, specification-based, logic-driven technique
Software Life Cycle activities are improved.
the maintenance of data integrity
getting distributed than in a manual system
virtual storage
Data editing
Reliability
Wireless Local Area Network
small protection domains
Prevent the file from being overwritten before the expiry of the retention date
Inadequate backup and recovery procedures
long key cipher system
forging of messages by the receiver
Implementation
bit cipher
inappropriate, since access should be limited to a need-to-know basis, regardless of position
a single person does not have complete control over a transaction from start to finish
Repeater
possessed objects
Integration test
Grand design projects
verifying control totals
Detect the presence of viruses.
transmitting system warning and status messages
to increase the efficiency of the payment process
Reject the statistical hypothesis that value is not misstated when the true value is materially misstated.
Librarian forgot to log tape movement
Preparation of multiple reports and output files.
Consider the use of Data Base Management System
Preparation of the information security standards manual
twisted pair wire transmission
the second-last full dump
Reviews
Baseline
Cost of computer downtime
Develop a data synchronization software
Maintenance costs
Foresee important problems prior to occurring.
Transmission cost is not charged by packet
DES Cryptosystem
transmittal control
Identifying major purpose(s) of the system
they have available special hardware/software tools that enable them to breach data integrity
Access control lists and access control privileges
Identify the various layers of ISO/OSI model to which each component belongs
modem
Expert system's knowledge is combined into program control
A run chart
Control-oriented techniques
Behavioral issues
line conditioning technique
verifying control totals
duplicate transaction processing
Determining whether access controls are in place
provides an automatic audit trail, whereas a floppy disk does not
Pre-usage scan of all secondary storage media brought from outside.
substantive test
Access only to authorized logical views.
manual control procedures
no demonstration packages should be allowed to be run on the company owned machines
List of all authorised users of IPF
Evacuation procedures
Invalid transactions
Implementation
Allow individuals to understand all parts of a system.
spurious associations
the inherent risk associated with an organisation decreases considerably when an organisation has an information system
commodity
Corrected errors should be initialed by the person correcting the error
The probability of continued availability of system support
Package fixes
preventive control
concentration technique
small protection domains
Bio-metric devices
Key compromise notifications
Input control
achieving system effectiveness
Attribute Sampling
The internal control of data accuracy and access and inconsistencies within common data fields
applets recording keystrokes made by the client and, therefore, passwords
the encrypted pre-hash code and the message are encrypted using a secret key
Narrowband ISDN, central office switches, Voice Mail system
Software acceptance criteria
Systems Programming
have to authenticate themselves only once, and not after that
It is the total functioning life of an item divided by the total number of failures during the measurement interval
Acceptance test, unit test, integration test, systems test
Reviewing change controls
Maintaining the error log.
Transaction processing delay
Authorized user access privileges for each data file or element
Data ownership resides with the most appropriate users
Capacity planning
a microwave radio system
provides an automatic audit trail, whereas a floppy disk does not
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
Access only to authorized logical views.
violating the confidentiality of the message
Modules should have only one entry and one exit point
Ascertaining user needs for application programming.
Best IS expertise from the outside source.
identify the operating costs of the network
whether the system being monitored has provided users with a strategic advantage over their competitors
the controls that prevents unauthorised and improper use of data and program
Inappropriate, since access should be limited to a need-to-know basis, regardless of position.
Prevent the file from being overwritten before the expiry of the retention date
achieving system effectiveness
Corrective
resources provided/denied
compromise of a sender's private key
Expert system's knowledge is combined into program control
Control-oriented techniques
Access control at application system level
A dependency check
Implementation
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
Taking the afterimages of all data items changed for accuracy and completeness.
Vendors not in the table file will be paid.
does not require each node through which the message passes to be protected against hacking
improving the overall reliability of the networks
All valid transactions
A random structured
Rectification of errors
BHAGWAN SRIGANESH
staging and job set-up procedures compensate for the tape label control weakness
the decryption key should be kept a secret
increase the speed of data transmission
What actions were taken in response to the metrics results?
a microwave radio system
Variable sample tests
Output analyser
An analytical review of the ratios by the IS auditor from the information received from the internal line management.
Generalized audit software.
Source code comparison
deleting all the data on the hard disk
authorized files are logically allowed access to authorized users
violating the confidentiality of the message
Design bugs
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
Identifying major purpose(s) of the system
Focusing on broad problems to a specific view.
automatic dial-up capabilities
31 bit cipher system
Frequently changed access controls
Check digit
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Modules should have only one entry and one exit point
authentication message's origin
applets recording keystrokes made by the client and, therefore, passwords
Distributed applications or services
Paid non-EDI invoices
long key cipher system
Resource management
Whether all the software on the computer is properly licensed.
Data ownership resides with the most appropriate users
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
the work is boring so high turnover always occurs
investment in hardware is smaller for each site than for a central site
Observation
Ergonomics
Librarian forgot to log tape movement
Export/import tools
improving the overall reliability of the networks
the work is boring so high turnover always occurs
Output analyser
Group logons are being used for critical functions
deleting all the data on the hard disk
Tokens may be captured by a node and before releasing it the node may fail
Process errors
Focusing on broad problems to a specific view.
duplicate transaction processing
Network structure
widespread acceptance of national and international information systems standards can undermine an organisation s com
the inherent risk associated with an organisation decreases considerably when an organisation has an information system
Users need not remember multiple passwords, only a single password
Software licensing
proper validation procedures to be built in during user creation and password change
to educate the customer about the importance of card security
PIN entry via a secure terminal
plastic cards with magnetic stripe and a PIN
dial-disconnect-callback features
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would r
generating a control total for a point-of-sale device
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Data base structures and the source codes.
The user-id used to make the attempt
Implementation
Develop CAATs in detecting such instances.
The success of a BPR is reached when the business and the risk suit the re-engineering process.
Segregation of duties is maintained
Only targeted transactions can be examined using CIS.
have to authenticate themselves only once, and not after that
Batch control totals
Substantive testing tests validation while compliance testing tests for regulatory requirements.
reduce the expected loss from a threat
Data ownership resides with the most appropriate users
line conditioning technique
Invalid transactions
Modules should have only one entry and one exit point
Maintenance
fax/modem software
double wiring of the CPU and peripheral equipment to prevent malfunctioning
whether the system being monitored has provided users with a strategic advantage over their competitors
31 bit cipher system
Concurrency and sequence number
Software acceptance criteria
Access control lists and access control privileges
Increased productivity
Corrective
Data encryptor
Whether appropriate controls have been incorporated.
password encryption technique
a single person does not have complete control over a transaction from start to finish
Distributed applications or services
TCP/IP
increase the speed of data transmission
Systems testing
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
A random structured
Dollar - unit sampling
Tokens may be captured by a node and before releasing it the node may fail
an application program error
Scanning the output for obvious errors
Batch control totals
A confirmation letter received by the IS auditor directly from an outside source
Detailed specifications of the vendor's hardware.
Generalized audit software.
Port
the installation of the anti-virus software should be properly authorised
Star topology network
Process errors
generated as a printer output necessarily
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
Inappropriate, since access should be limited to a need-to-know basis, regardless of position.
Prevent the file from being overwritten before the expiry of the retention date
Cost of computer downtime
Implemented
Stratification and frequency analysis capability
Source documents do not have to be redesigned.
Data base structures and the source codes.
Resource management
Format check
an UPS and spike buster
Use of two VANs
data management subsystem
Concurrency and sequence number
Permit updating for everyone in IS but restrict read access to source code to one position
service type
Frequently changed access controls
file server
to educate the customer about the importance of card security
Maintenance costs
Software independence
whether the system being monitored has provided users with a strategic advantage over their competitors
Code metrics
They are unaffected by electrical interference
Permanent Virtual Circuit (PVC)
Establishing data usage guidelines
the designer is circumspect about the user's cooperation in spelling out their requirements
Integration test
the decryption key should be kept a secret
Output analyser
Detect the presence of viruses.
does not require each node through which the message passes to be protected against hacking
changing the order of the message
communicate the PIN to the cardholder over phone
The sample size decreases with a decrease in the standard deviation.
Suggests the management of control and system enhancements.
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or dest
Rerun the audit software against a backup of the inventory master file.
Detective controls
All the back up storage devices and the backed up floppies & disks
Observation
Foresee important problems prior to occurring.
Assessing the required Security procedures for the IS environment.
organises itself along hierarchical lines of communication to a central host computer.
Data owner
ciphertext form produced only from an irreversible encryption algorithm
Identify the various layers of ISO/OSI model to which each component belongs
DES Cryptosystem
reviewing software quality
Public key of the sender
it is less likely to be used in a business systems environment than a discretionary access control policy
Narrowband ISDN, central office switches, Voice Mail system
Licensed software
TCP/IP
Number of customer problems reported to the size of the product
Licensed software
investment in hardware is smaller for each site than for a central site
Batch control totals
Traffic analysis
Rerun the audit software against a backup of the inventory master file.
Rectification of errors
program source code modification
Developing and implementing an IS security standards manual
Dollar - unit sampling
improving the overall reliability of the networks
Only targeted transactions can be examined using CIS.
Recommendations and conclusions based on the findings from the audit.
Vendors not in the table file will be paid.
Deadlock resolution
Run-to-run totals
Preparation of the information security standards manual
Rivest, Shamir, Adleman (RSA)
Delay distortion
Malfunctioning in one node will not bring a star network down
does not require each node through which the message passes to be protected against hacking
Develop CAATs in detecting such instances.
Communication protocol
Licensed software
existence of call forwarding devices
System navigation guidelines
manager in charge of the information systems function
data preparation, data input
program source code modification
encrypt the message with the receiver's public key and sign the message with the sender's private key
they have available special hardware/software tools that enable them to breach data integrity
Program changes due to fine tuning of existing systems
Systems management
Application system errors
Central processing site during application program processing.
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Verify specific balance-sheet and profit and loss account values
the loss likely to occur if the threat materializes multiplied by the probability of the threat
Designing database applications
Detect the presence of viruses.
transmission delay
Trojan Horse
One-time pad
All valid transactions
The transactions shall be recorded chronologically as they are put through
If afterimages have been corrupted, rollback is not achievable
Screen-oriented manipulation user interfaces
Creeping functions
Function points
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
Concurrent / parallel existence of Duplicate Information system functions.
concentration technique
the work is boring so high turnover always occurs
Twisted-pair (unshielded) cable
the controls that prevents unauthorised and improper use of data and program
Frequently changed access controls
Increased business activity and revenue
Limiting access to local drives and directories
program source code modification
Completing the system design document
Integration test
Actual time
Such access authority is inappropriate because it violates the principle of "access on a need-to-know basis, irrespective
Known procedure
provides an automatic audit trail, whereas a floppy disk does not
Program changes due to fine tuning of existing systems
Systems management
verifying control totals
Diminish chances of committing improper / illegal acts by the employee.
Terminal simulator
Application system errors
Inductive wiretaps can pick up the free space emissions emanating from amplifiers
acceptance of executable only from the established and trusted source
tape librarian
security awareness programme
Plan is reviewed and updated regularly.
They both encrypt messages
Encryption will solve all problems of industrial espionage
Delay distortion
an application program error
resistance to change
User satisfaction
Implementation
The success of a BPR is reached when the business and the risk suit the re-engineering process.
Modularity
the work is boring so high turnover always occurs
Regular back ups by many of the LAN nodes are not taken in the file server.
forging of messages by the receiver
Completeness, accuracy and validity of update
Software licensing
Distributed applications or services
TCP/IP
snap shots of all transactions are taken
Software acceptance criteria
Increased productivity
transmittal control
Data ownership resides with the most appropriate users
Operating systems
the decryption key should be kept a secret
Source documents do not have to be redesigned.
Generalized audit software.
the second-last full dump
Object-oriented technology
Performing system activity analysis
Suggests the management of control and system enhancements.
Control risk
Detective controls
Disabling all the redundant passwords
With compatible equipment and applications
Traffic analysis
Flow-charting tool
Automatic error correction
batch containing errors would be rejected for correction prior to processing
Estimating electrical load
QA personnel should have the greatest incentives to effect improvements to information systems standards
A development control
Prevent the file from being overwritten before the expiry of the retention date
Corrected errors should be initialed by the person correcting the error
Deadlock resolution
Central processing site during application program processing.
Cluster sampling selection technique
Daily control totals.
Reviewing audit reports of the previous years.
deleting all the data on the hard disk
tape librarian
Under normal circumstances only about 25% of the processing is critical to an organisation. Hence, there is no need to ta
dynamic equalization
Implementation
Concurrent / parallel existence of Duplicate Information system functions.
They are unaffected by electrical interference
channel
it is less likely to be used in a business systems environment than a discretionary access control policy
Tests of general controls
Photo identification card
Call-back techniques
Ensuring seamless integration
a malicious operator can undermine a disaster recovery operation by corrupting backup files progressively over time
applets recording keystrokes made by the client and, therefore, passwords
Data Entry
Barometer
Licensed software
Lease or purchase
sender's public key
Data base structures and the source codes.
Operating systems
Observing the system operator's work
It provides a means for measuring the actual misstatement in assertions
thunder and lightning
Implementation
Librarian forgot to log tape movement
Overall risk assessment of operations in the organisation.
Format check
Whether all the software on the computer is properly licensed.
Disk utility
naming convention gives a unique identity to the resources
It facilitates identification of the users that have effected changes to the database
User satisfaction
Reviews
duplicate transaction processing
Systems management
private key and a public key
small protection domains
existence of call forwarding devices
Prevent the file from being overwritten before the expiry of the retention date
Of higher volume and of bigger size
timed authentication is required
Coding
Increased business activity and revenue
Corrective
Data encryptor
verify the format of the number entered and then locate it on the database
Identify the various layers of ISO/OSI model to which each component belongs
data preparation, data input
reviewing software quality
Calculation of Foot Totals
Plan is reviewed and updated regularly.
Automated teller machine system
Testing
White-box, specification-based, logic-driven technique
Lease or purchase
the decryption key should be kept a secret
Wireless Local Area Network
commodity
Frequently changed access controls
It can be used to obtain an unauthorized copy of a report.
Option C
A legacy system is difficult to port to other environments
Laser activated photo identification.
Duplicate transaction processing
Audit hooks
downloaded codes reading files on the client s hard disk
Each request for data made by an application program must be analysed by DBMS.
Integrated services digital network (ISDN)
production work flow control
Volume test
Maintenance
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
it can be a major bottleneck in the work flow in a data processing installation
CIS cannot write exceptions identified to a log file
Examine the creation date and file size.
free channel utilization to make more capacity available for the user
Compliance tests
Test transactions are representative of normal application system processing.
Availability of adequate manpower for the effective implementation of the system.
demagnetising the hard disk
restricting access to sensitive messages by restricting them to specific parts of the network
Transport
Unit test cases
Faster delivery
Detailed Testing
Does not provide backup in the event of absence.
It is easy to assign the cost of using link encryption to the users of the link
Link editor
Digital signature.
Analysis of system generated core dumps
Substantive tests of executed program logic
machine room fires
Mr. S 's private key
availability
defrauding by the receiver by colluding with the sender.
confirm that the card is not listed as hot
High MTBF values imply good reliability
System D - Likelihood 25%, Losses(in$) 4 million
Configuration test
error log
Extension of the network to new users
Recovery
Interviewing the system operator's supervisor
Tolerable rate and the expected deviation rate.
Temperature increase
altering the audit trail to correct an error
Parallel simulation
Specifying physical data definition
Reviewing execution of computer processing tasks.
All input transactions
lesser flexibility in leveling system workloads
The technique provides for taking the backup on a high speed medium like CDROM
Expert systems can explain their own actions
Productivity
A legacy system is difficult to port to other environments
Incremental model
Development time of a high priority system is more than 12 months.
redundancy control
It is easy to assign the cost of using link encryption to the users of the link
denial of message services
Ensure that management s hardware acquisition plan has taken into consideration technological obsolescence.
Managing end-user expectations
Accreditation and assurance
The model is iterated too many times
the designer is uncertain as well as the user about the requirements and it is likely to evolve as the design progresses
maintaining a test deck
dedicated telephone lines
Each request for data made by an application program must be analysed by DBMS.
production work flow control
A control chart
Estimate the operating costs of the communication subsystem
Maintenance
checking the transaction log
inadequate backup and recovery capabilities
Reviewing execution of computer processing tasks.
Record locking
Less computer equipment
network defence program
it can be a major bottleneck in the work flow in a data processing installation
The confidence level increases as the sample size decreases.
Touring key activities of the organisation.
Recovery actions for the error codes.
The users should be required to review a random sample of processed data.
The audit review file.
using CAAT techniques to know the access provided in the software
Design fault
Faster delivery
Both the Internal and External business processes are covered under the standard.
authorizations are no longer needed
production work flow control
Field-size check
Decision table
customer over the authenticity of the hosting site
Establishing data disclosure guidelines
Windows NT platform
It has high risk of wire-tapping
Test case preparation and test case execution
Screens, interactive edits, process programs and sample reports
Application Programming
production work flow control
non-repudiation
Information-oriented techniques
Maintenance
Conversion projects
Sign-on verification security at the operating system level
Terminal controllers
altering the audit trail to correct an error
System performance
The technique provides for taking the backup on a high speed medium like CDROM
is suitable for an online system whereas a floppy disk is not
Skills and judgement that are commonly possessed by IS practitioners of that speciality.
Test all new software on a stand-alone microcomputer.
Non-critical systems
The technique provides for taking the backup on a high speed medium like CDROM
Repudiated transactions
Fourth-generation programming languages
Rapid prototyping model
production work flow control
Optical fiber
Such access authority is inappropriate because they have the full knowledge and understanding about the system
Private key modifications
Managing end-user expectations
Suggestive
15 bit cipher system
confirm that the card is not listed as hot
call-back telephone facility
Suggestive
the decryption key is the same as the encryption key
Software testing
Duplicate files and backup procedures
Analysing system schedules
Compliance tests
Taking picture of transaction as it flows through a system
Manual recalculation of sample items
Remote processing site prior to transmission to the central processing site.
The technique provides for taking the backup on a high speed medium like CDROM
with full access to read, write and execute
Expand the use of the built-in access controls to new applications.
Offsite storage location should be secured and should not be easily identified from the outside.
Maintenance
The sequence of the phases cannot vary
Rent or purchase
Increased number of people using the technology causes a serious concern for BPR projects.
Hardware
private branch exchange
is suitable for an online system whereas a floppy disk is not
time sharing
Logical design of a database
to alleviate conflict between the Statutory Auditors and Information Systems Auditors
QA personnel should have incentives to ensure their organisation adopts the best set of quality assurance standards
The program contained a serious logic error
whether users are authorised and authenticated prior to granting access to system resources
Developing system justification
Security mechanisms
Application Programming
Guaranteed procedure
production work flow control
ciphertext form that is a function of the account number
Volume test
Face-to-face communications
Terminal controllers
correcting a hardware error in a modem
facility to change queue sizes at a node
Decision- table preprocessor
Functional business areas under audit.
control the normality of the distribution curve of the loss from the threat
Custody and control over the non IS assets.
Analysing system schedules
Each request for data made by an application program must be analysed by DBMS.
database administrator
Analysis of system generated core dumps
Access control
confirm that the card is not listed as hot
none of the above
The users should be required to review a random sample of processed data.
the decryption key is the same as the encryption key
The cost per transaction to process on each type of computer has decreased in recent years
Having the information systems steering committee set the priority
mail the card and PIN mailer separately in registered envelopes
it can be a major bottleneck in the work flow in a data processing installation
Data storage
Logical design of a database
establishing control over output
private branch exchange
User updates of their access profiles.
All input transactions
checking the transaction log
Standard deviation of the population
Cost of technical action
Develop a GUI application
Unit test cases
Project Management tool
End user interface
The iterative model
Develop a client/server system
System size and complexity
Communication channel
crashing disk drives read-write heads
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
Standby power supplies
allow a reasonable number of PIN entry attempts, close the account after the limit has been reached, and retain the card
Continuous training
be in the top floor
Database replication
Suggestive
follow-up on unpaid accounts if a transfer pricing scheme is being used
encrypt the message with the receiver's private key and sign the message with the sender's public key
dynamically share a smaller number of output channels
Establishing data disclosure guidelines
System external specifications
the decryption key is the same as the encryption key
Extension of the network to new users
Program changes due to changes in data formats
Data compression
private branch exchange
A big bang approach
An index sequential
Taking picture of transaction as it flows through a system
All input transactions
Sequential sampling selection technique
Using a locking device that can secure the notebook computer to an immovable object.
Unauthorized vendors' invoices will be paid
Should be easily identified from outside so that in the event of an emergency it can be easily found
Reduce risks of existing or anticipated control weaknesses.
Check digit
Sign-on verification security at the operating system level
The ability of a personal computer to act as a data terminal
Ensure a standard quality of life is led by the employee, which could enhance productivity.
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Remote processing site prior to transmission to the central processing site.
convert analog signals to digital signals
Maintenance
Recovery actions for the error codes.
Keeping sensitive programs and data on an isolated machine.
Data encryption standard (DES)
Introduction of automated checks to detect corruption of messages
General design documents
conduct a substantive test of the application system
a satellite line
Random Access Memory (RAM)
time sharing
For the decryption, the decryption key should be equivalent to the encryption key
a new key is generated for each transaction
Allowing distributed processing
Internet Protocol (IP) address
Information hiding
Security mechanisms
manager responsible for the internal audit function
Suggestive
Statistical Sampling
How the new application will fit with other applications
Evaluating software distribution
Using a locking device that can secure the notebook computer to an immovable object.
Range check
follow-up on unpaid accounts if a transfer pricing scheme is being used
Maintenance
It provides for full processing capability in the event of a disaster.
Test transactions are representative of normal application system processing.
Functional business areas under audit.
Selection of testing sample data
User updates of their access profiles.
Malfunctioning of the hub will bring the star network down
the second-last residual dump
It is not always possible to determine how much damage has been done for undoing it
Developing conversion plans
Walkthroughs
Low cohesion of modules, low coupling of modules, and low modularity of programs
Rent or purchase
Corporate database definition.
Distributed applications or services
Grade of Service
physical security
Punishable by law relatively easily
The iterative model
Project staff skills
Access control
low error propagation
confirm that the card is not listed as hot
High MTBF values imply good reliability
inappropriate, because technical support personnel are capable of running the system
enforced periodic change of the PINs
PIN entry at acquirer's premises
To explore the use of new technology
Appropriate accounting for rejections and exceptions
inappropriate, because technical support personnel are capable of running the system
Managing end-user expectations
message integrity
dynamically share a smaller number of output channels
Conversion projects
Custody and control over the non IS assets.
Optical fiber
maintain a log of all transactions of an organisation with its trading partner
denial of message services
Information processing facilities operations and procedures manuals.
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
attenuation amplification
Black-box, specification-based, data-driven technique
Compliance tests
Ownership is irrelevant on account of diversified control.
Provides utility programs for a limited number of application systems
Encryption is resorted to as a control technique more in bus topology than ring topology
Traditional system development life cycle
Configuration test
The iterative model
Decision table
time sharing
the users are assigned privileges only if they know the password for each resource
Portability
receiver's private key
remembered information
Rapid prototyping model
Configuration test
How the new application will fit with other applications
increasing inventory by reducing order lead-time
production work flow control
X.12
Application Programming
thin ethernet cable transmission
altering the audit trail to correct an error
it can be a major bottleneck in the work flow in a data processing installation
Review system logs on such occasions to identify irregularities encountered if any.
multiple transmission speeds
Tolerable rate and the expected deviation rate.
On-line system response times
A report generated by the accountant from internal evidence
An organisation chart provides a precise definition of the segregation of duties among the employees.
Managing distribution of outputs.
Ensure a standard quality of life is led by the employee, which could enhance productivity.
Ensuring data processing resources are efficiently used.
security measures are easier to provide
Random Access Memory (RAM)
the adoption of national and international information systems standards reduces conflict within the management
QA report must degenerate into a long list of defects that have been identified
an audit trail is not required with a mandatory access control policy
Analysis of system generated core dumps
Substantive tests of executed program logic
transmission cipher
data
Interviewing people at the site for the specific tasks performed by them.
required display of user codes and passwords
Magnetic card reader
Continuous training
User interface
The sequence of the phases cannot vary
Testing
Extension of the network to new users
Product reliability
Coaxial cable
A data dictionary
How the new application will fit with other applications
Reduced software maintenance efforts
checking the transaction log
low error propagation
Diagnostic routines
Data compression
Optical fiber
thin ethernet cable transmission
denial of message services
It is easy to assign the cost of using link encryption to the users of the link
with full access to read, write and execute
Sequential sampling selection technique
Providing audit documentation for review and reference.
Password files are encrypted and the system should force the user to change the initial password allotted and also at sub
Testing
Obsolescence
Development time of a high priority system is more than 12 months.
Chargeback system
transmission cipher
QA report must degenerate into a long list of defects that have been identified
information systems personnel tend to prefer a development role to a monitoring role
Cryptographic devices
traffic is exchanged through the firewall at the application layer only
Appoint a qualified computer operator on a temporary basis.
Access control
be in the top floor
The logic needed to solve a problem in an application program
Audit hooks
log of unsuccessful log on attempts are reviewed online and the active monitoring of the same by the security administrat
Relational structure
It has high risk of wire-tapping
How the new application will fit with other applications
No, since this backup provision is adequately provided for in the agreement.
Test all new software on a stand-alone microcomputer.
security measures are easier to provide
Link editor
It is easy to assign the cost of using link encryption to the users of the link
Test metrics
multidrop line network
Code optimiser
Analog signals are less attenuated than digital signals
Data ownership and classification
The period up to which the log file is retained
Operations controls
General design documents
Tracing
Guaranteed procedure
Both the Internal and External business processes are covered under the standard.
Reduce risks of existing or anticipated control weaknesses.
Turnaround documents
whether a master file should be stored on a particular storage medium
Standby power supplies
Incremental model
Suggestive
Decreasing of the legal liabilities over proprietary data
The cost per transaction to process on each type of computer has decreased in recent years
Maintenance
System external specifications
Faster delivery
Recovery actions for the error codes.
Managing distribution of outputs.
Public switched telephone network
Train current users in how to specify the right destination codes for their printing.
Maintenance
The IS auditor conducting a comprehensive security control study.
Test transactions are representative of normal application system processing.
traffic analysis
Responsibilities of each organizational unit
Indicates the action to be taken when a rule is satisfied.
Updating of anti-virus configuration settings on logging in by the user.
Allocation of log-on Ids are controlled
All financial processing applications
The receiver might not have captured the token but it might have passed the addressee node
Repudiated transactions
Low maintenance cost
Tracing
Low cohesion of modules, low coupling of modules, and low modularity of programs
Productivity
An important means of discouraging illegal acts.
relocating devices in the office is an expensive and difficult task
correcting a hardware error in a modem
Coaxial cable
System size and complexity
sender's public key and receiver's private key
an offsite back copy should be maintained
it can be a major bottleneck in the work flow in a data processing installation
Application layer
A control chart
Recovery actions for the error codes.
Access control at data base management system level
Control total
establishing control over output
Range check
Statistical sampling capabilities
Code optimiser
Providing audit documentation for review and reference.
Operational controls
highlights and identity of the sensitive security features
installing anti-virus software on all nodes
distribution of output
Cold site
Developing conversion plans
Low maintenance cost
input subsystem
map the network software and hardware products into their respective layers
It is easy to assign the cost of using link encryption to the users of the link
is suitable for an online system whereas a floppy disk is not
production work flow control
Coaxial cable
QA personnel should have incentives to ensure their organisation adopts the best set of quality assurance standards pos
The only way to breach the privacy of online reports is to wiretap the communications line
Access control at data base management system level
The same user can initiate transactions and also change related parameters
whether users are authorised and authenticated prior to granting access to system resources
Modularity means program segmentation
Maintenance
System migration guidelines
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
Establishing data disclosure guidelines
System D - Likelihood 25%, Losses(in$) 4 million
for them to carry out their work, normally the application system controls have to be relaxed
Allowing distributed processing
Recovery actions for the error codes.
Concurrent transaction processing
Standby power supplies
the decryption key is the same as the encryption key
all of the above
Log attempts of unauthorized access.
Manual recalculation of sample items
Record locking
Hard disk free space
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Analysing system schedules
Audit trail records can be amended by the users.
Allow for cash withdrawal and cash deposits only
Modularity means program segmentation
System migration guidelines
Communication channel
improved business relationships with trading partners
It is easy to assign the cost of using link encryption to the users of the link
encryption system that can not be used more than once
Substantive tests of executed program logic
Rent or purchase
Accreditation and assurance
formulated by the operations manager and promulgated as a standard throughout the organisation
crashing disk drives read-write heads
Cost of initial debugging of software
Configuration test
Compliance tests
a satellite line
free channel utilization to make more capacity available for the user
renders the chargeback system easier and more effective
the unique identifier of the sender's node from which it was sent
Black-box, specification-based, data-driven technique
Low cohesion of modules, low coupling of modules, and low modularity of programs
Use of individual passwords plus separate access passwords for customer data and product data
The password used to make the attempt.
it can be a major bottleneck in the work flow in a data processing installation
security measures are easier to provide
User updates of their access profiles.
Process the data using a different generalized audit software.
the second-last residual dump
elimination of control total problems when the transactions are resubmitted after a disaster and a restoration of the backu
Less computer equipment
Maintenance
Skills and judgement that are commonly possessed by IS practitioners of that speciality.
IS personnel do not enjoy the as much power and clout in organizations as manual systems personnel do like the HR per
Data encryption standard (DES)
Should be easily identified from outside so that in the event of an emergency it can be easily found
Project Management tool
The sequence of the phases cannot vary
Maintenance
Assessing the organisation's business needs.
Decision table
Standardisation
Magnetic card reader
Maintenance
Activate the fire extinguishing system.
Incremental model
receiver's private key
enforced periodic change of the PINs
Decision table
changing the cryptographic key has no implications for existing PINs
Inclusion of an uninterruptible power supply system and surge protection.
Duplicate files and backup procedures
the designer is uncertain as well as the user about the requirements and it is likely to evolve as the design progresses
mail the card and PIN mailer separately in registered envelopes
Standby power supplies
Specifying physical data definition
follow-up on unpaid accounts if a transfer pricing scheme is being used
traffic analysis
Interviewing the system operator's supervisor
the control objectives pose more problems for implementation
Inclusion of an uninterruptible power supply system and surge protection.
The users should be required to review a random sample of processed data.
Process the data using a different generalized audit software.
Operational controls
Detailed organisation chart
There will be no need for taking a data dump
It is not always possible to determine how much damage has been done for undoing it
Changes in project scheduling
Obsolescence
Reduce risks of existing or anticipated control weaknesses.
defrauding by the receiver by colluding with the sender.
Application control
Magnetic card reader
A legacy system is difficult to port to other environments
Continuous training
Rent or purchase
Accreditation and assurance
data capture, data preparation, data capture, data input
Analysis of system generated core dumps
required display of user codes and passwords
Magnetic card reader
User interface
Security mechanisms
Suggestive
Controlling file-transfer rights
an audit trail is not required with a mandatory access control policy
The time and cost parameters for software projects are within schedule and comply with the estimated ones.
The iterative model
Faster delivery
Include data which represent conditions that occur in actual processing
A communications terminal control hardware unit that controls a number of computer terminals.
Multiplexor
The ability of a personal computer to act as a data terminal
thin ethernet cable transmission
Legal requirements
An increase in control risk
Analysing system schedules
The password used to make the attempt.
Detailed organisation chart
Data encryption standard (DES)
Point-to-point network
transmission on satellite microwave
User acceptance testing
Guaranteed procedure
Both the Internal and External business processes are covered under the standard.
Ensuring data processing resources are efficiently used.
relocating devices in the office is an expensive and difficult task
Each request for data made by an application program must be analysed by DBMS.
Grade of Service
Regular back ups taken at periodical intervals
Concurrent transaction processing
Suggestive
formulated by the operations manager and promulgated as a standard throughout the organisation
none of the above
manager responsible for the internal audit function
Rapid prototyping model
Terminal controllers
Test metrics
The cost per transaction to process on each type of computer has decreased in recent years
Unit test, integration test, systems test, acceptance test
altering the audit trail to correct an error
Maintenance
Detailed Testing
Lack of internal program documentation
a satellite line
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Compliance tests
Decision- table preprocessor
Access privileges are established on a need-to-know basis
The password used to make the attempt.
The audit review file.
Corrective control
Identify applications that could be processed at the alternate site and develop manual procedures for other applications.
Design fault
Both the Internal and External business processes are covered under the standard.
security administration subsystem
correcting a hardware error in a modem
Public switched telephone network
physical security
Operating System
Sign-on verification security at the operating system level
Identification on the cardkeys documenting the name and address of the data centre.
Rent or purchase
non-repudiation
maintaining a test deck
data capture, data preparation, data capture, data input
sender's public key and receiver's private key
Maintenance
Only the IS Auditor can determine whether the controls in the system are adequate
validation logic applied to fields and records based on their interrelationships, with controls established for the batch.
ciphertext form that is a function of the account number
Custody and control over the non IS assets.
Sign-on verification security at the operating system level
Destruction of the logging and auditing data
Statistical sampling capabilities
Indicates the action to be taken when a rule is satisfied.
attenuation amplification
There will be no need for taking a data dump
Less computer equipment
Automated controls
Modification of the message
Repudiated transactions
Testing phase
Project Management tool
Data bugs
End user interface
Does not provide backup in the event of absence.
Business priorities will not be modified.
it can be a major bottleneck in the work flow in a data processing installation
Coaxial cable
an audit trail is not required with a mandatory access control policy
The same user can initiate transactions and also change related parameters
Appoint a qualified computer operator on a temporary basis.
User interface
availability
The model is iterated too many times
data capture, data preparation, data capture, data input
an audit trail is not required with a mandatory access control policy
Portability
Link editor
ISP's network
Quality assurance review
Distributed applications or services
Ensure a standard quality of life is led by the employee, which could enhance productivity.
It provides a means for assessing the risk that the sample results will not accurately represent the population characterist
transmission on satellite microwave
All input transactions
Determining whether system specification documents are available
separation of duties does not totally eliminate frauds in manual systems whereas computerized systems do not allow frau
Specifying physical data definition
Multiplexor
log of unsuccessful log on attempts are reviewed online and the active monitoring of the same by the security administrat
always boot from the diskettes
Helping the user by reminding the user's password through the screen
Provides utility programs for a limited number of application systems
Encrypting twice with the same key
Cost of initial debugging of software
Developing system justification
required display of user codes and passwords
Magnetic card reader
Cryptographic devices
The model is iterated too many times
Configuration test
sender's public key and receiver's private key
use of a fake public key
Establishing data disclosure guidelines
message deletion
Security
A communications terminal control hardware unit that controls a number of computer terminals.
Appropriate accounting for rejections and exceptions
For the decryption, the decryption key should be equivalent to the encryption key
encryption system that can not be used more than once
Detailed Testing
Information processing facilities operations and procedures manuals.
it can be a major bottleneck in the work flow in a data processing installation
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Legal requirements
Standard deviation of the population
Internet trend analysis of the industry's performance.
An organisation chart provides a precise definition of the segregation of duties among the employees.
Access privileges are established on a need-to-know basis
renders the chargeback system easier and more effective
Identity based policy
redundancy control
input subsystem
crashing disk drives read-write heads
Duplicate files and backup procedures
high work factor
smaller protection domains are permitted
allow a reasonable number of PIN entry attempts, close the account after the limit has been reached, and retain the card
Range check
crashing disk drives read-write heads
the decryption key is the same as the encryption key
Test case preparation and test case execution
Security
Number of customer problems reported per user month
Evaluating software distribution
Improvement done by the line management.
Test all new software on a stand-alone microcomputer.
It is easy to assign the cost of using link encryption to the users of the link
production work flow control
System performance
Record locking
Process the data using a different generalized audit software.
Transport
altering the audit trail to correct an error
private branch exchange
Malfunctioning of the hub will bring the star network down
Distributed
The latter tests for controls while the former tests for details
using CAAT techniques to know the access provided in the software
details of complete authentication steps and security procedures to allow access
Authority to access and delete transaction data files
Plan is circulated to all the Head of Departments
preparations and plans for the accidental damage or loss in the IPF
Should be easily identified from outside so that in the event of an emergency it can be easily found
Malfunctioning of the hub will bring the star network down
Productivity
Graphical-user interface (GUI) technology
System migration guidelines
Quality assurance manager.
the decryption key is the same as the encryption key
a new key is generated for each transaction
Interviewing people at the site for the specific tasks performed by them.
Willful damage to IS hardware or software.
Application layer
Security mechanisms
dedicated telephone lines
QA
Each request for data made by an application program must be analysed by DBMS.
none of the above
Configuration test
Portability
Faster delivery
validation logic applied to fields and records based on their interrelationships, with controls established for the batch.
A communications terminal control hardware unit that controls a number of computer terminals.
A control chart
Face-to-face communications
Review of console logs for attempted / illegal intrusion.
Range check
maintain a log of all transactions of an organisation with its trading partner
Compliance tests
Information processing facilities operations and procedures manuals.
Test metrics
a procedural lapse
It provides for full processing capability in the event of a disaster.
data are recorded on source documents so it can be keyed to some type of magnetic medium
An index sequential
An increase in control risk
No, since this backup provision is adequately provided for in the agreement.
Programming controls
A legacy system is difficult to port to other environments
maintain a log of all transactions of an organisation with its trading partner
be in the top floor
Substantive tests of executed program logic
Developing system justification
Laser activated photo identification.
Cost of initial debugging of software
Access control
Managing end-user expectations
Duplicate transaction processing
The logic needed to solve a problem in an application program
Maintenance
transmission cipher
inappropriate, because technical support personnel are capable of running the system
none of the above
Modems
remembered information
Volume test
Conversion projects
establishing control over output
Log attempts of unauthorized access.
altering the audit trail to correct an error
to eliminate the risk that unauthorised changes may be made to the payment transactions
Accept the statistical hypothesis that the value is not materially misstated when the true value is not materially misstated
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Calculation verifications.
Expand the use of the built-in access controls to new applications.
Formulation of a corporate information security policy and its adoption by the top management
thin ethernet cable transmission
the second-last residual dump
Walkthroughs
Assumptions
Cost of initial debugging of software
Develop a client/server system
System size and complexity
Reduce risks of existing or anticipated control weaknesses.
packets travel through the network depending upon channel availability
Digital signature.
error log
Developing system justification
for them to carry out their work, normally the application system controls have to be relaxed
Accreditation and assurance
Estimate the operating costs of the communication subsystem
concentrator
Expert systems can explain their own actions
A control chart
Information-oriented techniques
Contractual issues
concentration technique
establishing control over output
inadequate backup and recovery capabilities
Determining whether system specification documents are available
is suitable for an online system whereas a floppy disk is not
Updating of anti-virus configuration settings when the user logs in.
understanding of internal controls
User updates of their access profiles.
balancing procedures through the system itself automatically
always boot from the diskettes
Detailed organisation chart
Restart procedures
Repudiated transactions
Maintenance
Does not provide backup in the event of absence.
denial of message services
It is more likely that the external auditors will focus on the reliability of the QA function rather than undertaking direct tests
data
Only one person should be responsible for correcting errors in any application system
tape management system is putting processing at risk and that the parameters must be set correctly.
the decryption key is the same as the encryption key
dynamically share a smaller number of output channels
What error analysis techniques were used?
a satellite line
Compliance tests
Code optimiser
Internet trend analysis of the industry's performance.
The audit review file.
Manual recalculation of sample items
demagnetising the hard disk
data entry by the user department is made easy
the exposures associated with transmitting credit card PINs as clear text
Data bugs
conduct a substantive test of the application system
Developing system justification
Including other features of word processing, spreadsheets and e-mails.
multiple transmission speeds
15 bit cipher system
Call back procedures
Field-size check
inappropriate, because technical support personnel are capable of running the system
Modularity means program segmentation
non-repudiation
downloaded code reading files on the client's hard disk
Windows NT platform
Paid EDI and non-EDI invoices
encryption system that can not be used more than once
Output distribution
Whether the computer has terminal emulation software on it.
Access privileges are established on a need-to-know basis
A communications terminal control hardware unit that controls a number of computer terminals.
it can be a major bottleneck in the work flow in a data processing installation
security measures are easier to provide
Detailed Testing
System performance
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Diagram checking tools
restricting access to sensitive messages by restricting them to specific parts of the network
it can be a major bottleneck in the work flow in a data processing installation
Code optimiser
The same user can initiate transactions and also change related parameters
demagnetising the hard disk
The receiver might not have captured the token but it might have passed the addressee node
Data errors
Including other features of word processing, spreadsheets and e-mails.
inadequate backup and recovery capabilities
Relational structure
the adoption of national and international information systems standards reduces conflict within the management
It is more likely that the external auditors will focus on the reliability of the QA function rather than undertaking direct tests
Security administration is made simple
Product reliability
require a periodic review of matching of user ID and passwords for detection and correction
enforced periodic change of the PINs
PIN entry at acquirer's premises
call-back telephone facility
inadequate backup and recovery capabilities
Coaxial cable
The ability of a personal computer to act as a data terminal
the users are assigned privileges only if they know the password for each resource
Field-size check
required display of user codes and passwords
Magnetic card reader
ciphertext form that is a function of the account number
enforced periodic change of the PINs
correcting a hardware error in a modem
Time period for which the key is valid
manager responsible for the internal audit function
data capture, data preparation, data capture, data input
Standby power supplies
the receiver forging a message using the sender's private key
Duplicate files and backup procedures
System testing
Optimistic Time
An organisation chart provides a precise definition of the segregation of duties among the employees.
altering the audit trail to correct an error
Test metrics
Taking picture of transaction as it flows through a system
On-line system response times
Providing audit documentation for review and reference.
the loss likely to occur if the threat materializes
Reviewing execution of computer processing tasks.
Check digit
Corrective control
Operations controls
Restart procedures
The time required for subsequent acquisition to meet the requirement
conduct a substantive test of the application system
Information hiding
Systems analyst and database administrator are done by the same person.
Communication channel
Public switched telephone network
manager responsible for the internal audit function
Suggestive
formulated by the operations manager and promulgated as a standard through-out the organisation
dynamically share a smaller number of output channels
A communications terminal control hardware unit that controls a number of computer terminals.
Faster delivery
ciphertext form that is a function of the account number
Data storage
A control chart
Acceptance testing
What error analysis techniques were used?
A communications terminal control hardware unit that controls a number of computer terminals.
whether a master file should be stored on a particular storage medium
It is easy to assign the cost of using link encryption to the users of the link
The receiver might not have captured the token but it might have passed the addressee node
All input transactions
data are recorded on source documents so it can be keyed to some type of magnetic medium
Accept the statistical hypothesis that the value is not materially misstated when the true value is not materially misstated
Ratio and difference estimation.
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Distributed
Statistical sampling capabilities
Test transactions are representative of normal application system processing.
Recovery actions for the error codes.
Output distribution
Check digit
a continuous voltage stabilizer
Point-to-point network
security administration subsystem
logging and restart verification
Restrict updating to one position but permit read access to source code for everyone in IS
Internet Protocol (IP) address
Call back procedures
user workstations
enforced periodic change of the PINs
System size and complexity
Productivity
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
Test metrics
It has high risk of wire-tapping
Integrated services digital network (ISDN)
Establishing data disclosure guidelines
the designer is uncertain as well as the user about the requirements and it is likely to evolve as the design progresses
Configuration test
the decryption key is the same as the encryption key
Code optimiser
Log attempts of unauthorized access.
renders charge back system easier and effective
traffic analysis
mail the card and PIN mailer separately in registered envelopes
The confidence level increases as the sample size decreases.
Conducts a review of the application developed
Reviewing execution of computer processing tasks.
Process the data using a different generalized audit software.
Programming controls
Data ownership and classification
Detailed Testing
Reduce risks of existing or anticipated control weaknesses.
Review of Short and Long term IS strategies.
links all communication channels to form a loop, and each link passes communications through its neighbour to the appro
The database administrator
ciphertext form that is a function of the account number
Estimate the operating costs of the communication subsystem
Digital signature.
troubleshooting electrical connections failure
Time period for which the key is valid
an audit trail is not required with a mandatory access control policy
ISDN LAN Bridges, fiber optics, and asynchronous transfer mode (ATM)
Standby power supplies
X.12
Number of customer problems reported per user month
Standby power supplies
security measures are easier to provide
Range check
Modification of the message
Process the data using a different generalized audit software.
Such access authority is inappropriate because they have the full knowledge and understanding about the system
Guaranteed procedure
is suitable for an online system whereas a floppy disk is not
Program changes due to changes in data formats
Distributed applications or services
establishing control over output
Ensure a standard quality of life is led by the employee, which could enhance productivity.
Decision- table preprocessor
Lack of internal program documentation
Analog signals are less attenuated than digital signals
hosting the website as part of your organisation
access control software & procedures
highlights and identity of the sensitive security features
Plan is circulated to all the Head of Departments
They both sign messages
Some countries will not allow transborder encryption of information
White noise
a procedural lapse
Low maintenance cost
Benefit-cost ratio
Maintenance
The IS auditor is not concerned with the key controls that once existed but with the one which exists in the new business
Standardisation
it can be a major bottleneck in the work flow in a data processing installation
Password controls are not administered over the client/server environment
defrauding by the receiver by colluding with the sender.
Completeness, accuracy and validity of input
Product reliability
Windows NT platform
X.12
write time is minimised to avoid concurrency conflicts
System external specifications
Faster delivery
error log
Access privileges are established on a need-to-know basis
Destruction of the logging and auditing data
the decryption key is the same as the encryption key
Test transactions are representative of normal application system processing.
The audit review file.
the second-last residual dump
Graphical-user interface (GUI) technology
Performing job activity analysis
Conducts a review of the application developed
Detection risk
Programming controls
Helping the user by reminding the user's password through the screen
With similar business activities
Modification of the message
Project Management tool
Turnaround documents
follow-up on unpaid accounts if a transfer pricing scheme is being used
Workload forecasting
QA personnel are in the best position to decide whether quality improvement will result in better achievement of the organ
A documentation control
Prevent the file from being read before expiry of the retention date
Only one person should be responsible for correcting errors in any application system
Range check
Information hiding
The sequence of the phases cannot vary
Extension of the network to new users
Decision table
correcting a hardware error in a modem
For the decryption, the decryption key should be equivalent to the encryption key
an audit trail is not required with a mandatory access control policy
message deletion
inappropriate, because technical support personnel are capable of running the system
The time and cost parameters for software projects are within schedule and comply with the estimated ones.
Cost of initial debugging of software
validation logic applied to fields and records based on their interrelationships, with controls established for the batch.
Extension of the network to new users
security measures are easier to provide
Compliance tests
Decision- table preprocessor
Periodically submitting auditor prepared test data to the same computer process and evaluating the results
A report generated by the accountant from internal evidence
High Level of IS expertise is essential.
Management control system
Automated controls
Frequency of restoration of backups to test the backup tapes
traffic analysis
the unique identifier of the sender's node from which it was sent
Unit test cases
Productivity
Develop a client/server system
Developing system justification
Review of Short and Long term IS strategies.
consider appropriate corrective actions so they can make recommendations to management
maintaining a test deck
System testing
Establishing data disclosure guidelines
Test case preparation and test case execution
Assumptions
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
error log
ciphertext form that is a function of the account number
Estimate the operating costs of the communication subsystem
Test all new software on a stand-alone microcomputer.
thin ethernet cable transmission
The IS auditor is not concerned with the key controls that once existed but with the one which exists in the new business
facility to change queue sizes at a node
Performing job activity analysis
Parallel simulation
The basic objectives of auditing have undergone change
User updates of their access profiles.
unauthorised access to data
highlights and identity of the sensitive security features
Helping the user by reminding the user's password through the screen
concentration technique
Fourth-generation programming languages
The iterative model
Rapid prototyping model
Detailed Testing
Record locking
Remote processing site prior to transmission to the central processing site.
Sequential sampling selection technique
Physical and logical access controls.
Touring key activities of the organisation.
demagnetising the hard disk
access control software & procedures
Identify applications that could be processed at the alternate site and develop manual procedures for other applications.
attenuation amplification
Maintenance
Development time of a high priority system is more than 12 months.
It has high risk of wire tapping
Link editor
an audit trail is not required with a mandatory access control policy
Substantive tests of executed program logic
Magnetic card reader
Cryptographic devices
Allowing distribution processing
operators do not need to rely on documentation during a disaster recovery operation
downloaded code reading files on the client's hard disk
Application programmer
Voltmeter
Standby power supplies
Rent or purchase
receiver's private key
Recovery actions for the error codes.
Destruction of the logging and auditing data
Interviewing the system operator's supervisor
It provides a means for assessing the risk that the sample results will not accurately represent the population characterist
poor contacts
Maintenance
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Providing audit documentation for review and reference.
Check digit
Whether the computer has terminal emulation software on it.
Multiplexor
fancy and international names can be used
The technique provides for taking the backup on a high speed medium like CDROM
Benefit-cost ratio
Walkthroughs
inadequate backup and recovery capabilities
Distributed applications or services
a new key is generated for each transaction
an open environment
required display of user codes and passwords
Prevent the file from being read before expiry of the retention date
Punishable by law relatively easily
traffic is exchanged through the firewall at the application layer only
Testing
Extension of the network to new users
Suggestive
Decision table
confirm that the card is not listed as hot
Estimate the operating costs of the communication subsystem
data capture, data preparation, data capture, data input
troubleshooting electrical connections failure
The time and cost parameters for software projects are within schedule and comply with the estimated ones.
encryption system that can not be used more than once
Commitment
Encryption is resorted to as a control technique more in bus topology than ring topology
Inadequate volume testing.
Non-critical systems
Restart procedures
Malfunctioning of the hub will bring the star network down
There will be no need for taking a data dump
Application programmer mailbox
Menu-oriented user interfaces
Maintenance
Review system logs on such occasions to identify irregularities encountered if any.
Random Access Memory (RAM)
Relational structure
be in the top floor
on-line processing
to alleviate conflict between the Statutory Auditors and Information Systems Auditors
Only one person should be responsible for correcting errors in any application system
Computer systems handle large volumes of data
Operating System
Configuration identification
non-repudiation
the receiver forging a message using the sender's private key
Reduced software maintenance efforts
Current decisions can be based on audited information.
Test metrics
How the new application will fit with other applications
low error propagation
Estimate the operating costs of the communication subsystem
Cryptographic devices
Ensure a standard quality of life is led by the employee, which could enhance productivity.
Taking picture of transaction as it flows through a system
A test to evaluate the validation controls in an input program.
restricting access to sensitive messages by restricting them to specific parts of the network
Legal requirements
Whether the computer has terminal emulation software on it.
always boot from the diskettes
Point-to-point network
Mesh topology network
The data being intercepted and disclosed to others without authorisation
Benefit-cost ratio
Tracing
Assumptions
Each request for data made by an application program must be analysed by DBMS.
With the increase in use, the degree of concern regarding physical security decreases
The logic needed to solve a problem in an application program
Standardisation
consider appropriate corrective actions so they can make recommendations to management
QA personnel are in the best position to decide whether quality improvement will result in better achievement of the organ
Mr. S's private key
require a periodic review of matching of user ID and passwords for detection and correction
QA
Inclusion of an uninterruptible power supply system and surge protection.
inappropriate, because technical support personnel are capable of running the system
validation logic applied to fields and records based on their interrelationships, with controls established for the batch.
validation logic applied to fields and records based on their interrelationships, with controls established for the batch.
User interface
Decreasing of the legal liabilities over proprietary data
sender's public key and receiver's private key
Application programmer
follow-up on unpaid accounts if a transfer pricing scheme is being used
High MTBF values imply good reliability
Audit hooks
Test cases rejected, test cases accepted
The ability of a personal computer to act as a data terminal
Optical fiber
it can be a major bottleneck in the work flow in a data processing installation
enforcing regular password changes
Link editor
Ownership is irrelevant on account of diversified control.
Code optimiser
User updates of their access profiles.
Interviewing the system operator's supervisor
Utilisation details of hardware and software for reviewing functioning of the system.
Inclusion of an uninterruptible power supply system and surge protection.
It prevents repudiation by the sender
Cost of technical action
Walkthroughs
Penalty provisions
Maintenance
Maintenance
Including other features of word processing, spreadsheets and e-mails.
Maturity of the implemented quality system is irrelevant.
Coaxial cable
for them to carry out their work, normally the application system controls have to be relaxed
require a periodic review of matching of user ID and passwords for detection and correction
Decision table
System testing
Standby power supplies
an audit trail is not required with a mandatory access control policy
Suggestive
encryption system that can not be used more than once
Face-to-face communications
Maintenance
Specifying physical data definition
Operating System
correcting a hardware error in a modem
Transport
elimination of control total problems when the transactions are resubmitted after a disaster and a restoration of the backu
Availability of adequate manpower for the effective implementation of the system.
An increase in control risk
Whether the computer has terminal emulation software on it.
Process the data using a different generalized audit software.
demagnetising the hard disk
unauthorised access to data
always boot from the diskettes
Frequency of restoration of backups to test the backup tapes
Guaranteed procedure
Assumptions
Rent or purchase
maintain a log of all transactions of an organisation with its trading partner
Selection of testing sample data
Plan is circulated to all the Head of Departments
Telephone bill paying system
Tracing
Black-box, specification-based, data-driven technique
Rent or purchase
the decryption key is the same as the encryption key
Public switched telephone network
data
Call back procedures
The output could be cancelled before printing.
Answers
B
C
B
A
A
B
D
C
A
C
C
D
B
D
B
A
D
C
D
A
B
A
B
C
C
A
B
D
B
A
C
A
D
B
C
B
D
D
D
D
C
C
B
D
D
A
C
B
A
A
A
C
C
B
A
D
A
A
C
C
D
A
A
D
B
B
B
C
B
A
C
D
A
B
A
C
C
D
C
B
D
C
C
A
A
B
D
C
C
C
B
D
B
D
D
A
B
B
C
D
A
C
B
C
D
D
D
A
A
D
D
C
A
B
C
D
C
B
C
D
D
A
B
C
A
C
D
A
C
C
A
D
C
D
A
B
A
C
C
C
B
D
C
A
A
B
D
B
C
D
D
B
D
B
A
C
D
A
D
D
D
B
A
C
D
C
C
C
C
A
D
B
D
A
D
C
D
D
D
B
D
C
D
D
B
B
A
B
D
D
A
C
D
C
A
B
C
A
C
C
A
B
D
B
A
B
C
B
C
A
C
D
B
A
A
C
C
B
A
A
C
B
B
A
C
D
C
D
A
D
C
B
B
C
D
B
D
B
B
D
D
D
D
B
A
B
D
D
C
C
A
C
C
B
C
D
A
A
B
B
C
C
B
C
C
A
B
C
D
C
D
A
B
A
A
D
B
C
C
D
D
C
D
B
B
D
B
A
C
A
B
D
A
D
C
A
C
D
C
D
B
A
A
A
B
C
C
A
C
B
A
A
B
B
B
B
D
D
D
D
C
C
C
A
A
C
A
A
D
B
A
C
B
C
A
A
A
D
A
A
A
B
B
C
C
D
B
C
B
C
A
A
B
C
D
D
A
B
B
C
A
D
B
C
B
C
D
C
B
D
A
D
D
C
D
A
C
D
B
C
C
A
D
C
A
C
B
D
D
C
D
A
D
C
D
D
B
B
B
C
D
C
D
D
D
A
C
B
C
B
A
D
C
B
A
A
B
A
B
D
C
A
A
C
C
D
C
A
B
C
C
C
B
D
A
D
B
D
C
D
C
A
D
C
A
A
C
B
D
B
C
C
C
C
D
D
D
D
D
B
D
B
A
C
A
D
D
C
D
A
C
B
B
A
D
C
B
C
C
C
B
B
C
C
B
C
C
B
A
D
D
C
D
A
D
A
D
A
C
D
D
B
D
C
C
D
C
D
D
A
B
A
D
B
D
B
D
A
C
A
C
B
C
D
C
B
B
B
D
A
B
C
A
B
D
C
B
D
B
C
D
C
A
A
A
B
C
B
C
A
D
A
B
D
D
B
C
C
C
B
C
C
C
C
C
D
C
D
D
B
A
C
B
D
A
B
C
C
D
B
C
B
A
D
A
B
C
B
B
A
B
B
D
D
C
B
D
B
C
C
A
A
C
C
C
B
A
B
B
C
C
B
D
D
C
C
A
B
B
D
A
D
A
C
C
D
C
B
C
B
A
D
D
C
D
C
C
C
B
A
A
B
B
A
B
C
C
C
C
D
D
C
D
D
D
C
C
B
B
B
D
B
D
A
A
B
C
A
B
C
D
A
C
D
C
D
D
B
C
D
C
C
C
B
C
A
C
B
B
C
C
A
C
D
C
C
C
D
B
D
B
B
A
A
D
C
B
C
A
B
C
B
D
A
B
C
A
D
C
C
B
B
C
B
C
B
C
B
B
A
A
D
A
D
B
B
A
D
B
A
B
D
D
A
B
A
D
B
B
B
D
C
C
D
D
C
A
A
B
B
C
C
A
A
D
A
C
D
C
D
A
A
A
C
A
C
A
C
D
C
B
B
C
C
C
C
D
C
D
A
C
B
C
B
B
B
C
D
D
A
A
A
C
D
D
D
B
B
B
B
D
A
D
D
D
D
A
C
C
B
A
D
D
B
A
B
A
C
B
C
C
D
D
C
C
D
C
B
A
D
A
C
C
D
B
A
B
B
B
D
D
C
D
A
D
A
C
B
A
C
C
A
C
D
C
D
D
C
C
D
A
D
D
A
B
B
A
A
C
B
C
D
A
A
C
B
A
C
C
D
C
D
D
D
C
B
D
B
C
B
B
B
C
A
D
C
D
D
D
A
D
B
B
D
B
A
C
A
B
C
C
D
A
D
D
D
B
D
D
D
A
A
B
B
D
A
D
B
D
D
C
D
D
B
A
C
B
C
C
D
D
B
B
C
D
D
D
D
D
C
A
A
A
D
B
A
B
D
C
D
B
A
B
D
D
D
A
A
B
C
B
B
A
C
A
C
A
C
D
D
D
B
A
D
D
B
D
B
B
B
A
D
D
C
B
D
C
A
A
B
A
A
A
A
A
C
D
C
B
B
A
D
D
C
B
C
B
D
C
C
D
D
C
D
B
A
C
A
C
D
C
D
D
D
B
C
D
A
A
A
B
A
D
B
A
D
A
A
B
B
B
A
A
B
B
D
C
B
B
B
D
C
D
C
B
C
D
A
D
D
D
C
D
B
D
A
C
C
C
A
C
A
A
C
D
D
C
B
A
D
D
D
D
A
B
C
D
B
C
D
A
B
B
B
C
C
D
C
B
C
D
D
D
C
B
B
C
C
C
D
D
C
B
C
C
C
A
B
C
B
A
C
A
A
C
B
C
C
C
D
D
C
C
B
D
C
B
C
C
B
B
B
D
C
C
D
D
B
D
B
B
B
B
A
A
B
A
A
D
C
B
B
A
C
C
B
A
D
B
A
C
D
D
D
B
A
A
C
A
D
D
C
C
D
B
B
B
D
A
A
A
C
C
C
A
A
B
A
B
C
D
C
A
C
C
C
A
D
C
C
C
C
A
B
C
B
A
A
A
D
D
A
D
C
C
C
D
D
C
C
D
A
B
C
D
D
B
D
D
D
C
C
B
B
A
B
C
D
D
C
D
A
A
C
B
C
D
D
C
D
A
B
D
A
A
D
D
B
C
B
B
D
C
A
C
B
B
B
D
C
C
D
A
A
B
C
D
B
C
D
B
C
D
D
D
C
B
D
C
D
A
D
C
C
D
D
A
D
D
D
A
C
D
A
D
A
A
D
D
C
A
A
A
D
A
D
D
C
D
C
C
B
D
B
A
B
B
D
A
D
C
C
C
D
A
D
D
C
C
C
B
A
C
A
B
C
B
D
D
C
A
A
B
D
A
A
C
D
B
C
A
A
C
D
B
A
A
B
C
C
D
D
D
C
B
A
B
C
B
D
A
D
B
A
B
C
D
C
D
B
A
C
C
D
D
A
D
B
B
D
B
B
A
A
B
C
C
B
C
B
B
D
A
D
C
B
A
D
A
C
D
A
B
B
D
D
D
C
B
C
A
B
C
A
B
D
D
D
B
B
D
A
A
B
C
C
A
A
C
A
A
C
C
C
D
D
A
D
C
B
A
D
C
C
B
D
D
B
C
C
D
C
C
D
A
C
A
D
A
B
C
A
A
C
D
A
D
D
C
A
B
A
C
C
B
B
D
C
B
B
D
D
B
A
B
C
D
D
B
A
C
B
D
C
B
B
A
C
C
A
A
B
A
B
C
B
B
B
B
A
B
C
A
B
D
B
D
A
A
C
D
B
C
D
B
D
C
D
C
C
D
C
D
B
A
D
D
C
B
D
B
C
D
D
A
A
A
A
D
D
D
A
B
A
B
A
D
C
A
B
A
C
A
A
C
D
D
D
C
C
B
A
B
B
B
C
C
C
D
A
B
B
A
D
C
C
D
B
A
D
A
B
D
D
A
A
D
D
D
D
D
B
C
A
A
C
C
B
A
C
D
B
A
A
A
A
C
C
D
D
B
D
B
A
C
B
C
D
C
C
C
B
C
C
D
C
C
A
C
C
C
D
B
C
C
D
C
C
A
B
C
C
C
B
B
D
B
A
C
C
C
C
C
D
B
A
B
B
A
D
B
D
B
D
A
C
B
D
A
D
D
B
C
C
A
C
B
B
A
D
B
D
A
C
D
D
C
D
D
C
A
A
D
B
C
C
A
D
D
B
B
C
A
C
C
B
D
B
C
C
B
A
C
D
C
C
C
C
C
D
C
C
D
B
C
A
A
B
D
B
D
B
A
A
C
C
C
D
B
D
C
D
A
B
B
A
B
B
B
D
B
C
D
C
D
D
A
A
D
C
A
D
C
C
A
C
B
C
C
D
A
A
A
C
A
B
C
C
C
D
D
B
A
A
A
C
D
C
C
A
B
A
C
C
A
C
B
B
C
B
B
B
B
B
D
C
B
C
B
D
C
D
D
B
A
A
A
C
B
A
C
A
C
D
A
C
A
C
C
D
B
C
D
C
D
B
C
B
D
D
B
A
D
A
C
C
D
D
C
C
B
B
C
A
C
D
B
B
C
D
D
D
D
B
C
C
D
D
C
D
B
D
B
C
D
D
C
B
C
D
A
C
A
A
A
A
A
D
C
C
C
A
C
C
D
C
C
A
C
C
D
C
A
A
A
D
B
C
C
D
C
A
A
C
B
C
A
B
D
C
C
D
D
A
D
C
A
A
A
D
C
D
D
C
D
D
C
A
D
D
A
D
B
C
C
A
B
C
C
C
C
C
C
C
A
B
C
D
C
D
D
C
B
D
A
B
B
A
D
D
D
D
B
D
D
A
A
C
B
D
A
A
B
A
B
B
B
C
D
C
C
C
C
A
B
B
A
D
A
C
C
C
D
D
D
C
D
B
C
C
A
B
C
B
A
B
A
A
B
D
C
D
D
C
A
D
A
A
C
A
B
C
B
B
B
D
D
A
D
D
C
B
B
A
C
D
A
C
D
D
C
D
D
C
A
A
B
B
D
D
D
D
D
C
D
B
C
B
D
B
D
A
C
C
D
D
C
C
D
D
D
B
D
C
D
C
C
B
B
A
A
C
D
A
A
D
D
D
C
C
C
A
D
A
A
D
B
A
D
D
C
C
B
C
A
D
C
A
B
D
A
B
D
A
D
D
B
C
C
B
D
C
D
A
C
A
C
A
C
C
A
B
D
C
D
A
C
C
B
A
A
B
D
B
C
C
C
C
D
C
A
D
C
C
B
D
B
B
C
A
C
B
A
B
A
B
C
B
D
C
D
D
D
A
A
C
D
A
D
D
A
D
C
C
D
C
C
A
D
D
B
D
D
D
C
A
B
D
D
C
A
B
B
B
D
C
D
C
D
C
D
A
D
A
A
C
B
C
C
C
C
D
A
C
B
D
D
D
C
A
D
D
A
D
D
D
B
D
B
C
A
D
D
D
B
C
A
B
A
D
B
D
B
D
D
C
B
D
C
A
A
D
C
B
D
D
D
C
A
C
A
B
C
A
A
C
B
C
B
C
D
C
C
B
B
A
B
C
D
A
C
D
C
B
A
B
B
C
C
C
B
C
A
C
C
C
C
A
D
D
C
D
C
C
A
D
D
C
A
D
C
A
C
B
C
D
C
D
D
B
D
D
A
C
B
A
A
D
B
C
D
D
D
A
A
A
D
B
B
B
A
D
A
D
D
A
B
B
D
B
A
C
C
B
C
B
C
C
A
D
D
C
B
C
C
C
C
B
D
A
C
C
B
D
B
C
B
D
B
B
D
C
A
C
A
A
C
A
B
C
A
D
C
C
D
D
C
B
C
B
A
A
C
A
D
C
D
D
B
D
C
D
C
A
A
B
D
D
C
D
D
C
B
C
A
A
D
B
D
C
C
C
D
B
D
D
B
C
C
B
C
C
D
B
D
B
C
C
C
B
A
A
D
D
A
A
C
C
B
D
C
B
D
B
A
C
A
B
C
D
B
C
B
A
D
C
D
D
A
D
A
D
B
A
A
D
C
D
D
D
D
C
B
D
C
C
A
A
D
C
D
D
A
B
A
D
A
D
C
C
C
C
A
A
C
C
B
C
D
C
D
C
B
A
D
C
C
C
A
B
C
D
C
C
C
D
C
B
A
A
B
B
A
C
B
A
D
D
A
C
A
C
B
D
C
A
D
A
C
B
A
D
D
A
A
A
B
C
A
D
C
D
B
C
D
C
D
C
A
B
D
A
A
D
B
C
B
D
B
D
D
C
B
D
C
C
A
B
D
D
A
C
B
B
D
D
B
D
C
D
C
C
C
D
D
C
B
D
C
C
D
C
D
D
B
B
B
B
A
A
D
C
B
C
D
C
B
C
B
C
C
B
D
D
D
B
C
C
A
D
D
D
D
D
B
C
C
B
C
C
B
B
C
A
D
C
C
B
D
D
A
D
C
D
D
B
C
A
B
D
C
C
A
A
B
C
B
A
D
C
C
D
B
C
D
C
A
A
C
B
A
C
D
A
A
C
C
C
C
C
A
A
D
A
B
C
A
A
A
B
A
D
D
A
C
D
A
D
A
A
C
B
C
B
B
C
B
C
C
D
D
D
A
A
B
A
D
B
A
D
C
D
D
A
A
A
D
D
D
D
C
C
D
B
B
D
C
D
D
A
C
A
C
C
A
B
C
C
B
A
D
D
A
D
D
C
B
A
B
A
A
A
A
B
D
C
C
D
C
C
C
A
C
A
C
B
D
C
C
A
A
B
C
C
A
A
C
C
C
D
C
B
C
C
A
D
D
B
B
C
D
A
B
A
B
A
B
B
D
C
D
B
D
A
B
A
C
C
C
C
C
C
C
D
A
A
C
C
C
D
C
C
B
C
C
C
A
A
D
C
C
D
D
B
C
C
B
A
B
D
D
D
B
D
D
B
B
C
B
C
C
A
C
D
B
A
D
C
A
A
D
B
C
C
A
A
C
D
C
A
A
D
D
B
D
D
B
C
A
C
B
C
A
C
A
C
C
D
D
B
A
A
A
C
D
D
C
A
C
B
B
C
A
B
A
B
D
C
C
C
B
B
B
D
A
A
C
D
C
C
D
C
D
C
D
C
B
B
B
C
B
C
A
D
B
A
B
C
D
D
C
A
A
B
B
A
D
C
C
D
D
B
B
A
C
B
D
B
D
B
C
C
C
A
B
D
D
D
D
C