CISA Questions

The document presents a series of multiple-choice questions and answers related to network security, cryptography, auditing, and data management. Each question is followed by a correct answer and a justification explaining the reasoning behind the answer. The content covers various topics including network topologies, firewalls, encryption, business continuity planning, and the role of IS auditors.

1. What topology offers the highest redundancy of routes and the greatest network fault tolerance?
A. A star network topology
B. A mesh network topology with packet forwarding enabled at
each host
C. A bus network topology
D. A ring network topology

Correct Answer = B
Justification:- Mesh network topology offers maximum redundancy
and fault tolerance by establishing point-to-point links between all
network hosts.

2. Which of the following is the most effective method for controlling file downloads via FTP? Choose the optimal answer.
A. An application-layer gateway, or proxy firewall, but not stateful
inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall

Correct Answer = B
Justification:- Application-layer gateways, also known as proxy
firewalls, effectively control file downloads through FTP by
inspecting the application layer of the OSI model.

3. What determines the strength of a secret key in a symmetric key cryptosystem?
A. A combination of key length, degree of permutation, and the
complexity of the data-encryption algorithm that uses the key
B. A combination of key length, initial input vectors, and the
complexity of the data-encryption algorithm that uses the key
C. A combination of key length and the complexity of the data-
encryption algorithm that uses the key
D. Initial input vectors and the complexity of the data-encryption
algorithm that uses the key

Correct Answer = B
Justification:- The strength of a secret key in a symmetric key
cryptosystem depends on key length, initial input vectors, and the
complexity of the encryption algorithm.

4. What does PKI utilize to provide comprehensive control over data confidentiality, reliability, and integrity in Internet transactions?
A. A combination of public-key cryptography and digital
certificates and two-factor authentication
B. A combination of public-key cryptography and two-factor
authentication
C. A combination of public-key cryptography and digital
certificates
D. A combination of digital certificates and two-factor
authentication

Correct Answer = C
Justification:- Public-key infrastructure (PKI) combines public-key
cryptography and digital certificates to ensure data
confidentiality, reliability, and integrity in internet transactions.

5. Which of the following is the correct answer regarding digital signature implementation?
A. A digital signature is created by the sender to prove message
integrity by encrypting the message with the sender's private
key. Upon receiving the data, the recipient can decrypt the data
using the sender's public key.
B. A digital signature is created by the sender to prove message
integrity by encrypting the message with the recipient's public
key. Upon receiving the data, the recipient can decrypt the data
using the recipient's public key.
C. A digital signature is created by the sender to prove message
integrity by initially using a hashing algorithm to produce a hash
value or message digest from the entire message contents. Upon
receiving the data, the recipient can independently create it.
D. A digital signature is created by the sender to prove message
integrity by encrypting the message with the sender's public key.
Upon receiving the data, the recipient can decrypt the data using
the recipient's private key.

Correct Answer = C
Justification:- Digital signatures, created using hashing algorithms
and public/private key pairs, verify message integrity and enforce
confidentiality and integrity of data.

6. What is essential for the IS auditor to gain a clear understanding of in network management?
A. Security administrator access to systems
B. Systems logs of all hosts providing application services
C. A graphical map of the network topology
D. Administrator access to systems

Correct Answer = C
Justification:- An IS auditor requires a graphical map of the
network topology to gain a clear understanding of network
management.

7. What factor most significantly increases encryption overhead and cost?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advanced Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key

Correct Answer = B
Justification:- Long asymmetric encryption keys increase
encryption overhead and cost, whereas other solutions involve
single shared symmetric keys.

8. Which of the following could unintentionally result in a loss of confidentiality? Choose the best answer.
A. Lack of employee awareness of a company's information
security policy
B. Failure to comply with a company's information security policy
C. A momentary lapse of reason
D. Lack of security policy enforcement procedures

Correct Answer = A
Justification:- Lack of employee awareness of a company's
information security policy can lead to unintentional breaches of
confidentiality.

9. How would you best characterize a mantrap or deadman door, which serves as a deterrent control for piggybacking vulnerability?
A. A monitored double-doorway entry system
B. A monitored turnstile entry system
C. A monitored doorway entry system
D. A one-way door that does not allow exit after entry

Correct Answer = A
Justification:- Monitored double-doorway entry systems, such as
mantraps or deadman doors, deter piggybacking and enhance
security.

10. Ensuring that security and control policies align with business
and IT objectives is a primary goal of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment

Correct Answer = A
Justification:- An IT security policies audit aims to ensure that
security and control policies align with business and IT objectives.

11. When auditing third-party service providers, what should an IS auditor be concerned about? Choose the best answer.
A. Ownership of the programs and files
B. A statement of due care and confidentiality, and the capability
for continued service of the service provider in the event of a
disaster
C. A statement of due care
D. Ownership of programs and files, a statement of due care and
confidentiality, and the capability for continued service of the
service provider in the event of a disaster

Correct Answer = D
Justification:- When auditing third-party service providers,
ownership of programs and files, due care and confidentiality, and
continuity planning in case of a disaster are important
considerations.

12. What is the primary purpose of implementing a virtual private network (VPN)?
A. A virtual private network (VPN) helps to secure access between
an enterprise and its partners when communicating over an
otherwise unsecured channel such as the Internet.
B. A virtual private network (VPN) helps to secure access between
an enterprise and its partners when communicating over a
dedicated T1 connection.
C. A virtual private network (VPN) helps to secure access within
an enterprise when communicating over a dedicated T1
connection between network segments within the same facility.
D. A virtual private network (VPN) helps to secure access between
an enterprise and its partners when communicating over a
wireless connection.

Correct Answer = A
Justification:- Virtual private networks (VPNs) secure
communication between enterprises and partners over unsecured
channels like the Internet.

13. What is used to authenticate a website and can also authenticate keys used for data encryption?
A. An organizational certificate
B. A user certificate
C. A website certificate
D. Authenticode

Correct Answer = C
Justification:- Website certificates authenticate websites and can
also authenticate keys used for data encryption.

14. What type of fire suppression system utilizes water released from a main valve through a network of dry pipes installed throughout the facilities?
A. A dry-pipe sprinkler system
B. A deluge sprinkler system
C. A wet-pipe system
D. A halon sprinkler system

Correct Answer = A
Justification:- Dry-pipe sprinkler systems release water through
pipes only when a fire is detected, minimizing damage from
accidental water discharge.

15. What is the purpose of business continuity planning and disaster recovery planning?
A. Transfer the risk and impact of a business interruption or
disaster
B. Mitigate, or reduce, the risk and impact of a business
interruption or disaster
C. Accept the risk and impact of a business
D. Eliminate the risk and impact of a business interruption or
disaster

Correct Answer = B
Justification:- The primary goal of business continuity planning
and disaster recovery planning is to reduce the risk and impact of
business interruptions or disasters.

16. Processing controls ensure that data is accurate, complete, and processed only through which of the following? Choose the best answer.
A. Documented routines
B. Authorized routines
C. Accepted routines
D. Approved routines

Correct Answer = B
Justification:- Processing controls ensure accurate and complete
data processing through authorized routines.

17. A transaction journal provides the necessary information for detecting unauthorized _____________ from a terminal. (Fill in the blank.)
A. Deletion
B. Input
C. Access
D. Duplication

Correct Answer = B
Justification:- Transaction journals are useful for detecting
unauthorized input from terminals.

18. What serves as the framework for developing logical access controls?
A. Information systems security policies
B. Organizational security policies
C. Access Control Lists (ACL)
D. Organizational charts for identifying roles and responsibilities

Correct Answer = A
Justification:- Information systems security policies serve as a
framework for developing logical access controls.

19. What can ISPs utilize to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources? Choose the best answer.
A. OSI Layer 2 switches with packet filtering enabled
B. Virtual Private Networks
C. Access Control Lists (ACL)
D. Point-to-Point Tunneling Protocol

Correct Answer = C
Justification:- Access control lists (ACLs) help ISPs implement
inbound traffic filtering to identify unauthorized IP packets.

20. Which of the following can help detect transmission errors by appending specially calculated bits to the end of each data segment?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check

Correct Answer = A
Justification:- Redundancy checks detect transmission errors by
adding calculated bits to data segments.

21. What can be highly beneficial to an IS auditor when evaluating the effectiveness of a systems maintenance program? Choose the best answer.
A. Network-monitoring software
B. A system downtime log
C. Administration activity reports
D. Help-desk utilization trend reports

Correct Answer = B
Justification:- System downtime logs assist IS auditors in
evaluating the effectiveness of systems maintenance programs.

22. When should application controls be considered in the system development process?
A. After application unit testing
B. After application module testing
C. After applications systems testing
D. As early as possible, even in the development of the project's
functional specifications

Correct Answer = D
Justification:- Application controls should be incorporated early in
the system development process, including functional
specifications.

23. When an application is modified, what should be tested to determine the full impact of the change? Choose the best answer.
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other
applications or systems
C. All programs, including interface systems with other
applications or systems
D. Mission-critical functions and any interface systems with other
applications or systems

Correct Answer = B
Justification:- System testing should encompass the entire
program, including interfaces with other applications or systems,
to assess the impact of changes.

24. What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing

Correct Answer = A
Justification:- Diverse routing supports data transmission through
split or duplicate cable facilities.

25. Among the three major types of off-site processing facilities, which type is often an acceptable solution for the recovery of noncritical systems and data?
A. Cold site
B. Hot site
C. Alternate site
D. Warm site

Correct Answer = A
Justification:- Cold sites are suitable for recovering noncritical
systems and data in disaster scenarios.

26. Which type(s) of firewalls provide(s) the highest degree of protection and control by inspecting all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-
inspection firewalls
D. An application-layer gateway, or proxy firewall, but not
stateful-inspection firewalls

Correct Answer = C
Justification:- Application-layer gateways and stateful-inspection
firewalls provide comprehensive protection by inspecting all
seven layers of network traffic.

27. What should an IS auditor review to determine the user permissions granted for a specific resource? Choose the best answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs

Correct Answer = B
Justification:- IS auditors review access-control lists (ACLs) to
assess user permissions for specific resources.

28. What should an IS auditor do if project-approval procedures are absent?
A. Advise senior management to invest in project-management
training for the staff
B. Create project-approval procedures for future project
implementations
C. Assign project leaders
D. Recommend to management that formal approval procedures
be adopted and documented

Correct Answer = D
Justification:- If project-approval procedures are absent, the IS
auditor should recommend adopting and documenting formal
approval procedures.

29. How does using a risk-based approach to audit planning benefit the process of systems auditing?
A. Controls testing starts earlier.
B. Auditing resources are allocated to the areas of highest
concern.
C. Auditing risk is reduced.
D. Controls testing is more thorough.

Correct Answer = B
Justification:- A risk-based approach to audit planning allows the
allocation of auditing resources to areas of highest concern.

30. What process is employed to validate the identity of a subject?
A. Identification
B. Nonrepudiation
C. Authorization
D. Authentication

Correct Answer = D
Justification:- Authentication is employed to validate the identity
of a subject.

31. An IS auditor should carefully review the functional requirements in a systems development project to ensure that the project is designed to:
A. Meet business objectives
B. Enforce data security
C. Be culturally feasible
D. Be financially feasible

Correct Answer = A
Justification:- IS auditors carefully review functional requirements
in systems development projects to ensure alignment with
business objectives.

32. While BCP and DRP are often implemented and tested by
middle management and end-users, the ultimate responsibility
and accountability for the plans remain with executive
management, such as the _______________. (Fill in the blank.)
A. Security administrator
B. Systems auditor
C. Board of directors
D. Financial auditor

Correct Answer = C
Justification:- While middle management and end users often
implement and test BCP and DRP, executive management retains
ultimate responsibility and accountability.

33. In an integrated systems environment, which applications should have input/output controls implemented?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving
application

Correct Answer = C
Justification:- Input/output controls should be implemented for
both sending and receiving applications in integrated systems
environments.

34. Any changes in system assets, such as hardware replacements, should be promptly recorded within the assets inventory of which of the following? Choose the best answer.
A. IT strategic plan
B. Business continuity plan
C. Business impact analysis
D. Incident response plan

Correct Answer = B
Justification:- Changes in system assets, such as hardware
replacements, should be promptly recorded in the assets
inventory of a business continuity plan.

35. How can the minimization of single points of failure or vulnerabilities in a common disaster be best controlled?
A. By implementing redundant systems and applications onsite
B. By geographically dispersing resources
C. By retaining onsite data backup in fireproof vaults
D. By preparing BCP and DRP documents for commonly identified
disasters

Correct Answer = B
Justification:- Geographically dispersing resources helps minimize
vulnerabilities and single points of failure in disaster scenarios.

36. How does properly implemented Electronic Data Interface (EDI) affect the time required for transaction processing review?
A. EDI usually decreases the time necessary for review.
B. EDI usually increases the time necessary for review.
C. Cannot be determined.
D. EDI does not affect the time necessary for review.

Correct Answer = A
Justification:- Electronic data interface (EDI) facilitates intervendor
communication and error identification, reducing review time.

37. What type of approach to the development of organizational policies is often driven by risk assessment?
A. Bottom-up
B. Top-down
C. Comprehensive
D. Integrated

Correct Answer = B
Justification:- A bottom-up approach to organizational policy
development is driven by risk assessment.

38. What serves as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information? Choose the best answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals

Correct Answer = A
Justification:- Concurrency controls prevent potential database
corruption when multiple processes attempt simultaneous edits or
updates.

39. What do digital signatures provide?
A. Authentication and integrity of data
B. Authentication and confidentiality of data
C. Confidentiality and integrity of data
D. Authentication and availability of data

Correct Answer = A
Justification:- Digital signatures primarily provide authentication
and data integrity.

40. What can be implemented to provide the highest level of protection against external attacks?
A. Layering perimeter network protection by configuring the
firewall as a screened host in a screened subnet behind the
bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access
from external hosts to internal hosts

Correct Answer = A
Justification:- Configuring the firewall as a screened host in a
screened subnet behind the bastion host enhances network
protection against external attacks.

41. The use of statistical sampling procedures helps minimize:
A. Detection risk
B. Business risk
C. Controls risk
D. Compliance risk

Correct Answer = A
Justification:- Statistical sampling procedures are employed to
minimize detection risk.

42. Data edits are implemented before processing and are considered which of the following? Choose the best answer.
A. Deterrent integrity controls
B. Detective integrity controls
C. Corrective integrity controls
D. Preventative integrity controls

Correct Answer = D
Justification:- Data edits implemented before processing serve as
preventive integrity controls.

43. Establishing data ownership is an important first step for which of the following processes? Choose the best answer.
A. Assigning user access privileges
B. Developing organizational security policies
C. Creating roles and responsibilities
D. Classifying data

Correct Answer = D
Justification:- Data classification requires establishing data
ownership as an initial step.

44. What is an effective control for granting temporary access to vendors and external support personnel? Choose the best answer.
A. Creating user accounts that automatically expire by a
predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain
hours of the day
D. Creating a single shared vendor administrator account on the
basis of least-privileged access

Correct Answer = A
Justification:- User accounts with automatic expiration dates are
effective for granting temporary access to vendors and external
support personnel.

45. Who is responsible for maintaining appropriate security measures over information assets?
A. Data and systems owners
B. Data and systems users
C. Data and systems custodians
D. Data and systems auditors

Correct Answer = A
Justification:- Data and systems owners bear responsibility for
maintaining appropriate security measures over information
assets.

46. Which of the following is best characterized by unauthorized modification of data before or during systems data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack

Correct Answer = A
Justification:- Data diddling involves modifying data before or
during data entry in systems.

47. Which of the following provide near-immediate recoverability for time-sensitive systems and transaction processing?
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing

Correct Answer = B
Justification:- Data mirroring and parallel processing ensure near-
immediate recoverability for time-sensitive systems and
transactions.

48. Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors

Correct Answer = C
Justification:- Data owners have the ultimate responsibility and
accountability for reviewing user access to systems.

49. Parity bits are a control used to validate what?
A. Data authentication
B. Data completeness
C. Data source
D. Data accuracy

Correct Answer = B
Justification:- Parity bits validate data completeness.

50. What is typically ensured through the verification of table links and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy

Correct Answer = A
Justification:- Table link verification and reference checks are the
primary methods used to ensure database integrity.

51. Which tool can assist in identifying and investigating unauthorized transactions? Select the most appropriate option.
A. Postmortem review
B. Reasonableness checks
C. Data-mining techniques
D. Expert systems

Correct Answer = C
Justification:- Data-mining techniques can assist in identifying and
investigating unauthorized transactions.

52. What methodology employs questionnaires to guide users through a series of choices in order to reach a conclusion? Choose the most suitable answer.
A. Logic trees
B. Decision trees
C. Decision algorithms
D. Logic algorithms

Correct Answer = B
Justification:- Decision trees utilize questionnaires to guide users
through a series of choices leading to a conclusion.

53. During which phase of the systems development life cycle (SDLC) model are the following processes typically conducted?
A. Develop test plans.
B. Baseline procedures to prevent scope creep.
C. Define the need that requires resolution, and map to the major
requirements of the solution.
D. Program and test the new system. The tests verify and validate
what has been developed.

Correct Answer = B
Justification:- Procedures to prevent scope creep are established
during the design phase of the systems-development life cycle
(SDLC) model.

54. What is the initial step in a project involving the re-engineering of business processes?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D. Reviewing the organizational strategic plan

Correct Answer = C
Justification:- The first step in a business process re-engineering
project is to define the scope of areas to be reviewed.

55. What is a passive method used by intruders to identify potential network vulnerabilities?
A. Traffic analysis
B. SYN flood
C. Denial of service (DoS)
D. Distributed denial of service (DDoS)

Correct Answer = A
Justification:- Traffic analysis is a passive attack method employed
by intruders to identify potential network vulnerabilities, whereas
all others are active attacks.

56. In what way does a check digit serve as an effective edit check?
A. Detect data-transcription errors
B. Detect data-transposition and transcription errors
C. Detect data-transposition, transcription, and substitution errors
D. Detect data-transposition errors

Correct Answer = B
Justification:- Check digits are an effective means of detecting
data-transposition and transcription errors through edit checks.

57. Which type of risk is associated with authorized program exits, commonly known as trap doors? Select the most appropriate option.
A. Business risk
B. Audit risk
C. Detective risk
D. Inherent risk

Correct Answer = D
Justification:- Inherent risk is associated with factors such as
authorized program exits (trap doors).

58. What is often the most challenging aspect of the initial stages
of application development? Choose the most suitable answer.
A. Configuring software
B. Planning security
C. Determining time and resource requirements
D. Configuring hardware

Correct Answer = C
Justification:- Estimating time and resource requirements for an
application-development project is often the most challenging
aspect of initial development efforts.

59. In a control self-assessment (CSA), what is the traditional role of an IS auditor?
A. Implementor
B. Facilitator
C. Developer
D. Sponsor

Correct Answer = B
Justification:- In a control self-assessment (CSA), the traditional
role of an IS auditor is to facilitate the assessment process.

60. Which focus area typically involves providing alternative processes and resources for transaction processing?
A. Cold-site facilities
B. Disaster recovery for networks
C. Diverse processing
D. Disaster recovery for systems

Correct Answer = D
Justification:- Disaster recovery for systems primarily focuses on
providing alternative processes and resources for transaction
processing.

61. Among the following fire-suppression methods, which one is considered the most environmentally friendly?
A. Halon gas
B. Deluge sprinklers
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers

Correct Answer = C
Justification:- Dry-pipe sprinklers are considered the most
environmentally friendly among the various methods of fire
suppression.

62. When should an application-level edit check be performed to verify the completion of fund availability at the electronic funds transfer (EFT) interface?
A. Before transaction completion
B. Immediately after an EFT is initiated
C. During run-to-run total testing
D. Before an EFT is initiated

Correct Answer = D
Justification:- An application-level edit check should be conducted
at the electronic funds transfer (EFT) interface to verify the
availability of funds before initiating an EFT.

63. What is the primary distinction between encryption and hashing algorithms?
A. Hashing algorithms ensure data confidentiality.
B. Hashing algorithms are irreversible.
C. Encryption algorithms ensure data integrity.
D. Encryption algorithms are not irreversible.

Correct Answer = B
Justification:- Encryption algorithms are reversible, while hashing
algorithms are irreversible, distinguishing them from each other.

64. What is used to assess the effectiveness of biometric access controls?
A. FAR
B. EER
C. ERR
D. FRR

Correct Answer = B
Justification:- When evaluating biometric access controls, a low
equal error rate (EER), also known as the crossover error rate
(CER), is preferred.

65. What is the recommended initial step for an IS auditor to implement continuous monitoring systems?
A. Document existing internal controls
B. Perform compliance testing on internal controls
C. Establish a controls-monitoring steering committee
D. Identify high-risk areas within the organization

Correct Answer = D
Justification:- When implementing continuous-monitoring systems,
the first step for an IS auditor is to identify high-risk areas within
the organization.

66. Give an example of evidence that an IS auditor typically relies more heavily on when collected directly.
A. Evidence collected through personal observation
B. Evidence collected through systems logs provided by the
organization's security administration
C. Evidence collected through surveys collected from internal staff
D. Evidence collected through transaction reports provided by the
organization's IT administration

Correct Answer = A
Justification:- IS auditors place greater reliance on evidence
directly collected, such as through personal observation.

67. What would an IS auditor typically expect to find in the console log file?
A. Evidence of password spoofing
B. System errors
C. Evidence of data copy activities
D. Evidence of password sharing

Correct Answer = B
Justification:- System errors are often documented in the console
log, which serves as a valuable resource for IS auditors.

68. Among the following options, what is the greatest concern for
an IS auditor?
A. Failure to report a successful attack on the network
B. Failure to prevent a successful attack on the network
C. Failure to recover from a successful attack on the network
D. Failure to detect a successful attack on the network

Correct Answer = A
Justification:- The failure to report a successful attack on the
network is a significant concern for IS auditors.

69. Which control method is effective in safeguarding confidential data stored on a personal computer (PC)?
A. Personal firewall
B. File encapsulation
C. File encryption
D. Host-based intrusion detection

Correct Answer = C
Justification:- File encryption is an effective control measure for
safeguarding confidential data residing on a personal computer
(PC) or other devices.

70. During which stage(s) of application processing can run-to-run totals be used to verify data?
A. Initial
B. Various
C. Final
D. Output

Correct Answer = B
Justification:- Run-to-run totals can verify data at various stages of
application processing.

71. What is the primary purpose of intrusion detection systems
(IDS)?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network

Correct Answer = D
Justification:- Intrusion attempts on a network can be identified
using intrusion-detection systems (IDS).

72. What does library control software restrict access to in terms
of source code?
A. Read-only access
B. Write-only access
C. Full access
D. Read-write access

Correct Answer = A
Justification:- Source code access can be restricted to read-only
by library control software.

73. If an IS auditor observes that individual modules of a system
perform correctly in development project tests, what should the
auditor recommend to management based on these positive
results?
A. Documentation development
B. Comprehensive integration testing
C. Full unit testing
D. Full regression testing

Correct Answer = B
Justification:- If individual modules of a system perform correctly
in development project tests, the IS auditor should inform
management of the positive results and recommend further
comprehensive integration testing.

74. Which approach involves using a prototype that can be
continuously updated to meet changing user or business
requirements?
A. PERT
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. GANTT

Correct Answer = B
Justification:- Rapid application development (RAD) utilizes a
continually updated prototype to meet changing user or business
requirements.

75. What is a reliable technique for estimating the extent and cost
of a software development project?
A. Function point analysis (FPA)
B. Feature point analysis (FPA)
C. GANTT
D. PERT

Correct Answer = A
Justification:- Estimating the scope and cost of a software
development project can be reliably done using function point
analysis (FPA).

76. What is utilized as a control mechanism to detect data loss,
corruption, or duplication?
A. Redundancy check
B. Reasonableness check
C. Hash totals
D. Accuracy check

Correct Answer = C
Justification:- Hash totals are employed as a control mechanism to
detect data loss, corruption, or duplication.

77. Which of the following exploit vulnerabilities to cause harm or
damage to an organization and its assets?
A. Exposures
B. Threats
C. Hazards
D. Insufficient controls

Correct Answer = B
Justification:- Threats exploit vulnerabilities to cause loss or
damage to the organization and its assets.

78. Among the three major types of off-site processing facilities,
which type provides at least electricity and HVAC?
A. Cold site
B. Alternate site
C. Hot site
D. Warm site

Correct Answer = A
Justification:- Among hot, warm, and cold off-site processing
facilities, a cold site is characterized by providing at least
electricity and HVAC.

79. Which step is the MOST crucial when planning an audit?
A. Implementing a prescribed auditing framework such as COBIT
B. Identifying current controls
C. Identifying high-risk audit targets
D. Testing controls

Correct Answer = C
Justification:- Identifying areas of high risk is the most critical step
in planning an audit.

80. What is an initial step in establishing an appropriate firewall
policy?
A. Assigning access to users according to the principle of least
privilege
B. Determining appropriate firewall hardware and software
C. Identifying network applications such as mail, web, or FTP
servers
D. Configuring firewall access rules

Correct Answer = C
Justification:- The initial step in creating a proper firewall policy is
to identify network applications such as mail, web, or FTP servers
that will be externally accessed.

81. What is the most fundamental step in preventing virus
attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop
computers
C. Implementing antivirus content checking at all network-to-
Internet gateways
D. Inoculating systems with antivirus code

Correct Answer = A
Justification:- The most fundamental step in preventing virus
attacks is adopting and communicating a comprehensive antivirus
policy, upon which all other antivirus prevention efforts rely.

82. What is a guiding principle for implementing logical access
controls?
A. Implementing the Biba Integrity Model
B. Access is granted on a least-privilege basis, per the
organization's data owners
C. Implementing the Take-Grant access control model
D. Classifying data according to the subject's requirements

Correct Answer = B
Justification:- Reviewing logical access controls ensures that
access is granted on a least-privilege basis, as per the
organization's data owners.

83. What is a common vulnerability that allows for denial-of-
service attacks?
A. Assigning access to users according to the principle of least
privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules

Correct Answer = C
Justification:- Improperly configured routers and router access
lists are a common vulnerability for denial-of-service attacks.

84. When is regression testing used to determine if new
application changes have introduced errors in the remaining
unchanged code?
A. In program development and change management
B. In program feasibility studies
C. In program development
D. In change management

Correct Answer = A
Justification:- Regression testing is used in program development
and change management to determine if new changes have
introduced errors in the remaining unchanged code.

85. When should plans for testing user acceptance be prepared?
A. In the requirements definition phase of the systems-
development project
B. In the feasibility phase of the systems-development project
C. In the design phase of the systems-development project
D. In the development phase of the systems-development project

Correct Answer = A
Justification:- Plans for testing user acceptance are typically
prepared during the requirements definition phase of the
systems-development project.

86. At what stage of the benchmarking process are benchmarking
partners identified?
A. In the design stage
B. In the testing stage
C. In the research stage
D. In the development stage

Correct Answer = C
Justification:- Benchmarking partners are identified during the
research stage of the benchmarking process.

87. What often occurs when functional requirements are poorly
defined, resulting in an expansion of project scope?
A. Inadequate software baselining
B. Insufficient strategic planning
C. Inaccurate resource allocation
D. Project delays

Correct Answer = A
Justification:- Inadequate software baselining often leads to
project scope creep due to ill-defined functional requirements.

88. In the context of authentication techniques for EDI systems,
what is crucial to mitigate certain risks?
A. Unsynchronized transactions
B. Unauthorized transactions
C. Inaccurate transactions
D. Incomplete transactions

Correct Answer = B
Justification:- Authentication techniques for sending and receiving
data between EDI systems play a crucial role in preventing
unauthorized transactions.

89. What is the most frequent cause of information systems
failing to meet user needs?
A. Lack of funding
B. Inadequate user participation during system requirements
definition
C. Inadequate senior management participation during system
requirements definition
D. Poor IT strategic planning

Correct Answer = B
Justification:- Inadequate user participation during system
requirements definition is the most common reason for
information systems failing to meet user needs.

90. In the design of a data warehouse, how is the quality of the
produced metadata typically evaluated?
A. Often hard to determine because the data is derived from a
heterogeneous data environment
B. The most important consideration
C. Independent of the quality of the warehoused databases
D. Of secondary importance to data warehouse content

Correct Answer = B
Justification:- The quality of metadata produced from a data
warehouse is the most important consideration in the
warehouse's design.

91. Among the following options, what can negatively impact
network performance?
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating
new collision domains
C. Inefficient and superfluous use of network devices such as
switches
D. Inefficient and superfluous use of network devices such as
hubs

Correct Answer = D
Justification:- Inefficient and unnecessary use of network devices
like hubs can degrade network performance.

92. What is one of the most effective controls for ensuring key
accuracy?
A. Data is entered correctly
B. Only authorized cryptographic keys are used
C. Input is authorized
D. Database indexing is performed properly

Correct Answer = A
Justification:- Key verification is one of the most effective controls
for ensuring accurate data entry.

93. When an IS auditor uses a statistical sample to inventory the
tape library, what type of test is being conducted?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit

Correct Answer = A
Justification:- Using a statistical sample to inventory the tape
library is an example of a substantive test.

94. Among the following options, what is effective in detecting
fraud due to its ability to consider multiple variables when
resolving issues?
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications

Correct Answer = B
Justification:- Neural networks are effective in detecting fraud
because they can consider a large number of variables when
resolving a problem.

95. When preparing for the recovery of time-sensitive data, such
as that resulting from a specific event, what should be ensured
regarding off-site data storage?
A. Financial reporting
B. Sales reporting
C. Inventory reporting
D. Transaction processing

Correct Answer = D
Justification:- When preparing for the recovery of time-sensitive
data resulting from transaction processing, off-site data storage
should be kept synchronized.

96. Which process enables IS management to determine whether
the organization's activities deviate from the planned or expected
levels?
A. Business impact assessment
B. Risk assessment
C. IS assessment methods
D. Key performance indicators (KPIs)

Correct Answer = C
Justification:- IS assessment methods help IS management
determine whether the organization's activities deviate from
planned or expected levels.

97. What benefit does the utilization of capacity-monitoring
software provide to management in terms of usage patterns and
trends?
A. The software can dynamically readjust network traffic
capabilities based upon current usage.
B. The software produces nice reports that really impress
management.
C. It allows users to properly allocate resources and ensure
continuous efficiency of operations.
D. It allows management to properly allocate resources and
ensure continuous efficiency of operations.

Correct Answer = D
Justification:- Monitoring usage patterns and trends with capacity-
monitoring software enables management to allocate resources
properly and ensure continuous operational efficiency.

98. What is a callback system?
A. It is a remote-access system whereby the remote-access server
immediately calls the user back at a predetermined number if the
dial-in connection fails.
B. It is a remote-access system whereby the user's application
automatically redials the remote-access server if the initial
connection attempt fails.
C. It is a remote-access control whereby the user initially connects
to the network systems via dial-up access, only to have the initial
connection terminated by the server, which then subsequently
dials the user back at a predetermined number stored in the
server's configuration database.
D. It is a remote-access control whereby the user initially
connects to the network systems via dial-up access, only to have
the initial connection terminated by the server, which then
subsequently allows the user to call back at an approved number
for a limited period of time.

Correct Answer = C
Justification:- A callback system is a remote-access control
method where the user initially connects to the network systems
via dial-up access, only to have the initial connection terminated
by the server, which then dials the user back at a predetermined
number stored in the server's configuration database.

99. Who takes ownership of a systems development project and
the resulting system?
A. User management
B. Project steering committee
C. IT management
D. Systems developers

Correct Answer = A
Justification:- User management assumes ownership of a systems-
development project and the resulting system.

100. Who or what is ultimately responsible for ensuring the
functionality, reliability, and security within the realm of IT
governance? Please select the best answer.
A. Data custodians
B. The board of directors and executive officers
C. IT security administration
D. Business unit managers

Correct Answer = B
Justification:- The functionality, reliability, and security within IT
governance are ultimately the responsibility of the board of
directors and executive officers.

101. Which method or approach provides the highest level of
authentication for controlling physical access?
A. Sign-in logs
B. Dynamic passwords
C. Key verification
D. Biometrics

Correct Answer = D
Justification:- Biometrics can provide excellent physical access
control.

102. Among various concerns, what factor often has the most
significant negative impact on the successful implementation of
new application software?
A. Failing to perform user acceptance testing
B. Lack of user training for the new system
C. Lack of software documentation and run manuals
D. Insufficient unit, module, and systems testing

Correct Answer = A
Justification:- Failing to perform user acceptance testing has the
greatest negative impact on the implementation of new
application software, above almost all other concerns.

103. If senior management lacks commitment to strategic
planning, what is the likelihood of a company's IT implementation
being successful?
A. IT cannot be implemented if senior management is not
committed to strategic planning.
B. More likely.
C. Less likely.
D. Strategic planning does not affect the success of a company's
implementation of IT.

Correct Answer = C
Justification:- Senior management's commitment to strategic
planning is crucial for the success of a company's IT
implementation.

104. As a result of business process re-engineering, what type of
automation usually occurs, and how does it impact the number of
individuals utilizing technology?
A. Increased automation and greater number of people using
technology
B. Increased automation and fewer people use technology
C. Less automation, fewer people using technology
D. Increased automation while maintaining the same range of
people using technology

Correct Answer = A
Justification:- Business process re-engineering often leads to
increased automation, resulting in more people using technology.

105. In comparison to obtaining direct evidence about an
organization's IT processes, how valuable are prior audit reports
as a form of evidence?
A. The same value.
B. Greater value.
C. Lesser value.
D. Prior audit reports are not relevant.

Correct Answer = C
Justification:- When an IS auditor tries to gain an understanding of
an organization's IT process, prior audit reports are considered
less valuable compared to evidence directly collected.

106. To derive accurate conclusions about the effects of changes
or corrections to a program and ensure the absence of new
errors, what should regression testing employ?
A. Contrived data
B. Independently created data
C. Live data
D. Data from previous tests

Correct Answer = D
Justification:- Regression testing should utilize data from previous
tests to draw accurate conclusions about the effects of changes or
corrections to a program and ensure that no new errors have
been introduced.

107. What are trojan horse programs? Please choose the most
appropriate answer.
A. A common form of internal attack
B. Malicious programs that require the aid of a carrier program
such as email
C. Malicious programs that can run independently and can
propagate without the aid of a carrier program such as email
D. A common form of Internet attack

Correct Answer = D
Justification:- Trojan horse programs are a commonly encountered
form of Internet attack.

108. Which of the following descriptions best characterizes
"worms"?
A. Malicious programs that can run independently and can
propagate without the aid of a carrier program such as email
B. Programming code errors that cause a program to repeatedly
dump data
C. Malicious programs that require the aid of a carrier program
such as email
D. Malicious programs that masquerade as common applications
such as screensavers or macro-enabled Word documents

Correct Answer = A
Justification:- Worms are malicious programs that can propagate
independently without the need for a carrier program like email.

109. How do modems (modulation/demodulation) facilitate the
integration of analog transmissions into a digital network?
A. Modems convert analog transmissions to digital, and digital
transmission to analog.
B. Modems encapsulate analog transmissions within digital, and
digital transmissions within analog.
C. Modems convert digital transmissions to analog, and analog
transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and
analog transmissions within digital.

Correct Answer = A
Justification:- Modems (modulation/demodulation) convert analog
transmissions to digital and digital transmissions to analog, and
they are required for analog transmissions to enter a digital
network.

110. Who should assume responsibility for network security
operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors

Correct Answer = B
Justification:- Network security operations are typically the
responsibility of security administrators.

111. Among the options provided, which one offers the highest
level of server access control?
A. A mantrap-monitored entryway to the server room
B. Host-based intrusion detection combined with CCTV
C. Network-based intrusion detection
D. A fingerprint scanner facilitating biometric access control

Correct Answer = D
Justification:- Biometric access control facilitated by a fingerprint
scanner can offer a significant level of control over server access.

112. When should systems administrators initially assess the
impact of application or system patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation

Correct Answer = B
Justification:- Prior to installation, systems administrators should
always evaluate the impact of patches.

113. Which of the following measures help prevent an
organization's systems from participating in a distributed denial-
of-service (DDoS) attack? Please choose the most appropriate
answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection
attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems

Correct Answer = C
Justification:- Implementing outbound traffic filtering can help
prevent an organization's systems from being involved in a
distributed denial-of-service (DDoS) attack.

114. What aspect should be implemented as early as the data
preparation stage to ensure data integrity at the earliest possible
point?
A. Control totals
B. Authentication controls
C. Parity bits
D. Authorization controls

Correct Answer = A
Justification:- Control totals should be established during the early
stages of data preparation to ensure data integrity at the earliest
possible point.

115. What approach or method is used to develop strategically
important systems faster, reduce development costs, and
maintain high quality? Please choose the most appropriate
answer.
A. Rapid application development (RAD)
B. GANTT
C. PERT
D. Decision trees

Correct Answer = A
Justification:- Rapid application development (RAD) is employed to
expedite the development of strategically important systems,
reduce development costs, and maintain high quality.

116. What are typically the primary safeguards for systems
software and data?
A. Administrative access controls
B. Logical access controls
C. Physical access controls
D. Detective access controls

Correct Answer = B
Justification:- Systems software and data are often primarily
safeguarded by logical access controls.

117. Batch control reconciliation serves as a _________________
control to mitigate the risk of inadequate segregation of duties.
Please fill in the blank.
A. Detective
B. Corrective
C. Preventative
D. Compensatory

Correct Answer = D
Justification:- Batch control reconciliations serve as compensatory
controls to mitigate the risk of inadequate segregation of duties.

118. Which option is best suited for identifying duplications in
address fields?
A. Text search forensic utility software
B. Generalized audit software
C. Productivity audit software
D. Manual review

Correct Answer = B
Justification:- Generalized audit software can be utilized to search
for duplications in address fields.

119. Which of the following would prevent the repudiation of an
action, thereby ensuring accountability?
A. Proper authentication
B. Proper identification AND authentication
C. Proper identification
D. Proper identification, authentication, AND authorization

Correct Answer = B
Justification:- Without proper identification and authentication
during access control, there can be no accountability for any
actions performed.

120. A core principle of an Information Systems (IS) strategy is
that it must:
A. Be inexpensive
B. Be protected as sensitive confidential information
C. Protect information confidentiality, integrity, and availability
D. Support the business objectives of the organization

Correct Answer = D
Justification:- The foremost requirement of an IS strategy is to
support the business objectives of the organization.

121. Which program evaluation review technique considers
various scenarios for planning and controlling projects?
A. Function Point Analysis (FPA)
B. GANTT
C. Rapid Application Development (RAD)
D. PERT

Correct Answer = D
Justification:- PERT (Program Evaluation Review Technique) is a
planning and control technique that considers various scenarios
for projects.

122. What type of data validation edit control matches input data
to an occurrence rate? Please choose the most appropriate
answer.
A. Accuracy check
B. Completeness check
C. Reasonableness check
D. Redundancy check

Correct Answer = C
Justification:- A reasonableness check is an edit control used for
data validation that matches input data with an expected
occurrence rate.

123. One of the primary benefits of utilizing control self-
assessment (CSA) techniques within an organization is:
A. Identify high-risk areas that might need a detailed review later
B. Reduce audit costs
C. Reduce audit time
D. Increase audit accuracy

Correct Answer = C
Justification:- One of the primary benefits of employing control
self-assessment (CSA) techniques in an organization is the
identification of high-risk areas that may require a detailed review
later on.

124. To ensure the preservation of current and critical information
within backup files, what should organizations use off-site storage
facilities for? Please choose the most appropriate answer.
A. Confidentiality
B. Integrity
C. Redundancy
D. Concurrency

Correct Answer = C
Justification:- Redundancy, which ensures both integrity and
availability, provides the greatest advantage. Organizations
should utilize off-site storage facilities to maintain redundancy of
critical and current information in backup files.

125. What is an edit check used to determine the validity of data
in a field?
A. Completeness check
B. Accuracy check
C. Redundancy check
D. Reasonableness check

Correct Answer = A
Justification:- A completeness check is an edit check performed to
determine the validity of data in a field.

126. Before conducting an application audit, what must an IS
auditor understand? Please choose the most appropriate answer.
A. The potential business impact of application risks.
B. Application risks must first be identified.
C. Relative business processes.
D. Relevant application risks.

Correct Answer = C
Justification:- Before conducting an application audit, an IS auditor
must first understand the related business processes.

127. What is the main objective of a control self-assessment
(CSA) program?
A. Enhancement of the audit responsibility
B. Elimination of the audit responsibility
C. Replacement of the audit responsibility
D. Integrity of the audit responsibility

Correct Answer = A
Justification:- One of the objectives of a control self-assessment
(CSA) program is to enhance audit responsibility.

128. Once an IS auditor has identified threats and potential
impacts, what should the auditor do?
A. Identify and evaluate the existing controls
B. Conduct a business impact analysis (BIA)
C. Report on existing controls
D. Propose new controls

Correct Answer = A
Justification:- After identifying threats and potential impacts, the
IS auditor should proceed to identify and evaluate the existing
controls.

129. What type of risk occurs when an IS auditor utilizes an
inadequate test procedure and concludes that no material errors
exist, despite the presence of errors?
A. Business risk
B. Detection risk
C. Residual risk
D. Inherent risk

Correct Answer = B
Justification:- Detection risk arises when an IS auditor employs an
inadequate test procedure and erroneously concludes that no
material errors exist when they actually do.

130. ______________ risk analysis is not always feasible when
attempting to calculate risk using nonquantifiable threats and
potential losses. In such cases, a _______________ risk assessment
is more appropriate. Please fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective

Correct Answer = A
Justification:- Quantitative risk analysis is not always feasible
when the IS auditor attempts to calculate risk using
nonquantifiable threats and potential losses. In such cases, a
qualitative risk assessment is more suitable.

131. When should a review of an audit client's business plan be
conducted in relation to reviewing an organization's IT strategic
plan?
A. Reviewing an audit client's business plan should be performed
before reviewing an organization's IT strategic plan.
B. Reviewing an audit client's business plan should be performed
after reviewing an organization's IT strategic plan.
C. Reviewing an audit client's business plan should be performed
during the review of an organization's IT strategic plan.
D. Reviewing an audit client's business plan should be performed
without regard to an organization's IT strategic plan.

Correct Answer = A
Justification:- Reviewing an audit client's business plan should be
conducted before reviewing an organization's IT strategic plan.

132. How does the risk of improper file access change after the
implementation of a database system?
A. Risk varies.
B. Risk is reduced.
C. Risk is not affected.
D. Risk is increased.

Correct Answer = D
Justification:- Implementing a database system increases the risk
of improper file access.

133. How does the risk level change when users have direct
access to a database at the system level?
A. Risk of unauthorized access increases, but risk of untraceable
changes to the database decreases.
B. Risk of unauthorized and untraceable changes to the database
increases.
C. Risk of unauthorized access decreases, but risk of untraceable
changes to the database increases.
D. Risk of unauthorized and untraceable changes to the database
decreases.

Correct Answer = B
Justification:- When users have direct access to a database at the
system level, the risk of unauthorized and untraceable changes to
the database is heightened.

134. What is an effective countermeasure for addressing the
vulnerability of data entry operators potentially leaving their
computers without logging off? Please choose the most
appropriate answer.
A. Employee security awareness training
B. Administrator alerts
C. Screensaver passwords
D. Close supervision

Correct Answer = C
Justification:- Using screensaver passwords is an effective control
to counter the vulnerability of data entry operators potentially
leaving their computers without logging off.

135. During the business impact assessment phase of business
continuity planning, which aspect is considered the most critical?
A. End-user involvement
B. Senior management involvement
C. Security administration involvement
D. IS auditing involvement

Correct Answer = A
Justification:- End-user involvement is crucial during the business
impact assessment phase of business continuity planning.

136. Who ultimately bears the responsibility for developing an
Information Systems (IS) security policy?
A. The board of directors
B. Middle management
C. Security administrators
D. Network administrators

Correct Answer = A
Justification:- The board of directors bears ultimate accountability
for the development of an IS security policy.

137. Who is responsible for implementing cost-effective controls
in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors

Correct Answer = B
Justification:- Business unit management is responsible for
implementing cost-effective controls in an automated system.

138. Who assumes the overall direction, cost management, and
timetable control for systems development projects?
A. The project sponsor
B. The project steering committee
C. Senior management
D. The project team leader

Correct Answer = B
Justification:- The project steering committee is responsible for
the overall direction, costs, and timetables of systems
development projects.

139. Which layer(s) of the OSI reference model are utilized for
encrypting data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer

Correct Answer = C
Justification:- User applications often utilize protocols within the
OSI session layer or lower in the transport layer to encrypt and
encapsulate data.

140. What protocols does the OSI Transport Layer of the TCP/IP
protocol suite provide to ensure reliable communication?
A. Nonconnection-oriented protocols
B. Connection-oriented protocols
C. Session-oriented protocols
D. Nonsession-oriented protocols

Correct Answer = B
Justification:- The transport layer of the TCP/IP protocol suite
ensures reliable communication by utilizing connection-oriented
protocols.

141. What is an acceptable recovery mechanism for extremely
time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network

Correct Answer = C
Justification:- Shadow file processing can be implemented as a
recovery mechanism for time-sensitive transaction processing.

142. What protects an application purchaser's ability to modify or
fix an application if the application vendor ceases operations?
A. Assigning copyright to the organization
B. Program back doors
C. Source code escrow
D. Internal programming expertise

Correct Answer = C
Justification:- Source code escrow safeguards an application
purchaser's ability to modify or fix an application in case the
application vendor ceases operations.

143. What is/are used to measure and ensure proper network
capacity management and service availability? Please choose the
most appropriate answer.
A. Network performance-monitoring tools
B. Network component redundancy
C. Syslog reporting
D. IT strategic planning

Correct Answer = A
Justification:- Network performance-monitoring tools are
employed to measure and ensure proper network capacity
management and service availability.

144. What can be used to gather evidence of network attacks?
A. Access control lists (ACL)
B. Intrusion-detection systems (IDS)
C. Syslog reporting
D. Antivirus programs

Correct Answer = B
Justification:- Intrusion-detection systems (IDS) are utilized to
gather evidence of network attacks.

145. When auditing password files, what is a crucial check that IS
auditors must always perform?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived

Correct Answer = B
Justification:- IS auditors should always verify that password files
are encrypted, that is, that no password is stored in readable form.
In practice this means the file holds salted, slow one-way hashes
rather than reversible ciphertext, and that the file itself (for
example /etc/shadow) is readable only by privileged accounts.
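
A practical version of this check, as an added example that is not part of the original question bank: the script below parses lines in /etc/shadow format and flags accounts whose stored credential is empty, uses a weak hash (md5crypt or traditional DES crypt) or is unrecognized, and it inspects the file mode for access by non-privileged users. The sample lines and their hash strings are constructed placeholders; the hash-ID prefixes come from crypt(5), and the rating labels are this example's own judgement.

```python
import os
import stat
import tempfile

# Hash identifiers from crypt(5). Traditional DES crypt has no "$id$"
# prefix and is exactly 13 characters long. Ratings are this example's own.
HASH_ALGORITHMS = {
    "$y$": ("yescrypt", "strong"),
    "$7$": ("scrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),
    "$2a$": ("bcrypt", "strong"),
    "$6$": ("sha512crypt", "acceptable"),
    "$5$": ("sha256crypt", "acceptable"),
    "$1$": ("md5crypt", "weak"),
}


def classify_hash(field):
    """Return (algorithm, rating) for one shadow password field."""
    if field == "":
        return ("none", "critical")      # empty field: login needs no password
    if field[0] in "!*":
        return ("locked", "ok")          # account cannot log in with a password
    for prefix, (name, rating) in HASH_ALGORITHMS.items():
        if field.startswith(prefix):
            return (name, rating)
    if len(field) == 13:
        return ("descrypt", "weak")
    return ("unknown", "review")


def audit_shadow_lines(lines):
    """Return (user, algorithm, rating) for accounts that need attention."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            findings.append((line, "malformed", "review"))
            continue
        user, field = parts[0], parts[1]
        algo, rating = classify_hash(field)
        if rating in ("weak", "critical", "review"):
            findings.append((user, algo, rating))
    return findings


def audit_file_mode(path):
    """Flag a password file that 'other' can read or that non-owners can write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    return issues


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "root:$6$Xk2v9Qs1$placeholderhashvalue000000000000000000000000000000:19700:0:99999:7:::",
    "daemon:*:19700:0:99999:7:::",
    "svc_backup:$1$abcd1234$placeholdermd5hashvalue:19700:0:99999:7:::",
    "legacy:ab8r3fTZpQ.xY:19700:0:99999:7:::",
    "guest::19700:0:99999:7:::",
    "alice:!$6$locked$placeholder:19700:0:99999:7:::",
]


if __name__ == "__main__":
    for user, algo, rating in audit_shadow_lines(SAMPLE_SHADOW):
        print(f"{user:12s} {algo:12s} {rating}")
    # Demonstrate the mode check on a throwaway file given the wrong mode.
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)
    print(path, audit_file_mode(path))
    os.unlink(path)
```

On a real host the mode check would be run against /etc/shadow (expected 0640 or 0600, owned by root), and the line audit against its contents; both functions take plain paths and lines so they can be pointed at a copy collected as audit evidence.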

146. If an IS auditor observes that an IS department fails to utilize
formal documented methodologies, policies, and standards, what
action should the auditor take? Please choose the most
appropriate answer.
A. Lack of IT documentation is not usually material to the controls
tested in an IT audit.
B. The auditor should at least document the informal standards
and policies. Furthermore, the IS auditor should create formal
documented policies to be implemented.
C. The auditor should at least document the informal standards
and policies, and test for compliance. Furthermore, the IS auditor
should recommend to management that formal documented
policies be developed and implemented.
D. The auditor should at least document the informal standards
and policies, and test for compliance. Furthermore, the IS auditor
should create formal documented policies to be implemented.

Correct Answer = C
Justification:- If an IS auditor observes that an IS department does
not employ formal documented methodologies, policies, and
standards, the auditor should at least document the informal
policies and standards and evaluate compliance. Furthermore, the
auditor should recommend to management the development and
implementation of formal documented policies.

147. What factors influence decisions regarding the criticality of
assets?
A. The business criticality of the data to be protected
B. Internal corporate politics
C. The business criticality of the data to be protected, and the
scope of the impact upon the organization as a whole
D. The business impact analysis

Correct Answer = C
Justification:- The criticality of assets is often influenced by the
business criticality of the data to be protected and the extent of
the impact on the organization as a whole. For instance, the loss
of a network backbone has a far greater impact on the
organization as a whole compared to the loss of data on a typical
user's workstation.

148. When storing data archives off-site, what must be done to
ensure data completeness?
A. The data must be normalized.
B. The data must be validated.
C. The data must be parallel-tested.
D. The data must be synchronized.

Correct Answer = D
Justification:- When storing data archives off-site, synchronization
is necessary to ensure data completeness.

149. To adequately protect against the unauthorized disclosure of
sensitive data, how should hard disks be sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.

Correct Answer = B
Justification:- To effectively safeguard against unauthorized
disclosure of sensitive data, hard disks should be demagnetized
(degaussed) before disposal or release. Deleting or formatting only
removes the file-system references, and an overwrite leaves open
whether every sector, including remapped ones, was reached. Note
that degaussing only works on magnetic media; for solid-state
drives the equivalent is the drive's built-in sanitize or
cryptographic-erase command, or physical destruction, as described
in NIST SP 800-88.

150. Describe what the directory system of a database-
management system encompasses.
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method

Correct Answer = B
Justification:- The directory system of a database-management
system defines the data's location and the access method.

151. What should an IS auditor be aware of to evaluate the
collective effect of preventative, detective, or corrective controls
within a process?
A. The business objectives of the organization
B. The effect of segregation of duties on internal controls
C. The point at which controls are exercised as data flows through
the system
D. Organizational control policies

Correct Answer = C
Justification:- When assessing the collective impact of preventive,
detective, or corrective controls within a process, an IS auditor
should consider the point at which controls are applied as data
flows through the system.

152. When examining print systems spooling, what vulnerabilities
are of greatest concern to an IS auditor?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies

Correct Answer = C
Justification:- When reviewing print systems spooling, an IS
auditor is primarily concerned with the potential unauthorized
printing of report copies.

153. Who bears the ultimate responsibility for providing
requirement specifications to the software development team?
A. The project sponsor
B. The project members
C. The project leader
D. The project steering committee

Correct Answer = A
Justification:- The project sponsor is ultimately responsible for
providing requirement specifications to the software development
team.

154. What is the recommended course of action if a database is
restored from information backed up before the last system
image?
A. The system should be restarted after the last transaction.
B. The system should be restarted before the last transaction.
C. The system should be restarted at the first transaction.
D. The system should be restarted on the last transaction.

Correct Answer = B
Justification:- If a database is restored from a backup taken before
the last system image, the system should be restarted before
processing the final transaction, as it needs to be reprocessed.

155. How does the SSL network protocol ensure confidentiality?
A. Through symmetric encryption such as RSA
B. Through asymmetric encryption such as Data Encryption
Standard, or DES
C. Through asymmetric encryption such as Advanced Encryption
Standard, or AES
D. Through symmetric encryption such as Data Encryption
Standard, or DES

Correct Answer = D
Justification:- SSL protects confidentiality with a symmetric cipher;
DES was one of the ciphers historically negotiated, alongside 3DES
and RC4. Asymmetric algorithms such as RSA are used only during the
handshake to establish the symmetric session key, because they are
far too slow for bulk data. Options A, B and C each pair an
algorithm with the wrong cipher class. Today SSL itself is
deprecated and DES is considered broken; current deployments use
TLS 1.2 or 1.3 with AES or ChaCha20.

156. Which controls are effective in detecting duplicate
transactions such as payments made or received?
A. Concurrency controls
B. Reasonableness checks
C. Time stamps
D. Referential integrity controls

Correct Answer = C
Justification:- Time stamps are an effective control for identifying
duplicate transactions, such as payments made or received.
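
As an added example that is not from the question bank, the script below runs the time-stamp check over a constructed set of payment records: it flags a reused reference number and, using the time stamp, a payment to the same payee for the same amount within a short window, which is how a resubmitted payment that received a fresh reference shows up. The record format, the ten-minute window and the sample data are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed payment records: "timestamp | reference | payee | amount".
SAMPLE_PAYMENTS = [
    "2024-03-04 09:15:02 | INV-1001 | Acme Ltd  | 1250.00",
    "2024-03-04 09:17:45 | INV-1002 | Acme Ltd  | 1250.00",
    "2024-03-04 11:40:10 | INV-1003 | Beta GmbH |  300.00",
    "2024-03-04 16:05:00 | INV-1001 | Acme Ltd  | 1250.00",
    "2024-03-05 09:15:02 | INV-1004 | Acme Ltd  | 1250.00",
]


def parse_payments(lines):
    """Turn the constructed text records into dicts with a real timestamp."""
    records = []
    for line in lines:
        ts, ref, payee, amount = [field.strip() for field in line.split("|")]
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ref": ref,
            "payee": payee,
            "cents": int(round(float(amount) * 100)),  # integer cents, no float compare
        })
    return records


def find_duplicates(records, window=timedelta(minutes=10)):
    """Return (reason, earlier, later) tuples for suspected duplicates.

    Check 1: the same reference number posted more than once.
    Check 2: same payee and amount posted within `window` of each other,
    which is how a resubmission that was given a new reference shows up.
    Both checks use the time stamp to order the records and to decide
    which of the two postings is the original.
    """
    ordered = sorted(records, key=lambda r: r["ts"])
    hits = []
    first_by_ref = {}
    for rec in ordered:
        if rec["ref"] in first_by_ref:
            hits.append(("duplicate reference", first_by_ref[rec["ref"]], rec))
        else:
            first_by_ref[rec["ref"]] = rec
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later["ts"] - earlier["ts"] > window:
                break  # time-ordered: nothing further back in the list is inside the window
            if (earlier["ref"] != later["ref"]
                    and earlier["payee"] == later["payee"]
                    and earlier["cents"] == later["cents"]):
                hits.append(("same payee and amount within window", earlier, later))
    return hits


if __name__ == "__main__":
    for reason, a, b in find_duplicates(parse_payments(SAMPLE_PAYMENTS)):
        print(f"{reason}: {a['ref']} at {a['ts']} vs {b['ref']} at {b['ts']}")
```

The next-day payment to the same payee for the same amount (INV-1004) is deliberately outside the window and is not flagged, since a recurring payment is legitimate; the window is the tuning knob that separates a resubmission from a scheduled repeat.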

157. Why does an IS auditor review an organization chart?
A. To optimize the responsibilities and authority of individuals
B. To control the responsibilities and authority of individuals
C. To better understand the responsibilities and authority of
individuals
D. To identify project sponsors

Correct Answer = C
Justification:- Reviewing an organization chart is primarily done by
an IS auditor to gain a better understanding of individuals'
responsibilities and authority.

158. What is the purpose of the IS auditor's review of system
logs?
A. To get evidence of password spoofing
B. To get evidence of data copy activities
C. To determine the existence of unauthorized access to data by a
user or program
D. To get evidence of password sharing

Correct Answer = C
Justification:- When attempting to determine unauthorized access
to data by a user or program, the IS auditor often reviews the
system logs.

159. What is the primary objective of Business Continuity
Planning (BCP) and Disaster Recovery Planning (DRP)?
A. To protect human life
B. To mitigate the risk and impact of a business interruption
C. To eliminate the risk and impact of a business interruption
D. To transfer the risk and impact of a business interruption

Correct Answer = A
Justification:- While the primary objective of Business Continuity
Planning (BCP) and Disaster Recovery Planning (DRP) is to
mitigate the risk and impact of business interruptions, the
protection of human life remains the dominant objective.

160. What is the main high-level goal for an auditor reviewing a
system development project?
A. To ensure that programming and processing environments are
segregated
B. To ensure that proper approval for the project has been
obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administrated
effectively

Correct Answer = C
Justification:- One of the main high-level goals for an auditor
reviewing a systems development project is to ensure the
achievement of business objectives. This objective guides all
other systems development objectives.

161. Why is it important to include a clause for requiring source
code escrow in an application vendor agreement?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the
application vendor goes out of business
Correct Answer = D
Justification:- Including a provision for source code escrow in an
application vendor agreement is crucial to ensure the availability
of the source code, even if the application vendor ceases
operations.

162. What is the primary purpose of audit trails?
A. To document auditing efforts
B. To correct data integrity errors
C. To establish accountability and responsibility for processed
transactions
D. To prevent unauthorized access to data

Correct Answer = C
Justification:- The main objective of audit trails is to establish
accountability and responsibility for processed transactions.
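
Added example, not part of the question bank, illustrating both the log review of question 158 and the accountability purpose of audit trails in this question: the script parses constructed syslog-style lines and reports logins to shared accounts (which cannot be attributed to an individual), privileged commands run by users outside an approved administrator list, and failed logins. The log lines, host name, addresses, user names and the authorized-administrator set are all invented for this example.

```python
import re

# Constructed sample log lines in syslog format; host, users and
# addresses are invented for this example.
SAMPLE_LOG = [
    "Mar  4 09:12:01 db01 sshd[2231]: Accepted publickey for alice from 10.0.4.17 port 51522 ssh2",
    "Mar  4 09:12:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar  4 09:30:11 db01 sshd[2290]: Accepted password for root from 10.0.9.3 port 40012 ssh2",
    "Mar  4 10:02:33 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar  4 10:05:00 db01 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 2222 ssh2",
]

SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")

# Accounts that do not identify a person. A direct login as one of them
# breaks the accountability chain the audit trail is meant to provide.
SHARED_ACCOUNTS = {"root", "admin", "oracle", "postgres"}


def review_logs(lines, authorized_admins):
    """Return (kind, subject, detail) findings from system log lines.

    authorized_admins: personal user names allowed to run commands as
    root; assumed to come from an approved access list.
    """
    findings = []
    for line in lines:
        m = SSH_ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            if user in SHARED_ACCOUNTS:
                findings.append(("unattributable login", user, f"{method} from {src}"))
            continue
        m = SSH_FAILED.search(line)
        if m:
            user, src = m.groups()
            findings.append(("failed login", user, f"from {src}"))
            continue
        m = SUDO_CMD.search(line)
        if m:
            user, target, command = m.groups()
            if target == "root" and user not in authorized_admins:
                findings.append(("unauthorized privileged command", user, command))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review_logs(SAMPLE_LOG, {"alice"}):
        print(f"{kind:32s} {subject:8s} {detail}")
```

The sudo line for alice produces no finding because she is on the approved list and the action is attributed to her by name; bob's identical privilege level but absent approval is what turns the same kind of record into a finding.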

163. If an IS auditor discovers evidence of risk associated with
improper segregation of duties, such as the security administrator
performing an operations function, what is the auditor's main
responsibility?
A. To advise senior management.
B. To reassign job functions to eliminate potential fraud.
C. To implement compensating controls.
D. Segregation of duties is an administrative control not
considered by an IS auditor.

Correct Answer = A
Justification:- The primary responsibility of an IS auditor is to
advise senior management about the risks associated with not
implementing proper segregation of duties. For example, this
includes situations where the security administrator performs
operational functions.

164. After identifying potential security vulnerabilities, what
should be the next step for the IS auditor?
A. To evaluate potential countermeasures and compensatory
controls
B. To implement effective countermeasures and compensatory
controls
C. To perform a business impact analysis of the threats that would
exploit the vulnerabilities
D. To immediately advise senior management of the findings

Correct Answer = C
Justification:- Once potential security vulnerabilities are identified,
the next step for the IS auditor is to conduct a business impact
analysis of the threats that could exploit those vulnerabilities.

165. Which authentication method provides the best single-factor
authentication?
A. Biometrics
B. Password
C. Token
D. PIN

Correct Answer = A
Justification:- Despite providing only single-factor authentication,
biometrics is widely regarded as an excellent method for user
authentication.

166. What is the primary security concern in EDI environments?
A. Transaction authentication
B. Transaction completeness
C. Transaction accuracy
D. Transaction authorization

Correct Answer = D
Justification:- Transaction authorization is the primary security
concern in EDI environments.

167. Storing off-site data backups at a geographically separate
location is intended to do which of the following to the risk of a
widespread physical disaster?
A. Accept
B. Eliminate
C. Transfer
D. Mitigate

Correct Answer = D
Justification:- To mitigate the risk of a widespread physical
disaster like a hurricane or an earthquake, it is important to
geographically separate off-site data backup and storage.

168. What type of testing should programmers perform following
any changes to an application or system?
A. Unit, module, and full regression testing
B. Module testing
C. Unit testing
D. Regression testing

Correct Answer = A
Justification:- Following any changes made to an application or
system, programmers should perform unit, module, and full
regression testing.

169. What is the greatest concern when conducting an IS audit?
A. Users' ability to directly modify the database
B. Users' ability to submit queries to the database
C. Users' ability to indirectly modify the database
D. Users' ability to directly view the database

Correct Answer = A
Justification:- One of the major concerns in IS auditing is the
ability of users to directly modify the database.

170. Which control is commonly used to detect and deter internet
attacks?
A. Honeypots
B. CCTV
C. VPN
D. VLAN

Correct Answer = A
Justification:- Honeypots are frequently utilized as detection and
deterrent controls against internet attacks.

171. What type of major BCP test only requires representatives
from each operational area to review the plan?
A. Parallel
B. Preparedness
C. Walk-through
D. Paper

Correct Answer = C
Justification:- Among the three primary types of BCP tests (paper,
walk-through, and preparedness), a walk-through test only
requires representatives from each operational area to meet and
review the plan.

172. What type of BCP test simulates a system crash using actual
resources to validate the plan's effectiveness?
A. Paper
B. Preparedness
C. Walk-through
D. Parallel

Correct Answer = B
Justification:- Of the three major types of BCP tests (paper, walk-
through, and preparedness), only the preparedness test utilizes
actual resources to simulate a system crash and validate the
effectiveness of the plan.

173. Why is the WAP gateway a critical concern for the IS auditor
when auditing and testing controls for message confidentiality?
A. WAP is often configured by default settings and is thus
insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway between WTLS
(wireless TLS) and Internet SSL.
D. WAP often interfaces critical IT systems.

Correct Answer = C
Justification:- When auditing and testing controls that enforce
message confidentiality, the IS auditor needs to critically review
the WAP gateway, which functions as a protocol-conversion gateway
between WTLS and Internet SSL. Because the gateway decrypts the
WTLS session and re-encrypts the data under SSL, the message exists
in plaintext in the gateway's memory; this break in end-to-end
confidentiality (the "WAP gap") is why the gateway's own controls
need scrutiny.

174. What type of cryptosystem involves encrypting data using
the recipient's public key and decrypting it using the recipient's
private key?
A. With public-key encryption, or symmetric encryption
B. With public-key encryption, or asymmetric encryption
C. With shared-key encryption, or symmetric encryption
D. With shared-key encryption, or asymmetric encryption

Correct Answer = B
Justification:- With public key encryption or asymmetric
encryption, the sender encrypts data using the recipient's public
key and the recipient decrypts it using their private key.

175. True or false: IS auditors are most likely to perform
compliance tests of internal controls if control risks are within
acceptable limits.
A. True
B. False

Correct Answer = A
Justification:- IS auditors are most likely to perform compliance
tests of internal controls if, after their initial evaluation, they
determine that control risks are within acceptable limits.
Compliance testing is necessary to validate reliance on internal
controls. When control risks are high, additional substantive
testing is required.

176. True or false: Proper segregation of duties prohibits a system
analyst from performing quality-assurance functions.
A. True
B. False

Correct Answer = A
Justification:- Proper segregation of duties prevents a system
analyst from performing quality-assurance functions.

177. True or false: Proper segregation of duties does not prohibit
a LAN administrator from having programming responsibilities.
A. True
B. False

Correct Answer = B
Justification:- In general, proper segregation of duties prohibits a
LAN administrator from having programming responsibilities.

178. True or false: Atomicity ensures data integrity by completing
a transaction entirely or not at all.
A. True
B. False

Correct Answer = A
Justification:- Atomicity ensures data integrity by guaranteeing
that a transaction is either completed entirely or not at all.
Atomicity is one of the ACID test criteria for transaction
processing.
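
The atomicity property in code, as an added example that is not from the question bank: a funds transfer against an in-memory SQLite ledger (Python's standard sqlite3 module) is performed as one transaction; when the second update fails on an overdraft or an unknown account, the first update is rolled back and the balances are exactly as they were. Account names and balances are constructed for the example.

```python
import sqlite3


def open_ledger():
    """In-memory ledger; the CHECK constraint makes the engine reject overdrafts."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    conn.execute(
        "CREATE TABLE account ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("A", 100), ("B", 50)])
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one atomic unit. True on commit, False on rollback."""
    conn.execute("BEGIN")
    try:
        # Credit first on purpose: if the debit then fails, a partial write
        # already exists and the rollback has to undo it.
        credited = conn.execute(
            "UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst)
        ).rowcount
        if credited != 1:
            raise ValueError(f"unknown account {dst}")
        debited = conn.execute(
            "UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src)
        ).rowcount  # raises sqlite3.IntegrityError if the balance would go negative
        if debited != 1:
            raise ValueError(f"unknown account {src}")
        conn.execute("COMMIT")
        return True
    except (sqlite3.Error, ValueError):
        conn.execute("ROLLBACK")  # everything since BEGIN is discarded
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


if __name__ == "__main__":
    ledger = open_ledger()
    print(transfer(ledger, "A", "B", 30), balances(ledger))   # True  {'A': 70, 'B': 80}
    print(transfer(ledger, "A", "B", 500), balances(ledger))  # False {'A': 70, 'B': 80}
    print(transfer(ledger, "A", "Z", 10), balances(ledger))   # False {'A': 70, 'B': 80}
```

The invariant an auditor would test is that the sum of balances never changes and that no failed transfer leaves a one-sided posting; without the transaction the overdraft case would leave B credited with money that was never debited from A.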

179. True or false: A disaster recovery plan aims to reduce the
length of recovery time and associated costs.
A. True
B. False

Correct Answer = A
Justification:- A disaster recovery plan (DRP) aims to reduce the
recovery time and associated costs in the event of a major
business interruption. Despite increasing pre- and post-incident
operational costs, DRP results in reduced recovery and business
impact costs.

180. True or false: Obtaining user approval for program changes
is effective in controlling application changes and maintenance.
A. True
B. False

Correct Answer = A
Justification:- Obtaining user approval for program changes is
highly effective in controlling application changes and
maintenance.

181. True or false: Function Point Analysis (FPA) estimates the
size of an information system based on its inputs and outputs.
A. True
B. False

Correct Answer = B
Justification:- Function point analysis (FPA) estimates the size of
an information system from the number and complexity of its
external inputs, external outputs, external inquiries, internal
logical files and external interface files, not from inputs and
outputs alone.

182. True or false: An IS auditor should focus on system controls
rather than documentation when participating in a systems-
development project.
A. True
B. False

Correct Answer = B
Justification:- When participating in a systems-development
project, an IS auditor should ensure that adequate and complete
documentation exists for all projects.

183. True or false: Fourth-Generation Languages (4GLs) are
suitable for designing the application's GUI but not intensive data-
calculation procedures.
A. True
B. False

Correct Answer = A
Justification:- Fourth-generation languages (4GLs) are suitable for
designing the application's graphical user interface (GUI) but not
for designing intensive data-calculation procedures.

184. True or false: Network environments often increase the
complexity of program-to-program communication and make
application system implementation and maintenance more
difficult.
A. True
B. False

Correct Answer = A
Justification:- Network environments often increase the
complexity of program-to-program communication, making
implementation and maintenance of application systems more
challenging.

185. True or false: A password disclosure can be detected in
control logs.
A. True
B. False

Correct Answer = B
Justification:- Control logs cannot show that a password was
disclosed: a login with a shared or stolen password is recorded
exactly like a login by the account owner, and the logs cannot tell
whether any disclosure was intentional or unintentional. At most,
anomalies such as logins at unusual times or from unusual locations,
or concurrent sessions, hint at a compromised credential.

186. True or false: An integrated test facility cannot compare
processing output with independently calculated data.
A. True
B. False

Correct Answer = B
Justification:- An integrated test facility is a valuable audit tool as
it compares processing output with independently calculated
data.

187. True or false: Continuous audit can improve system security
in time-sharing environments with a high volume of transactions.
A. True
B. False

Correct Answer = A
Justification:- One advantage of a continuous audit approach is
that it can enhance system security in time-sharing environments
that process a large number of transactions.

188. True or false: An IS auditor should review both short-term
and long-term IS strategies during an IS strategy audit.
A. True
B. False

Correct Answer = A
Justification:- When conducting an IS strategy audit, an IS auditor
should review both short-term (one-year) and long-term (three- to
five-year) IS strategies, interview relevant corporate management
personnel, and ensure consideration of the external environment.

189. True or false: Allowing application programmers to directly
patch or change code in production programs increases the risk of
fraud.
A. True
B. False

Correct Answer = A
Justification:- Allowing application programmers to directly patch
or change code in production programs increases the risk of
fraud.

190. True or false: Proper segregation of duties does not prohibit
a quality control administrator from being responsible for change
control and problem management.
A. True
B. False

Correct Answer = A
Justification:- Proper segregation of duties does not prevent a
quality-control administrator from being responsible for change
control and problem management at the same time.

191. True or false: Proper segregation of duties prevents a
computer operator from performing security administration
duties.
A. True
B. False

Correct Answer = A
Justification:- Proper segregation of duties ensures that a
computer operator (user) cannot perform security administration
duties.

192. True or false: Digital signatures involve encrypting data with
the sender's public key and decrypting it with the recipient's
private key.
A. False
B. True

Correct Answer = B
Justification:- Digital signatures require the sender to encrypt the
data with their private key, which is then decrypted by the
recipient using the sender's public key.

193. True or false: The primary concern of an IS auditor is the
effectiveness and utilization of assets rather than access control
and safeguards.
A. True
B. False

Correct Answer = B
Justification:- Rather than solely assessing the effectiveness and
utilization of assets, an IS auditor is more concerned with
adequate access control, appropriate access policies, and the
effectiveness of safeguards and procedures.

194. True or false: When a programmer has update access to a
live system, the ability to initiate or modify transactions and
access production is of greater concern to IS auditors than the
ability to authorize transactions.
A. True
B. False

Correct Answer = A
Justification:- When a programmer has update access to a live
system, IS auditors are primarily concerned with their ability to
initiate or modify transactions and access production rather than
their authority to authorize transactions.

195. True or false: An off-site processing facility should be easily
identifiable externally to ensure smoother recovery.
A. True
B. False

Correct Answer = B
Justification:- An off-site processing facility should not be easily
identifiable externally, as easy identification would create an
additional vulnerability for sabotage.

196. True or false: Mitigating the risk and impact of a disaster
takes priority over transferring risk to a third party such as an
insurer.
A. True
B. False

Correct Answer = A
Justification:- Prioritizing the mitigation of the risk and impact of a
disaster or business interruption usually takes precedence over
transferring the risk to a third party, such as an insurer.

197. Is it true or false that test and development environments
should be separated?
A. True
B. False

Correct Answer = A
Justification:- Test and development environments should be
separated to maintain the stability of the test environment.

198. Is it true or false that the IS auditor attempts to identify and
quantify the impact of controls that may have been removed or
may not work effectively after business process changes?
A. True
B. False

Correct Answer = A
Justification:- When business processes undergo re-engineering,
the IS auditor should strive to identify and quantify the impact of
any controls that may have been removed or might be less
effective after the changes.

199. Is it true or false that in small office environments,
maintaining proper segregation of duties for programmers is not
always possible, and compensatory controls such as reviewing
transaction results may be necessary if a programmer has access
to production data or applications?
A. True
B. False

Correct Answer = A
Justification:- In small office environments, maintaining proper
segregation of duties for programmers is not always feasible.
Compensatory controls, such as reviewing transaction results
against approved input, may be necessary if a programmer has
access to production data or applications.

200. Is it true or false that database snapshots can provide an
excellent audit trail for an IS auditor?
A. True
B. False

Correct Answer = A
Justification:- Database snapshots can serve as an excellent audit
trail for an IS auditor.
