Certified Information Systems Auditor, popularly called CISA, is offered by ISACA.
Which of the following would be the BEST method for ensuring that critical fields in a master
record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Blackbox test
B. Desk checking
C. Structured walk-through
D. Design and code
Which of the following is MOST likely to result from a business process reengineering (BPR)
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. Weaker organizational structures and less accountability
D. Information protection (IP) risk will increase
Which of the following devices extends the network and has the capacity to store frames and act
as a storage and forward device?
IS management has decided to rewrite a legacy customer relations system using fourth-generation
languages (4GLs). Which of the following risks is MOST often associated with system
development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations
Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
A call-back system requires that a user with an id and password call a remote server through a
dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number
from its database.
B. dials back to the user machine based on the user id and password using a telephone number
provided by the user during this connection.
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using its database.
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using the sender’s database.
Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the
D. controls the coding and testing of the high-level functions of the program in the development
Which of the following data validation edits is effective in detecting transposition and transcription
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
An offsite information processing facility having electrical wiring, air conditioning and flooring, but
no computer or communications equipment is a:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
A number of system failures are occurring when corrections to previously detected errors are
resubmitted for acceptance testing. This would indicate that the maintenance team is probably
not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walk-throughs
D. Configuration management
In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler.
B. EDI translator.
C. application interface.
D. EDI interface.
The MOST significant level of effort for business continuity planning (BCP) generally is required
A. testing stage.
B. evaluation stage.
C. maintenance stage.
D. early stages of planning.
The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the post-implementation review.
Which of the following translates e-mail formats from one network to another so that the message
can travel through all the networks?
B. Protocol converter
C. Front-end communication processor
Which of the following BEST describes the necessary documentation for an enterprise product
reengineering (EPR) software installation?
A. Specific developments only
B. Business requirements only
C. All phases of the installation must be documented
D. No need to develop a customer specific documentation
A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a metropolitan area network (MAN).
D. two segments of a single LAN.
A LAN administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
Which of the following tests is an IS auditor performing when a sample of programs is selected to
determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
A data administrator is responsible for:
A. maintaining database system software.
B. defining data elements, data names and their relationship.
C. developing physical database structures.
D. developing data dictionary system software.
A database administrator is responsible for:
A. defining data ownership.
B. establishing operational standards for the data dictionary.
C. creating the logical and physical database.
D. establishing ground rules for ensuring data integrity and security.
An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is
LEAST likely to expect the job description of the DBA to include:
A. defining the conceptual schema.
B. defining security and integrity checks.
C. liaising with users in developing data model.
D. mapping data model with the internal schema.
Which of the following network configuration options contains a direct link between any two host
D. Completely connected (mesh)
Which of the following types of data validation editing checks is used to determine if a field
contains data, and not zeros or blanks?
A. Check digit
B. Existence check
C. Completeness check
D. Reasonableness check
What process is used to validate a subject’s identity?
What is often assured through table link verification and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy
Which of the following should an IS auditor review to determine user permissions that have been
granted for a particular resource? Choose the BEST answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived
Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
When should systems administrators first assess the impact of applications or systems patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation
Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users’ desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
Which of the following is of greatest concern when performing an IS audit?
A. Users’ ability to directly modify the database
B. Users’ ability to submit queries to the database
C. Users’ ability to indirectly modify the database
D. Users’ ability to directly view the database
What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing
What type(s) of firewalls provide(s) the greatest degree of protection and control because both
firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
Which of the following can degrade network performance? Choose the BEST answer.
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating new collision domains
C. Inefficient and superfluous use of network devices such as switches
D. Inefficient and superfluous use of network devices such as hubs
Which of the following provide(s) near-immediate recoverability for time-sensitive systems and
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing
What is an effective control for granting temporary access to vendors and external support
personnel? Choose the BEST answer.
A. Creating user accounts that automatically expire by a predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain hours of the day
D. Creating a single shared vendor administrator account on the basis of least-privileged access
Which of the following help(s) prevent an organization’s systems from participating in a distributed
denial-of-service (DDoS) attack? Choose the BEST answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems
What is a common vulnerability, allowing denial-of-service attacks?
A. Assigning access to users according to the principle of least privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules
What are used as a countermeasure for potential database corruption when two processes
attempt to simultaneously edit or update the same information? Choose the BEST answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals
What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advanced Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key
Which of the following best characterizes “worms”?
A. Malicious programs that can run independently and can propagate without the aid of a carrier
program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that require the aid of a carrier program such as email
D. Malicious programs that masquerade as common applications such as screensavers or
macro-enabled Word documents
Which of the following is used to evaluate biometric access controls?
Proper segregation of duties prevents a computer operator (user) from performing security
administration duties. True or false?
How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network?
A. Modems convert analog transmissions to digital, and digital transmission to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within
Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors
Of the three major types of off-site processing facilities, what type is characterized by at least
providing for electricity and HVAC?
A. Cold site
B. Alternate site
C. Hot site
D. Warm site
In order to properly protect against unauthorized disclosure of sensitive data, how should hard
disks be sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.
When reviewing print systems spooling, an IS auditor is MOST concerned with which of the
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
Why is the WAP gateway a component warranting critical concern and review for the IS auditor
when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured by default settings and is thus insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.
D. WAP often interfaces critical IT systems.
With the objective of mitigating the risk and impact of a major business interruption, a disaster-
recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs
associated with recovery. Although DRP results in an increase of pre- and post-incident
operational costs, the extra costs are more than offset by reduced recovery and business impact
costs. True or false?
What is a primary high-level goal for an auditor who is reviewing a system development project?
A. To ensure that programming and processing environments are segregated
B. To ensure that proper approval for the project has been obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administrated effectively
Whenever an application is modified, what should be tested to determine the full impact of the
change? Choose the BEST answer.
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems
C. All programs, including interface systems with other applications or systems
D. Mission-critical functions and any interface systems with other applications or systems
What often results in project scope creep when functional requirements are not defined as well as
they could be?
A. Inadequate software baselining
B. Insufficient strategic planning
C. Inaccurate resource allocation
D. Project delays
Fourth-Generation Languages (4GLs) are most appropriate for designing the application’s
graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation
procedures. True or false?
When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and
long-term (three- to five-year) IS strategies, interview appropriate corporate management
personnel, and ensure that the external environment has been considered. The auditor should
especially focus on procedures in an audit of IS strategy. True or false?
What process allows IS management to determine whether the activities of the organization differ
from the planned or expected levels? Choose the BEST answer.
A. Business impact assessment
B. Risk assessment
C. IS assessment methods
D. Key performance indicators (KPIs)
When should reviewing an audit client’s business plan be performed relative to reviewing an
organization’s IT strategic plan?
A. Reviewing an audit client’s business plan should be performed before reviewing an
organization’s IT strategic plan.
B. Reviewing an audit client’s business plan should be performed after reviewing an
organization’s IT strategic plan.
C. Reviewing an audit client’s business plan should be performed during the review of an
organization’s IT strategic plan.
D. Reviewing an audit client’s business plan should be performed without regard to an
organization’s IT strategic plan.
Allowing application programmers to directly patch or change code in production programs
increases risk of fraud. True or false?
Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
Proper segregation of duties does not prohibit a quality control administrator from also being
responsible for change control and problem management. True or false?
What can be implemented to provide the highest level of protection from external attack?
A. Layering perimeter network protection by configuring the firewall as a screened host in a
screened subnet behind the bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal
The directory system of a database-management system describes:
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method
How is the risk of improper file access affected upon implementing a database system?
A. Risk varies.
B. Risk is reduced.
C. Risk is not affected.
D. Risk is increased.
To affix a digital signature to a message, the sender must first create a message digest by
applying a cryptographic hashing algorithm against:
A. the entire message and thereafter enciphering the message digest using the sender’s private
B. any arbitrary part of the message and thereafter enciphering the message digest using the
sender’s private key.
C. the entire message and thereafter enciphering the message using the sender’s private key.
D. the entire message and thereafter enciphering the message along with the message digest
using the sender’s private key.
A sequence of bits appended to a digital document that is used to secure an e-mail sent through
the Internet is called a:
A. digest signature.
B. electronic signature.
C. digital signature.
D. hash signature.
A critical function of a firewall is to act as a:
A. special router that connects the Internet to a LAN.
B. device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private trusted network resources.
D. proxy server to increase the speed of access to authorized users.
Which of the following hardware devices relieves the central computer from performing network
control, format conversion and message handling tasks?
B. Cluster controller
C. Protocol converter
D. Front end processor