1. Using test data as part of a comprehensive test of program controls in a continuous online manner is called a/an: A. test data/deck. B. base-case system evaluation. C. integrated test facility (ITF). D. parallel simulation. The correct answer is: B. base-case system evaluation. Explanation: Base-case system evaluation uses test data sets developed as part of comprehensive testing programs. It is used to verify correct systems operations before acceptance, as well as periodic validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious files in the database with test transactions processed simultaneously with live input. Parallel simulation is the production of data processed using computer programs that simulate application program logic. 2. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy: A. payroll reports should be compared to input forms. B. gross payroll should be recalculated manually. C. checks (cheques) should be compared to input forms. D. checks (cheques) should be reconciled with output reports. The correct answer is: A. payroll reports should be compared to input forms. Explanation: The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the input (payroll reports). Hence, comparing payroll reports with input forms is the best mechanism of verifying data accuracy. Recalculating gross payroll manually would only verify whether the processing is correct and not the data accuracy of inputs. Comparing checks (cheques) to input forms is not feasible as checks (cheques) have the processed information and input forms have the input data. 
Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports. 3. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be the IS auditor’s main concern about the new process? A. Are key controls in place to protect assets and information resources? B. Does it address the corporate customer requirements? C. Does the system meet the performance goals (time and resources)? D. Have owners been identified who will be responsible for the process? The correct answer is: A. Are key controls in place to protect assets and information resources? Explanation: The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achieve, but they are not the auditor’s primary concern. 4. Which of the following is the BEST control to detect internal attacks on IT resources? A. Checking of activity logs B. Reviewing firewall logs C. Implementing a security policy D. Implementing appropriate segregation of duties The correct answer is: A. Checking of activity logs Explanation: Verification of individual activity logs will detect the misuse of IT resources. Depending on the configuration, firewall logs can help in detecting attacks passing through the firewall. Implementation of a security policy and segregation of duties are deterrent controls that might prevent the misuse of IT resources. 5. An IS auditor performing a review of an application’s controls would evaluate the: A. efficiency of the application in meeting the business processes. B. impact of any exposures discovered. C. business processes served by the application. D. the application’s optimization. The correct answer is: B. impact of any exposures discovered. 
Explanation: An application control review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of controls. 6. A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced? A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production The correct answer is: A. Verifying production to customer orders Explanation: Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time-consuming, manual process that does not guarantee proper control. 7. A data validation edit that matches input data to an occurrence rate is a: A. limit check. B. reasonableness check. C. range check. D. validity check. The correct answer is: B. reasonableness check. Explanation: A reasonableness check is an edit check, wherein input data are matched to predetermined reasonable limits or occurrence rates. Limit checks verifiy that data does not exceed a predetermined amount. Range checks verifiy that data is within a predetermined range of values. Validity checks test for data validity in accordance with predetermined criteria. 8. A retail company recently installed data warehousing client software at geographically diverse sites. 
Due to time zone differences between the sites, updates to the warehouse are not synchronized. Which of the following will be affected the MOST? A. Data availability B. Data completeness C. Data redundancy D. Data inaccuracy The correct answer is: B. Data completeness Explanation: Unsynchronized updates will generally cause data completeness to be affected, for example, sales data from one site do not necessarily match costs incurred in another site. 9. Which of the following types of controls is designed to provide the ability to verify data and record values through the stages of application processing? A. Range checks B. Run-to-run totals C. Limit checks on calculated amounts D. Exception reports The correct answer is: B. Run-to-run totals Explanation: Run-to-run totals provide the ability to verify data values through the stages of application processing. Runto- run total verification ensures that data read into the computer was accepted and then applied to the updating process. 10. An IS auditor assigned to audit a reorganized process should FIRST review which of the following? A. A map of existing controls B. Eliminated controls C. Process charts D. Compensating controls The correct answer is: C. Process charts Explanation: To ensure adequate control over the business process, the auditor should first review the flow charts showing the before and after processes. The process charts aid in analyzing the changes in the processes. The other choices—analyzing eliminated controls, ensuring that compensating controls are in place and analyzing the existing controls—are incorrect as each, performed individually, would not be as effective and all encompassing as reviewing the process charts. 11. Which of the following is a data validation edit and control? A. Hash totals B. Reasonableness checks C. Online access controls D. Before and after image reporting The correct answer is: B. 
Reasonableness checks Explanation: A reasonableness check is a data validation edit and control, used to ensure that data conform to predetermined criteria. Before and after image reporting is a control over data files that makes it possible to trace changes. Online access controls are designed to prevent unauthorized access to the system and data. A hash total is a total of any numeric data field or series of data elements in a data file. This total is checked against a control total of the same field (or fields) to ensure completeness of processing. 12. The lack of adequate security controls represents an: A. threat. B. asset. C. impact. D. vulnerability. The correct answer is: D. vulnerability. Explanation: The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, resulting in loss of sensitive information, which could lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "Potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets". The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability. 13. IT governance is PRIMARILY the responsibility of the: A. chief executive officer. B. board of directors. C. IT steering committee. D.audit committee. The correct answer is: B. board of directors. Explanation: IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). The chief executive officer is instrumental in implementing IT governance per the directions of the board of directors. 
The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The audit committee reports to the board of directors and should monitor the implementation of audit recommendations. 14. Which of the following message services provides the strongest protection that a specific action has occurred? A. Proof of delivery B. Nonrepudiation C. Proof of submission D. Message origin authentication The correct answer is: B. Nonrepudiation Explanation: Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts (i.e., proof of submission, proof of delivery, and message origin authentication); however, nonrepudiation provides stronger protection because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation. Message origination authentication will only confirm the source of the message and does not confirm the specific action that has been completed. 15. Effective IT governance will ensure that the IT plan is consistent with the organization’s: A. business plan. B. audit plan. C. security plan. D. investment plan. The correct answer is: A. business plan. Explanation: To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization’s business plans. The audit and investment plans are not part of the IT plan, and the security plan should be at a corporate level. 16. To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is: A. during data preparation. B. in transit to the computer. C. between related computer runs. D. during the return of the data to the user department. The correct answer is: A. during data preparation. Explanation: During data preparation is the best answer, because it establishes control at the earliest point. 17. 
An independent software program that connects two otherwise separate applications sharing computing resources across heterogeneous technologies is known as: A. middleware. B. firmware. C. application software. D. embedded systems. The correct answer is: A. middleware. Explanation: Middleware is independent software that connects two otherwise separate applications sharing computing resources across heterogeneous technologies. Firmware is software (programs or data) that has been written onto read-only memory (ROM). It is a memory chip with embedded program code that holds its content when power is turned off. Firmware is a combination of software and hardware. Application software are programs that address an organization’s processes and functions as opposed to system software, which enables the computer to function. Embedded systems are built-in modules for a specific purpose, e.g., SCARF. 18. To share data in a multivendor network environment, it is essential to implement program-to-program communication. With respect to program-to-program communication features, that can be implemented in this environment, which of the following makes implementation and maintenance difficult? A. User isolation B. Controlled remote access C. Transparent remote access D. The network environments The correct answer is: D. The network environments Explanation: Depending on the complexity of the network environment, implementation of program-to-program communication features becomes progressively more difficult. It is possible to implement program-toprogram communication to isolate a user in the multivendor network. Program-to-program communication can be implemented to control and monitor the files that a user can transfer between systems, and the remote program-to-program communication will be transparent to the end user. All of these are security features. 19. Which of the following is the MOST critical and contributes the MOST to the quality of data in a data warehouse? A. 
Accuracy of the source data B. Credibility of the data source C. Accuracy of the extraction process D. Accuracy of the data transformation The correct answer is: A. Accuracy of the source data Explanation: Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source is important, accurate extraction processes are important and accurate transformation routines are important but would not change inaccurate data into quality (accurate) data. 20. Which of the following user profiles should be of MOST concern to the IS auditor, when performing an audit of an EFT system? A. Three users with the ability to capture and verify their own messages B. Five users with the ability to capture and send their own messages C. Five users with the ability to verify other users and to send their own messages D. Three users with the ability to capture and verify the messages of other users and to send their own messages The correct answer is: A. Three users with the ability to capture and verify their own messages Explanation: The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified. 21. Which of the following is a check (control) for completeness? A. Check digits B. Parity bits C. One-for-one checking D. Prerecorded input The correct answer is: B. Parity bits Explanation: Parity bits are used to check for completeness of data transmissions. Choice A is incorrect because check digits are a control check for accuracy. Choice C is incorrect because, in one-for-one checking, individual documents are matched to a detailed listing of documents processed by the computer, but do not ensure that all documents have been received for processing. Choice D (prerecorded input) is a data file control for which selected information fields are preprinted on blank input forms to reduce the chance of input errors. 22. 
Which of the following is an implementation risk within the process of decision support systems? A. Management control B. Semistructured dimensions C. Inability to specify purpose and usage patterns D. Changes in decision processes The correct answer is: C. Inability to specify purpose and usage patterns Explanation: The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DSS. 23. An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as: A. critical. B. vital. C. sensitive. D. noncritical. The correct answer is: C. sensitive. Explanation: Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods. Vital functions refer to those that can be performed manually but only for a brief period of time. This is associated with lower costs of disruption than critical functions. Noncritical functions may be interrupted for an extended period of time, at little or no cost to the company, and require little time or cost to restore. 24. An IS auditor performing a review of the EFT operations of a retailing company would verify that the customers credit limit is checked before funds are transferred by reviewing the EFT: A. system’s interface. B. switch facility. C. personal identification number generating procedure. D. operation backup procedures. The correct answer is: A. system’s interface. 
Explanation: At the application processing level, the IS auditor should review the interface between the EFT system and the application system that processes the accounts from which funds are transferred. Choice B is incorrect because an EFT switch is the facility that provides the communication linkage for all equipment in the network. Choices C and D are procedures that would not help determine if the customer’s credit limit is verified before the funds are transferred. 25. Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? A. Intrusion detection systems B. Data mining techniques C. Firewalls D. Packet filtering routers The correct answer is: B. Data mining techniques Explanation: Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, than it is a flag that the transaction may have resulted from a fraudulent use of the card. 26. The FIRST step in managing the risk of a cyberattack is to: A. assess the vulnerability impact. B. evaluate the likelihood of threats. C. identify critical information assets. D. estimate potential damage. The correct answer is: C. identify critical information assets. Explanation: The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages. 27. Following a reorganization of a company’s legacy database, it was discovered that records were accidentally deleted. Which of the following controls would have MOST effectively detected this occurrence? A. Range check B. Table lookups C. Run-to-run totals D. One-for-one checking The correct answer is: C. 
Run-to-run totals Explanation: Run-to-run totals would have been an effective detective control over processing in this situation. Table lookups and range checks are used for data validation before input, or as close to the point of origination as possible. One-for-one checking is time-consuming and, therefore, less effective. 28. When two or more systems are integrated, input/output controls must be reviewed by the IS auditor in the: A. systems receiving the output of other systems. B. systems sending output to other systems. C. systems sending and receiving data. D. interfaces between the two systems. The correct answer is: C. systems sending and receiving data. Explanation: Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other. 29. An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls? A. Allow changes to be made only with the DBA user account. B. Make changes to the database after granting access to a normal user account C. Use the DBA user account to make changes, log the changes and review the change log the following day. D. Use the normal user account to make changes, log the changes and review the change log the following day. The correct answer is: C. Use the DBA user account to make changes, log the changes and review the change log the following day. Explanation: The use of a database administrator (DBA) user account is (should be) normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. 
The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review form an appropriate set of compensating controls. 30. In an artificial intelligence system, access to which of the following components should be strictly controlled? A. Inference engine B. Explanation module C. Knowledge base D. Data interface The correct answer is: C. Knowledge base Explanation: The knowledge base contains specific information or fact patterns associated with a particular subject matter and the rules for interpreting these facts; therefore, strict access controls should be implemented and monitored to ensure the integrity of the decision rules. The inference engine is a program that uses the knowledge base and determines the most appropriate outcome based on the information supplied by the user. The data interface enables the expert system to collect data from nonhuman sources. For example, measurement instruments in a power plant and the explanation module aid the user in addressing the problem to be analyzed and provides the expert conclusion. 31. Prices are charged on the basis of a standard master file rate that changes as volume increases. Any exceptions must be manually approved. What is the MOST effective automated control to help ensure that all price exceptions are approved? A. All amounts are displayed back to the data entry clerk, who must verify them visually. B. Prices outside the normal range should be entered twice to verify data entry accuracy. C. The system beeps when price exceptions are entered and prints such occurrences on a report. D. A second-level password must be entered before a price exception can be processed. 
The correct answer is: D. A second-level password must be entered before a price exception can be processed. Explanation: Automated control should ensure that the system processes the price exceptions only upon approval of another user who is authorized to approve such exceptions. A second-level password would ensure that price exceptions will be approved by a user who has been authorized by management. Visual verification of all amounts by a data entry clerk is not a control, but a basic requirement for any data entry. The user’s ability to visually verify what has been entered is a basic manual control. Entry of price e xceptions twice, is an input control. This does not ensure, that exceptions will be verified automatically by another user. The system beeping on entry of a price exception is only a warning to the data entry clerk; it does not prevent proceeding further. Printing of these exceptions on a report is a detective (manual) control. 32. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required? A. Integrated test facility (ITF) B. Continuous and intermittent simulation (CIS) C. Audit hooks D. Snapshots The correct answer is: D. Snapshots Explanation: A snapshot tool is most useful when an audit trail is required. ITF can be used to incorporate test transactions into a normal production run of a system. CIS is useful when transactions meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or processes need to be examined. 33. A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? A. Key verification B. One-for-one checking C. Manual recalculations D. Functional acknowledgements The correct answer is: D. 
Functional acknowledgements Explanation: Acting as an audit trail for EDI transactions, functional acknowledgements are one of the main controls used in data mapping. All the other choices are manual input controls, whereas data mapping deals with automatic integration of data in the receiving company. 34. An employee is responsible for updating daily the interest rates in a finance application, including interest rate exceptions for preferred customers. Which of the following is the BEST control to ensure that all rates exceptions are approved? A. A supervisor must enter his/her password before a rate exception is validated. B. Rates outside the normal range require prior management approval. C. The system beeps an alarm when rate exceptions are entered. D. All interest rates must be logged and verified every 30 days. The correct answer is: B. Rates outside the normal range require prior management approval. Explanation: Prior approval of management for rates outside the normal range would be a proper control. Entering the password of a supervisor does not ensure authorization. A system alarm on entry of a rate exception is only a warning and logging of exceptions is a detective control. 35. A programmer included a routine into a payroll application to search for his/her own payroll number. As a result, if this payroll number does not appear during the payroll run, a routine will generate and place random numbers onto every paycheck. This routine is known as: A. scavenging. B. data leakage. C. piggybacking. D. a Trojan horse. The correct answer is: D. a Trojan horse. Explanation: A Trojan horse is malicious code hidden in an authorized computer program. The hidden code will be executed whenever the authorized program is executed. In this case, as long as the perpetrator’s payroll number is part of the payroll process nothing happens, but as soon as the payroll number is gone havoc occurs. 36. 
The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: A. integrity. B. authenticity. C. authorization. D. nonrepudiation. The correct answer is: A. integrity. Explanation: A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures. 37. An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the: A. EDI trading partner agreements. B. physical controls for terminals. C. authentication techniques for sending and receiving messages. D. program change control procedures. The correct answer is: C. authentication techniques for sending and receiving messages. Explanation: Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues. 38. An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure the type of transaction is valid for that card type. B. verify the format of the number entered then locate it on the database. C. ensure that the transaction entered is within the cardholder’s credit limit. D. confirm that the card is not shown as lost or stolen on the master file. The correct answer is: B. verify the format of the number entered then locate it on the database. Explanation: The initial validation should confirm whether the card is valid. This validity is established through the card number and PIN entered by the user. Based on this initial validation, all other validations will proceed. 
A validation control in data capture will ensure that the data entered is valid (i.e., it can be processed by the system). If the data captured in the initial validation is not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, then other validations specific to the card and cardholder would be performed. 39. A data warehouse is: A. object-oriented. B. subject-oriented. C. departmental specific. D. a volatile database The correct answer is: B. subject-oriented. Explanation: Data warehouses are subject-oriented. The data warehouse is meant to help make decisions when the function(s) to be affected by the decision transgresses across departments within an organization. They are nonvolatile. Object orientation and volatility are irrelevant to a data warehouse system. 40. Which of the following ensures completeness and accuracy of accumulated data? A. Processing control procedures B. Data file control procedures C. Output controls D. Application controls The correct answer is: A. Processing control procedures Explanation: Processing controls ensure the completeness and accuracy of accumulated data, for example, editing and runto- run totals. Data file control procedures ensure that only authorized processing occurs to stored data, for example, transaction logs. Output controls ensure that data delivered to users will be presented, formatted and delivered in a consistent and secure manner, for example, using report distribution. Application controls are a general terminology comprising all kinds of controls used in an application. 41. A manufacturer has been purchasing materials and supplies for its business through an e-commerce application. Which of the following should this manufacturer rely on to prove that the transactions were actually made? A. Reputation B. Authentication C. Encryption D. Nonrepudiation The correct answer is: D. 
Nonrepudiation Explanation: Nonrepudiation may ensure that a transaction is enforceable. It involves creating proof of the origin or delivery of data to protect the sender against false denial by the recipient of the data’s receipt, or vice versa. Choice A is incorrect because the company’s reputation would not, of itself, prove a deal was made via the Internet. Choice B is not correct as authentication controls are necessary to establish the identification of all parties to a communication. Choice C is incorrect since encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. 42. In an electronic fund transfer (EFT) system, which of the following controls would be useful in detecting a duplication of messages? A. Message authentication code B. Digital signature C. Authorization sequence number D. Segregation of authorization The correct answer is: C. Authorization sequence number Explanation: All the controls are necessary in an EFT system; however, the authorization sequence number is the control that will detect the duplication of a message. A message authentication code detects unauthorized modifications, a digital signature ensures nonrepudiation, and the segregation of the creation of the message and the authorization will avoid dummy messages. 43. Before implementing an IT balanced scorecard, an organization must: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses. The correct answer is: B. define key performance indicators. Explanation: A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives. 44. An IS auditor was hired to review e-business security. The IS auditor’s first task was to examine each existing e-business application looking for vulnerabilities. Which would be the next task? A. 
Report the risks to the CIO and CEO immediately. B. Examine e-business applications in development. C. Identify threats and likelihood of occurrence. D. Check the budget available for risk management. The correct answer is: C. Identify threats and likelihood of occurrence. Explanation: The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs. 45. Which of the following data validation edits is effective in detecting transposition and transcription errors? A. Range check B. Check digit C. Validity check D. Duplicate check The correct answer is: B. Check digit Explanation: A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors. A range check verifies that data fall within a predetermined range of values. A validity check is programmed checking of the data validity in accordance with predetermined criteria. In a duplicate check, new or fresh transactions are matched to those previously entered to ensure that they are not already in the system. 46. In an EDI process, the device which transmits and receives electronic documents is the: A. communications handler. B. EDI translator. C. application interface. D. EDI interface. The correct answer is: A. communications handler. Explanation: A communications handler transmits and receives electronic documents between trading partners and/or wide area networks (WANs). An EDI translator translates data between the standard format and a trading partner's proprietary format. 
An application interface moves electronic transactions to or from the application system and performs data mapping. An EDI interface manipulates and routes data between the application system and the communications handler. 47. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses the team should: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define exactly the loss amount. The correct answer is: C. apply a qualitative approach. Explanation: The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there are predictable savings or revenues, which can be compared to the investment needed to realize the revenues. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hacking attack), that situation is not likely to change, and in the end the result will be a poorly supported evaluation. 48. Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A. existence of a set of functions and their specified properties. B. ability of the software to be transferred from one environment to another. C. capability of software to maintain its level of performance under stated conditions. D. 
relationship between the performance of the software and the amount of resources used. The correct answer is: A. existence of a set of functions and their specified properties. Explanation: Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Choice B refers to portability, choice C refers to reliability and choice D refers to efficiency. 49. The output of the risk management process is an input for making: A. business plans. B. business plans. C. security policy decisions. D. software design decisions. The correct answer is: C. security policy decisions. Explanation: The risk management process is about making specific security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process. 50. A proposed transaction processing application will have many data capture sources and outputs in both paper and electronic form. To ensure that transactions are not lost during processing, the IS auditor should recommend the inclusion of: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing. The correct answer is: D. automated systems balancing. Explanation: Automated systems balancing would be the best way to ensure that no transactions are lost, as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to sum and compare inputs and outputs, an automated process is less susceptible to error. 51. Which of the following presents an inherent risk, with no distinct identifiable preventive controls? A. Piggybacking B. Viruses C. Data diddling D. 
Unauthorized application shutdown The correct answer is: C. Data diddling Explanation: Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses, because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights, e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions. This could be prevented by encrypting the message. Viruses are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls. 52. Which of the following data validation edits could be used by a bank, to ensure the correctness of bank account numbers assigned to customers, thereby helping to avoid transposition and transcription errors? A. Sequence Check B. Validity Check C. Check Digit D. Existence Check The correct answer is: C. Check Digit Explanation: A check digit is a mathematically calculated value that is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This helps in detecting transposition and transcription errors. 
Thus, a check digit can be added to an account number to check for accuracy. Sequence checks ensure that a number follows sequentially and any out of sequence or duplicate control numbers are rejected or noted on an exception report. Validity checks and existence checks match data against predetermined criteria to ensure accuracy. 53. Establishing the level of acceptable risk is the responsibility of: A. quality assurance management. B. senior business management. C. the chief information officer. D. the chief security officer. The correct answer is: B. senior business management. Explanation: Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level. 54. When developing a risk management program, the FIRST activity to be performed is a/an: A. threat assessment. B. classification of data. C. inventory of assets. D. criticality analysis. The correct answer is: C. inventory of assets. Explanation: Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis. 55. A financial institution is using an expert system for managing credit limits. An IS auditor reviewing the system should be MOST concerned with the: A. validation of data inputs into the system. B. level of experience and skills contained in the knowledge base. C. access control settings. D. implemented processing controls. The correct answer is: B. level of experience and skills contained in the knowledge base. 
Explanation: The level of experience or intelligence in the knowledge base is a key concern for the IS auditor as decision errors, based on a lack of knowledge, could have a severe impact on the organization. Choices A, C and D are not as important as B. 56. Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report. The correct answer is: B. transaction journal. Explanation: The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, and the user error report would only list input that resulted in an edit error. 57. While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus? A. A scan of all floppy disks before use B. A virus monitor on the network file server C. Scheduled daily scans of all network drives D. A virus monitor on the user’s personal computer The correct answer is: C. Scheduled daily scans of all network drives Explanation: Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system. 58. The reliability of an application system’s audit trail may be questionable if: A. user IDs are recorded in the audit trail. B. the security administrator has read-only rights to the audit file. C. date and time stamps are recorded when an action occurs. D. users can amend audit trail records when correcting system errors. The correct answer is: D. 
users can amend audit trail records when correcting system errors. Explanation: An audit trail is not effective if the details in it can be amended. 59. A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a: A. digest signature. B. electronic signature. C. digital signature. D. hash signature. The correct answer is: C. digital signature. Explanation: A digital signature is a digest of the document encrypted with the sender's private cryptographic key; anyone holding the sender's public key can verify it, which authenticates the transmission as coming from the sender and detects any alteration of the document. A digest signature is a string of bits that uniquely represents another string of bits, a digital document, but on its own it does not identify the sender. An electronic signature refers to the string of bits that digitally represents a handwritten signature captured by a computer system when a human applies it on an electronic pen pad connected to the system. 60. Which of the following represents the GREATEST potential risk in an EDI environment? A. Transaction authorization B. Loss or duplication of EDI transmissions C. Transmission delay D. Deletion or manipulation of transactions prior to or after establishment of application controls The correct answer is: A. Transaction authorization Explanation: Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks, but the impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. 61. As a business process reengineering (BPR) project takes hold it is expected that: A. business priorities will remain stable. B. information technologies will not change. C. the process will improve product, service and profitability. D. input from clients and customers will no longer be necessary. The correct answer is: C. 
the process will improve product, service and profitability. Explanation: As a reengineering process takes hold, certain key results will begin to emerge, including a concentration on process as a means of improving product, service and profitability. In addition, new business priorities and approaches to the use of information, as well as powerful and more accessible information technologies, will emerge. Often, the roles of clients and customers will be redefined, providing them with more direct and active participation in the enterprise’s business process. 62. Functional acknowledgements are used: A. as an audit trail for EDI transactions. B. to functionally describe the IS department. C. to document user roles and responsibilities. D. as a functional description of application software. The correct answer is: A. as an audit trail for EDI transactions. Explanation: Functional acknowledgements are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgements provide various levels of detail and therefore can act as an audit trail for EDI transactions. The other choices are not relevant to the description of functional acknowledgements. 63. With reference to the risk management process, which of the following statements is correct? A. Vulnerabilities can be exploited by a threat. B. Vulnerabilities are events with the potential to cause harm to IS resources. C. Vulnerability exists because of threats associated with use of information resources. D. Lack of user knowledge is an example of a threat. The correct answer is: A. Vulnerabilities can be exploited by a threat. Explanation: Vulnerabilities are characteristics of IS resources that can be exploited, resulting in some harm. Threats, not vulnerabilities, are events with the potential to cause harm. A threat can cause harm only where a vulnerability associated with the use of information resources exists. 
Lack of user knowledge is an example of a vulnerability. 64. A tax calculation program maintains several hundred tax rates. The BEST control to ensure that tax rates entered into the program are accurate is: A. an independent review of the transaction listing. B. a programmed edit check to prevent entry of invalid data. C. programmed reasonableness checks with 20 percent data entry range. D. a visual verification of data entered by the processing department. The correct answer is: A. an independent review of the transaction listing. Explanation: Tax rates represent critical data that will be used in numerous calculations and should be independently verified by someone other than the entry person before they are used in processing. Choices B and C are programmed controls that are useful for preventing gross errors, that is, errors such as an added zero or alpha instead of a numeric. A tax table must be 100 percent accurate, not just readable. Choice D will allow the data entry person to check input accuracy, but it is not sufficient. 65. To make an electronic funds transfer (EFT), one employee enters the amount field and another employee reenters the same data again, before the money is transferred. The control adopted by the organization in this case is: A. sequence check. B. key verification. C. check digit. D. completeness check. The correct answer is: B. key verification. Explanation: Key verification is a process in which keying-in is repeated by a separate individual using a machine that compares the original entry to the repeated entry. Sequence check refers to the continuity in serial numbers within the number range on documents. A check digit is a numeric value that has been calculated mathematically and added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. Completeness checks ensure that all the characters required for a field have been input. 66. 
An IS auditor has imported data from the client's database. The next step of confirming whether the imported data are complete is performed by: A. matching control totals of the imported data to control totals of the original data. B. sorting the data to confirm whether the data are in the same order as the original data. C. reviewing printout of the first 100 records of original data with the first 100 records of imported data. D. filtering data for different categories and matching them to the original data. The correct answer is: A. matching control totals of the imported data to control totals of the original data. Explanation: Matching control totals of the imported data with control totals of the original data is the next logical step, as this confirms the completeness of the imported data. It is not possible to confirm completeness by sorting the imported data, because the original data may not be in sorted order. Further, sorting does not provide control totals for verifying completeness. Reviewing a printout of 100 records of original data with 100 records of imported data is a process of physical verification and confirms the accuracy of only these records. Filtering data for different categories and matching them to original data would still require that control totals be developed to confirm the completeness of the data. 67. In a data warehouse, data quality is achieved by: A. cleansing. B. restructuring. C. source data credibility. D. transformation. The correct answer is: C. source data credibility. Explanation: In a data warehouse system, the quality of data depends on the quality of the originating source. Choices A, B and D relate to the composition of a data warehouse and do not affect data quality. Restructuring, transformation and cleansing all relate to reorganization of existing data within the database. 68. Online banking transactions are being posted to the database when processing suddenly comes to a halt. 
The integrity of the transaction processing is BEST ensured by: A. database integrity checks. B. validation checks. C. input controls. D. database commits and rollbacks. The correct answer is: D. database commits and rollbacks. Explanation: A commit makes the changes of a completed transaction permanent. A rollback reverses the partial work of a transaction that fails before completion, so that none of its changes are saved; the database is therefore left either with the whole transaction applied or with none of it. None of the other options ensures integrity while processing is underway. 69. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks? A. Check digit B. Existence check C. Completeness check D. Reasonableness check The correct answer is: C. Completeness check Explanation: A completeness check is used to determine if a field contains data and not zeros or blanks. A check digit is a digit calculated mathematically to ensure original data were not altered. An existence check verifies that entered data agree with predetermined criteria. A reasonableness check matches input to predetermined reasonable limits or occurrence rates. 70. During an application audit, the IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend? A. Implement data backup and recovery procedures. B. Define standards and closely monitor for compliance. C. Ensure that only authorized personnel can update the database. D. Establish controls to handle concurrent access problems. The correct answer is: A. Implement data backup and recovery procedures. Explanation: Implementing data backup and recovery procedures is a corrective control, because backup and recovery procedures can be used to roll back database errors. 
Defining or establishing standards is a preventive control, and monitoring for compliance is a detective control. Ensuring that only authorized personnel can update the database is a preventive control. Establishing controls to handle concurrent access problems is a preventive control. 71. Once an organization has finished the business process reengineering (BPR) of all its critical operations, the IS auditor would MOST likely focus on a review of: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans. The correct answer is: B. post-BPR process flowcharts. Explanation: The IS auditor’s task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D are incorrect because they are steps within a BPR project. 72. When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor? A. There could be a question with regards to the legal jurisdiction. B. Having a provider abroad will cause excessive costs in future audits. C. The auditing process will be difficult because of the distances. D. There could be different auditing norms. The correct answer is: A. There could be a question with regards to the legal jurisdiction. Explanation: In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction. 73. 
The BEST method of proving the accuracy of a system tax calculation is by: A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs. The correct answer is: C. preparing simulated transactions for processing and comparing the results to predetermined results. Explanation: Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for proving accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations. 74. Which of the following is used to ensure that batch data is completely and accurately transferred between two systems? A. Control total B. Check digit C. Check sum D. Control account The correct answer is: A. Control total Explanation: A control total is frequently used as an easily recalculated control. The number of invoices in a batch or the value of invoices in a batch are examples of control totals. They provide a simple way of following an audit trail from a general ledger summary item to an individual transaction, and back. A check digit is a method of verifying the accuracy of a single data item, such as a credit card number. Although a check sum is an excellent control over batch completeness and accuracy, it is not easily recalculated by hand and, therefore, is not as commonly used in financial systems as a control total. Check sums are frequently used in data transfer protocols to detect corruption, and their cryptographic counterparts (hashes and message authentication codes) serve the same purpose within secure communication protocols. 
Control accounts are used in financial systems to ensure that components that exchange summary information, such as a sales register and a general ledger, can be reconciled. 75. Which of the following tasks occurs during the research stage of the benchmarking process? A. Critical processes are identified. B. Benchmarking partners are visited. C. Findings are translated into core principles. D. Benchmarking partners are identified. The correct answer is: D. Benchmarking partners are identified. Explanation: During the research stage, the team collects data and identifies the benchmarking partners. In the planning stage, the team identifies the critical processes to be benchmarked. Visiting the benchmarking partners is performed in the observation stage. Translating the findings into core principles is performed during the adaptation stage. 76. Sales orders are automatically numbered sequentially at each of a retailer’s multiple outlets. Small orders are processed directly at the outlets, with large orders sent to a central production facility. The MOST appropriate control to ensure that all orders transmitted to production are received and processed would be to: A. send and reconcile transaction counts and totals. B. have data transmitted back to the local site for comparison. C. compare data communications protocols with parity checking. D. track and account for the numerical sequence of sales orders at the production facility. The correct answer is: A. send and reconcile transaction counts and totals. Explanation: Sending and reconciling transaction totals not only ensure that the orders were received, but also processed by the central production location. Transmission back to the local site confirms that the central location received it, but not that they have actually processed it. Tracking and accounting for the numerical sequence only confirms what orders are on hand, and not whether they actually have been completed. 
The use of parity checking would only detect whether the order was corrupted during transmission. 77. Which of the following integrity tests examines the accuracy, completeness, consistency and authorization of data? A. Data B. Relational C. Domain D. Referential The correct answer is: A. Data Explanation: Data integrity testing examines the accuracy, completeness, consistency and authorization of data. Relational integrity testing detects modification to sensitive data by the use of control totals. Domain integrity testing verifies that data conform to specifications. Referential integrity testing ensures that data exist in the parent or original file before they exist in the child or another file. 78. An IS auditor evaluating data integrity in a transaction-driven system environment should review atomicity to determine whether: A. the database survives failures (hardware or software). B. each transaction is separated from other transactions. C. integrity conditions are maintained. D. a transaction is completed, or a database is updated. The correct answer is: D. a transaction is completed, or a database is updated. Explanation: This concept is included in the atomicity, consistency, isolation and durability (ACID) principle. Atomicity means that a transaction is either completed in full or not applied to the database at all; a partially applied transaction must never persist. Durability means that the database survives failures (hardware or software). Isolation means that each transaction is separated from other transactions. Consistency means that integrity conditions are maintained. 79. The GREATEST benefit in implementing an expert system is the: A. capturing of the knowledge and experience of individuals in an organization. B. sharing of knowledge in a central repository. C. enhancement of personnel productivity and performance. D. reduction of employee turnover in key departments. The correct answer is: A. capturing of the knowledge and experience of individuals in an organization. 
Explanation: The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. Employee turnover is not necessarily affected by an expert system.

80. When auditing the conversion of an accounting system, an IS auditor should verify the existence of a:
A. control total check.
B. validation check.
C. completeness check.
D. limit check.
The correct answer is: A. control total check.
Explanation: Tallying a control total of all accounts before and after conversion will assure the IS auditor that all amount data has been taken into the new system. Later one-to-one checking by users will assure that all the data has been converted. The other choices are incorrect. Validation checks, completeness checks and limit checks would be applied at the point at which the data were originally entered into the accounting system.

81. The impact of EDI on internal controls will be:
A. that fewer opportunities for review and authorization will exist.
B. an inherent authentication.
C. a proper distribution of EDI transactions while in the possession of third parties.
D. that IPF management will have increased responsibilities over data center controls.
The correct answer is: A. that fewer opportunities for review and authorization will exist.
Explanation: EDI promotes a more efficient paperless environment, but at the same time, less human intervention makes reviewing and authorizing more difficult. Choice B is incorrect; since the interaction between parties is electronic, there is no inherent authentication occurring. Computerized data can look the same no matter what the source and does not include any distinguishing human element or signature. Choice C is incorrect because this is a security risk associated with EDI. Choice D is incorrect because there are relatively few, if any, additional data center controls associated with the implementation of EDI applications. Instead, more control will need to be exercised by the user's application system to replace manual controls, such as site reviews of documents. More emphasis will need to be placed on control over data transmission (network management controls).

82. Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
B. Periodic testing does not require separate test processes.
C. It validates application systems and tests the ongoing operation of the system.
D. It eliminates the need to prepare test data.
The correct answer is: B. Periodic testing does not require separate test processes.
Explanation: An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

83. Before implementing controls, management should FIRST ensure that the controls:
A. satisfy a requirement in addressing a risk issue.
B. do not reduce productivity.
C. are based on a cost-benefit analysis.
D. are detective or corrective.
The correct answer is: A. satisfy a requirement in addressing a risk issue.
Explanation: When designing controls, it is necessary to consider all the above aspects. In an ideal situation, controls that address all these aspects would be the best controls. Realistically, it may not be possible to design them all and cost may be prohibitive; therefore, it is necessary to first consider the preventive controls that attack the cause of a threat.

84. The IS auditor's FIRST step in an application audit is to:
A. identify the risks of using the software.
B. assess access controls.
C. review the policies of the IS organization.
D. understand the business processes.
The correct answer is: D. understand the business processes.
Explanation: The audit of application software should start with the IS auditor gaining a knowledge and understanding of the business. This can be done through the study of the operating procedures of the organization. Choices A and B are performed after the auditor has an understanding of the business processes. Likewise, a review of IS policies, choice C, would occur after having gained a basic understanding of the operation. Policies would be a part of audit compliance testing.

85. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.
The correct answer is: A. financial results.
Explanation: Financial results have traditionally been the sole overall performance metric. The IT Balanced Scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.

86. IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of:
A. data entry by unauthorized users.
B. a nonexistent employee being paid.
C. an employee receiving an unauthorized raise.
D. duplicate data entry by authorized users.
The correct answer is: B. a nonexistent employee being paid.
Explanation: Referential integrity controls prevent the occurrence of unmatched foreign key values. Given that a nonexistent employee does not appear in the employees table, it will never have a corresponding entry in the salary payments table. The other choices cannot be detected by referential integrity controls.

87. The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the post-implementation review.
The correct answer is: A. aid in scheduling project tasks.
Explanation: A GANTT chart is used in project control. It may aid in the identification of needed checkpoints, but its primary use is in scheduling. It will not ensure the completion of documentation, nor will it provide direction for the post-implementation review.

88. Which of the following is the FIRST thing an IS auditor should do after the discovery of a Trojan horse program in a computer system?
A. Investigate the author.
B. Remove any underlying threats.
C. Establish compensating controls.
D. Have the offending code removed.
The correct answer is: D. Have the offending code removed.
Explanation: The IS auditor's first duty is to prevent the Trojan horse from causing further damage. After removing the offending code, follow-up actions would include investigation and recommendations (choices B and C).

89. A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:
A. reasonableness check.
B. parity check.
C. redundancy check.
D. check digits.
The correct answer is: C. redundancy check.
Explanation: A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data.
A parity check is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission. Check digits detect transposition and transcription errors.

90. An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A. Design further tests of the calculations that are in error.
B. Identify variables that may have caused the test results to be inaccurate.
C. Examine some of the test cases to confirm the results.
D. Document the results and prepare a report of findings, conclusions and recommendations.
The correct answer is: C. Examine some of the test cases to confirm the results.
Explanation: The IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed.

91. Which of the following is a mechanism for mitigating risks?
A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)
The correct answer is: A. Security and control practices
Explanation: Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, and contracts and SLAs are mechanisms of risk allocation.

92. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?
A. Review software migration records and verify approvals.
B. Identify changes that have occurred and verify approvals.
C. Review change control documentation and verify approvals.
D. Ensure that only appropriate staff can migrate changes into production.
The correct answer is: B. Identify changes that have occurred and verify approvals.
Explanation: The most effective method is to determine through code comparisons what changes have been made and then verify that they have been approved. Change control records and software migration records may not have all changes listed. Ensuring that only appropriate staff can migrate changes into production is a key control process, but in itself does not verify compliance.

93. Which of the following is the FIRST step in a business process reengineering (BPR) project?
A. Defining the areas to be reviewed
B. Developing a project plan
C. Understanding the process under review
D. Reengineering and streamlining the process under review
The correct answer is: A. Defining the areas to be reviewed
Explanation: On the basis of the evaluation of the entire business process, correctly defining the areas to be reviewed is the first step in a BPR project. On the basis of the definition of the areas to be reviewed, the project plan is developed. Understanding the process under review is important, but the subject of the review must first be defined. Thereafter, the process can be reengineered, streamlined, implemented and monitored for continuous improvement.

94. The editing/validation of data entered at a remote site would be performed MOST effectively at the:
A. central processing site after running the application system.
B. central processing site during the running of the application system.
C. remote processing site after transmission of the data to the central processing site.
D. remote processing site prior to transmission of the data to the central processing site.
The correct answer is: D. remote processing site prior to transmission of the data to the central processing site.
Explanation: remote processing site prior to transmission of the data to the central processing site.

95. Which of the following is a control to compensate for a programmer having access to accounts payable production data?
A. Processing controls such as range checks and logic edits
B. Reviewing accounts payable output reports by data entry
C. Reviewing system-produced reports for checks (cheques) over a stated amount
D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
The correct answer is: D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
Explanation: To ensure that the programmer could not have a check (cheque) generated, it would be necessary for someone to confirm all of the checks (cheques) generated by the system. Range and logic checks could easily be bypassed by a programmer since they are privy to the controls that have been built into the system. The review of the accounts payable reports by data entry would only identify changes that might have been made to the data input. It would not identify information that might have been changed on the master files. Reviewing reports for checks (cheques) over a certain amount would not allow for the identification of any unauthorized, low-value checks (cheques) or catch alterations to the actual checks (cheques) themselves.

96. During an audit of the tape management system at a data center, an IS auditor discovered that parameters are set to bypass or ignore the labels written on tape header records. The IS auditor also determined that effective staging and job setup procedures were in place. In this situation, the IS auditor should conclude that the:
A. tape headers should be manually logged and checked by the operators.
B. staging and job setup procedures are not appropriate compensating controls.
C. staging and job setup procedures compensate for the tape label control weakness.
D. tape management system parameters must be set to check all labels.
The correct answer is: C. staging and job setup procedures compensate for the tape label control weakness.
Explanation: Compensating controls are an important part of a control structure. They are considered adequate if they help to achieve the control objective and are cost-effective. In this situation the IS auditor is most likely to conclude that staging and job setup procedures compensate for the tape label control weakness.

97. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
A. Log all table update transactions.
B. Implement before-and-after image reporting.
C. Use tracing and tagging.
D. Implement integrity constraints in the database.
The correct answer is: D. Implement integrity constraints in the database.
Explanation: Implementing integrity constraints in the database is a preventive control, because data is checked against predefined tables or rules, preventing any undefined data from being entered. Logging all table update transactions and implementing before-and-after image reporting are detective controls that would not avoid the situation. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data.

--------------------------------------------------------------------------------

Copyright © 2002-5 Information Systems Audit and Control Association. All rights reserved.

USE RESTRICTIONS
The Question Database and Software ("CISA Sample Exam") is copyrighted.
Licensee may not and Licensee may not permit others to (a) disassemble, decompile, or otherwise derive source code from the CISA Sample Exam, (b) reverse engineer the CISA Sample Exam, (c) modify or prepare derivative works of the CISA Sample Exam, (d) copy the CISA Sample Exam (e) rent or lease the CISA Sample Exam, (f) use the CISA Sample Exam in an on-line system, (g) use the CISA Sample Exam in any manner that infringes the intellectual property or other rights of another party, or (h) transfer the CISA Sample Exam or any copy thereof to another party. Unauthorized copying of the CISA Sample Exam is expressly forbidden. Licensee may not reproduce the CISA Sample Exam or any part thereof. You may not create derivative works, including translations, of the CISA Sample Exam or any part thereof without the prior written consent of ISACA. Licensee may make printed media copies of the quiz and scored results, so long as such copies do not include any part of the Software, for non-commercial, personal use including transmission by any means including electronic, mechanical, recording, or otherwise.