Certified Information Systems Auditor (CISA) - Mock Exam 5

Multiple Choice Questions:


1. What is a primary high-level goal for an auditor reviewing a system development project?
a. To ensure that programming and processing environments are segregated.
b. To ensure that proper approval for the project has been obtained.
c. To ensure that business objectives are achieved.
d. To ensure that projects are monitored and administered effectively.

2. The quality of the metadata produced from a data warehouse is _______________ in the warehouse's design. Choose the best answer.
a. Often hard to determine because the data is derived from a heterogeneous data environment
b. The most important consideration
c. Independent of the quality of the warehoused databases
d. Of secondary importance to data warehouse content

3. Who assumes ownership of a systems-development project and the resulting system?
a. User management
b. Project steering committee
c. IT management
d. Systems developers

4. What is a reliable technique for estimating the scope and cost of a software development project?
a. Function point analysis (FPA)
b. Feature point analysis (FPA)
c. GANTT
d. PERT

5. Which of the following is a program evaluation review technique that considers different scenarios for planning and controlling projects?
a. Function Point Analysis (FPA)
b. GANTT
c. Rapid Application Development (RAD)
d. PERT

6. Is the following statement true or false?
Fourth-Generation Languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures.
a. True
b. False

7. Run-to-run totals can verify data through which stage(s) of application processing?
a. Initial
b. Various
c. Final
d. Output

8. What can be used to help identify and investigate unauthorised transactions? Choose the best answer.
a. Post-mortem review
b. Reasonableness checks
c. Data-mining techniques
d. Expert systems

9. What must an IS auditor understand before performing an application audit? Choose the best answer.
a. The potential business impact of application risk
b. Application risks must first be identified
c. Relative business processes
d. Relevant application risk
10. ______________ risk analysis is only sometimes possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a ______________ risk assessment is more appropriate. Fill in the blanks.
a. Quantitative; qualitative
b. Qualitative; quantitative
c. Residual; subjective
d. Quantitative; subjective

11. A transaction journal provides the information necessary for detecting unauthorised _____________ from a terminal.
a. Deletion
b. Input
c. Access
d. Duplication

12. When are benchmarking partners identified within the benchmarking process?
a. In the design stage
b. In the testing stage
c. In the research stage
d. In the development stage

13. A check digit is an effective edit check to ___________________.
a. Detect data transcription errors
b. Detect data transposition and transcription errors
c. Detect data transposition, transcription, and substitution errors
d. Detect data transposition errors

14. Parity bits are a control used to validate ________________.
a. Data authentication
b. Data completeness
c. Data source
d. Data accuracy

15. Which of the following would prevent accountability for an action performed, thus allowing nonrepudiation?
a. Proper authentication
b. Proper identification and authentication
c. Proper identification
d. Proper identification, authentication, and authorisation

16. Which of the following is of most significant concern to the IS auditor?
a. Failure to report a successful attack on the network
b. Failure to prevent a successful attack on the network
c. Failure to recover from a successful attack on the network
d. Failure to detect a successful attack on the network

17. Is the following statement true or false?
An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process many transactions.
a. True
b. False

18. Ensuring that security and control policies support business and IT objectives is a primary objective of _______________.
a. An IT security policies audit
b. A processing audit
c. A software audit
d. A vulnerability assessment

19. When auditing third-party service providers, an IS auditor should be concerned with which of the following? Choose the best answer.
a. Ownership of the programs and files
b. A statement of due care and confidentiality and the capability for continued service of the service provider in the event of a disaster
c. A statement of due care
d. Ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster

20. Is the following statement true or false?
Allowing application programmers to patch or change code in production programs directly increases the risk of fraud.
a. True
b. False

21. How do modems (modulation/demodulation) facilitate analogue transmissions entering a digital network?
a. Modems encapsulate analogue transmissions within digital and digital transmissions within analogue.
b. Modems convert analogue transmissions to digital, and digital transmissions to analogue.
c. Modems convert digital transmissions to analogue and analogue transmissions to digital.
d. Modems encapsulate digital transmissions within analogue and analogue transmissions within digital.

22. What type(s) of firewalls provide(s) the most significant degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic?
a. A first-generation packet-filtering firewall
b. A circuit-level gateway
c. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
d. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls

23. Which of the following help(s) prevent an organisation's systems from participating in a distributed denial-of-service (DDoS) attack? Choose the best answer.
a. Inbound traffic filtering
b. Access control lists (ACLs) restricting inbound connection attempts
c. Outbound traffic filtering
d. Recentralising distributed systems

24. What is a common vulnerability allowing denial-of-service attacks?
a. Assigning access to users according to the principle of least privilege
b. Lack of employee awareness of organisational security policies
c. Improperly configured routers and router access lists
d. Configuring firewall access rules

25. What can be used to gather evidence of network attacks?
a. Access control lists (ACL)
b. Intrusion-detection systems (IDS)
c. Syslog reporting
d. Antivirus programs

26. Which of the following is a passive attack method that intruders use to determine potential network vulnerabilities?
a. Traffic analysis
b. SYN flood
c. Denial of service (DoS)
d. Distributed denial of service (DDoS)

27. What type of fire-suppression system suppresses fire via water released from the main valve to be delivered via a system of dry pipes installed throughout the facilities?
a. A dry-pipe sprinkler system
b. A deluge sprinkler system
c. A wet-pipe system
d. A halon sprinkler system

28. Is the following statement true or false?
Digital signatures require the sender to "sign" the data by encrypting the data with the sender's public key, which the recipient then decrypts using the recipient's private key.
a. True
b. False

29. Which of the following should an IS auditor review to determine user permissions for a particular resource? Choose the best answer.
a. Systems logs
b. Access control lists (ACL)
c. Application logs
d. Error logs

30. Organisations should use off-site storage facilities to maintain _________________ of current and critical information within backup files. Choose the best answer.
a. Confidentiality
b. Integrity
c. Redundancy
d. Concurrency

31. The purpose of business continuity planning and disaster recovery planning is to __________________.
a. Transfer the risk and impact of a business interruption or disaster
b. Mitigate, or reduce, the risk and impact of a business interruption or disaster
c. Accept the risk and impact of a business
d. Eliminate the risk and impact of a business interruption or disaster

32. Why is a clause requiring source code escrow in an application vendor agreement important?
a. To segregate systems development and live environments
b. To protect the organisation from copyright disputes
c. To ensure that sufficient code is available when needed
d. To ensure that the source code remains available even if the application vendor goes out of business

33. What protects an application purchaser's ability to fix or change an application if the vendor goes out of business?
a. Assigning copyright to the organisation
b. Program back doors
c. Source code escrow
d. Internal programming expertise

34. Which of the following uses a prototype that can be updated continually to meet changing user or business requirements?
a. PERT
b. Rapid application development (RAD)
c. Function point analysis (FPA)
d. GANTT

35. Who is responsible for the overall direction, costs, and timetables for systems-development projects?
a. The project sponsors
b. The project steering committee
c. Senior management
d. The project team leader

36. Input/output controls should be implemented for which applications in an integrated systems environment?
a. The receiving application
b. The sending application
c. Both the sending and receiving applications
d. Output on the sending application and input on the receiving application

37. After identifying potential security vulnerabilities, what should be the IS auditor's next step?
a. To evaluate potential countermeasures and compensatory controls
b. To implement effective countermeasures and compensatory controls
c. To perform a business impact analysis of the threats that would exploit the vulnerabilities
d. To immediately advise senior management of the findings

38. Business process re-engineering often results in ______________ automation, which results in a ______________ number of people using technology.
a. Increased; greater
b. Increased; fewer
c. Less; fewer
d. Increased; the same

39. Is the following statement true or false?
Whenever business processes have been re-engineered, the IS auditor attempts to identify and quantify the impact of any controls that might have been removed, or that might not work as effectively after business process changes.
a. True
b. False

40. Processing controls ensure that data is accurate and complete and is processed only through which of the following? Choose the best answer.
a. Documented routines
b. Authorised routines
c. Accepted routines
d. Approved routines