DISA Review Questions, Answers Manual: Key A Justification


DISA Review Questions, Answers Manual

A. Setting of clear goals for power reduction, decreased carbon footprint, etc.
B. Replacing a single server system with multiple servers
C. Avoiding replacement of old equipment with new ones
D. Moving back storage & processing capacity from the cloud
KEY A
Justification
The answers in Options B to D would, by and large, work counter to the goals of Green
information technology. Moving to cloud computing helps improve utilisation of
resources; similarly, a single server system is probably more energy efficient than
multiple servers. Though it may appear worthwhile to continue sweating old equipment,
new equipment is generally more energy efficient and the savings can more than
compensate for the benefits of retaining the old equipment. The answer in Option A,
however, is relevant & will make a meaningful contribution to the goals of Green IT. The
setting of clear goals helps direct focus to the effort. Hence, only Option A is the correct answer.
442. What is characteristic of Web 2.0 ?
A. Communication from one person/unit to many
B. HTML Web pages & email newsletters
C. Facilitates collaboration & information sharing online
D. Two-way communication not possible
KEY C
Justification
The Web 2.0 version is a two-way communication facility covering blogs, wikis and
social networking sites. It facilitates collaboration & information sharing online, as
indicated in Option C. It is not a case of communication from only one person to many.
It is also an improvement over the Web 1.0 version which comprised HTML web pages
& email newsletters. Hence, Option C is the correct answer.
443. What is a distinguishing feature of Web 3.0 ?
A. Communication from one person/unit to many
B. Facilitates convergence of mobile phones, smartphone apps, etc.
C. HTML Web pages & email newsletters
D. Two-way communication not possible

176
Primer on Information Technology, IS Infrastructure & Emerging Technologies

KEY B
Justification
The Web 3.0 version is an evolving system which is an improvement over Web 2.0. It
facilitates convergence of mobile phones, smartphone apps, tablets, etc. It is not a
case of communication from only one person to many. Like Web 2.0, it is also an
improvement over the Web 1.0 version which comprised HTML web pages & email
newsletters. Hence, Option B is the correct answer.
444. What is one of the controls that can be practically established for overcoming the
risks of Web 2.0 without compromising on operational efficiencies ?
A. Blocking social networking sites like Facebook
B. Restricting access to blog sites
C. Blocking access to forums
D. Using extended validation, SSL certification for websites
KEY D
Justification
Blocking out features like social networking, forums, blogs, etc. would prevent utilization
of some of the key features of Web 2.0 and, hence, would be a sub-optimal approach.
It would be better to build in preventive measures like website validation, as brought out
in Option D. Hence, Option D is the correct answer.
445. One practical control that can be established for overcoming the risks of Web 2.0
without compromising on operational efficiencies is ?
A. To develop & implement internal policies for safeguarding against risks
B. Restricting access to blog sites
C. Blocking access to forums
D. Blocking social networking sites like Facebook
KEY A
Justification
Blocking out features like social networking, forums, blogs, etc. would prevent utilization
of some of the key features of Web 2.0 and, hence, would be a sub-optimal approach.
It would be better to draw up a robust policy which addresses all the potential risks of
Web 2.0 and the preventive measures required to minimize them. Hence, only the answer
in Option A is correct.
446. What is an example of Click jacking ?

A. Malicious take-over of a computer on remote basis
B. Stealing files in a computer from a remote location
C. Stealing of keyed in credentials information
D. Resolution of software issues on a device from remote location
KEY C
Justification
Click jacking is the malicious stealing of keyed-in credentials information through a
transparent second layer. The answers in Options A, B and D are incorrect; only the
answer in Option C is correct.
447. What is the Web of Everything ?
A. Coverage of all theoretical concepts by the Internet
B. Encompasses the Internet as well as all forms of telecommunication
C. Comprises the Internet, all telecommunication as well as satellites
D. Expansion of Internet to objects like cars, refrigerators, etc.
KEY D
Justification
The Web of Everything or the Internet of Everything is the integration of objects like
cars, refrigerators, etc. into the Internet. It basically merges the physical world with the
digital world. The answers in Options A, B and C are incorrect; only the answer in Option
D is correct.
448. What is 3D printing ?
A. Printing of a 3 dimensional video or movie on to paper
B. Technology for printing images on paper in 3-dimensional form
C. An additive manufacturing process for printing 3-dimensional objects
D. Technology which permits printing of images incorporating movement/change
KEY C
Justification
3D printing is an exciting development in printing technology which permits the use of
various types of materials, including metals, to create 3-dimensional objects. This is
done through a process of additive manufacturing (AM) and can be used for creating
virtually any 3-dimensional object. The answer at Option C is, hence, correct whereas the
other answers are wrong.

449. Which is one of the major areas of emerging technology wherein CAs need to play
a key role ?
A. Management of social media & the risks associated with it
B. Development of new software technology
C. New techniques of marketing of products
D. Developments in the field of integrated circuits
KEY A
Justification
One major area of importance to CAs in the changing global environment is that of
management of social media & the risks associated with it. This is because organizations
are increasingly shifting their marketing focus from the physical to the virtual market,
exploiting the strengths of the Internet. As more and more products get linked to the
Internet, the value of social media will increase tremendously, as will the risks
associated with it. Hence, Option A is the correct answer. The other answers in
Options B to D are not correct.
450. Which one of the following is a key area to be focussed upon by CAs in the
current era of emerging technologies ?
A. New techniques of marketing of products
B. Developments in the field of integrated circuits
C. Security of Systems and Data
D. Development of new software technology
KEY C
Justification
Apart from social media, the other major area of importance to CAs in the changing
global environment is security of systems and data. With the explosion of the Internet &
connected devices and expanded use of the Internet, the number of interfaces between
an organization & its customers / stakeholders has grown exponentially. As a
consequence, security risks have mushroomed & the CA would have to focus on this as
a key element, driving not just the success of an organization but also preventing
failures in the organization. Thus, the answer in Option C is the correct answer. The
other answers in Options A, B and D are not correct.
451. Information System Audit encompasses independent review & evaluation of
___________
A. Automated information systems, related manual systems & their interfaces

B. All computerised information systems alone
C. All financial information stored in computers
D. All financial & regulatory information stored in computers
KEY A
Justification
IS Audit encompasses all automated information systems (containing both financial as
well as non-financial information), related manual systems and the interfaces between
them. Hence, the answer at Option A is correct & the other answers are incorrect.

180
Module 2
Information Systems Assurance Services

452. In COBIT 5, enablers are factors that influence whether something will work in
governance & management of enterprise IT. How many such categories of
enablers does the COBIT 5 system identify ?
A. 7 categories of enablers
B. 5 categories of enablers
C. 8 categories of enablers
D. 10 categories of enablers
KEY A
Justification
COBIT 5 is a framework for governance & management of enterprise IT. It helps
organizations manage risk & ensure compliance, continuity, security & privacy. One of
its five key principles is meeting stakeholders’ needs. This principle creates value by
balancing the benefits against the optimization of risk & the use of resources. The
framework identifies 7 categories of enablers that facilitate governance & management of
enterprise IT. Hence, the answer in Option A is correct and the other options are wrong.
453. Guidance on evaluating and assessing the internal controls implemented in an
enterprise is available in _________________
A. MEA 02 of COBIT 5
B. ITAF 1200 series
C. ISO/IEC 27001
D. ITAF 1400 series
KEY A
Justification
COBIT 5 is a framework for governance & management of enterprise IT. MEA 02 of
COBIT 5 is a process which provides guidance on evaluating and assessing the internal
controls implemented in an enterprise. Hence, the answer in Option A is correct and the
other options are wrong.

454. You have been engaged as a Consultant to carry out IS Audit of a large
organization. What is the first step you would take while commencing your work ?
A. Commence auditing of the financials
B. List all the software and hardware used in the organization
C. Peruse financials for the previous three years
D. Identify all risks present in the IT environment of the organization
KEY D
Justification
The first step in audit engagement is risk assessment based upon which the auditing
programme can be developed, giving more importance to high risk areas. Thus, the
auditor needs to identify all the risks present in the IT environment of the organization.
Hence, the answer in Option D is correct and the other options are wrong.
455. What is the minimum frequency of risk assessment to be carried out as per ISACA
guidelines ?
A. Once in 6 months
B. Once in 3 years
C. Once a year
D. Once in 2 years or whenever any major change in systems takes place
KEY C
Justification
The minimum frequency of risk assessment to be carried out as per ISACA guidance is
once a year. Hence, the answer in Option C is correct and the other options are wrong.
456. State TRUE or FALSE. As per ISACA guidance, the IS auditor can complete the
risk assessment process and present the final findings to the stakeholders. The
auditor needs to maintain his independence and does not need to seek the
specific approval of the stakeholders for the findings.
A. FALSE
B. TRUE
KEY A
Justification
As per ISACA guidance, the IS auditor needs to seek approval of the risk assessment
from the audit stakeholders and other appropriate parties. Hence, the statement in the
question stem is false & the answer in Option A is correct.

457. State True or False. Standards on risk assessment pertaining to IS Audit are
different from those prescribed by ICAI under SA 315. IS Audit follows a different
set of standards laid down by ISACA.
A. TRUE
B. FALSE
KEY B
Justification
The standards on risk assessment as prescribed by ICAI under SA 315 are also
applicable to risk assessment under IS Audit. Hence, the statement in the question
stem is false & the answer in Option B is correct.
458. For effective risk assessment, auditors should ideally supplement the regular risk
assessment procedures with _______________
A. Observation, inspection & analytical procedures
B. Interviews with client’s competitors
C. Intensive analysis of historical data
D. Interviews with client’s suppliers
KEY A
Justification
While the risk assessment procedures outlined by ISACA, ICAI, etc. provide a
ready-made template that helps ensure that typically vulnerable areas are captured,
observation, inspection & analytical procedures help zero in on risk areas which are
peculiar to the particular business or specific period of time. The approaches in the
other options may also add value but may not be as significant as that achievable
through the answer at Option A. Hence, the answer in Option A is correct.
459. The ideal risk assessment technique _____________
A. Is a computerized scoring system based upon evaluation of risk factors
B. Is judgemental, based upon the auditor’s personal assessment
C. Depends upon the complexity level & detail appropriate for the organization
D. Is a combination of computerized scoring & judgemental system

KEY C
Justification
The ideal risk assessment technique depends upon the complexity level & detail
appropriate for the particular organization. It could be one technique or a combination
of more than one. Hence, the answer in Option C is correct.
460. An IS Auditor carries out a preliminary visit to his client’s site to get a feel of the
operations and identify risks, if any, missed out during his initial study of the
records of the organization. In the server room, he feels uncomfortable and
realizes that the humidity level as well as the ambient temperature are quite high.
On further probing, he discovers that the air conditioning equipment had failed &
the original supplier had ceased operations. The administration manager was
struggling to find an alternate agency to set the problem right. Also, no fall back
system was in place. The IS Auditor is wondering whether this would fall within
the purview of his IT General Controls Review. What is your view ?
A. Yes, it would fall within the purview of IT General Control Review
B. No, it would not fall within the purview of IT General Control review
KEY A
Justification
A general control review would include infrastructure and environment controls too.
Hence, the answer in Option A is correct.
461. As part of his exploratory trips to his client’s office, an IS Auditor meets up with
the Server Manager. The manager is despondent and the auditor learns it is
because of his network cable supervisor’s resignation and impending relief. The
manager is unable to find a substitute immediately and dreads the thought of
managing any network cabling issues in the interim. The auditor discusses the
matter with the manager who feels that the incumbent supervisor is virtually
indispensable and he has no subordinate who could step into his shoes.
The auditor probes further and also visits some of the locations wherein cable
inspection slots were located. He discovers that the cabling junctions had been
done in a very haphazard fashion and were not even labelled. Nor was there any
manual or chart identifying the network of cables, their junctions/ports, etc. He
realizes that the incumbent supervisor had become indispensable on account of
this disorganized cabling system as also the absence of any manual. Ideally, the
cabling should have been carried out more scientifically, there should have been
a ready-reckoner or manual showing the details of the network and a second-in-line
should have been in place to stand in for the supervisor in the event of his
short-term absence or resignation.
Would the auditor be well within his rights to include this aspect as a lacuna in
the general controls review ?
A. No, he would not be right to include this as a lacuna in his general controls
review
B. Yes, he would be right in including this aspect as a lacuna in his general controls
review
KEY B
Justification
A general control review would include infrastructure and environment controls too.
Hence, the answer in Option B is correct.
462. Is segregation of duties useful as an Organizational control ? Why ?
A. Yes, it reduces employee cost
B. Yes, it reduces fraud risk & facilitates accuracy check of one person’s work by
another
C. No, it is not an advantage; it increases employee cost
D. No, it complicates the role of the manager who has to manage more employees
KEY B
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with a
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. This may increase head-count and, hence, manpower cost but, employed
judiciously, the higher manpower cost can be more than compensated by the reduced
risks to the organization. Hence, the answer in Option B is correct.
463. A newly appointed Senior executive in an organization, who happened to be a
close relative of the promoter, is miffed when the IT Manager refuses access to
him to the Server room citing policy guidelines. The executive shares with you,
the Auditor of the organization, what he perceives to be insulting behaviour by
the IT Manager. You question him about the purpose of the visit and learn that the
executive just wanted to have a tour of the facility, as part of his induction. Do
you agree or disagree with the executive ? Why ?

A. Yes, I would agree. As a close relative of the promoter, he would surely have the
organization’s best interests at heart.
B. No, I would not agree. As a new employee, he should not be given access to the
server room
C. Yes, I would agree. The server, in any case, would be password protected & no
harm can be done
D. No, I would not agree. Physical access control to the server is an important
control mechanism
KEY D
Justification
Physical access control to the server room is an important part of IT General Controls in
any organization. The server is a sensitive piece of equipment with certain commands &
settings being exclusive to it. Unauthorized access to it could compromise the security of
the IT system & the organization, obviously, has a clearly defined access policy which has
to be respected. Relationship to the promoter cannot be an excuse for breaking the policy;
if, indeed, he had a genuine need to visit the server room, he could have obtained the
necessary clearances. Denial of access is not on account of the newness of the
employee. Lastly, any robust system operates with several levels of redundancy & the
mere existence of password-protected access to the server is no reason to do away with
a second level of defence in the form of physical access control. Hence, the
answer in Option D is correct.
464. As a measure of IT General control, an organization decides to separate those
who can input data from those that can reconcile or approve data. Is this a good
move ? Why ?
A. No, it is not a good move; the person who inputs the data is the best person to
approve the data too
B. Yes, it is a good move; it can help prevent unauthorised data entry
C. Yes, it is a good move; inputting data & reconciling data requires different skills
D. No, it is not a good move; data entry errors would be compounded
KEY B
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with a
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. Hence, the answer in Option B is correct.

465. As a measure of IT General control, an organization decides to separate those
who can test programs (e.g. Users) from those who can develop programs (e.g.
Application programmers). Is this a good move ? Why ?
A. No, it is not a good move; the person who develops the program is the best
person to test it too
B. Yes, it is a good move; program testing and program development require
different skills
C. Yes, it is a good move; it can help prevent unauthorised programs from being run
D. No, it is not a good move; significant time would be lost in the process
KEY C
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with a
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. In this case, a conflict in roles clearly exists. Time savings could, perhaps, be
gained by using the same person but this would mean paying the expensive price of
potentially unauthorised programs being run. Hence, the answer in Option C is correct.
466. As a measure of IT General control, an organization decides to separate those
who can run live programs (e.g. Operations department) from those who can
change programs (e.g. programmers). Is this a good move ? Why ?
A. Yes, it is a good move; it can help prevent unauthorised programs from being run
B. No, it is not a good move; the user dept. knows best & should be allowed to
change programs
C. Yes, it is a good move; since the programmers would have no work to do
otherwise
D. No, it is not a good move; significant time would be lost in the process & potential
savings lost
KEY A
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with a
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. In this case, a conflict in roles clearly exists. Also, while the user dept. may
have the need for a change, it is up to the programmer to devise an appropriate method
of programming logic to satisfy the user’s requirement. Time savings could, perhaps, be
gained by using the same person but this would mean paying the expensive price of
potentially unauthorised & defective programs being run. Hence, the answer in Option A
is correct.
467. Thanks to its growing popularity, a family-run fast food restaurant is transforming
itself into a chain of branded restaurants & has created a formal organization
structure to manage the growing organization. Having identified young and
upcoming IT industry employees as their core base of customers, the family
decides to build a strong backbone of IT to facilitate online ordering of food,
creation of customer database, etc. Since the immediate primary purpose is to
enable online payments for the purchases by customers, the trustworthy family
retainer & Junior Accountant is given the responsibility of installing and
maintaining the IT system.
As an IS Auditor, do you think the family was right in giving the Junior
Accountant the responsibility ? Why ?
A. No. A senior management representative should take responsibility in the interest
of IT General Control
B. Yes, since the accountant is the main beneficiary of the IT system
C. No. The Senior Accountant in the chain should have been given the responsibility
D. Yes, this role requires a trustworthy person & the family retainer is the best fit
KEY A
Justification
Responsibility for IT systems should lie with the top management, with appropriate
delegation to lower levels. This would not only ensure that the highly vulnerable IT
systems are properly controlled at the highest levels in the company but also ensure
that appropriate IT policies are framed, keeping in mind organizational objectives and
goals. The perspective of an accountant, whether junior or senior, would be rather
limited to his area of operations and responsibility; it may lack the breadth of vision
which would be essential at the top management level, as well as an understanding of
the interfaces between various functions in the business. In any professional
organization, no positive bias can be allowed for the dominance of so-called ‘family
retainers’, however trustworthy they may be. The operations have to be system driven &
not personality driven. Hence, the answer in Option A is correct.

468. An important element of Management Control for the Information System in an
organization is the Information Technology Steering Committee. The Committee
_________
A. Will be exclusively representatives from the IT division
B. Will cover core IT alone, excluding telecommunication, automation systems, etc.
C. Will handle operational issues only; overall goals & strategies would be outside
its purview
D. Will include members from all areas of business, apart from IT personnel
KEY D
Justification
The IT Committee in an organization would drive IT in line with organizational goals,
vision & mission. It will be manned by senior officials from all areas of the
business, apart from IT professionals. Its scope will include all types of IT related
operations including telecommunication, automation systems, manufacturing
processing systems, etc. Hence, the answer in Option D is correct.
469. A leading exporter of cut & polished diamonds has a specially designed vault for
storing its raw as well as processed diamonds. At any point of time, the material
stored in the vault is worth several crores of rupees.
The exporter has laid down a clear procedure for operation of the vault. It can be
opened or closed using two different keys which are held by the Operations Head
and the Finance Head respectively. These officials cannot pass on their individual
key to the other official or to any other official. They have to be present in person
and operate their key themselves. Every time the vault is opened and every time it is
closed, a vault register is signed by both these officials after filling in the relevant
information. The vault is also sealed with individual unique
seals of these officials & checked every time before the vault is opened afresh.
Thus, the vault can be opened only when both these officials are present & a
record is also maintained of every transaction. These officials carry their
individual keys home but never travel together while coming to the office or while
leaving it.
What type of control is being exercised by this Diamond exporter through this
process ?
A. Dual Finance Control
B. Physical Access Control
C. Operating System Control
D. Management Control

KEY A
Justification
This is a dual control system which falls under the finance control mechanism since it
entails two people simultaneously accessing an asset. Hence, the answer in Option A is
correct.
470. What is the first step for an Auditor in an Application software review ?
A. Ascertain the creator of the application software
B. Ascertain the validity of the user licence for the software
C. Ascertain the business function or activity that the software performs
D. Identify the users who have been granted access to the software
KEY C
Justification
The first step for an Auditor is to ascertain the business function or activity that the
software performs. The auditor needs to understand the intricacies of the business and
the way in which the software facilitates the business. Hence, the answer in Option C is
correct.
471. As an IS Auditor reviewing Application software in your new client’s organization,
you have started by thoroughly understanding the nature of the business and the
manner in which the Application software meets the business requirements. What
is the next step which you would take in the process of the Application software
review ?
A. Identify the users who have been granted access to the software
B. Ascertain the creator of the application software
C. Ascertain the validity of the user licence for the software
D. Check how the software handles the risks associated with the particular area of
business dealt with by it
KEY D
Justification
The next important step for an Auditor is to identify the potential risks associated with
the business activity/function served by the software & see how the risks are handled by
the software. Hence, the answer in Option D is correct.
472. State True or False. IT Application controls are controls which are in-built in the
software application itself.

A. FALSE
B. TRUE
KEY B
Justification
IT application controls are, indeed, controls which are in-built in the software application
itself. Hence, the answer in Option B is correct.
473. Which of the following is one of the key areas that should be covered during an
IS Audit of Application software ?
A. List of authorised users of the software
B. Adherence to business rules in the flow & processing accuracy
C. Validity of software licence
D. Cost of the software & availability of cheaper alternatives
KEY B
Justification
One of the key areas to be covered is the software’s adherence to business rules in
the flow and processing accuracy. The other answers in Options A, C and D are not of
immediate relevance or urgency. The answer in Option B is correct.
474. Which of the following is one of the key areas that should be covered during an
IS Audit of Application software ?
A. Cost of the software & availability of cheaper alternatives
B. List of authorised users of the software
C. Validations of various data inputs
D. Validity of software licence
KEY C
Justification
One of the key areas to be covered is the validation of various data inputs. The other
answers in Options A, B and D are not of immediate relevance or urgency. The answer
in Option C is correct.
475. Which of the following is one of the key areas that should be covered during an
IS Audit of Application software ?
A. Logical access control and authorization
