CISA Exam-Test 17

1. An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by:
A. systems development management.
B. the quality assurance (QA) team.
C. the project manager.
D. business unit management.
Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software.

2. Which of the following types of cryptography demands less computational power and offers more security per bit?
A. Quantum cryptography
B. Elliptic Curve Cryptography (ECC)
C. Asymmetric Key Cryptography
D. Symmetric Key Cryptography

3. The GREATEST risk of database denormalization is:
A. loss of data confidentiality.
B. incorrect metadata.
C. decreased performance.
D. loss of database integrity.

4. Information for detecting unauthorized input from a user workstation would be BEST provided by the:
A. automated suspense file listing.
B. transaction journal.
C. user error report.
D. console log printout.
The transaction journal would record all transaction activity, which could then be compared to the authorized source documents to identify any unauthorized input.

5. Which of the following would BEST help to detect errors in data processing?
A. Well-designed data entry screens
B. Programmed edit checks
C. Segregation of duties
D. Hash totals
The use of hash totals is an effective method to reliably detect errors in data processing. A hash total would indicate an error in data integrity.

6. An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
A. Project procurement management
B. Project time management
C. Project risk management
D. Project scope management
Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.

7. The editing/validation of data entered at a remote site would be performed MOST effectively at the:
A. central processing site after running the application system.
B. central processing site during the running of the application system.
C. remote processing site after transmission of the data to the central processing site.
D. remote processing site prior to transmission of the data to the central processing site.
It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

8. There are many known weaknesses within an Intrusion Detection System (IDS). Which of the following is NOT a limitation of an IDS?
A. Application-level vulnerability
B. Backdoor into an application
C. Detecting zero-day attacks
D. Weakness in the identification and authentication scheme

9. During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:
A. review the licensing policy.
B. ensure that the procedure had been approved.
C. test the software for compatibility with existing hardware.
D. perform a gap analysis.
In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities.

10.
Which of the following is the MOST important element in the design of a data warehouse?
A. Volatility of the data
B. Vulnerability of the system
C. Speed of the transactions
D. Quality of the metadata
Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Companies that have built warehouses believe that metadata are the most important component of the warehouse.

11. The PRIMARY purpose of audit trails is to:
A. establish accountability and responsibility for processed transactions.
B. improve response time for users.
C. improve the operational efficiency of the system.
D. provide useful information to auditors who may wish to track transactions.
Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system.

12. The objective of a vulnerability identification step in a risk assessment process is to:
A. determine the impact of compromise
B. determine the likelihood of a threat
C. identify the compensating controls
D. develop a list of weaknesses

13. Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Duplicate check
D. Validity check
A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered (e.g., an incorrect, but valid, value substituted for the original). This control is effective in detecting transposition and transcription errors.

14. Before implementing controls in a newly developed system, management should PRIMARILY ensure that the controls:
A. do not reduce productivity.
B. are based on a minimized cost analysis.
C. are detective or corrective.
D. satisfy a requirement in addressing a risk.
The purpose of a control is to mitigate a risk; therefore, the primary consideration when selecting a control is that it effectively mitigates an identified risk. When designing controls, it is necessary to consider all of the aspects in choices A through D. In an ideal situation, controls that address all of these aspects would be the best controls. Realistically, it may not be possible to design them all and the cost may be prohibitive; therefore, it is necessary to consider the controls related primarily to the treatment of existing risk in the organization.

15. An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
A. stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.
B. accept the project manager's position because the project manager is accountable for the outcome of the project.
C. inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.
D. offer to work with the risk manager when one is appointed.
The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy, enterprise risk management, and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk.

16. Which of the following functions is NOT performed by the application layer of the TCP/IP model?
A. End-to-end connection
B. Data encryption and compression
C. Dialog management
D. Print service, application services

17. Which of the following comparisons are used for identification and authentication in a biometric system?
A. One-to-one for identification and authentication
B. One-to-one for identification and one-to-many for authentication
C. One-to-many for identification and one-to-one for authentication
D. One-to-many for identification and authentication

18. When reviewing an organization's data protection practices, an IS auditor should be MOST concerned with a lack of:
A. training manuals.
B. data encryption.
C. data classification.
D. a security team.
Data classification helps in determining the appropriate level of protection for information assets.

19. The phases and deliverables of a system development life cycle (SDLC) project should be determined:
A. only after all risk and exposures have been identified and the IS auditor has recommended appropriate controls.
B. during the initial planning stages of the project.
C. throughout the work stages, based on risk and exposures.
D. after early planning has been completed but before work has begun.
It is extremely important that the project be planned properly, and that the specific phases and deliverables are identified during the early stages of the project. This enables project tracking and resource management.

20. Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
B. Calculation of the expected end date based on current resources and remaining available project budget
C. Extrapolation of the overall end date based on completed work packages and current resources
D. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., the 80:20 rule).

21. Which of the following groups is MOST likely responsible for the implementation of IT projects?
A. IT steering committee
B. IT strategy committee
C. IT compliance committee
D. IT governance committee
The IT steering committee is responsible for the implementation and monitoring of IT projects.

22. Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to improve the effectiveness of its IT processes?
A. IT staff should be surveyed to identify current IT process weaknesses and suggest improvements
B. The organization should use a capability maturity model to identify current maturity levels for each IT process
C. The organization should refer to poor audit reports to identify the specific IT processes to be improved
D. IT management should include process improvement requirements in staff performance objectives

23. A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A. Integration testing
B. System testing
C. Unit testing
D. Acceptance testing
Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level because this could result in delays and cost overruns.

24. When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
A. increases in quality are only achieved if resource allocation is increased.
B. increases in quality can be achieved, even if resource allocation is decreased.
C. decreases in delivery time can only be achieved if quality is decreased.
D. decreases in delivery time can be achieved, even if resource allocation is decreased.
The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, composed of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can be achieved if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.

25. When implementing an application software package, which of the following presents the GREATEST risk?
A. Source programs that are not synchronized with object code
B. Programming errors
C. Incorrectly set parameters
D. Uncontrolled multiple software versions
Parameters that are not set correctly would be the greatest concern when implementing an application software package. Incorrectly set parameters are an immediate problem that could lead to system breach, failure or noncompliance.

26.
Which of the following types of cryptography is based on the practical application of the characteristics of the smallest "grains" of light, photons, and the physical laws governing their generation, propagation and detection?
A. Symmetric Key Cryptography
B. Quantum Cryptography
C. Elliptical Curve Cryptography (ECC)
D. Asymmetric Key Cryptography

27. A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
A. if the project could be brought in ahead of schedule.
B. if the project budget can be reduced.
C. what amount of progress against schedule has been achieved.
D. if the budget savings can be applied to increase the project scope.
Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project.

28. Ideally, stress testing should be carried out in a:
A. production environment using live workloads.
B. test environment using test data.
C. production environment using test data.
D. test environment using live workloads.
Stress testing is carried out to ensure that a system can cope with production workloads. Testing with production-level workloads is important to ensure that the system will operate effectively when moved into production.

29. The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. nonrepudiation.
B. authorization.
C. integrity.
D. authenticity.
A checksum calculated on an amount field and included in the electronic data interchange (EDI) communication can be used to identify unauthorized modifications.

30. Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
A. Implement formal software inspections.
B. Increase the time allocated for system testing.
C. Require the sign-off of all project deliverables.
D. Increase the development staff.
Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved.