CISA Exam-Test 19

1. Which of the following is MOST important to have in place for the continuous improvement of process maturity within a large IT support function?
   - Control self-assessments (CSAs)
   - Project management
   - Performance metrics dashboard
   - Regular internal audits

2. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:
   - checks (cheques) should be reconciled with output reports.
   - payroll reports should be compared to input forms.
   - checks (cheques) should be compared to input forms.
   - gross payroll should be recalculated manually.

   The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) against the results in the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism for verifying data accuracy.

3. An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:
   - check to ensure that the type of transaction is valid for the card type.
   - verify the format of the number entered, then locate it on the database.
   - confirm that the card is not shown as lost or stolen on the master file.
   - ensure that the transaction entered is within the cardholder's credit limit.

   The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed.

4. When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
   - Using a cryptographic hashing algorithm
   - Calculating a checksum of the transaction
   - Enciphering the message digest
   - Using a sequence number and time stamp

   When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and it could be used to verify that a payment instruction was not duplicated.

5. Which of the following is found in an audit charter?
   - Required training for audit staff
   - Audit objectives and scope
   - The process of developing the annual audit plan
   - The authority given to the audit function

6. Due to a high volume of customer orders, an organization plans to implement a new application for customers to use for online ordering. Which type of testing is MOST important to ensure the security of the application prior to go-live?
   - Stress testing
   - Vulnerability testing
   - Regression testing
   - User acceptance testing (UAT)

7. Which of the following is MOST important for an IS auditor to consider during a review of the IT governance of an organization?
   - Funding allocation
   - Defined service levels
   - Risk management methodology
   - Decision-making responsibilities

8. Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?
   - Transmission delay
   - Loss or duplication of EDI transmissions
   - Lack of transaction authorizations
   - Deletion or manipulation of transactions prior to or after establishment of application controls

   Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk.

9. Which of the following attacks could be avoided by creating more security awareness in the organization and providing adequate security knowledge to all employees?
   - Phishing
   - Interrupt attack
   - Traffic analysis
   - Smurf attack

10. The MAIN purpose of a transaction audit trail is to:
   - help an IS auditor trace transactions.
   - determine accountability and responsibility for processed transactions.
   - reduce the use of storage media.
   - provide useful information for capacity planning.

   Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system.

11. Which of the following types of lock uses a magnetic or embedded-chip plastic card key or token entered into a sensor/reader to gain access?
   - Electronic door lock
   - Bolting door lock
   - Biometric door lock
   - Combination door lock

12. When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
   - recommend that overrides not be permitted.
   - ensure that overrides are automatically logged and subject to review.
   - not be concerned because there may be other compensating controls to mitigate the risk.
   - verify whether all such overrides are referred to senior management for approval.

   If input procedures allow overrides of data validation and editing, automatic logging should occur. A manager who did not initiate the override should review this log.

13. An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate?
   - Senior IS and business management must approve use before production data can be utilized for testing.
   - Production data can be used provided that confidentiality agreements are in place.
   - Production data can be used if they are copied to a secure test environment.
   - Production data can never be used. All test data must be developed and based on documented test cases.

   There is risk associated with the use of production data for testing. This includes compromising customer or employee confidentiality (which may also involve breaching legislation) and corrupting the production data. Additionally, there are certain cases in which effective testing requires specifically designed data. There are other cases in which using production data would provide insights that are difficult or impossible to get from manufactured test data. One example is testing of interfaces to legacy systems. Management information systems are a further example where access to "real" data is likely to enhance testing. Some flexibility on the use of production data is likely to be the best option. In addition to obtaining senior management approval, conditions that mitigate the risk associated with using production data can be agreed on, such as masking names and other identifying fields to protect privacy.

14. Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing?
   - Quality assurance (QA) test specifications
   - Test data covering critical applications
   - Detailed test plans
   - User acceptance test specifications

   A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project, and the user acceptance test specification should be developed during this phase.

15. A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
   - The system displays a warning message to the clerk.
   - The system requires the clerk to enter an approval code.
   - The system will not process the change until the clerk's manager confirms the change by entering an approval code.
   - The system generates a weekly report listing all rate exceptions, and the report is reviewed by the clerk's manager.

   Requiring an approval code from a manager would prevent or detect the use of an unauthorized interest rate.

16. Which of the following is an advantage of the top-down approach to software testing?
   - Interface errors are identified early.
   - Errors in critical modules are detected sooner.
   - Testing can be started before all programs are complete.
   - It is more effective than other testing approaches.

   The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner.

17. Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
   - Bottom-up testing
   - Sociability testing
   - Top-down testing
   - System testing

   The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.

18. An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make?
   - Delay the project until compliance with standards can be achieved.
   - Enforce standard compliance by adopting punitive measures against violators.
   - Achieve standards alignment through an increase of resources devoted to the project.
   - Align the data definition standards after completion of the project.

   Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources.

19. A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
   - One-for-one checking
   - Key verification
   - Manual recalculations
   - Functional acknowledgements

   Acting as an audit trail for electronic data interchange (EDI) transactions, functional acknowledgements are one of the main controls used in data mapping.

20. Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
   - Accuracy of the data transformation
   - Accuracy of the source data
   - Accuracy of the extraction process
   - Credibility of the data source

   Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data will corrupt the integrity of the data in the data warehouse.

21. Which of the following types of lock uses a numeric keypad or dial to gain entry?
   - Electronic door lock
   - Cipher lock
   - Bolting door lock
   - Biometric door lock

22. Which of the following protocols is PRIMARILY used to provide confidentiality in a web-based application, thus protecting data sent between a client machine and a server?
   - SSH
   - FTP
   - S/MIME
   - SSL

23. Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
   - Decision-making may be impaired due to diminished responsiveness to requests for information.
   - Development and maintenance costs may be increased.
   - Applications may not be subject to testing and IT general controls.
   - Application development time may be increased.

   End-user computing (EUC) is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications.

24. Which of the following is the GREATEST risk to the effectiveness of application system controls?
   - Removal of manual processing steps
   - Unresolved regulatory compliance issues
   - Collusion between employees
   - Inadequate procedure manuals

   Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented.

25. An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
   - authentication techniques for sending and receiving messages.
   - EDI trading partner agreements.
   - program change control procedures.
   - physical controls for terminals.

   Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions.

26. A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced?
   - Using hash totals in the order transmitting process
   - Verifying production to customer orders
   - Approving (production supervisor) orders prior to production
   - Logging all customer orders in the ERP system

   Verification will ensure that produced products match the orders in the customer order system.

27. Which of the following will BEST ensure the successful offshore development of business applications?
   - Awareness of cultural and political differences
   - Postimplementation reviews
   - Stringent contract management practices
   - Detailed and correctly applied specifications

   When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.

28. Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
   - Data representing conditions that are expected in actual processing
   - Completing the test on schedule
   - A random sample of actual data
   - A sufficient quantity of data for each test case

   Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity.

29. Which of the following is a penetration test in which the penetration tester is provided with limited or no knowledge of the target's information systems?
   - Targeted testing
   - External testing
   - Internal testing
   - Blind testing

30. During a review of IT service desk practices, an IS auditor notes that help desk personnel are spending more time fulfilling user requests for password resets than resolving critical incidents. Which of the following recommendations to IT management would BEST address this situation?
   - Incentivize service desk personnel to close incidents within agreed service levels.
   - Calculate the age of incident tickets and alert senior IT personnel when they exceed service level agreements (SLAs).
   - Implement a self-service solution and redirect users to access frequently requested services.
   - Provide annual password management training to end users to reduce the number of instances requiring password resets.