CISA Exam-Test 17

1. Information for detecting unauthorized input from a user workstation would be BEST provided by the:
A. automated suspense file listing.
B. user error report.
C. console log printout.
D. transaction journal.

The transaction journal records all transaction activity, which can then be compared to the authorized source documents to identify any unauthorized input.

2. A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
A. if the project could be brought in ahead of schedule.
B. if the project budget can be reduced.
C. what amount of progress against schedule has been achieved.
D. if the budget savings can be applied to increase the project scope.

Cost performance of a project cannot be properly assessed in isolation from schedule performance; spend cannot be judged simply in terms of elapsed time on a project.

3. The GREATEST risk of database denormalization is:
A. decreased performance.
B. loss of database integrity.
C. loss of data confidentiality.
D. incorrect metadata.

4. Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Extrapolation of the overall end date based on completed work packages and current resources
B. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
C. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
D. Calculation of the expected end date based on current resources and remaining available project budget

Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., the 80:20 rule).

5. When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
A. decreases in delivery time can only be achieved if quality is decreased.
B. decreases in delivery time can be achieved, even if resource allocation is decreased.
C. increases in quality can be achieved, even if resource allocation is decreased.
D. increases in quality are only achieved if resource allocation is increased.

The three primary dimensions of a project are the deliverables, the allocated resources and the delivery time. The project management triangle formed by these three dimensions has a fixed area, so, depending on the degree of freedom, a change in one dimension must be compensated by changing one or both of the remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can still be achieved, provided a delay in the delivery time of the project is accepted.

6. During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:
A. test the software for compatibility with existing hardware.
B. ensure that the procedure had been approved.
C. perform a gap analysis.
D. review the licensing policy.

In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities.

7. Before implementing controls in a newly developed system, management should PRIMARILY ensure that the controls:
A. are based on a minimized cost analysis.
B. do not reduce productivity.
C. satisfy a requirement in addressing a risk.
D. are detective or corrective.

The purpose of a control is to mitigate a risk; therefore, the primary consideration when selecting a control is that it effectively mitigates an identified risk. When designing controls it is necessary to consider all of the aspects in choices A through D, and ideally a control would address all of them. Realistically it may not be possible to design for all of them and the cost may be prohibitive, so the controls that primarily treat existing risk in the organization take precedence.

8. An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by:
A. the quality assurance (QA) team.
B. systems development management.
C. business unit management.
D. the project manager.

Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and for confirming that the required functions are available in the software.

9. The PRIMARY purpose of audit trails is to:
A. establish accountability and responsibility for processed transactions.
B. improve the operational efficiency of the system.
C. provide useful information to auditors who may wish to track transactions.
D. improve response time for users.

Enabling audit trails helps in establishing the accountability and responsibility for processed transactions by tracing transactions through the system.

10. There are many known weaknesses within an intrusion detection system (IDS). Which of the following is NOT a limitation of an IDS?
A. Application-level vulnerability
B. Weakness in the identification and authentication scheme
C. Detect zero-day attacks
D. Backdoor into application

11. Which of the following types of cryptography is based on the practical application of the characteristics of the smallest "grains" of light, the photon, and the physical laws governing their generation, propagation and detection?
A. Quantum Cryptography
B. Symmetric Key Cryptography
C. Asymmetric Key Cryptography
D. Elliptic Curve Cryptography (ECC)

12. Which of the following is the most important element in the design of a data warehouse?
A. Vulnerability of the system
B. Speed of the transactions
C. Volatility of the data
D. Quality of the metadata

Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describe the data in the warehouse and aim to provide a table of contents to the stored information. Companies that have built warehouses regard metadata as the most important component of the warehouse.

13. Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Duplicate check
B. Range check
C. Validity check
D. Check digit

A check digit is a numeric value that is calculated mathematically from the data and appended to it, so that an alteration of the original data (e.g., an incorrect but valid value substituted for the original) can be detected. This control is effective in detecting transposition and transcription errors.

14. An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
A. Project time management
B. Project procurement management
C. Project scope management
D. Project risk management

Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.

15. The phases and deliverables of a system development life cycle (SDLC) project should be determined:
A. during the initial planning stages of the project.
B. throughout the work stages, based on risk and exposures.
C. only after all risk and exposures have been identified and the IS auditor has recommended appropriate controls.
D. after early planning has been completed but before work has begun.

It is extremely important that the project be planned properly and that the specific phases and deliverables are identified during the early stages of the project. This enables project tracking and resource management.

16. Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to improve the effectiveness of its IT processes?
A. IT staff should be surveyed to identify current IT process weaknesses and suggest improvements
B. The organization should use a capability maturity model to identify current maturity levels for each IT process
C. IT management should include process improvement requirements in staff performance objectives
D. The organization should refer to poor audit reports to identify the specific IT processes to be improved

17. Ideally, stress testing should be carried out in a:
A. production environment using live workloads.
B. test environment using test data.
C. test environment using live workloads.
D. production environment using test data.

Stress testing is carried out to ensure that a system can cope with production workloads. Testing with production-level workloads is important to ensure that the system will operate effectively when moved into production.

18. Which of the following groups is MOST likely responsible for the implementation of IT projects?
A. IT strategy committee
B. IT governance committee
C. IT steering committee
D. IT compliance committee

The IT steering committee is responsible for the implementation and monitoring of IT projects.

19. The objective of the vulnerability identification step in a risk assessment process is to:
A. determine the impact of compromise.
B. determine the likelihood of a threat.
C. identify the compensating controls.
D. develop a list of weaknesses.

20. The editing/validation of data entered at a remote site would be performed MOST effectively at the:
A. central processing site during the running of the application system.
B. remote processing site prior to transmission of the data to the central processing site.
C. central processing site after running the application system.
D. remote processing site after transmission of the data to the central processing site.

It is important that data entered from a remote site are edited and validated prior to transmission to the central processing site.

21. When reviewing an organization's data protection practices, an IS auditor should be MOST concerned with a lack of:
A. data encryption.
B. data classification.
C. training manuals.
D. a security team.

Data classification helps in determining the appropriate level of protection for information assets.

22. When implementing an application software package, which of the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Programming errors
C. Source programs that are not synchronized with object code
D. Incorrectly set parameters

Incorrectly set parameters are the greatest concern when implementing an application software package: they are an immediate problem that could lead to a system breach, failure or noncompliance.
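Question 13 above says a check digit detects transposition and transcription errors but does not show why. The following Python, added here as an illustration and not part of the original exam page, implements the mod-10 (Luhn) check digit used on payment card numbers, injects a mis-keyed digit and a swapped pair into a valid number, and shows both being caught. It also shows the one adjacent transposition the scheme cannot see (0 and 9 swapped), a caveat a practitioner relying on check digits should know. The numbers used are constructed test values.

```python
"""Mod-10 (Luhn) check digit: catching the transcription and transposition
errors referred to in question 13, and the one case it misses.
Added illustration; the numbers below are constructed test values."""


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit for a string of decimal digits.

    Counting from the right of the final number, the check digit occupies
    position 0, so every payload digit at an odd position (1, 3, 5, ...) is
    doubled, with products above 9 reduced by subtracting 9; the check digit
    then makes the total a multiple of 10.
    """
    if not payload.isdigit():
        raise ValueError("payload must contain only decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # odd position once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def with_check_digit(payload: str) -> str:
    """Append the check digit to the payload."""
    return payload + luhn_check_digit(payload)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the rest."""
    return (len(number) >= 2 and number.isdigit()
            and luhn_check_digit(number[:-1]) == number[-1])


def substitute(number: str, pos: int, digit: str) -> str:
    """Simulate a transcription error: the digit at pos is mis-keyed."""
    return number[:pos] + digit + number[pos + 1:]


def transpose(number: str, pos: int) -> str:
    """Simulate a transposition error: digits at pos and pos+1 are swapped."""
    return number[:pos] + number[pos + 1] + number[pos] + number[pos + 2:]


def detected(number: str, mutated: str) -> bool:
    """Was an error introduced into a valid number caught by the check digit?"""
    return luhn_valid(number) and not luhn_valid(mutated)


if __name__ == "__main__":
    ok = with_check_digit("7992739871")              # -> 79927398713
    print(ok, luhn_valid(ok))
    print("transcription 7->8 detected:", detected(ok, substitute(ok, 0, "8")))
    print("transposition 79->97 detected:", detected(ok, transpose(ok, 0)))
    # Blind spot: doubling maps 0->0 and 9->9 modulo 10, so swapping an
    # adjacent 0 and 9 leaves the total unchanged and the number still passes.
    blind = with_check_digit("1209")                 # -> 12096
    print("09->90 transposition detected:", detected(blind, transpose(blind, 2)))
```

Every single-digit substitution is caught because doubling with the subtract-9 rule is a one-to-one mapping of the digits 0 to 9, and every adjacent transposition is caught except 09/90. A check digit therefore protects against keying errors, not against a deliberate change by someone who can recompute it.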
23. An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
A. stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.
B. inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.
C. accept the project manager's position because the project manager is accountable for the outcome of the project.
D. offer to work with the risk manager when one is appointed.

The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with it. A project should have a clear link back to corporate strategy, enterprise risk management and the tactical plans that support that strategy, and the process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk.

24. Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
A. Implement formal software inspections.
B. Increase the time allocated for system testing.
C. Require the sign-off of all project deliverables.
D. Increase the development staff.

Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle, which reduces the cost of correction because less rework is involved.

25. Which of the following functions is NOT performed by the application layer of the TCP/IP model?
A. End-to-end connection
B. Data encryption and compression
C. Dialog management
D. Print services and application services

26. A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing

Acceptance testing is the final stage before the software is installed and made available for use. The greatest impact would occur if the software fails at the acceptance testing level, because this could result in delays and cost overruns.

27. The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. authenticity.
B. authorization.
C. nonrepudiation.
D. integrity.

A checksum calculated on the amount field and included in the EDI communication can be used to detect modification of the amount in transit.

28. Which of the following comparisons are used for identification and authentication in a biometric system?
A. One-to-one for identification and one-to-many for authentication
B. One-to-one for identification and authentication
C. One-to-many for identification and authentication
D. One-to-many for identification and one-to-one for authentication

29. Which of the following would BEST help to detect errors in data processing?
A. Well-designed data entry screens
B. Segregation of duties
C. Hash totals
D. Programmed edit checks

The use of hash totals is an effective method to reliably detect errors in data processing: a changed hash total indicates an error in data integrity.

30. Which of the following types of cryptography demands less computational power and offers more security per bit?
A. Quantum cryptography
B. Symmetric Key Cryptography
C. Elliptic Curve Cryptography (ECC)
D. Asymmetric Key Cryptography
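Questions 27 and 29 both turn on detecting changes to processed data: a hash total over a batch of records, and a checksum over an EDI amount field. The following Python, added here as an illustration and not part of the original exam page, runs a hash-total reconciliation over a constructed batch and then shows the caveat behind the answer to question 27: a checksum catches accidental or crude modification of the amount (integrity), but anyone able to alter the field can also recompute a plain checksum, so it gives no authenticity. A keyed MAC (HMAC-SHA256 with a shared key, which is an assumption added here and not part of the question) is what closes that gap. The record values, the AMT*amount*trailer segment layout and the keys are all constructed.

```python
"""Hash totals (question 29) and an EDI amount checksum (question 27).
Added illustration; records, segment layout and keys are constructed."""
import hashlib
import hmac
import zlib

# Constructed batch of (account_number, amount_cents) records.
BATCH = [
    ("10023", 12_500),
    ("10077", 3_200),
    ("10101", 98_000),
]


def hash_total(records) -> int:
    """Sum of a numeric field with no business meaning (the account number).
    Taken when the batch is input and again after processing; a difference
    reveals a dropped, duplicated or altered record."""
    return sum(int(account) for account, _amount in records)


def reconcile(input_records, output_records) -> bool:
    """True when the batch survived processing with count and hash total intact.
    Caveat: two errors that cancel out (+1 on one account, -1 on another)
    are not caught, which is why hash totals are one control among several."""
    return (len(input_records) == len(output_records)
            and hash_total(input_records) == hash_total(output_records))


# --- Amount field protected by a checksum: integrity only -------------------

def crc_of(amount_cents: int) -> str:
    """CRC-32 of the amount as text; anyone can compute it."""
    return f"{zlib.crc32(str(amount_cents).encode()):08x}"


def build_segment(amount_cents: int) -> str:
    """Constructed segment layout: AMT*<amount>*<crc32 of amount>."""
    return f"AMT*{amount_cents}*{crc_of(amount_cents)}"


def parse_segment(segment: str):
    _tag, amount, trailer = segment.split("*")
    return int(amount), trailer


def verify_segment(segment: str) -> bool:
    amount, trailer = parse_segment(segment)
    return hmac.compare_digest(trailer, crc_of(amount))


def alter_amount(segment: str, new_amount_cents: int) -> str:
    """Change the amount but leave the trailer untouched, as a line fault
    or a careless tamperer would."""
    tag, _amount, trailer = segment.split("*")
    return f"{tag}*{new_amount_cents}*{trailer}"


# --- Same field protected by a keyed MAC: integrity and origin --------------

def mac_of(amount_cents: int, key: bytes) -> str:
    """HMAC-SHA256 over the amount; needs the shared key to recompute."""
    return hmac.new(key, str(amount_cents).encode(), hashlib.sha256).hexdigest()


def build_mac_segment(amount_cents: int, key: bytes) -> str:
    return f"AMT*{amount_cents}*{mac_of(amount_cents, key)}"


def verify_mac_segment(segment: str, key: bytes) -> bool:
    amount, trailer = parse_segment(segment)
    return hmac.compare_digest(trailer, mac_of(amount, key))


if __name__ == "__main__":
    print("batch reconciles:", reconcile(BATCH, BATCH))
    print("dropped record caught:", not reconcile(BATCH, BATCH[:-1]))

    seg = build_segment(12_500)
    print("corrupted amount caught:", not verify_segment(alter_amount(seg, 13_500)))
    # Anyone who can change the amount can also recompute a plain checksum.
    print("recomputed checksum accepted:", verify_segment(build_segment(13_500)))

    KEY = b"constructed-shared-key"        # agreed out of band in practice
    good = build_mac_segment(12_500, KEY)
    forged = build_mac_segment(13_500, b"attacker-guess")
    print("MAC verifies:", verify_mac_segment(good, KEY))
    print("forgery without key rejected:", not verify_mac_segment(forged, KEY))
```

The point of the last two prints is the one the exam answer leaves implicit: the checksum proves the amount was not changed by accident, and nothing more. Whether the trading partner actually sent that amount is a question of authenticity, which needs a key the tamperer does not hold.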