CISA EXAM-TEST 19

1. Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
    Applications may not be subject to testing and IT general controls.
    Development and maintenance costs may be increased.
    Application development time may be increased.
    Decision-making may be impaired due to diminished responsiveness to requests for information.

End-user computing (EUC) is defined as the ability of end users to design and implement their own information systems using computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as on traditional applications.

2. Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
    Completing the test on schedule
    A sufficient quantity of data for each test case
    Data representing conditions that are expected in actual processing
    A random sample of actual data

Selecting the right kind of data is key in testing a computer system. The data should include not only valid and invalid data but should be representative of actual processing; quality is more important than quantity.

3. A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
    One-for-one checking
    Manual recalculations
    Key verification
    Functional acknowledgements

Acting as an audit trail for electronic data interchange (EDI) transactions, functional acknowledgements are one of the main controls used in data mapping.

4. An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
    EDI trading partner agreements.
    program change control procedures.
    authentication techniques for sending and receiving messages.
    physical controls for terminals.

Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions.

5. An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate?
    Senior IS and business management must approve use before production data can be utilized for testing.
    Production data can be used if they are copied to a secure test environment.
    Production data can never be used.
    All test data must be developed and based on documented test cases.
    Production data can be used provided that confidentiality agreements are in place.

There is risk associated with the use of production data for testing. This includes compromising customer or employee confidentiality (which may also involve breaching legislation) and corrupting production data. Additionally, there are certain cases in which effective testing requires specifically designed data. There are other cases in which using production data would provide insights that are difficult or impossible to get from manufactured test data. One example is testing of interfaces to legacy systems. Management information systems are a further example where access to "real" data is likely to enhance testing. Some flexibility on the use of production data is likely to be the best option. In addition to obtaining senior management approval, conditions that mitigate the risk associated with using production data can be agreed on, such as masking names and other identifying fields to protect privacy.

6. Which of the following is the MOST critical and contributes the most to the quality of data in a data warehouse?
    Accuracy of the data transformation
    Accuracy of the source data
    Credibility of the data source
    Accuracy of the extraction process

Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data will corrupt the integrity of the data in the data warehouse.

7. Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
    Sociability testing
    System testing
    Bottom-up testing
    Top-down testing

The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.

8. When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
    Using a sequence number and time stamp
    Calculating a checksum of the transaction
    Using a cryptographic hashing algorithm
    Enciphering the message digest

When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and it could be used to verify that a payment instruction was not duplicated.

9. Which of the following types of lock uses a numeric keypad or dial to gain entry?
    Bolting door locks
    Cipher lock
    Electronic door lock
    Biometric door lock

10. During a review of IT service desk practices, an IS auditor notes that help desk personnel are spending more time fulfilling user requests for password resets than resolving critical incidents. Which of the following recommendations to IT management would BEST address this situation?
    Incentivize service desk personnel to close incidents within agreed service levels.
    Calculate the age of incident tickets and alert senior IT personnel when they exceed service level agreements (SLAs).
    Provide annual password management training to end users to reduce the number of instances requiring password resets.
    Implement a self-service solution and redirect users to access frequently requested services.

11. Which of the following is the GREATEST risk to the effectiveness of application system controls?
    Inadequate procedure manuals
    Collusion between employees
    Removal of manual processing steps
    Unresolved regulatory compliance issues

Collusion is an active attack in which users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented.

12. Which of the following attacks could be avoided by creating more security awareness in the organization and providing adequate security knowledge to all employees?
    Phishing
    Surf attack
    Interrupt attack
    Traffic analysis

13. A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced?
    Logging all customer orders in the ERP system
    Verifying production to customer orders
    Using hash totals in the order transmitting process
    Approving (production supervisor) orders prior to production

Verification will ensure that produced products match the orders in the customer order system.

14. A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
    The system displays a warning message to the clerk.
    The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk's manager.
    The system will not process the change until the clerk's manager confirms the change by entering an approval code.
    The system requires the clerk to enter an approval code.

Requiring an approval code from a manager would prevent or detect the use of an unauthorized interest rate.

15. An IS auditor has found time constraints and expanded needs to be the root causes of recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make?
    Enforce standards compliance by adopting punitive measures against violators.
    Delay the project until compliance with standards can be achieved.
    Align the data definition standards after completion of the project.
    Achieve standards alignment through an increase of resources devoted to the project.

Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources.

16. An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:
    confirm that the card is not shown as lost or stolen on the master file.
    ensure that the transaction entered is within the cardholder's credit limit.
    verify the format of the number entered, then locate it on the database.
    check to ensure that the type of transaction is valid for the card type.

The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed.

17. Which of the following types of lock uses a magnetic or embedded-chip plastic card key or token entered into a sensor/reader to gain access?
    Bolting door locks
    Combination door lock
    Electronic door lock
    Biometric door lock

18. Which of the following will BEST ensure the successful offshore development of business applications?
    Detailed and correctly applied specifications
    Awareness of cultural and political differences
    Stringent contract management practices
    Postimplementation reviews

When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.

19. Which of the following is an advantage of the top-down approach to software testing?
    Testing can be started before all programs are complete.
    It is more effective than other testing approaches.
    Errors in critical modules are detected sooner.
    Interface errors are identified early.

The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner.

20. Which of the following is found in an audit charter?
    The authority given to the audit function
    Required training for audit staff
    The process of developing the annual audit plan
    Audit objectives and scope

21. Which of the following is MOST important for an IS auditor to consider during a review of the IT governance of an organization?
    Funding allocation
    Decision-making responsibilities
    Defined service levels
    Risk management methodology

22. Which of the following is a penetration test in which the penetration tester is provided with limited or no knowledge of the target's information systems?
    External Testing
    Internal Testing
    Targeted Testing
    Blind Testing

23. Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?
    Deletion or manipulation of transactions prior to or after establishment of application controls
    Lack of transaction authorizations
    Transmission delay
    Loss or duplication of EDI transmissions

Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk.

24. Which of the following is MOST important to have in place for the continuous improvement of process maturity within a large IT support function?
    Project management
    Regular internal audits
    Performance metrics dashboard
    Control self-assessments (CSAs)

25. When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
    not be concerned because there may be other compensating controls to mitigate the risk.
    recommend that overrides not be permitted.
    ensure that overrides are automatically logged and subject to review.
    verify whether all such overrides are referred to senior management for approval.

If input procedures allow overrides of data validation and editing, automatic logging should occur. A manager who did not initiate the override should review this log.

26. Due to a high volume of customer orders, an organization plans to implement a new application for customers to use for online ordering. Which type of testing is MOST important to ensure the security of the application prior to go-live?
    Vulnerability testing
    Stress testing
    Regression testing
    User acceptance testing (UAT)

27. Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing?
    User acceptance test specifications
    Test data covering critical applications
    Detailed test plans
    Quality assurance (QA) test specifications

A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project, and user acceptance test specifications should be developed during this phase.

28. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:
    payroll reports should be compared to input forms.
    checks (cheques) should be reconciled with output reports.
    checks (cheques) should be compared to input forms.
    gross payroll should be recalculated manually.

The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) against the results in the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism for verifying data accuracy.

29. The MAIN purpose of a transaction audit trail is to:
    determine accountability and responsibility for processed transactions.
    help an IS auditor trace transactions.
    reduce the use of storage media.
    provide useful information for capacity planning.

Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system.

30. Which of the following protocols is PRIMARILY used to provide confidentiality in a web-based application, thus protecting data sent between a client machine and a server?
    FTP
    SSL
    SSH
    S/MIME