CISA Exam-Test 20

1. Regression testing is undertaken PRIMARILY to ensure that:
A. applicable development standards have been maintained.
B. system functionality meets customer requirements.
C. a new system can operate in the target environment.
D. applied changes have not introduced new errors.
Answer: D. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.

2. Which of the following should be a concern to an IS auditor reviewing a digital forensic process for a security incident?
A. Analysis was performed using an image of the original media.
B. The forensic expert used open-source forensic tools.
C. The affected computer was not immediately shut down after the incident.
D. The media with the original evidence was not write-blocked.

3. An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems?
A. System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.
B. Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected.
C. Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.
D. Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled.
Answer: C. Automatic numerical sequencing is the only option that accounts for completeness of transactions, because any missing transaction would be identified by a gap. A duplicate check (option B) catches a transaction that arrives twice, but not one that never arrives at all.

4. What is the PRIMARY purpose of performing a parallel run of a new system?
A. To verify the new system can process the production load.
B. To verify the new system provides required business functionality.
C. To validate the operation of the new system against its predecessor.
D. To provide a failover plan in case of system issues.

5. Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested?
A. Mapping
B. Logging
C. A snapshot
D. Tracing and tagging
Answer: A. Mapping identifies specific program logic that has not been tested; it analyzes programs during execution to indicate whether program statements have been executed.

6. An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the test phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy?
A. Eliminate planned testing by the development team, and proceed straight to acceptance testing.
B. Implement a test tool to automate defect tracking.
C. Fix and retest the highest-severity functional defects.
D. Test and release a pilot with reduced functionality.
Answer: D. Testing and releasing a pilot with reduced functionality reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation. Not all of the benefits of releasing the system to the full user population will be realized, but some benefits should start to flow. Additionally, some useful comments from real users should be obtained to guide what extra functionality and other improvements need to be included in a full release.

7. A project development team is considering using production data for its test deck.
The team removed sensitive data elements from the test deck before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice?
A. Production data are introduced into the test environment.
B. The project may run over budget.
C. Specialized training is required.
D. Not all functionality will be tested.
Answer: D. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement.

8. A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?
A. Whether the legacy system being replaced was developed in-house
B. The users not devoting reasonable time to define the functionalities of the solution
C. Technical skills and knowledge within the organization related to sourcing and software development
D. Privacy requirements as applied to the data processed by the application
Answer: C. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.

9. Which of the following is a data validation edit and control?
A. Online access controls
B. Before and after image reporting
C. Hash totals
D. Reasonableness checks

10. Which of the following controls helps prevent duplication of vouchers during data entry?
A. A sequence check
B. A cyclic redundancy check (CRC)
C. A range check
D. Transposition and substitution
Answer: A. A sequence check relies on an increasing order of numbering; it validates whether the vouchers are in sequence and thus prevents duplicate vouchers.

11. The MOST significant level of effort for business continuity planning (BCP) generally is required during the:
A. evaluation stage.
B. maintenance stage.
C. testing stage.
D. early stages of planning.
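Questions 3, 9 and 10 above all turn on data validation edits and controls (a sequence check for completeness, a duplicate check, and a reasonableness check), and question 14 below asks for the same kind of rule enforced as an integrity constraint in the database. The following is an added example written for this page; it is not code from the original quiz or from ISACA. It runs the three detective edits over a constructed hourly batch of web-shop sales, then loads the batch into an SQLite table whose PRIMARY KEY and CHECK constraints refuse the same bad rows before they are stored. The field names, the batch contents and the 10,000.00 amount limit are assumptions.

```python
"""Data validation edits and controls over an hourly batch of web-shop sales.

Added example for this page, not code from the original quiz. The batch,
the field names and the amount limit are constructed assumptions.
"""
import sqlite3
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed reasonableness limit: no single web order is worth more than 10,000.00.
MAX_AMOUNT_CENTS = 1_000_000

# Constructed batch: seq 1004 never arrived (gap), seq 1006 arrived twice
# (duplicate) and seq 1007 carries an absurd amount (fails reasonableness).
BATCH: List[Dict] = [
    {"seq": 1001, "order_id": "A-77", "amount_cents": 1999},
    {"seq": 1002, "order_id": "A-78", "amount_cents": 4500},
    {"seq": 1003, "order_id": "A-79", "amount_cents": 999},
    {"seq": 1005, "order_id": "A-81", "amount_cents": 2500},
    {"seq": 1006, "order_id": "A-82", "amount_cents": 1200},
    {"seq": 1006, "order_id": "A-82", "amount_cents": 1200},
    {"seq": 1007, "order_id": "A-83", "amount_cents": 99_999_999},
]


def sequence_gaps(seqs: Iterable[int], expected_start: Optional[int] = None) -> List[int]:
    """Completeness control (question 3): every number from expected_start (or the
    lowest number seen) up to the highest number seen must be present.
    Pass the previous batch's last sequence number + 1 as expected_start; otherwise
    a transaction lost at the boundary between two batches is never noticed."""
    seen = set(seqs)
    lo = min(seen) if expected_start is None else expected_start
    return [n for n in range(lo, max(seen) + 1) if n not in seen]


def duplicates(seqs: Iterable[int]) -> List[int]:
    """Duplicate check (questions 3 and 10): sequence numbers seen more than once."""
    seen, dup = set(), set()
    for n in seqs:
        (dup if n in seen else seen).add(n)
    return sorted(dup)


def unreasonable(batch: List[Dict]) -> List[int]:
    """Reasonableness check (question 9): amounts outside the expected range."""
    return [t["seq"] for t in batch if not 0 < t["amount_cents"] <= MAX_AMOUNT_CENTS]


def load_with_constraints(batch: List[Dict]) -> Tuple[int, List[Tuple[int, str]]]:
    """Preventive control (question 14): the same rules expressed as integrity
    constraints, so the database refuses the bad rows instead of storing them.
    Returns (rows_accepted, [(seq, error_message), ...])."""
    con = sqlite3.connect(":memory:")
    con.execute(
        f"""CREATE TABLE sales (
                seq INTEGER PRIMARY KEY,                 -- a second 1006 is refused
                order_id TEXT NOT NULL,
                amount_cents INTEGER NOT NULL
                    CHECK (amount_cents > 0 AND amount_cents <= {MAX_AMOUNT_CENTS})
            )"""
    )
    rejected: List[Tuple[int, str]] = []
    for t in batch:
        try:
            con.execute("INSERT INTO sales VALUES (?, ?, ?)",
                        (t["seq"], t["order_id"], t["amount_cents"]))
        except sqlite3.IntegrityError as err:
            # A failed INSERT aborts only that statement; the rest of the batch loads.
            rejected.append((t["seq"], str(err)))
    accepted = con.execute("SELECT COUNT(*) FROM sales").fetchone()[0]
    con.close()
    return accepted, rejected


def run_controls(batch: List[Dict], expected_start: Optional[int] = None) -> Dict[str, List[int]]:
    """Apply the detective edits to a batch and report what each one caught."""
    seqs = [t["seq"] for t in batch]
    return {
        "gaps": sequence_gaps(seqs, expected_start),
        "duplicates": duplicates(seqs),
        "unreasonable": unreasonable(batch),
    }


if __name__ == "__main__":
    print(run_controls(BATCH, expected_start=1001))
    print(load_with_constraints(BATCH))
```

Note the caveat built into sequence_gaps: a batch can only reveal gaps inside the range it contains, so the expected first number (carried forward from the previous hour's batch) has to be supplied, or a transaction lost at the end of one batch will never show up as a gap. The constraints in load_with_constraints are the preventive counterpart: they stop the duplicate and the out-of-range amount from ever reaching the table, but they still cannot detect the missing 1004, which is why the completeness check remains a separate control.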
12. The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:
A. the requirements gathering process.
B. the internal lab testing phase.
C. the implementation phase.
D. testing and prior to user acceptance.
Answer: A. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of application software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues.

13. An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment is a:
A. cold site.
B. warm site.
C. duplicate processing facility.
D. dial-up site.

14. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
A. Implement before and after image reporting.
B. Use tracing and tagging.
C. Implement integrity constraints in the database.
D. Log all table update transactions.
Answer: C. Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered.

15. An IS auditor is reviewing system development for a health care organization with two application environments: production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?
A. The test environment may produce inaccurate results due to use of production data.
B. The test environment may not have adequate controls to ensure data accuracy.
C. Hardware in the test environment may not be identical to the production environment.
D. The test environment may not have adequate access controls implemented to ensure data confidentiality.
Answer: D. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to the risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed.

16. The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning (ERP) system. As the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
A. Significant cost savings over other testing approaches
B. Increased resiliency during the parallel processing time
C. Assurance that new, faster hardware is compatible with the new system
D. Assurance that the new system meets functional requirements
Answer: D. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (batch jobs, backups) on both systems to ensure that the new system is reliable before unplugging the old system.

17. Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities?
A. Program coding standards
B. A version control system
C. The programming language
D. The development environment
Answer: A. Program coding standards are required for efficient program maintenance and modifications. To enhance the quality of programming activities and future maintenance capabilities, program coding standards should be applied. Program coding standards are essential to writing, reading and understanding code, simply and clearly, without having to refer back to design specifications.

18. An IS auditor is conducting a pre-implementation review to determine a new system's production readiness.
A. users were involved in the quality assurance (QA) testing.
B. benefits realization has been evidenced.
C. there are unresolved high-risk items.
D. the project adhered to the budget and target date.

19. Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization's incident response process?
A. Results from management testing of incident response procedures
B. Incident response roles and responsibilities
C. Past incident response actions
D. Incident response staff experience and qualifications

20. Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds?
A. Snapshots
B. Integrated test facility
C. Regression tests
D. Generalized audit software (GAS)
Answer: D. Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data.

21. An IS auditor who is auditing the software acquisition process will ensure that the:
A. user participation is adequate in the process.
B. contract is reviewed and approved by the legal counsel before it is signed.
C. requirements are found to be critical for the business.
D. requirements cannot be met with the systems already in place.
Answer: B. The process to review and approve the contract is one of the most important steps in the software acquisition process.
An IS auditor should verify that legal counsel reviewed and approved the contract before management signs it.

22. What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning (ERP) payroll system that is replacing an existing legacy system?
A. Parallel testing
B. Multiple testing
C. Integration testing
D. Prototype testing
Answer: A. Parallel testing is the best method for testing data results and system behavior because it allows the users to compare results from both systems before the legacy system is decommissioned. Parallel testing also results in better user adoption of the new system.

23. During a system development life cycle (SDLC) audit of a human resources (HR) and payroll application, the IS auditor notes that the data used for user acceptance testing (UAT) have been masked. The purpose of masking the data is to ensure the:
A. reliability of the data.
B. confidentiality of the data.
C. accuracy of the data.
D. completeness of the data.
Answer: B. Masking is used to ensure the confidentiality of data, especially in a user acceptance testing (UAT) exercise in which the testers have access to data that they would not have access to in normal production environments.

24. Which of the following is the MOST likely cause of a successful firewall penetration?
A. Loophole in firewall vendor's code
B. Use of a Trojan to bypass the firewall
C. Firewall misconfiguration by the administrator
D. Virus infection

25. An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
A. Program logic specification
B. Program output testing
C. System configuration
D. Performance tuning
Answer: B. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user.
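Questions 15 and 23 above both concern production data reaching a test environment, and question 23 names the control: masking. The following is an added example written for this page, not code from the original quiz or from ISACA. It masks a constructed HR/payroll extract before it is loaded into UAT: identifiers become keyed pseudonyms so joins between tables still work, the national ID is masked format-preservingly, the IBAN is masked and given freshly computed mod-97 check digits so the payroll application still accepts it, salaries are perturbed, and a final check confirms that no original sensitive value survived in the output. The record layout and MASK_KEY are assumptions; a real key would come from a secret store and would never be deployed to the test environment.

```python
"""Masking a production HR/payroll extract before it is loaded into UAT.

Added example for this page, not code from the original quiz. The records are
constructed, and the field layout and MASK_KEY are assumptions.
"""
import hashlib
import hmac
import string
from typing import Dict, List

# Assumption: a real key lives in a secret store, is used only by the extraction
# job and never reaches the test environment. It only has to stay the same for
# one run so that the same employee masks identically in every table.
MASK_KEY = b"demo-masking-key-not-for-production"

SENSITIVE_FIELDS = ("name", "national_id", "iban")

# Constructed production extract (these values are fictional as well).
PRODUCTION: List[Dict] = [
    {"emp_id": "E1001", "name": "Ada Byron", "national_id": "123-45-6789",
     "iban": "GB29NWBK60161331926819", "monthly_salary": 5200.00},
    {"emp_id": "E1002", "name": "Bob Walker", "national_id": "987-65-4321",
     "iban": "DE89370400440532013000", "monthly_salary": 4100.00},
]


def _keystream(label: str, value: str, n: int) -> bytes:
    """Deterministic keyed bytes for one field value (HMAC-SHA256, counter mode)."""
    out, counter = b"", 0
    while len(out) < n:
        msg = f"{label}:{counter}:{value}".encode()
        out += hmac.new(MASK_KEY, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def pseudonym(label: str, value: str) -> str:
    """Opaque but stable token: same input, same output; not reversible without MASK_KEY."""
    return _keystream(label, value, 5).hex()


def mask_preserving_format(label: str, value: str) -> str:
    """Letter -> letter, digit -> digit, punctuation kept, so the application's
    field-format validation still passes. (The modulo bias does not matter here:
    the goal is unlinkability to the real value, not uniform randomness.)"""
    out = []
    for ch, b in zip(value, _keystream(label, value, len(value))):
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isupper():
            out.append(string.ascii_uppercase[b % 26])
        elif ch.islower():
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)
    return "".join(out)


def _iban_numeric(s: str) -> int:
    # ISO 13616: letters become 10..35, then the whole string is read as an integer.
    return int("".join(str(int(c, 36)) for c in s))


def validate_iban(iban: str) -> bool:
    """ISO 13616 mod-97 check; true for a well-formed IBAN."""
    return _iban_numeric(iban[4:] + iban[:4]) % 97 == 1


def mask_iban(iban: str) -> str:
    """Keep the country code, mask the BBAN, recompute the two check digits so
    the masked account number still passes the payroll system's IBAN check."""
    country, bban = iban[:2], iban[4:]
    new_bban = mask_preserving_format("iban", bban)
    check = 98 - _iban_numeric(new_bban + country + "00") % 97
    return f"{country}{check:02d}{new_bban}"


def perturb_salary(emp_id: str, salary: float) -> float:
    """Keep payroll figures realistic but not real: keyed factor in [0.9, 1.1].
    Which numeric fields need this treatment is a business decision."""
    factor = 0.9 + 0.2 * _keystream("salary", emp_id, 1)[0] / 255
    return round(salary * factor, 2)


def mask_record(rec: Dict) -> Dict:
    return {
        "emp_id": "E" + pseudonym("emp", rec["emp_id"])[:6].upper(),  # stable join key
        "name": "Employee " + pseudonym("name", rec["name"]),
        "national_id": mask_preserving_format("nid", rec["national_id"]),
        "iban": mask_iban(rec["iban"]),
        "monthly_salary": perturb_salary(rec["emp_id"], rec["monthly_salary"]),
    }


def mask_extract(records: List[Dict]) -> List[Dict]:
    return [mask_record(r) for r in records]


def leaks(production: List[Dict], masked: List[Dict]) -> List[str]:
    """Post-masking check: any original sensitive value still present anywhere
    in the masked extract is a leak. Returns the leaked values (ideally none)."""
    haystack = " ".join(str(v) for rec in masked for v in rec.values())
    return [rec[f] for rec in production for f in SENSITIVE_FIELDS if rec[f] in haystack]


if __name__ == "__main__":
    masked = mask_extract(PRODUCTION)
    for row in masked:
        print(row)
    print("leaks:", leaks(PRODUCTION, masked))
```

The leaks check is the part an auditor would ask to see evidence of: masking that is "done" but never verified is the situation question 15 warns about. Because every pseudonym is an HMAC under MASK_KEY, the same employee masks to the same emp_id in every extracted table, so referential integrity in UAT is preserved without anyone in the test environment being able to reverse the mapping.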
26. What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?
A. Regression testing
B. White box testing
C. Beta testing
D. Alpha testing
Answer: C. Beta testing is the final stage of testing and typically includes users outside the development area. It is a form of user acceptance testing (UAT) and generally involves a limited number of users who are external to the development effort.

27. A LAN administrator normally would be restricted from:
A. being responsible for LAN security administration.
B. having programming responsibilities.
C. reporting to the end-user manager.
D. having end-user responsibilities.

28. A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk?
A. Backups of the information in the overseas database
B. Remote access to the backup database
C. The hardware being used to run the database application
D. Confidentiality of the information stored in the database
Answer: C. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users.

29. During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?
A. Data file security
B. Transaction logs
C. One-for-one checking
D. File updating and maintenance authorization
Answer: B. Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc.
Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. Logs also help to determine which transactions have been posted to an account by a particular individual during a particular period.

30. An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?
A. Paper test
B. Regression test
C. Full operational test
D. Preparedness test