CISA Exam-Test 21

1. Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
- Packet filtering routers
- Firewalls
- Data mining techniques
- Intrusion detection systems

Data mining is a technique used to detect trends or patterns in transactions or data. If the historical pattern of charges against a credit card account changes, that is a flag that the transaction may have resulted from fraudulent use of the card.

2. At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
- attempt to resolve the error.
- ignore the error because it is not possible to get objective evidence for the software error.
- recommend that problem resolution be escalated.
- report the error as a finding and leave further exploration to the auditee's discretion.

When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolution be attempted, including escalation if necessary.

3. An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:
- acknowledge receipt of electronic orders with a confirmation message.
- encrypt electronic orders.
- perform reasonableness checks on quantities ordered before filling orders.
- verify the identity of senders and determine if orders correspond to contract terms.

An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.

4. If senior management is not committed to strategic planning, how likely is it that a company's implementation of IT will be successful?
- Less likely
- IT cannot be implemented if senior management is not committed to strategic planning
- More likely
- Strategic planning does not affect the success of a company's implementation of IT

5. What should an IS auditor do if he or she observes that project-approval procedures do not exist?
- Recommend to management that formal approval procedures be adopted and documented
- Create project-approval procedures for future project implementations
- Assign project leaders
- Advise senior management to invest in project-management training for the staff

6. Which of the following would provide an IS auditor with the MOST assurance when auditing the implementation of a new application system?
- Sign-off by system owner
- Attribute sampling
- Substantive testing
- Statistical sampling

7. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
- Sociability testing
- Parallel testing
- Interface/integration testing
- Pilot testing

The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development.

8. Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?
- System designers
- System owners
- System builders
- System users

System owners are the information systems (project) sponsors or chief advocates. They are normally responsible for initiating and funding projects to develop, operate and maintain information systems.

9. From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:
- a deployment plan based on sequenced phases.
- to simulate the new infrastructure before deployment.
- a major deployment after proof of concept.
- prototyping and a one-phase deployment.

When developing a large and complex IT infrastructure, a good practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results.

10. An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?
- There is no privacy information in the data.
- The data is taken directly from the system.
- The data can be obtained in a timely manner.
- The data analysis tools have been recently updated.

11. A core tenet of an IS strategy is that it must:
- Protect information confidentiality, integrity, and availability
- Be inexpensive
- Support the business objectives of the organization
- Be protected as sensitive confidential information

12. Following good practices, formal plans for implementation of new information systems are developed during the:
- development phase.
- design phase.
- testing phase.
- deployment phase.

The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.

13. An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
- Phased
- Direct cutover
- Pilot
- Parallel

Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. This is the riskiest approach and may cause a significant impact on the organization.

14. What is the primary objective of a control self-assessment (CSA) program?
- Replacement of the audit responsibility
- Enhancement of the audit responsibility
- Integrity of the audit responsibility
- Elimination of the audit responsibility

15. An IS audit manager finds that data manipulation logic developed by the audit analytics team leads to incorrect conclusions. This inaccurate logic is MOST likely an indication of which of the following?
- The team's poor understanding of the business process being analyzed
- Poor security controls that grant inappropriate access to analysis produced
- Poor change controls over data sets collected from the business

16. An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
- correlation of arithmetic characteristics of the data migrated between the two systems.
- correlation of functional characteristics of the processes between the two systems.
- correlation of semantic characteristics of the data migrated between the two systems.
- relative efficiency of the processes between the two systems.

Because the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new system as it was in the old system.

17. The specific advantage of white box testing is that it:
- ensures a program's functional operating effectiveness without regard to the internal program structure.
- examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
- verifies a program can operate successfully with other parts of the system.
- determines procedural accuracy or conditions of a program's specific logic paths.

White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths.

18. Which of the following is an implementation risk within the process of decision support systems (DSSs)?
- Inability to specify purpose and usage patterns
- Changes in decision processes
- Semistructured dimensions
- Management control

The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS.

19. An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?
- Extensive use of software development tools to maximize team productivity
- Use of a capability maturity model (CMM)
- Postiteration reviews that identify lessons learned for future use in the project
- Regular monitoring of task-level progress against schedule

A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is for the team to consider and document what worked well and what could have worked better at the end of each iteration, and to identify improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.

20. A bank is relocating its servers to a vendor that provides data center hosting services to multiple clients. Which of the following controls would restrict other clients from physical access to the bank servers?
- Closed-circuit television camera
- Biometric access at all data center entrances
- 24-hour security guards
- Locking server cages

21. During which phase of software application testing should an organization perform the testing of architectural design?
- System testing
- Unit testing
- Acceptance testing
- Integration testing

Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design.

22. Which of the following system and data conversion strategies provides the GREATEST redundancy?
- Pilot study
- Phased approach
- Direct cutover
- Parallel run

Parallel runs are the safest—though the most expensive—approach because both the old and new systems are run, thus incurring what might appear to be double costs.

23. A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
- Project manager
- IS auditor
- Database administrator
- Data owner

During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing off that the data are migrated completely and accurately and are valid. An IS auditor is not responsible for reviewing and signing off on the accuracy of the converted data.

24. The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
- decision trees.
- rules.
- semantic nets.
- dataflow diagrams.

Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached.

25. The MAJOR advantage of a component-based development approach is the:
- support of multiple development environments.
- provision for modeling complex relationships.
- capacity to meet the demands of a changing environment.
- ability to manage an unrestricted variety of data types.

Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.

26. Which of the following situations would increase the likelihood of fraud?
- Application programmers are implementing changes to production programs.
- Operations support staff members are implementing changes to batch schedules.
- Database administrators are implementing changes to data structures.
- Administrators are implementing vendor patches to vendor-supplied software without following change control procedures.

Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data.

27. An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
- System administrators are trained to use the virtual machine (VM) architecture.
- The VM server is included in the disaster recovery plan (DRP).
- Server configuration has been hardened appropriately.
- Allocated physical resources are available.

The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when the production architecture differs from the development and testing architecture.

28. As part of a follow-up of a previous year's audit, an IS auditor has increased the expected error rate for a sample. The impact will be:
- required sample size increases.
- standard deviation decreases.
- degree of assurance increases.
- sampling risk decreases.

29. During the system testing phase of an application development project, the IS auditor should review the:
- error reports.
- program change requests.
- vendor contract.
- conceptual design specifications.

Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data, and review the procedures for resolving errors.

30. The reason a certification and accreditation (C&A) process is performed on critical systems is to ensure that:
- data have been encrypted and are ready to be stored.
- security compliance has been technically evaluated.
- the systems have followed the phases of a waterfall model.
- the systems have been tested to run on different platforms.

Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration.