101-200
Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns in order to identify abnormal expenditures? A. A neural network B. Database management software C. Management information systems D. Computer assisted audit techniques
A. A neural network
Which of the following data entry controls provides the GREATEST assurance that data entered does not contain errors? A. Key verification B. Segregation of the data entry function from data entry verification C. Maintaining a log/record detailing the time, date, employee's initials/user -id and progress of various data preparation and verification tasks D. Check digits
A. Key verification
While conducting an audit of management's planning of IS, what would an IS auditor consider the MOST relevant to short-term planning for the IS department? A. Allocating resources B. Keeping current with technology advances C. Conducting control self-assessment D. Evaluating hardware needs
A. Allocating resources
Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs B. Application programmers are implementing changes to test programs C. Operations support staff are implementing changes to batch schedules D. Data base administrators are implementing changes to data structures
A. Application programmers are implementing changes to production programs
Which of the following is widely accepted as one of the critical components in networking management? A. Configuration management B. Topological mappings C. Application of monitoring tools D. Proxy server trouble shooting
A. Configuration management
Which of the following transmission media would NOT be affected by cross talk or interference? A. Fiber optic systems B. Twisted pair circuits C. Microwave radio systems D. Satellite radiolink systems
A. Fiber optic systems
Which of the following audit techniques would an IS auditor place the MOST reliance on when determining whether an employee practices good preventive and detective security measures? A. Observation B. Detail testing C. Compliance testing D. Risk assessment
A. Observation
Which of the following tools is NOT used to monitor the efficiency and effectiveness of services provided by IS personnel? A. Online monitors B. Operator problem reports C. Output distribution reports D. Console logs
A. Online monitors
An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system? A. Protocol conversion and buffer capacity B. Network controller and buffer capacity C. Buffer capacity and parallel port D. Parallel port and protocol conversion
A. Protocol conversion and buffer capacity
An organization is considering installing a local area network (LAN) in a site under construction. If system availability is the main concern, which of the following topologies is MOST appropriate? A. Ring B. Line C. Star D. Bus
A. Ring
Which one of the following types of firewalls would BEST protect a network from an Internet attack? A. Screened sub-net firewall B. Application filtering gateway C. Packet filtering router D. Circuit level gateway
A. Screened sub-net firewall
Which of the following would an IS auditor be MOST concerned with when evaluating the effectiveness and adequacy of a computer preventive maintenance program? A. System downtime log B. Vendors' reliability figures C. A log of regularly scheduled maintenance D. A written preventive maintenance schedule
A. System downtime log
In protocols like HTTP, FTP, and SMTP, the implementation of the TCP/IP suite is arranged in the following manner: A. TCP works at the transport layer and handles packets, while IP works at the network layer and handles addresses. B. TCP works at the transport layer and handles addresses, while IP works at the network layer and handles packets. C. TCP works at the presentation layer and handles proxies, while IP works at the data link layer and handles applets. D. TCP works at any of the OSI layers and handles circuits, while IP also works at any of the OSI layers but handles messages.
A. TCP works at the transport layer and handles packets, while IP works at the network layer and handles addresses.
Which of the following would an IS auditor NOT review when performing a general operational control review? A. User manuals B. Re-run reports C. Maintenance logs D. Backup procedures
A. User manuals
How can an enterprise provide access to its intranet (i.e., extranet) across the Internet to its business partners? A. Virtual private network B. Client/server C. Dial-in access D. Network service provider
A. Virtual private network
Is it appropriate for an IS auditor from a company which is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan? A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan. B. Yes, because, based on the plan, the IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract. C. No, because backup to be provided should be adequately specified in the contract. D. No, because the service bureau's business continuity plan is proprietary information to which users' IS auditors are not usually allowed access.
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan.
E-cash is a form of electronic money that: A. can be used over any computer network. B. utilizes reusable e-cash coins to make payments. C. does not require the use of an Internet digital bank. D. contains unique serial numbering to track the identity of the buyer.
A. can be used over any computer network.
A data dictionary is an example of software that is used to: A. describe application systems. B. assist in fast program development. C. improve operation efficiency. D. test data quality.
A. describe application systems.
A probable advantage to an organization that has outsourced its data processing services is that: A. greater IS expertise can be obtained from the outside. B. more direct control can be exercised over computer operations. C. processing priorities can be established and enforced internally. D. greater user involvement is required to communicate user needs.
A. greater IS expertise can be obtained from the outside.
All of the following are common problems with firewall implementations EXCEPT: A. inadequately protecting the network and servers from virus attacks. B. incorrectly configuring access lists. C. logging of connections is either insufficient or not reviewed on a regular basis. D. network services destined to internal hosts are passed through the firewall unscreened.
A. inadequately protecting the network and servers from virus attacks.
In a TCP/IP based network, an IP address specifies a: A. network connection. B. router/gateway. C. computer in the network. D. device on the network such as a gateway/router, host, server, etc.
A. network connection.
The security administrator is responsible for providing reasonable assurance over the confidentiality, integrity and availability of information system controls. Another duty that could be considered compatible, without causing a conflict of interest, would be: A. quality assurance. B. application programming. C. systems programming. D. data entry.
A. quality assurance.
A sound information security policy will MOST likely include a: A. response program to handle suspected intrusions. B. correction program to handle suspected intrusions. C. detection program to handle suspected intrusions. D. monitoring program to handle suspected intrusions.
A. response program to handle suspected intrusions.
An IS auditor consulting on a project to develop a network management system, would consider all of the following essential features EXCEPT: A. the capacity to interact with the Internet for problem solving. B. a graphical interface to map the topology. C. a relational database to store the readings. D. the ability to gather information from various network devices.
A. the capacity to interact with the Internet for problem solving.
Connection-oriented protocols in the TCP/IP suite are implemented in the: A. transport layer. B. application layer. C. physical layer. D. network layer.
A. transport layer.
Which of the following is a telecommunication device that translates data from digital form to analog form and back to digital? A. Multiplexer B. Modem C. Protocol converter D. Concentrator
B. Modem
Which of the ISO/OSI model layers provides service for how to route packets between nodes? A. Data link B. Network C. Transport D. Session
B. Network
Which of the following types of firewalls provide the GREATEST degree and granularity of control? A. Screening router B. Packet-filter C. Application-gateway D. Circuit-gateway
C. Application-gateway
Which of the following would provide the LEAST justification for an organization's investment in a security infrastructure? A. Risk analysis of internal/external threats B. A white paper report on Internet attacks, companies attacked, and damage inflicted C. A penetration test of the organization's network demonstrates that the threat from intruders is high D. Reports generated internally from use of high-profile network tools
B. A white paper report on Internet attacks, companies attacked, and damage inflicted
Which of the following tools for controlling input/output of data are used to verify output results and control totals by matching them against the input data and control totals? A. Batch header forms B. Batch balancing C. Data conversion error corrections D. Access controls over print spools
B. Batch balancing
Which of the following is NOT a telecommunications control? A. Trailer record B. Common carrier C. Diagnostic routine D. Echo check
B. Common carrier
During a review of a large data center an IS auditor observed computer operators acting as backup tape librarians and security administrators. Which of these situations would be MOST critical to report to senior management? A. Computer operators acting as tape librarians B. Computer operators acting as security administrators C. Computer operators acting as a tape librarian and security administrator D. It is not necessary to report any of these situations to senior management
B. Computer operators acting as security administrators
Which of the following would provide a mechanism whereby IS management can determine when, and if, the activities of the enterprise have deviated from planned, or expected levels? A. Quality management B. IS assessment methods C. Management principles D. Industry standards/benchmarking
B. IS assessment methods
Which of the following functions would be acceptable for the security administrator to perform in addition to his or her normal function? A. Systems analyst B. Quality assurance C. Computer operator D. Systems programmer
B. Quality assurance
Who of the following, who is responsible for network security operations? A. Users, who periodically change their passwords. B. Security administrators, who control services and computers. C. Line managers, responsible for policies and procedures. D. Security officers, who administer the security policy.
B. Security administrators, who control services and computers.
Which of the following is NOT a common database structure? A. Network B. Sequential C. Hierarchical D. Relational
B. Sequential
Which of the following is NOT an advantage of an object-oriented approach to data management systems? A. A means to model complex relationships B. The ability to restrict the variety of data types C. The capacity to meet the demands of a changing environment D. The ability to access only the information that is needed
B. The ability to restrict the variety of data types
Which of the following is the BEST form of transaction validation? A. Use of key field verification techniques in data entry B. Use of programs to check the transaction against criteria set by management C. Authorization of the transaction by supervisory personnel in an adjacent department D. Authorization of the transaction by a department supervisor prior to the batch process
B. Use of programs to check the transaction against criteria set by management
The device to extend the network that must have storage capacity to store frames and act as a storage and forward device is a: A. router. B. bridge. C. repeater. D. gateway.
B. bridge.
A universal serial bus (USB) port: A. connects the network without a network card. B. connects the network with an Ethernet adapter C. replaces all existing connections. D. connects the monitor.
B. connects the network with an Ethernet adapter
Capacity monitoring software is used to ensure: A. maximum use of available capacity. B. future acquisitions meet user functionality demands. C. concurrent use by a large number of users. D. continuity of efficient operation.
D. continuity of efficient operation.
While evaluating a file/table design, an IS auditor should understand that a referential integrity constraint consists of: A. ensuring the integrity of transaction processing. B. ensuring that data are updated through triggers. C. ensuring controlled user updates to the database. D. rules for designing tables and queries.
B. ensuring that data are updated through triggers.
A database administrator is responsible for: A. maintaining the access security of data residing on the computers. B. implementing database definition controls. C. granting access rights to users. D. defining system's data structure.
B. implementing database definition controls.
Service level agreements establish: A. minimum service levels to be rendered by IS management. B. minimum service levels to be achieved in the event of a disaster. C. maximum service levels to be rendered by IS support services. D.minimum levels of processing capabilities that can be affected by a disaster.
B. minimum service levels to be achieved in the event of a disaster.
All of the following are properties of a relational database EXCEPT: A. relational database technology separates data from applications B. operational efficiencies are significantly increased with relational models C. relational database models information in the structure of a table with columns and rows in a relational model there is always a primary key for a tuple and there are no duplicate
B. operational efficiencies are significantly increased with relational models
Receiving an electronic data interchange (EDI) transaction and passing it through the communications interface stage usually requires: A. translating and unbundling transactions. B. routing verification procedures. C. passing data to the appropriate application system. D. creating a point of receipt audit log.
B. routing verification procedures.
An IS auditor reviewing the organization IT strategic plan should FIRST review: A. the existing information technology environment. B. the business plan. C. the present IT budget. D. current technology trends.
B. the business plan.
Which of the following indicators would LEAST likely indicate that complete or selected outsourcing of computer operators should be considered ? A. The applications development backlog is greater than three years. B. It takes one year to develop and implement a high-priority system. C. More than 60 per cent of programming costs are spent on systems maintenance. D. Duplicate information systems functions exist at two sites.
B.It takes one year to develop and implement a high-priority system.
Which of the following IS functions may be performed by the same individual, without compromising on control or violating segregation of duties? A. Job control analyst and applications programmer B. Mainframe operator and system programmer C. Change/problem and quality control administrator D. Applications and system programmer
C. Change/problem and quality control administrator
What type of transmission requires modems in a network to be connected to terminals from the computer? A. Encrypted B. Digital C. Analog D. Modulated
C. Analog
Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them? A. Overwriting the tapes B. Initializing the tape labels C. Degaussing the tapes Erasing the tapes
C. Degaussing the tapes
A large manufacturing firm wants to automate its invoice and payment processing system with its suppliers. Requirements state that the system of high integrity will require considerably less time for review and authorization. The system should still be capable of quickly identifying errors that need follow up. Which approach below is BEST suited in meeting these requirements? A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies. B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing. C. Establishing an electronic data interchange (EDI) system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format. D. Reengineering existing processing and redesigning the existing system.
C. Establishing an electronic data interchange (EDI) system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format.
Various standards have emerged to assist IS organizations in achieving an operational environment that is predictable, measurable and repeatable. The standard that provides the definition of the characteristics and associated quality evaluation process to be used when specifying the requirements for and evaluating the quality of software products throughout their life cycle is: A. ISO 9001. B. ISO 9002. C. ISO 9126. D. ISO 9003.
C. ISO 9126.
Which of the following computer system risks would be increased by the installation of a database system? A. Programming errors B. Data entry errors C. Improper file access D. Loss of parity
C. Improper file access
Which of the following statements pertaining to a data communication system is FALSE? A. It has multiple layers. B. It interfaces with the operating system. C. It operates on the content of the information. D. It is concerned with the correct transmission between two points.
C. It operates on the content of the information.
1. Congestion control is BEST handled by which OSI layer? A. Data link B. Session layer C. Transport layer D. Network layer
C. Transport layer
Which of the following allow programmers to code and compile programs interactively with the computer from a terminal? A. Firmware B. Utility programs C. Online programming facilities D.Network management software
C. Online programming facilities
Which of the following functions would represent a risk if combined with that of a system analyst, due to the lack of compensating controls? A. Application programming B. Data entry C. Quality assurance D. Database administrator
C. Quality assurance
Which of the following is NOT an advantage of image processing? A. Verifies signatures B. Improves service C. Relatively inexpensive to use D. Reduces deterioration due to handling
C. Relatively inexpensive to use
Which of the following is NOT related to file identification? A. Periodic file inventory B. External label standards C. Retention period standards D. High-level qualifier restrictions
C. Retention period standards
Which of the following Local Area Network (LAN) physical layouts are subject to vulnerability to failure if one device fails? A. Star B. Bus C. Ring D. Completely connected
C. Ring
An organization is about to implement a computer network in a new office building. The company has 200 users located in the same physical area. No external network connections will be required. Which of the following network configurations would be the easiest for problem resolution? A. Bus B. Ring C. Star D. Mesh
C. Star
Which of the following is a network architecture configuration that links each station directly to a main hub? A. Bus B. Ring C. Star D. Completed connected
C. Star
Which of the following is the operating systems mode in which all instructions can be executed? A. Problem B. Interrupt C. Supervisor D. Standard processing
C. Supervisor
Which of the following would an IS auditor expect to find in a console log? A. Names of system users B. Shift supervisor identification C. System errors D. Data edit errors
C. System errors
Neural networks are effective in detecting fraud because they can: A. discover new trends since they are inherently linear. B. solve problems where large and general sets of training data are not obtainable. C. attack problems that require consideration of a large number of input variables. D. make assumptions about the shape of any curve relating variables to the output.
C. attack problems that require consideration of a large number of input variables.
Employee termination practices should address all of the following EXCEPT: A. arrangement for the final pay and removal of the employee from active payroll files. B. notification to other staff and facilities security to increase awareness of the terminated employee's status. C. employee bonding to protect against losses due to theft.
C. employee bonding to protect against losses due to theft.
The data control department responsible for data entry should: A. maintain access rules to data and other IT resources. B. periodically review and evaluate the data security policy. C. ensure proper safekeeping of source documents until processing is complete. D. monitor security violations and take corrective action.
C. ensure proper safekeeping of source documents until processing is complete.
In a review of the operating system software selection and the acquisition process, an IS auditor would place more importance in finding evidence of: A. competitive bids. B. user-department approval. C. hardware-configuration analysis. D. purchasing department approval.
C. hardware-configuration analysis.
An IS steering committee should: A. include a mix of members from different departments and management levels. B. ensure that IS security policies and procedures have been properly executed. C. have formal terms of reference and maintain minutes of its meetings. D. be briefed about new trends and products at each meeting by a vendor.
C. have formal terms of reference and maintain minutes of its meetings.
Utility programs that assemble software modules needed to execute a machine instruction application program version are: A. text editors. B. program library managers. C. linkage editors and loaders. D. debuggers and development aids.
C. linkage editors and loaders.
The input/output control function is responsible for: A. pulling and returning all tape files. B. entering and key verifying data. C. logging batches and reconciling hash totals. D. executing both production and test jobs.
C. logging batches and reconciling hash totals.
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.
C. ownership of intellectual property.
An IS auditor has discovered that the organization's existing computer system is no longer adequate for the demands being placed on it by data processing, is not compatible with new models and cannot be expanded. As a result, a recommendation is made to use emulation. Emulation involves: A. hardware which converts a new computer into an image of the old computer. B. writing the programs in modules which simplify the transition to a new computer. C. software which translates the old program into one readable by a new computer. D. simulating a new computer on the old computer to produce machine independent code.
C. software which translates the old program into one readable by a new computer.
An organization has outsourced network and desktop support. Although the relationship has been reasonably successful, risks remain due to connectivity issues. Which of the following controls should FIRST be performed to assure the organization reasonably mitigates these possible risks? A. Network defense program B.Encryption/Authentication C. Adequate reporting between organizations D. Adequate definition in contractual relationship
D. Adequate definition in contractual relationship
Which of the following network configuration options contains a direct link between any two host machines? A. Bus B. Ring C. Star D. Completely connected (mesh)
D. Completely connected (mesh)
Which of the following is NOT a function of an online tape management system? A. Indicating which tapes should be cleaned B. Maintaining an inventory listing of tapes C. Allowing external tape labels to contain a serial number only D. Controlling physical access to the tape library area
D. Controlling physical access to the tape library area
Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions? A. Parity check B. Echo check C. Block sum check D. Cyclic redundancy check
D. Cyclic redundancy check
Which of the following line media would be MOST secure in a telecommunication network? A. Broadband network digital transmission B. Baseband network C. Dial up D. Dedicated lines
D. Dedicated lines
103. Which of the following provisions in a contract for external information systems services would an IS auditor consider to be LEAST significant? A. Ownership of program and files B. Statement of due care and confidentiality C. Continued service of outsourcer in the event of a disaster D. Detailed description of computer hardware used by the vendor
D. Detailed description of computer hardware used by the vendor
Which of the following key performance indicators would an IS manager be LEAST likely to systematically report to its board of directors? A. Average response time to users requirements B. Cost per transaction C. IS costs per area D. Disk storage space free
D. Disk storage space free
Which of the following is NOT a way that executive information systems (EIS) are distinguished from other information systems? A. EIS are much easier to use than other systems. B. EIS normally include user friendly features. C. EIS normally include other features such as e-mail and word processing abilities. D. EIS focus on broad problems to a specific view.
D. EIS focus on broad problems to a specific view.
Which of the following is a hardware device that relieves the central computer from performing network control, format conversion and message handling tasks? A. Spool B. Cluster controller C. Protocol converter D. Front end processor
D. Front end processor
The development of an IS security policy is the responsibility of the: A. IS department. B. security committee. C. security administrator. D. board of directors.
D. board of directors.
An organization is about to implement a computer network in a new office building. The company has 200 users located in the same physical area. No external network connections will be required. Which of the following network configurations would be the MOST expensive to install? A. Bus B. Ring C. Star D. Mesh
D. Mesh
Which of the following is the MOST important function to be performed by IT management within an outsourced environment?. A. Ensuring that invoices are paid to the provider B. Participating in systems design with the provider C. Renegotiating the provider's fees D. Monitoring the outsourcing provider's performance
D. Monitoring the outsourcing provider's performance
Which of the following is NOT an element of a LAN environment? A. Packet switching technology B. Baseband (digital signaling) C. Ring or short bus topology D. Private circuit switching technology
D. Private circuit switching technology
1. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system? A. Buffer capacity and parallel port B. Network controller and buffer capacity C. Parallel port and protocol conversion D. Protocol conversion and buffer capability
D. Protocol conversion and buffer capability
Which of the following independent duties is performed by the data control group? A. Access to data B. Authorization tables C. Custody of assets D. Reconciliation
D. Reconciliation
Which of the following provides the MOST effective means of determining which controls are functioning properly in an operating system? A. Consulting with the vendor B. Reviewing the vendor installation guide C. Consulting with the system programmer D. Reviewing the system generation parameters
D. Reviewing the system generation parameters
Which of the following can a local area network (LAN) administrator use to protect against exposure to illegal or unlicensed software usage by the network user? A. Software metering B. Virus detection software C. Software encryption D. Software inventory programs
D. Software inventory programs
Which of the following issues would be of LEAST concern when reviewing an outsourcing agreement in which the outsourcing vendor assumes responsibility of the information processing function? A. The organization's right to audit vendor operations. B. The loyalty of the third-party personnel. C. The access control system that protects the outsourcing vendor's data. D. The outsourcing vendor's software acquisition procedures.
D. The outsourcing vendor's software acquisition procedures.
When auditing operating software development, acquisition or maintenance, the IS auditor would review system software maintenance activities to determine: A. fallback or restoration procedures are in place in case of production failure. B. impact of the product on processing reliability. C. system software changes are scheduled when they least impact IS processing. D. current versions of the software are supported by the vendor.
D. current versions of the software are supported by the vendor.
101. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's vast experience and: A. the length of service since this will help ensure technical competence. B. the individual's age as training in audit techniques may be impractical. C. IS knowledge since this will bring enhanced credibility to the audit function. D. existing IS relationships where the ability to retain audit independence may be difficult.
D. existing IS relationships where the ability to retain audit independence may be difficult.
102. An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is LEAST likely to expect the job description of the DBA to include: A. defining the conceptual schema. B. defining security and integrity checks. C. liaising with users in developing data model. D. mapping data model with the internal schema.
D. mapping data model with the internal schema.
One of the responsibilities of the technical support function is: A. ensuring job preparation, scheduling and operating instructions. B. establishing, enhancing and maintaining a stable, controlled environment for the implementation of changes within the production software environment. C. defining, establishing and maintaining a standard, consistent and well-defined testing methodology for computer systems. D. obtaining detailed knowledge of the operating system and other systems software.
D. obtaining detailed knowledge of the operating system and other systems software.
Public-key infrastructure (PKI) integrates all of the following into an enterprise-wide network security architecture EXCEPT: A. public-key cryptosystem. B. digital certificates. C. certificate authorities. D. password key management.
D. password key management.
In Wide Area Networks (WANs): A. data flow can be half duplex or full duplex. B. communication lines must be dedicated. C. circuit structure can be operated only over a fixed distance. D. the selection of communication lines will affect reliability.
D. the selection of communication lines will affect reliability.
A hub is a device that connects: A. two LANs using different protocols. B. a LAN with a WAN. C. a LAN with a MAN. D. two segments of a single LAN.
D. two segments of a single LAN.
Assuming this diagram represents an internal facility and the organization is implementing a firewall protection program, where should firewalls be installed? A. No firewalls are needed B. op-3 location only C. MIS (Global) and NAT2 D. SMTP Gateway and op-3
SMTP Gateway and op-3